NAME | SYNOPSIS | DESCRIPTION | SECURITY | OPTIONS | EXIT STATUS | FILES | ATTRIBUTES | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO | DIAGNOSTICS | WARNINGS
The login command is used at the beginning of each terminal session to identify oneself to the system. login is invoked by the system when a connection is first established, after the previous user has terminated the login shell by issuing the exit command.
If login is invoked as a command, it must replace the initial command interpreter. To invoke login in this fashion, type:
    exec login
from the initial shell. The C shell and Korn shell have their own builtins of login. See ksh(1) and csh(1) for descriptions of login builtins and usage.
login asks for your user name if it is not supplied as an argument, and your password, if appropriate. Where possible, echoing is turned off while you type your password, so it will not appear on the written record of the session.
If you make any mistake in the login procedure, the message:
    Login incorrect
is printed and a new login prompt will appear. If you make five incorrect login attempts, all five may be logged in /var/adm/loginlog, if it exists. The TTY line will be dropped.
If password aging is turned on and the password has "aged" (see passwd(1) for more information), login is denied with a message to use the desktop to log in and change the password.
After a successful login, accounting files are updated. Device owner, group, and permissions are set according to the contents of the /etc/logindevperm file, and the time you last logged in is printed (see logindevperm(4)).
Except for remote logins, login asks you to select the sensitivity label (SL) at which you will operate for this terminal session. You must enter a label that you are authorized to use and that is valid for the device.
The user-ID, group-ID, supplementary group list, and working directory are initialized, and the command interpreter (usually ksh) is started.
The basic environment is initialized to:
    HOME=your-login-directory
    LOGNAME=your-login-name
    PATH=/usr/bin:
    SHELL=last-field-of-passwd-entry
    MAIL=/var/mail/
    TZ=timezone-specification
For Bourne shell and Korn shell logins, the shell executes /etc/profile and $HOME/.profile, if it exists. For C shell logins, the shell executes /etc/.login, $HOME/.cshrc, and $HOME/.login. The default /etc/profile and /etc/.login files check quotas (see quota(1M)), print /etc/motd, and check for mail. None of the messages are printed if the file $HOME/.hushlogin exists. The name of the command interpreter is set to - (dash), followed by the last component of the interpreter's path name, for example, -sh.
If the login-shell field in the password file (see passwd(4)) is empty, then the default command interpreter, /usr/bin/sh, is used. If this field is * (asterisk), then the named directory becomes the root directory. At that point, login is re-executed at the new level, which must have its own root structure.
The environment may be expanded or modified by supplying additional arguments to login, either at execution time or when login requests your login name. The arguments may take either the form xxx or xxx=yyy. Arguments without an = (equal sign) are placed in the environment as:
Ln=xxx
where n is a number starting at 0 and is incremented each time a new variable name is required. Variables containing an = (equal sign) are placed in the environment without modification. If they already appear in the environment, then they replace the older values.
There are two exceptions: The variables PATH and SHELL cannot be changed. This prevents people logged into restricted shell environments from spawning secondary shells that are not restricted. login understands simple single-character quoting conventions. Typing a \ (backslash) in front of a character quotes it and allows the inclusion of such characters as spaces and tabs.
Alternatively, you can pass the current environment by supplying the -p flag to login. This flag indicates that all currently defined environment variables should be passed, if possible, to the new environment. This option does not bypass any environment variable restrictions mentioned above. Environment variables specified on the login line take precedence, if a variable is passed by both methods.
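The argument rules above (Ln naming, replacement of older values, the PATH and SHELL exceptions, backslash quoting, and -p precedence) can be modelled in a few lines. This is an added example, not the Solaris login source; the function names, the sample values, and the choice to apply -p values before login's own base values are assumptions.

```python
# Added example: a model of the rules in the text, not the Solaris login source.
PROTECTED = {"PATH", "SHELL"}  # the two variables the page says cannot be changed


def split_args(line):
    """Split a login line into words; a backslash quotes the next character."""
    args, cur, in_arg, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # quoted character (space, tab, ...) kept as-is
            in_arg, i = True, i + 2
            continue
        if ch in " \t":
            if in_arg:  # unquoted whitespace ends the current word
                args.append("".join(cur))
                cur, in_arg = [], False
        else:
            cur.append(ch)
            in_arg = True
        i += 1
    if in_arg:
        args.append("".join(cur))
    return args


def build_env(base, login_args, inherited=None):
    """base: values login initialises; inherited: caller's environment under -p."""
    # Assumption: -p values are applied first, so login's own base values win.
    env = {k: v for k, v in (inherited or {}).items() if k not in PROTECTED}
    env.update(base)
    n = 0
    for arg in login_args:
        name, sep, value = arg.partition("=")
        if not sep:  # no '=': stored under the next Ln name
            env[f"L{n}"] = arg
            n += 1
        elif name not in PROTECTED:  # xxx=yyy replaces any older value
            env[name] = value
    return env


# Constructed sample: what a user might type after the login name.
BASE = {"HOME": "/home/alice", "LOGNAME": "alice", "PATH": "/usr/bin:",
        "SHELL": "/usr/bin/rksh"}
LINE = r"vt100 TERM=xterm PATH=/tmp: SHELL=/usr/bin/sh NOTE=a\ b EDITOR=ed"
ENV = build_env(BASE, split_args(LINE), inherited={"EDITOR": "vi", "PATH": "/x"})

if __name__ == "__main__":
    for key in sorted(ENV):
        print(f"{key}={ENV[key]}")
```

In the sample, the attempts to set PATH and SHELL are dropped, so a user confined to a restricted shell keeps both values.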
To enable remote logins by administrative users (that is, administrative roles), edit the /etc/default/login file by inserting a pound sign (#) before the CONSOLE=/dev/console entry. See FILES.
The login command uses pam(3PAM) for authentication, account management, session management, and password management. The PAM configuration policy, listed through /etc/pam.conf, specifies the modules to be used for login. Here is a partial pam.conf file with entries for the login command using the UNIX authentication, account management, session management, and password management module.
    login auth required /usr/lib/security/pam_unix.so.1
    login account required /usr/lib/security/pam_unix.so.1
    login session required /usr/lib/security/pam_unix.so.1
    login password required /usr/lib/security/pam_unix.so.1
When login is invoked through rlogind or telnetd, the service name used by PAM is rlogin or telnet respectively.
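Because remote logins use the service names rlogin and telnet, entries for login alone do not decide what those sessions run. The check below is an added example, not part of the man page or of Solaris; the function names are hypothetical, the sample file is constructed from the partial pam.conf above, and the fallback to the "other" service described in pam.conf(4) is taken as an assumption.

```python
# Added example: not part of the man page or of Solaris itself.
MODULE_TYPES = ("auth", "account", "session", "password")
SERVICES = ("login", "rlogin", "telnet")  # PAM service names named in the text


def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module_path), ...]}."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] not in MODULE_TYPES:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, flag, module = fields[:4]
        stacks.setdefault((service, mtype), []).append((flag, module))
    return stacks


def coverage(stacks, services=SERVICES):
    """For each service and module type, name the entries that would apply."""
    report = {}
    for svc in services:
        for mtype in MODULE_TYPES:
            if (svc, mtype) in stacks:
                report[(svc, mtype)] = svc
            elif ("other", mtype) in stacks:  # assumption: "other" is the default
                report[(svc, mtype)] = "other"
            else:
                report[(svc, mtype)] = None  # no entry found for this pair
    return report


SAMPLE = """\
# Constructed sample: the four login entries from the text plus one "other" line.
login auth required /usr/lib/security/pam_unix.so.1
login account required /usr/lib/security/pam_unix.so.1
login session required /usr/lib/security/pam_unix.so.1
login password required /usr/lib/security/pam_unix.so.1
other auth required /usr/lib/security/pam_unix.so.1
"""
REPORT = coverage(parse_pam_conf(SAMPLE))

if __name__ == "__main__":
    for (svc, mtype), source in sorted(REPORT.items()):
        print(f"{svc:7} {mtype:9} -> {source or 'NO ENTRY'}")
```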
The following options are supported:
login accepts a device option, device. device is taken as the path name of the TTY port on which login is to operate. The use of the device option can be expected to improve login performance because login will not need to call ttyname(3C).
Used by in.telnetd(1M) to pass information about the remote host and terminal type.
Used to pass environment variables to the login shell.
Used by in.rlogind(1M) to pass information about the remote host.
in.rlogind(1M) uses this option to indicate that the trusted path process attribute is set on the remote host for the process invoking rlogin.
in.rlogind(1M) uses this option to pass information about the UID of the invoker of rlogin. If uid and name are both passed by in.rlogind(1M), the UID of name must match the uid value or login is denied.
Upon success, login returns 0. Upon failure, login returns a nonzero value.
initial commands for each csh
suppresses login messages
user's login commands for csh
user's login commands for sh and ksh
private list of trusted hostname/username combinations
system-wide csh login commands
login-based device permissions
message-of-the-day
message displayed to users attempting to login during machine shutdown
password file
system-wide sh and ksh login commands
list of users' encrypted passwords
user's default command interpreter
time of last login
record of failed login attempts
accounting
accounting
mailbox for user your-name
Default values can be set for the following flags in /etc/default/login. For example: TIMEZONE=EST5EDT
Sets the TZ environment variable of the shell (see environ(5)).
Sets the HZ environment variable of the shell.
Sets the file size limit for the login. Units are disk blocks. Default is zero (no limit).
If this flag is set, administrative users can log in only on that device. This setting will not prevent execution of remote commands with rsh(1). Comment out this line to allow login by administrative users.
Determines if login requires a non-null password.
Determines if login should set the SHELL environment variable.
Sets the initial shell PATH variable.
Sets the initial shell PATH variable for root.
Sets the number of seconds (between 0 and 900) to wait before abandoning a login session.
Sets the initial shell file creation mode mask. See umask(1).
Determines whether the syslog(3C) LOG_AUTH facility should be used to log all root logins at level LOG_NOTICE and multiple failed login attempts at LOG_CRIT.
If present, sets the number of seconds to wait before login failure is printed to the screen and another login attempt is allowed. Default is 4 seconds. Minimum is 0 seconds. Maximum is 5 seconds.
Sets the number of retries for logging in (see pam(3PAM)). The default is 5.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWcsu |
You are prompted to select the label for your session at login time (except for remote login). Restrictions on labels and UIDs apply. The DESCRIPTION section explains these restrictions. The Trusted Solaris environment adds two options: -T and -U. (See OPTIONS.)
passwd(1), in.rlogind(1M)
csh(1), exit(1), ksh(1), mail(1), mailx(1), newgrp(1), rlogin(1), rsh(1), sh(1), shell_builtins(1), telnet(1), umask(1), in.telnetd(1M), logins(1M), su(1M), syslogd(1M), useradd(1M), userdel(1M), pam(3PAM), rcmd(3SOCKET), syslog(3C), ttyname(3C), hosts.equiv(4), logindevperm(4), loginlog(4), nologin(4), pam.conf(4), passwd(4), profile(4), shadow(4), utmpx(4), wtmpx(4), attributes(5), environ(5), pam_unix(5), termio(7I)
The user name or the password cannot be matched.
Administrative user login denied. Check the CONSOLE setting in /etc/default/login.
The user's home directory named in the passwd(4) database cannot be found or has the wrong permissions. Contact your system administrator.
Cannot execute the shell named in the passwd(4) database. Contact your system administrator.
The machine is in the process of being shut down and logins have been disabled.
Users with a UID greater than 76695844 are not subject to password aging, and the system does not record their last login time.
If you use the CONSOLE setting to disable administrative user logins, make sure that remote command execution by administrative users is also disabled. See rsh(1), rcmd(3SOCKET), and hosts.equiv(4) for further details.