man pages section 1: User Commands

Updated: Thursday, June 13, 2019
 
 

login(1)

Name

login - sign on to the system

Synopsis

login [-p] [-d device] [-R repository] [-s service] 
     [-t terminal] [-u identity] [-U ruser] 
     [-h hostname [terminal] | -r hostname] 
     [name [environ]...]

Description

The login command is used at the beginning of each terminal session to identify oneself to the system. login is invoked by the system when a connection is first established, after the previous user has terminated the login shell by issuing the exit command.

Login cannot be invoked as a command, except by the superuser.

If login is invoked as a command, it must replace the initial command interpreter. To invoke login in this fashion, type:

exec login

from the initial shell. The C shell and Korn shell have their own built-ins of login. See ksh(1), ksh88(1), and csh(1) for descriptions of login built-ins and usage.

login asks for your user name, if it is not supplied as an argument, and your password, if appropriate. Where possible, echoing is turned off while you type your password, so it does not appear on the written record of the session.

If you make any mistake in the login procedure, the message:

Login incorrect

is printed and a new login prompt appears. If you make five incorrect login attempts, all five can be logged in /var/adm/loginlog, if it exists. The TTY line is dropped.

If password aging is turned on and the password has aged (see passwd(1) for more information), the user is forced to change the password. In this case the /etc/nsswitch.conf file is consulted to determine password repositories (see nsswitch.conf(5)). The password update configurations supported are limited to the following cases.

  • passwd: files

  • passwd: files nis

Failure to comply with the configurations prevents the user from logging onto the system because passwd(1) fails. If you do not complete the login successfully within a certain period of time, it is likely that you are silently disconnected.

After a successful login, accounting files are updated. Device owner, group, and permissions are set according to the contents of the /etc/logindevperm file, and the time you last logged in is printed (see logindevperm(5)).

The user-ID, group-ID, supplementary group list, and working directory are initialized, and the command interpreter is started.

The basic environment is initialized to:

HOME=your-login-directory
LOGNAME=your-login-name
PATH=/usr/bin:
SHELL=last-field-of-passwd-entry
MAIL=/var/mail/

For Bourne shell and Korn shell logins, the shell executes /etc/profile and $HOME/.profile, if it exists.

For the ksh Korn shell, an interactive shell then executes /etc/ksh.kshrc, followed by the file specified by the ENV environment variable. If $ENV is not set, this defaults to $HOME/.kshrc. For the ksh and /usr/xpg4/bin/sh Korn Shell, an interactive shell executes the file named by $ENV (no default).

For C shell logins, the shell executes /etc/.login, $HOME/.cshrc, and $HOME/.login. The default /etc/profile and /etc/.login files check quotas (see quota(8)), print /etc/motd, and check for mail. None of the messages are printed if the file $HOME/.hushlogin exists. The name of the command interpreter is set to - (dash), followed by the last component of the interpreter's path name, for example, -sh.

If the login-shell field in the password file (see passwd(5)) is empty, then the default command interpreter, /usr/bin/sh, is used. If this field is * (asterisk), then the named directory becomes the root directory. At that point, login is re-executed at the new level, which must have its own root structure.

The environment can be expanded or modified by supplying additional arguments to login, either at execution time or when login requests your login name. The arguments can take either the form xxx or xxx=yyy. Arguments without an = (equal sign) are placed in the environment as:

Ln=xxx

where n is a number starting at 0 and is incremented each time a new variable name is required. Variables containing an = (equal sign) are placed in the environment without modification. If they already appear in the environment, then they replace the older values.

There are two exceptions: The variables PATH and SHELL cannot be changed. This prevents people logged into restricted shell environments from spawning secondary shells that are not restricted. login understands simple single-character quoting conventions. Typing a \ (backslash) in front of a character quotes it and allows the inclusion of such characters as spaces and tabs.

Alternatively, you can pass the current environment by supplying the -p flag to login. This flag indicates that all currently defined environment variables should be passed, if possible, to the new environment. This option does not bypass any environment variable restrictions mentioned above. Environment variables specified on the login line take precedence, if a variable is passed by both methods.

To enable remote logins by root, edit the /etc/default/login file by inserting a # (pound sign) before the CONSOLE=/dev/console entry. See FILES.

Security

For accounts in the files (passwd(5) and shadow(5)) name service, or in the ldap name service when configured with enableShadowUpdate true, the account can be configured to be locked automatically if the number of successive failed login attempts equals or exceeds the configured value. See ldapclient(8), user_attr(5), policy.conf(5), and pam_unix_auth(7).

The login command uses pam(3PAM) for authentication, account management, session management, and password management. The PAM configuration policy, listed in either /etc/pam.conf or /etc/pam.d/login, specifies the modules to be used for login. Here is a partial pam.conf file with entries for the login command using the UNIX authentication, account management, and session management modules:


login  auth       required  pam_authtok_get.so.1
login  auth       required  pam_dhkeys.so.1
login  auth       required  pam_unix_auth.so.1
login  auth       required  pam_dial_auth.so.1

login  account    requisite pam_roles.so.1
login  account    required  pam_unix_account.so.1

login  session    required  pam_unix_session.so.1

The equivalent PAM configuration in /etc/pam.d/ would be the following entries in /etc/pam.d/login:

auth     required  pam_authtok_get.so.1
auth     required  pam_dhkeys.so.1
auth     required  pam_unix_auth.so.1
auth     required  pam_dial_auth.so.1

account  requisite pam_roles.so.1
account  required  pam_unix_account.so.1

session  required  pam_unix_session.so.1

The Password Management stack in /etc/pam.conf typically looks like the following:

other  password   required   pam_dhkeys.so.1
other  password   requisite  pam_authtok_get.so.1
other  password   requisite  pam_authtok_check.so.1
other  password   required   pam_authtok_store.so.1

If there are no entries for a PAM service in either /etc/pam.conf or /etc/pam.d/service, then the entries for the “other” service in /etc/pam.conf are used. If there are no entries in /etc/pam.conf for the “other” service, then the entries in /etc/pam.d/other are used. If multiple authentication modules are listed, the user can be prompted for multiple passwords.

When login is invoked through rlogind or telnetd, the service name used by PAM is rlogin or telnet, respectively.
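The lookup order described above can be checked against copies of the PAM files with a small resolver. This is an added example, not part of the original man page or of the system's own code; the function names pam_stack and make_sample are hypothetical, and it assumes that the fallback applies per module type and that /etc/pam.conf is consulted before /etc/pam.d/service.

```shell
# Added example. pam_stack SERVICE TYPE [PAM_CONF] [PAM_D_DIR]
# Prints the "control module [options]" lines that apply, trying in order:
# pam.conf SERVICE, pam.d/SERVICE, pam.conf "other", pam.d/other (assumed order).
pam_stack() {
    svc=$1 mtype=$2 conf=${3:-/etc/pam.conf} dir=${4:-/etc/pam.d}
    for name in "$svc" other; do
        out=
        # pam.conf layout: service type control module [options]
        [ -r "$conf" ] && out=$(awk -v s="$name" -v t="$mtype" '
            $1 ~ /^#/ { next }
            $1 == s && $2 == t && NF >= 4 { $1 = ""; $2 = ""; sub(/^ +/, ""); print }
        ' "$conf")
        # pam.d/<service> layout: type control module [options]
        [ -z "$out" ] && [ -r "$dir/$name" ] && out=$(awk -v t="$mtype" '
            $1 ~ /^#/ { next }
            $1 == t && NF >= 3 { $1 = ""; sub(/^ +/, ""); print }
        ' "$dir/$name")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            return 0
        fi
    done
    return 1    # nothing configured anywhere for this module type
}

# Constructed sample built from the entries shown on this page.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/pam.d" || return 1
    cat > "$d/pam.conf" <<'EOF'
login  auth      required   pam_authtok_get.so.1
login  auth      required   pam_dhkeys.so.1
login  auth      required   pam_unix_auth.so.1
login  auth      required   pam_dial_auth.so.1
login  account   requisite  pam_roles.so.1
login  account   required   pam_unix_account.so.1
login  session   required   pam_unix_session.so.1
other  password  required   pam_dhkeys.so.1
other  password  requisite  pam_authtok_get.so.1
other  password  requisite  pam_authtok_check.so.1
other  password  required   pam_authtok_store.so.1
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample)
pam_stack login password "$sample/pam.conf" "$sample/pam.d"   # falls back to "other"
pam_stack telnet auth "$sample/pam.conf" "$sample/pam.d" || echo "telnet auth: no entries"
rm -rf "$sample"
```

A service that resolves to no entries at all, or only to the “other” stack, is worth reviewing, since login runs under the rlogin or telnet service name when started by rlogind or telnetd.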

Options

The following options are supported:

-d device

login accepts a device option, device. device is taken to be the path name of the TTY port login is to operate on. The use of the device option can be expected to improve login performance, since login does not need to call ttyname(3C). The -d option is available only to users whose UID and effective UID are root. Any other attempt to use -d causes login to quietly exit.

-h hostname [terminal]

Used by in.telnetd(8) to pass information about the remote host and terminal type.

Terminal type as a second argument to the -h option should not start with a hyphen (-).

-p

Used to pass environment variables to the login shell.

-r hostname

Used by in.rlogind(8) to pass information about the remote host.

-R repository

Used to specify the PAM repository that should be used to tell PAM about the “identity” (see option -u below). If no “identity” information is passed, the repository is not used.

-s service

Indicates the PAM service name that should be used. Normally, this argument is not necessary and is used only for specifying alternative PAM service names. For example: “ktelnet” for the Kerberized telnet process.

-u identity

Specifies the “identity” string associated with the user who is being authenticated. This usually is not the same as that user's Unix login name. For Kerberized login sessions, this is the Kerberos principal name associated with the user.

-U ruser

Indicates the name of the person attempting to log in on the remote side of the rlogin connection. When in.rlogind(8) is operating in Kerberized mode, that daemon processes the terminal and remote user name information prior to invoking login, so the “ruser” data is indicated using this command line parameter. Normally (non-Kerberos authenticated rlogin), the login daemon reads the remote user information from the client.

Exit Status

The following exit values are returned:

0

Successful operation.

non-zero

Error.

Files

$HOME/.cshrc

Initial commands for each csh.

$HOME/.hushlogin

Suppresses login messages.

$HOME/.kshrc

User's commands for interactive ksh, if $ENV is unset; executes after /etc/ksh.kshrc.

$HOME/.login

User's login commands for csh.

$HOME/.profile

User's login commands for sh and ksh.

$HOME/.rhosts

Private list of trusted hostname/username combinations.

/etc/.login

System-wide csh login commands.

/etc/issue

Issue or project identification.

/etc/ksh.kshrc

System-wide commands for interactive ksh.

/etc/logindevperm

Login-based device permissions.

/etc/motd

Message-of-the-day.

/etc/nologin

Message displayed to users attempting to login during machine shutdown.

/etc/passwd

Password file.

/etc/profile

System-wide sh and ksh login commands.

/etc/shadow

List of users' encrypted passwords.

/usr/bin/sh

User's default command interpreter.

/var/adm/lastlog

Time of last login.

/var/adm/loginlog

Record of failed login attempts.

/var/adm/utmpx

Accounting.

/var/adm/wtmpx

Accounting.

/var/mail/your-name

Mailbox for user your-name.

/etc/default/login

Default value can be set for the following flags in /etc/default/login. Default values are specified as comments in the /etc/default/login file, for example, ULIMIT=0.

The /etc/default/login file is obsolete. However, you can use the svc:/system/security/account-policy:default service to set the corresponding SMF properties.

The following table lists the mapping between the properties in the /etc/default/login and the SMF properties:

Property in /etc/default/login    Corresponding SMF Property
HZ                                login/environment/hz
ULIMIT                            login/environment/ulimit
CONSOLE                           login_policy/root_login_device
PASSREQ                           login_policy/password_required
ALTSHELL                          login/environment/set_shell
PATH                              login/environment/path
SUPATH                            login/environment/root_path
TIMEOUT                           login_policy/timeout
UMASK                             login_environment/umask
SYSLOG                            login/log/syslog
DISABLETIME                       login_policy/disabletime
SLEEPTIME                         login_policy/sleeptime
RETRIES                           login_policy/retries
SYSLOG_FAILED_LOGINS              login/log/syslog_failed_attempts

For information on managing the SMF properties, see the account-policy(8S) man page.

The descriptions of the properties in the /etc/default/login file are as follows:

HZ

Sets the HZ environment variable of the shell.

ULIMIT

Sets the file size limit for the login. Units are disk blocks. Default is zero (no limit).

CONSOLE

If set, root can login on that device only. This does not prevent execution of remote commands with rsh(1). Comment out this line to allow login by root.

PASSREQ

Determines if login requires a non-null password.

ALTSHELL

Determines if login should set the SHELL environment variable.

PATH

Sets the initial shell PATH variable.

SUPATH

Sets the initial shell PATH variable for root.

TIMEOUT

Sets the number of seconds (between 0 and 900) to wait before abandoning a login session.

UMASK

Sets the initial shell file creation mode mask. See umask(1).

SYSLOG

Determines whether the syslog(3C) LOG_AUTH facility should be used to log all root logins at level LOG_NOTICE and multiple failed login attempts at LOG_CRIT.

DISABLETIME

If present, and greater than zero, the number of seconds that login waits after RETRIES failed attempts or the PAM framework returns PAM_ABORT. Default is 20 seconds. Minimum is 0 seconds. No maximum is imposed.

SLEEPTIME

If present, sets the number of seconds to wait before the login failure message is printed to the screen. This is for any login failure other than PAM_ABORT. Another login attempt is allowed, providing RETRIES has not been reached or the PAM framework is returned PAM_MAXTRIES. Default is 4 seconds. Minimum is 0 seconds. Maximum is 5 seconds.

Both su(8) and sulogin(8) are affected by the value of SLEEPTIME.

RETRIES

Sets the number of retries for logging in (see pam(3PAM)). The default is 5. The maximum number of retries is 15. For accounts configured with automatic locking (see SECURITY above), the account is locked and login exits. If automatic locking has not been configured, login exits without locking the account.

SYSLOG_FAILED_LOGINS

Used to determine how many failed login attempts are allowed by the system before a failed login message is logged, using the syslog(3C) LOG_NOTICE facility. For example, if the variable is set to 0, login logs all failed login attempts.

Of the flags listed in /etc/default/login, sshd(8) uses:

  • PATH

  • SUPATH

  • UMASK
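A short audit of the active (uncommented) settings in a copy of /etc/default/login, using the limits given in the property descriptions above. This is an added example, not from the original man page; the function names are hypothetical, and the expected values (YES for PASSREQ and SYSLOG, 0 for SYSLOG_FAILED_LOGINS, a lower bound of 0 for RETRIES) are policy assumptions of the example.

```shell
# Added example: audit a copy of /etc/default/login.
# Expected values are this example's policy assumptions, not system defaults.

# setting FILE KEY -> prints the last uncommented KEY=value, empty if unset
setting() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# in_range VALUE MIN MAX -> true if VALUE is an integer within [MIN, MAX]
in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# audit_login FILE -> prints one finding per line; returns 0 only if none
audit_login() {
    f=$1 bad=0
    note() { printf '%s\n' "$1"; bad=1; }
    [ -n "$(setting "$f" CONSOLE)" ] || note "CONSOLE unset: root login not tied to one device"
    [ "$(setting "$f" PASSREQ)" = YES ] || note "PASSREQ is not YES"
    [ "$(setting "$f" SYSLOG)" = YES ] || note "SYSLOG is not YES"
    [ "$(setting "$f" SYSLOG_FAILED_LOGINS)" = 0 ] ||
        note "SYSLOG_FAILED_LOGINS is not 0: not every failed login is logged"
    # Numeric limits from the property descriptions on this page (RETRIES
    # minimum assumed 0). An unset key keeps its default and is not reported.
    for spec in TIMEOUT:0:900 SLEEPTIME:0:5 RETRIES:0:15; do
        key=${spec%%:*}; rest=${spec#*:}
        v=$(setting "$f" "$key")
        [ -z "$v" ] || in_range "$v" "${rest%%:*}" "${rest#*:}" ||
            note "$key=$v outside ${rest%%:*}..${rest#*:}"
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample: CONSOLE commented out, TIMEOUT out of range.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#CONSOLE=/dev/console
PASSREQ=YES
SYSLOG=YES
SYSLOG_FAILED_LOGINS=5
TIMEOUT=3600
RETRIES=3
EOF
audit_login "$sample" || echo "review the settings listed above"
rm -f "$sample"
```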

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE         ATTRIBUTE VALUE
Availability           system/core-os
Interface Stability    Committed

See Also

csh(1), exit(1), ksh(1), ksh88(1), mail(1), mailx(1), newgrp(1), passwd(1), rlogin(1), rsh(1), sh(1), shell_builtins(1), telnet(1), umask(1), rcmd(3C), syslog(3C), ttyname(3C), pam(3PAM), termio(4I), auth_attr(5), exec_attr(5), hosts.equiv(5), issue(5), logindevperm(5), loginlog(5), nologin(5), nsswitch.conf(5), pam.conf(5), passwd(5), policy.conf(5), profile(5), shadow(5), user_attr(5), utmpx(5), wtmpx(5), attributes(7), environ(7), pam_authtok_check(7), pam_authtok_get(7), pam_authtok_store(7), pam_dhkeys(7), pam_passwd_auth(7), pam_unix_account(7), pam_unix_auth(7), pam_unix_session(7), in.rlogind(8), in.telnetd(8), logins(8), quota(8), sshd(8), su(8), sulogin(8), syslogd(8), useradd(8), userdel(8), account-policy(8S)

Diagnostics

Login incorrect

The user name or the password cannot be matched.

Not on system console

Root login denied. Check the CONSOLE setting in /etc/default/login.

No directory! Logging in with home=/

The user's home directory named in the passwd(5) database cannot be found or has the wrong permissions. Contact your system administrator.

No shell

Cannot execute the shell named in the passwd(5) database. Contact your system administrator.

NO LOGINS: System going down in N minutes

The machine is in the process of being shut down and logins have been disabled.

Warnings

If you use the CONSOLE setting to disable root logins, you should arrange that remote command execution by root is also disabled. See rsh(1), rcmd(3C), and hosts.equiv(5) for further details.