login man page on IRIX

Man page or keyword search:  
man Server   31559 pages
apropos Keyword Search (all sections)
Output format
IRIX logo
[printable version]



login(1)							      login(1)

NAME
     login - sign on

SYNOPSIS
     login [ -d device ] [ name [ environ ... ]]

DESCRIPTION
     The login command is used at the beginning of each terminal session and
     allows you to identify yourself to the system.  It is invoked by the
     system when a connection is first established.  It is invoked by the
     system when a previous user has terminated the initial shell by typing a
     <Ctrl-d> to indicate an end-of-file.

     If login is invoked as a command, it must replace the initial command
     interpreter.  This is accomplished by typing

	  exec login

     from the initial shell.

     login asks for your user name (if it is not supplied as an argument) and,
     if appropriate, your password.  Echoing is turned off (where possible)
     during the typing of your password, so it does not appear on the written
     record of the session.

     login reads /etc/default/login to determine default behavior.  To change
     the defaults, the system administrator should edit this file.  The syntax
     of the below lines within the /etc/default/login file must not contain
     any whitespaces.  The examples shown below are login defaults.
     Recognized values are:

     Note:  If PAM (see pam(8)) is enabled, some of the options are not
     supported.

     CONSOLE=device   If defined, only allows root logins on the device
		      specified, typically /dev/console.  This MUST NOT be
		      defined as either /dev/syscon or /dev/systty.  If
		      undefined, root can log in on any device.

     PASSREQ=NO	      Determines whether all accounts must have passwords.  If
		      YES, and user has no password, they are prompted for one
		      at login time.

		      Not supported when PAM is enabled.

     MANDPASS=NO      Like PASSREQ, but doesn't allow users with no password
		      to log in.

		      Not supported when PAM is enabled.

									Page 1

login(1)							      login(1)

     ALTSHELL=YES     If YES, the environment variable SHELL is initialized.

     UMASK=022	      Default umask, in octal.

     TIMEOUT=60	      Exit login after this many seconds of inactivity
		      (maximum 900, or 15 minutes)

     SLEEPTIME=1      Sleep for this many seconds before issuing "login
		      incorrect" message (maximum 60 seconds).

     DISABLETIME=20   After LOGFAILURES or MAXTRYS unsuccessful attempts,
		      sleep for DISABLETIME seconds before exiting (no
		      maximum).

     MAXTRYS=3	      Exit login after MAXTRYS unsuccessful attempts (0 =
		      unlimited attempts).

     LOGFAILURES=3    If there are LOGFAILURES consecutive unsuccessful login
		      attempts, each of them is logged in /var/adm/loginlog,
		      if it exists.  LOGFAILURES has a maximum value of 20.

		      Note:  Users get at most the minimum of (MAXTRYS,
		      LOGFAILURES) unsuccessful attempts.

     IDLEWEEKS=-1     If nonnegative, specify a grace period during which
		      users with expired passwords are allowed to enter a new
		      password.	 In other words, accounts with expired
		      passwords can stay idle up to this long before being
		      "locked out."  If IDLEWEEKS is 0, there is no grace
		      period, and expired passwords are the same as
		      invalidated passwords.

		      Not supported when PAM is enabled.

     PATH=	      Path for normal users (from /usr/include/paths.h).

     SUPATH=	      Path for superuser (from /usr/include/paths.h).

     SYSLOG=FAIL      Log to syslog all login failures (SYSLOG=FAIL) or all
		      successes and failures (SYSLOG=ALL).  Log entries are
		      written to the LOG_AUTH facility (see syslog(3C) and
		      syslogd(1M) for details).	 No messages are sent to
		      syslog if not set.  Note that this is separate from the
		      login log, /var/adm/loginlog.

     INITGROUPS=YES   If YES, make the user session be a member of all of the
		      user's supplementary groups (see multgrps(1) or
		      initgroups(3C)).

     LANG=C	      If LANG is set, make this the default login language.
		      This is used if no LANG comes from environment (rlogind,
		      getty, ...) and $HOME/.lang does not exist or does not

									Page 2

login(1)							      login(1)

		      contain a lang id.  Only LANG is supported, not other
		      locale categories such as LC_CTYPE.

     SVR4_SIGNALS=YES Use the SVR4 semantics for the SIGXCPU and SIGXFSZ
		      signals.	If SVR4_SIGNALS=YES, the SVR4 semantics are
		      preserved and all processes ignore SIGXCPU and SIGXFSZ
		      by default.  If SVR4_SIGNALS=NO, these two signals
		      retain their default action, which is to cause the
		      receiving process to core dump.  If users intend to make
		      use of the CPU and filesize resource limits,
		      SVR4_SIGNALS should be set to NO.	 Note that using these
		      signals while SVR4_SIGNALS is set to YES causes behavior
		      that varies depending on the login shell.	 This setting
		      has no affect on processes that explicitly alter the
		      behavior of these signals using the signal(2) system
		      call.

     SITECHECK=	      Use an external program to authenticate users instead of
		      using the encrypted password field.  This allows sites
		      to implement other means of authentication, such as card
		      keys, biometrics, etc.  The program is invoked with user
		      name as the first argument, and remote hostname and
		      username, if applicable.	The action taken depend on
		      exit status, as follows:

		      0	      Success; user was authenticated, log in.

		      1	      Failure; exit login.

		      2	      Failure; try again (don't exit login).

		      other   Use normal UNIX authentication.

		      If authentication fails, the program can chose to
		      indicate either exit code 1 or 2, as appropriate.	 If
		      the program is not owned by root, is writable by others,
		      or cannot be executed, normal password authentication is
		      performed.  It is recommended that the program be given
		      a mode of 500.

		      Warning:	Because this option has the potential to
		      defeat normal IRIX security, any program used in this
		      way must be designed and tested very carefully.

		      Not supported when PAM is enabled.

     LOCKOUT=	      If nonzero, after this number of consecutive
		      unsuccessful login attempts by the same user, by all
		      instances of xdm and login, lock the account by invoking
		      passwd -l username.  Note that this feature allows a
		      denial of service attack that may require booting from
		      the miniroot to fix, as even the root accounts can be

									Page 3

login(1)							      login(1)

		      locked out.

     LOCKOUTEXEMPT=   If LOCKOUT is greater than zero, the users listed as
		      LOCKOUTEXEMPT will NOT be subject to the LOCKOUT option.
		      Usernames are separated by spaces, the list must be
		      terminated by end-of-line, maximum list length is 240
		      characters. LOCKOUTEXEMPT is ignored unless LOCKOUT is
		      enabled, and the list is not empty. Including privileged
		      accounts (such as root) in the LOCKOUTEXEMPT list, is
		      not recommended, as it allows an indefinite number of
		      attacks on the exempt accounts. Also, if LOCKOUTEXEMPT
		      is enabled, the /etc/default/login file should be given
		      a mode 400 or 600 to prevent unauthorized viewing and/or
		      tampering with the LOCKOUTEXEMPT list.

     MACREMOTE=SESSION
		      If SESSION, the session label of a remote login session
		      is always the same as that of the current login session.
		      If CLEARANCE, the default and permitted session labels
		      of a remote login session become those specified in
		      clearance(4).

     At some installations, you may be required to enter a dialup password for
     dialup connections as well as a login password.  In this case, the prompt
     for the dialup password is:

     ( dialup password is not supported when PAM is enabled. )

	  Dialup Password:

     Both passwords are required for a successful login.

     For remote logins over the network, the following sequence is performed
     by login before prompting for a username or password:

     o	If PAM is disabled, the file /etc/nologin disables remote logins if it
	exists; login prints the contents of this file before disconnecting
	the session.  If  PAM is enabled, login skip /etc/nologin check and
	depends on the configuration of the pam_nologin module ( see pam(8) )
	in /etc/pam.d/login.

     o	login prints the contents of /etc/issue ( if present ).

     The system can be configured to automate the login process after a system
     restart.  When the file /etc/autologin exists and contains a valid user
     name, the system logs in as the specified user without prompting for a
     user name or password.  The automatic login takes place only after a
     system restart; once the user logs out, the normal interactive login
     session is used until the next restart.  This is intended to be used at
     sites where the normal security mechanisms provided by login are not
     needed or desired.	 If you make five incorrect login attempts, all five

									Page 4

login(1)							      login(1)

     are logged in /var/adm/loginlog (if it exists) and the TTY line is
     dropped.  /etc/autologin.TTYLINE is like /etc/autologin except it is used
     by getty(1m) when initiating a terminal session for the device named by
     TTYLINE, and it will prompt for a password.  For example
     /etc/autologin.ttyd1 will control the login processes on /dev/ttyd1.

     If you do not complete the login successfully within a certain period of
     time (by default, 20 seconds), you are likely to be silently
     disconnected.

     After a successful login, accounting files are updated, the /etc/profile
     script is executed, the time you last logged in is printed (unless a file
     .hushlogin is present in the user's home directory), /etc/motd is
     printed, the user ID, group ID, supplementary group list, working
     directory, and command interpreter (usually sh) are initialized, and the
     file .profile in the working directory is executed, if it exists.	The
     name of the command interpreter is - followed by the last component of
     the interpreter's pathname (for example, -sh).  If this field in the
     password file is empty, the default command interpreter, /usr/bin/sh is
     used.

     If the shell field is *, the named directory becomes the root directory
     (a chroot(2) is done to the home directory, and the home directory is
     therefore the starting point (/) for path searches for pathnames
     beginning with a /.  At that point login is re-executed following the
     chroot(2).

     At the very least, this root structure must include the following files,
     with usr/lib32/libc.so.1 normally being a symlink to
     ../../lib32/libc.so.1.  A home directory must also exist, as well as the
     shell for the user(s) being chroot'ed.  It is possible to have the shell,
     password, and home directory be different in the new environment.	In
     this example, the shell used is /sbin/csh, and the home directory is
     /usr/people/olson.	 Given the following password entry, the directories
     and files listed below would exist below the directory /home/secure.

	  Entry in /etc/passwd:
	    olson:hl0njohzc0uC2:2117:10:Dave Olson:/home/secure:*
	  Entry in /home/secure/etc/passwd:
	    olson:am34670a63463:2117:10:Dave Olson:/usr/people/olson:/sbin/csh

	  dev:
	  tty	 zero
	  etc:
	  group	   passwd
	  lib32:
	  libc.so.1  rld
	  sbin:
	  csh
	  usr/bin:
	  login
	  usr/lib32:

									Page 5

login(1)							      login(1)

	  libc.so.1@	  libcrypt.so	  libgen.so	  libpthread.so
	  usr/people/olson:
	  .cshrc

     These files allow login to execute correctly, but you may also need to
     include additional files or applications that the user is allowed to
     execute.  Since these applications can in turn rely on additional shared
     libraries, it may also be necessary to place additional shared objects in
     /usr/lib32.  See the ftpd(1M) reference page for more information about
     setting up a root environment.

     The basic environment is initialized to:

	  HOME=your-login-directory
	  LOGNAME=your-login-name
	  PATH=/usr/bin
	  SHELL=last-field-of-passwd-entry
	  MAIL=/usr/mail/your-login-name
	  LANG=language-specification
	  TZ=timezone-specification

     The environment can be expanded or modified by supplying additional
     arguments when login prints the prompt requesting the user's login name.
     The arguments can take either of two forms:  xxx or xxx=yyy.  Arguments
     without an equal sign are placed in the environment as

	  Ln=xxx

     where n is a number that starts at 0 and is incremented each time a new
     variable name is required.	 Variables containing = are placed in the
     environment without modification.	If such a variable is already defined,
     the new value replaces the old value.  To prevent users who log in to
     restricted shell environments from spawning secondary shells that are not
     restricted, the following environment variables cannot be changed:

	  HOME
	  IFS
	  LOGNAME
	  PATH
	  SHELL

     Attempts to set environment variables beginning with the following
     strings (see the rld(1) reference page) are ignored, and such attempts
     are logged via syslogd:

	  _RLD
	  LD_LIBRARY

     login understands simple, single-character quoting conventions.  Typing a
     backslash in front of a character quotes it and allows the inclusion of
     such characters as spaces and tabs.

									Page 6

login(1)							      login(1)

     The capability set and MAC label of a Trusted IRIX login session can also
     be modified by supplying the CAP (see capability(4)) and MAC (see
     dominance(5)) arguments in addition to the login name.  The arguments
     take the following form:

	  CAP=capability-set
	  MAC=MAC-label

     For example, the following login prompt will set the MAC label of the
     login shell to userlow with all capabilities:

	  login: username MAC=userlow CAP=all+eip
	  password:

     To enable dial-in line password protection, two files are required.  The
     file /etc/dialups must contain of the name of any dialup ports (for
     example, /dev/ttyd2) that require password protection.  These are
     specified one per line.  The second file, /etc/d_passwd consists of lines
     with the following format:

	  shell:password:

     This file is scanned when the user logs in, and if the shell portion of
     any line matches the command interpreter that the user gets, the user is
     prompted for an additional dialin password, which is encoded and compared
     to that specified in the password portion of the line.  If the command
     interpreter cannot be found, the entry for the default shell, /sbin/sh,
     (or, for compatibility with existing configurations, /bin/sh) is used.
     (If both are present, the last one in file is used.)  If there is no such
     entry, no dialup password is required.  In other words, the /etc/d_passwd
     entry for /sbin/sh is the default.

NOTES
     Autologin is controlled by the existence of the /etc/autologin.on file.
     The file is normally created at boot time to automate the login process
     and then removed by login to disable the autologin process for succeeding
     terminal sessions.

     In the default configuration, encrypted passwords for users are kept in
     the system password file, /etc/passwd, which is a text file and is
     readable by any system user.  The program pwconv(1M) can be used by the
     system administrator to activate the shadow password mechanism.  When
     shadow passwords are enabled, the encrypted passwords are kept only in
     /etc/shadow, a file that is only readable by the superuser.  Refer to the
     pwconv(1M) reference page for more information about shadow passwords.

FILES
     /etc/dialups

									Page 7

login(1)							      login(1)

     /etc/d_passwd
     /etc/motd		  message of the day
     /etc/passwd	  password file
     /etc/shadow	  shadow password file
     /etc/profile	  system profile
     $HOME/.profile	  user's login profile
     $HOME/.lang	  user's login language specification
     /usr/lib/iaf/scheme  login authentication scheme
     /var/adm/lastlog	  time of last login
     /var/adm/loginlog	  record of failed login attempts
     /var/adm/utmp	  accounting
     /var/adm/wtmp	  accounting
     /etc/default/login	  to determine default behavior
     /var/mail/login_name mailbox for user login_name
     /usr/lib/locale/locale/LC_MESSAGES/uxcore
			  language-specific message file (see LANG in
			  environ(5))
     /etc/config/pam	  to determine whether PAM is enabled

SEE ALSO
     mail(1), newgrp(1), pwconv(1M), rexecd(1M), rshd(1M), sh(1), su(1M),
     capability(4), dominance(5), loginlog(4), passwd(4), profile(4),
     shadow(4), environ(5), pam(8).

DIAGNOSTICS
     The message

	  UX:login: ERROR: Login incorrect

     is printed if the user name or the password cannot be matched or if the
     user's login account has expired or remained inactive for a period
     greater than the system threshold.

     The message

	  UX:login: ioctl() failed: TCSETA

     is printed if the tty line does not support a requested baud rate
     (specified for remote logins).  A similar message is also sent to syslog.
     See serial(7) for information on which baud rates are supported.

									Page 8

[top]

List of man pages available for IRIX

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
...................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net