User Commands login(1)
NAME
login - sign on to the system
SYNOPSIS
login [-p] [-d device] [-R repository] [-s service]
[-t terminal] [-u identity] [-U ruser]
[-h hostname [terminal] | -r hostname]
[name [environ]...]
DESCRIPTION
The login command is used at the beginning of each terminal
session to identify oneself to the system. login is invoked
by the system when a connection is first established, after
the previous user has terminated the login shell by issuing
the exit command.
If login is invoked as a command, it must replace the initial
command interpreter. To invoke login in this fashion,
type:
exec login
from the initial shell. The C shell and Korn shell have
their own built-ins of login. See ksh(1), ksh93(1), and
csh(1) for descriptions of login built-ins and usage.
login asks for your user name, if it is not supplied as an
argument, and your password, if appropriate. Where possible,
echoing is turned off while you type your password, so it
does not appear on the written record of the session.
If you make any mistake in the login procedure, the message:
Login incorrect
is printed and a new login prompt appears. If you make five
incorrect login attempts, all five can be logged in
/var/adm/loginlog, if it exists. The TTY line is dropped.
If password aging is turned on and the password has aged
(see passwd(1) for more information), the user is forced to
SunOS 5.11 Last change: 7 Jan 2008 1
change the password. In this case the /etc/nsswitch.conf
file is consulted to determine password repositories (see
nsswitch.conf(4)). The password update configurations supported
are limited to the following five cases.
o passwd: files
o passwd: files nis
o passwd: files nisplus
o passwd: compat (==> files nis)
o passwd: compat (==> files nisplus)
  passwd_compat: nisplus
Failure to comply with the configurations prevents the user
from logging onto the system because passwd(1) fails. If you
do not complete the login successfully within a certain
period of time, it is likely that you are silently
disconnected.
After a successful login, accounting files are updated. Device
owner, group, and permissions are set according to the
contents of the /etc/logindevperm file, and the time you
last logged in is printed (see logindevperm(4)).
The user-ID, group-ID, supplementary group list, and working
directory are initialized, and the command interpreter
(usually ksh) is started.
The basic environment is initialized to:
HOME=your-login-directory
LOGNAME=your-login-name
PATH=/usr/bin:
SHELL=last-field-of-passwd-entry
MAIL=/var/mail/
TZ=timezone-specification
For Bourne shell and Korn shell logins, the shell executes
/etc/profile and $HOME/.profile, if it exists.
For the ksh93 Korn shell, an interactive shell then executes
/etc/ksh.kshrc, followed by the file specified by the ENV
environment variable. If $ENV is not set, this defaults to
$HOME/.kshrc. For the ksh and /usr/xpg4/bin/sh Korn Shell,
an interactive shell executes the file named by $ENV (no
default).
For C shell logins, the shell executes /etc/.login,
$HOME/.cshrc, and $HOME/.login. The default /etc/profile and
/etc/.login files check quotas (see quota(1M)), print
/etc/motd, and check for mail. None of the messages are
printed if the file $HOME/.hushlogin exists. The name of the
command interpreter is set to - (dash), followed by the last
component of the interpreter's path name, for example, -sh.
If the login-shell field in the password file (see
passwd(4)) is empty, then the default command interpreter,
/usr/bin/sh, is used. If this field is * (asterisk), then
the named directory becomes the root directory. At that
point, login is re-executed at the new level, which must
have its own root structure.
The environment can be expanded or modified by supplying
additional arguments to login, either at execution time or
when login requests your login name. The arguments can take
either the form xxx or xxx=yyy. Arguments without an =
(equal sign) are placed in the environment as:
Ln=xxx
where n is a number starting at 0 and is incremented each
time a new variable name is required. Variables containing
an = (equal sign) are placed in the environment without
modification. If they already appear in the environment,
then they replace the older values.
There are two exceptions: The variables PATH and SHELL cannot
be changed. This prevents people logged into restricted
shell environments from spawning secondary shells that are
not restricted. login understands simple single-character
quoting conventions. Typing a \ (backslash) in front of a
character quotes it and allows the inclusion of such
characters as spaces and tabs.
Alternatively, you can pass the current environment by
supplying the -p flag to login. This flag indicates that all
currently defined environment variables should be passed, if
possible, to the new environment. This option does not
bypass any environment variable restrictions mentioned
above. Environment variables specified on the login line
take precedence, if a variable is passed by both methods.
To enable remote logins by root, edit the /etc/default/login
file by inserting a # (pound sign) before the
CONSOLE=/dev/console entry. See FILES.
SECURITY
For accounts in name services which support automatic
account locking, the account can be configured to be
automatically locked (see user_attr(4) and policy.conf(4))
if the number of successive failed login attempts equals or
exceeds RETRIES. Currently, only the files repository (see
passwd(4) and shadow(4)) supports automatic account locking.
See also pam_unix_auth(5).
The login command uses pam(3PAM) for authentication, account
management, session management, and password management. The
PAM configuration policy, listed through /etc/pam.conf,
specifies the modules to be used for login. Here is a partial
pam.conf file with entries for the login command using
the UNIX authentication, account management, and session
management modules:
login   auth     required   pam_authtok_get.so.1
login   auth     required   pam_dhkeys.so.1
login   auth     required   pam_unix_auth.so.1
login   auth     required   pam_dial_auth.so.1
login   account  requisite  pam_roles.so.1
login   account  required   pam_unix_account.so.1
login   session  required   pam_unix_session.so.1
The Password Management stack looks like the following:
other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1
other   password requisite  pam_authtok_check.so.1
other   password required   pam_authtok_store.so.1
If there are no entries for the service, then the entries
for the other service are used. If multiple authentication
modules are listed, then the user can be prompted for
multiple passwords.
When login is invoked through rlogind or telnetd, the service
name used by PAM is rlogin or telnet, respectively.
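The service lookup described above, as an added example that is not part of the original manual page: shell functions that resolve which pam.conf entries apply to a service and module type, falling back to other when the service has none. The names pam_stack and pam_missing_types are hypothetical, and the sample file is constructed from the login and other entries quoted in this section.

```shell
#!/bin/sh
# Added example, not Solaris code: model of the pam.conf service lookup.

# Constructed sample: the login and other entries quoted in this section.
sample_pam_conf() {
cat <<'EOF'
login  auth     required   pam_authtok_get.so.1
login  auth     required   pam_dhkeys.so.1
login  auth     required   pam_unix_auth.so.1
login  auth     required   pam_dial_auth.so.1
login  account  requisite  pam_roles.so.1
login  account  required   pam_unix_account.so.1
login  session  required   pam_unix_session.so.1
other  password required   pam_dhkeys.so.1
other  password requisite  pam_authtok_get.so.1
other  password requisite  pam_authtok_check.so.1
other  password required   pam_authtok_store.so.1
EOF
}

# pam_stack SERVICE TYPE (hypothetical helper): reads pam.conf text on
# stdin and prints "control-flag module" for the entries that apply.
pam_stack() {
  awk -v svc="$1" -v typ="$2" '
    /^[ \t]*#/ || NF < 4 || $2 != typ { next }
    $1 == svc     { own[++n] = $3 " " $4 }
    $1 == "other" { oth[++m] = $3 " " $4 }
    END {
      if (n) { for (i = 1; i <= n; i++) print own[i] }  # service has its own entries
      else   { for (i = 1; i <= m; i++) print oth[i] }  # fall back to "other"
    }'
}

# pam_missing_types SERVICE (hypothetical helper): lists module types for
# which neither SERVICE nor "other" has an entry in the text on stdin.
pam_missing_types() {
  conf=$(cat)
  for t in auth account session password; do
    [ -n "$(printf '%s\n' "$conf" | pam_stack "$1" "$t")" ] || echo "$t"
  done
}

# login started by in.telnetd uses the service name telnet.
sample_pam_conf | pam_missing_types telnet
```

With this partial sample, the password stack for login comes from the other entries, and the telnet service has no auth, account or session entries to fall back on.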
OPTIONS
The following options are supported:
-d device
    login accepts a device option, device. device is taken to
    be the path name of the TTY port login is to operate on.
    The use of the device option can be expected to improve
    login performance, since login does not need to call
    ttyname(3C). The -d option is available only to users
    whose UID and effective UID are root. Any other attempt
    to use -d causes login to quietly exit.
-h hostname [terminal]
    Used by in.telnetd(1M) to pass information about the
    remote host and terminal type.
    Terminal type as a second argument to the -h option
    should not start with a hyphen (-).
-p
    Used to pass environment variables to the login shell.
-r hostname
    Used by in.rlogind(1M) to pass information about the
    remote host.
-R repository
    Used to specify the PAM repository that should be used to
    tell PAM about the "identity" (see option -u below). If
    no "identity" information is passed, the repository is
    not used.
-s service
    Indicates the PAM service name that should be used.
    Normally, this argument is not necessary and is used only
    for specifying alternative PAM service names. For
    example: "ktelnet" for the Kerberized telnet process.
-u identity
    Specifies the "identity" string associated with the user
    who is being authenticated. This usually is not the same
    as that user's Unix login name. For Kerberized login
    sessions, this is the Kerberos principal name associated
    with the user.
-U ruser
    Indicates the name of the person attempting to login on
    the remote side of the rlogin connection. When
    in.rlogind(1M) is operating in Kerberized mode, that
    daemon processes the terminal and remote user name
    information prior to invoking login, so the "ruser" data
    is indicated using this command line parameter. Normally
    (non-Kerberos authenticated rlogin), the login daemon
    reads the remote user information from the client.
EXIT STATUS
The following exit values are returned:
0 Successful operation.
non-zero Error.
FILES
$HOME/.cshrc Initial commands for each csh.
$HOME/.hushlogin Suppresses login messages.
$HOME/.kshrc User's commands for interactive
ksh93, if $ENV is unset; executes
after /etc/ksh.kshrc.
$HOME/.login User's login commands for csh.
$HOME/.profile User's login commands for sh, ksh,
and ksh93.
$HOME/.rhosts Private list of trusted
hostname/username combinations.
/etc/.login System-wide csh login commands.
/etc/issue Issue or project identification.
/etc/ksh.kshrc System-wide commands for interactive
ksh93.
/etc/logindevperm Login-based device permissions.
/etc/motd Message-of-the-day.
/etc/nologin Message displayed to users attempting
to login during machine shutdown.
/etc/passwd Password file.
/etc/profile System-wide sh, ksh, and ksh93 login
commands.
/etc/shadow List of users' encrypted passwords.
/usr/bin/sh User's default command interpreter.
/var/adm/lastlog Time of last login.
/var/adm/loginlog Record of failed login attempts.
/var/adm/utmpx Accounting.
/var/adm/wtmpx Accounting.
/var/mail/your-name Mailbox for user your-name.
/etc/default/login Default values can be set for the following
flags in /etc/default/login. Default values are specified as
comments in the /etc/default/login file, for example,
TIMEZONE=EST5EDT.
TIMEZONE
    Sets the TZ environment variable of the shell (see
    environ(5)).
HZ
    Sets the HZ environment variable of the shell.
ULIMIT
    Sets the file size limit for the login. Units are disk
    blocks. Default is zero (no limit).
CONSOLE
    If set, root can login on that device only. This does not
    prevent execution of remote commands with rsh(1). Comment
    out this line to allow login by root.
PASSREQ
    Determines if login requires a non-null password.
ALTSHELL
    Determines if login should set the SHELL environment
    variable.
PATH
    Sets the initial shell PATH variable.
SUPATH
    Sets the initial shell PATH variable for root.
TIMEOUT
    Sets the number of seconds (between 0 and 900) to wait
    before abandoning a login session.
UMASK
    Sets the initial shell file creation mode mask. See
    umask(1).
SYSLOG
    Determines whether the syslog(3C) LOG_AUTH facility should
    be used to log all root logins at level LOG_NOTICE and
    multiple failed login attempts at LOG_CRIT.
DISABLETIME
    If present, and greater than zero, the number of seconds
    that login waits after RETRIES failed attempts or the PAM
    framework returns PAM_ABORT. Default is 20 seconds.
    Minimum is 0 seconds. No maximum is imposed.
SLEEPTIME
    If present, sets the number of seconds to wait before the
    login failure message is printed to the screen. This is
    for any login failure other than PAM_ABORT. Another login
    attempt is allowed, providing RETRIES has not been reached
    or the PAM framework is returned PAM_MAXTRIES. Default is
    4 seconds. Minimum is 0 seconds. Maximum is 5 seconds.
    Both su(1M) and sulogin(1M) are affected by the value of
    SLEEPTIME.
RETRIES
    Sets the number of retries for logging in (see
    pam(3PAM)). The default is 5. The maximum number of
    retries is 15. For accounts configured with automatic
    locking (see SECURITY above), the account is locked and
    login exits. If automatic locking has not been configured,
    login exits without locking the account.
SYSLOG_FAILED_LOGINS
    Used to determine how many failed login attempts are
    allowed by the system before a failed login message is
    logged, using the syslog(3C) LOG_NOTICE facility. For
    example, if the variable is set to 0, login logs all
    failed login attempts.
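One way to check these flags, as an added example that is not part of the original manual page: a shell function that reads a file in /etc/default/login format and reports settings that fall outside the limits documented above. The function name audit_login_defaults is hypothetical, the sample file is constructed, and the YES value for PASSREQ and SYSLOG is assumed because the page does not list the accepted values.

```shell
#!/bin/sh
# Added example, not Solaris code: check /etc/default/login flags against
# the limits and behaviours documented on this page.

# Constructed sample input (not taken from a real host).
sample_login_defaults() {
cat <<'EOF'
#TIMEZONE=EST5EDT
#CONSOLE=/dev/console
PASSREQ=YES
SYSLOG=YES
RETRIES=20
SLEEPTIME=4
TIMEOUT=300
SYSLOG_FAILED_LOGINS=5
EOF
}

# audit_login_defaults (hypothetical helper): reads the file on stdin,
# prints one finding per line, returns 1 if there is any finding.
audit_login_defaults() {
  awk '
    function bad(msg) { print msg; n++ }
    function over(k, max) {
      if ((k in v) && v[k] + 0 > max) bad(k "=" v[k] ": above documented maximum " max)
    }
    /^[ \t]*#/ || index($0, "=") == 0 { next }   # a commented-out flag is skipped
    { k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      v[k] = substr($0, index($0, "=") + 1) }
    END {
      if (!("CONSOLE" in v)) bad("CONSOLE: unset, root login is not limited to one device")
      if (v["PASSREQ"] != "YES") bad("PASSREQ: not set to YES")   # YES/NO syntax assumed
      if (v["SYSLOG"] != "YES")  bad("SYSLOG: not set to YES")    # YES/NO syntax assumed
      over("RETRIES", 15); over("SLEEPTIME", 5); over("TIMEOUT", 900)
      if (!("SYSLOG_FAILED_LOGINS" in v) || v["SYSLOG_FAILED_LOGINS"] != "0") {
        bad("SYSLOG_FAILED_LOGINS: not set to 0, the value that logs every failed attempt")
      }
      exit (n > 0)
    }'
}

sample_login_defaults | audit_login_defaults || echo "review the findings above"
```

On a host, feed the function the real file with `audit_login_defaults < /etc/default/login`.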
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE         ATTRIBUTE VALUE
Availability           SUNWcsu
Interface Stability    Committed
SEE ALSO
csh(1), exit(1), ksh(1), ksh93(1), mail(1), mailx(1),
newgrp(1), passwd(1), rlogin(1), rsh(1), sh(1),
shell_builtins(1), telnet(1), umask(1), in.rlogind(1M),
in.telnetd(1M), logins(1M), quota(1M), su(1M), sulogin(1M),
syslogd(1M), useradd(1M), userdel(1M), pam(3PAM),
rcmd(3SOCKET), syslog(3C), ttyname(3C), auth_attr(4),
exec_attr(4), hosts.equiv(4), issue(4), logindevperm(4),
loginlog(4), nologin(4), nsswitch.conf(4), pam.conf(4),
passwd(4), policy.conf(4), profile(4), shadow(4),
user_attr(4), utmpx(4), wtmpx(4), attributes(5), environ(5),
pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
termio(7I)
DIAGNOSTICS
Login incorrect
The user name or the password cannot be matched.
Not on system console
Root login denied. Check the CONSOLE setting in
/etc/default/login.
No directory! Logging in with home=/
The user's home directory named in the passwd(4) database
cannot be found or has the wrong permissions. Contact your
system administrator.
No shell
Cannot execute the shell named in the passwd(4) database.
Contact your system administrator.
NO LOGINS: System going down in N minutes
The machine is in the process of being shut down and
logins have been disabled.
WARNINGS
Users with a UID greater than 76695844 are not subject to
password aging, and the system does not record their last
login time.
If you use the CONSOLE setting to disable root logins, you
should arrange that remote command execution by root is also
disabled. See rsh(1), rcmd(3SOCKET), and hosts.equiv(4) for
further details.
NOTES
The pam_unix(5) module is no longer supported. Similar
functionality is provided by pam_unix_account(5),
pam_unix_auth(5), pam_unix_session(5), pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), and
pam_passwd_auth(5).