[thirdparty/util-linux.git] / login-utils / login.1

.\" Copyright 1993 Rickard E. Faith (faith@cs.unc.edu)
.\" May be distributed under the GNU General Public License
.TH LOGIN 1 "March 2009" "util-linux" "User Commands"
.SH NAME
login \- begin session on the system
.SH SYNOPSIS
.B login
[
.BR \-p
] [
.BR \-h
.IR host
] [
.BR \-H
] [
.BR \-f
.IR username
|
.IR username
]
.SH DESCRIPTION
.B login
is used when signing onto a system.
If no argument is given,
.B login
prompts for the username.

The user is then prompted for a password, where approprate.  Echoing is
disabled to prevent revealing the password. Only a small number of password
failures are permitted before
.B login
exits and the communications link is severed.

If password aging has been enabled for the account, the user may be prompted
for a new password before proceeding. He will be forced to provide his old
password and the new password before continuing. Please refer to
.BR passwd (1)
for more information.

The user and group ID will be set according to their values in the
.I /etc/passwd
file. There is one exception if the user ID is zero: in this case,
only the primary group ID of the account is set. This should prevent
that the system adminitrator cannot login in case of network problems.
The value for
.BR $HOME ,
.BR $SHELL ,
.BR $PATH ,
.BR $LOGNAME ,
and
.B $MAIL
are set according to the appropriate fields in the password entry.
.B $PATH
defaults to
.I /usr/local/bin:/bin:/usr/bin:.
for normal users, and to
.I /sbin:/bin:/usr/sbin:/usr/bin
for root if not other configured.

The environment variable
.B $TERM
will be preserved, if it exists (other environment variables are
preserved if the
.B \-p
option is given) or be initialize to the terminal type on your tty

Then the user's shell is started. If no shell is specified for the
user in
.BR /etc/passwd ,
then
.B /bin/sh
is used.  If there is no directory specified in
.IR /etc/passwd ,
then
.I /
is used (the home directory is checked for the
.I .hushlogin
file described below).

If the file
.I .hushlogin
exists, then a "quiet" login is performed (this disables the checking
of mail and the printing of the last login time and message of the day).
Otherwise, if
.I /var/log/lastlog
exists, the last login time is printed (and the current login is
recorded).

.SH OPTIONS
.TP
.B \-p
Used by
.BR getty (8)
to tell
.B login
not to destroy the environment
.TP
.B \-f
Used to skip a second login authentication.  This specifically does
.B not
work for root, and does not appear to work well under Linux.
.TP
.B \-h
Used by other servers (i.e.,
.BR telnetd (8))
to pass the name of the remote host to
.B login
so that it may be placed in utmp and wtmp.  Only the superuser may use
this option.

Note that the \fB-h\fP option has impact on the \fBPAM service name\fP. The standard
service name is "login", with the \fB-h\fP option the name is "remote". It's
necessary to create a proper PAM config files (e.g.
.I /etc/pam.d/login
and 
.I /etc/pam.d/remote
).
.TP
.B \-H
Used by other servers (i.e.,
.BR telnetd (8))
to tell
.B login
that printing the hostname should be suppressed in the login: prompt.

.SH CONFIG FILE ITEMS
.B login
reads the
.IR /etc/login.defs (5)
configuration file. Note that the configuration file could be distributed with
another package (e.g. shadow-utils). The following configuration items are
relevant for
.BR login (1):
.PP
\fBMOTD_FILE\fR (string)
.RS 4
If defined, ":" delimited list of "message of the day" files to be displayed
upon login. The default value is "/etc/motd". If the \fBMOTD_FILE\fR item is
empty or "quiet" login is enabled then the message of the day is not displayed.
Note that the same functionality is also provided by
.BR pam_motd (8)
PAM module.
.RE
.PP
\fBLOGIN_TIMEOUT\fR (number)
.RS 4
Max time in seconds for login. The default value is 60.
.RE
.PP
\fBFAIL_DELAY\fR (number)
.RS 4
Delay in seconds before being allowed another attempt after a login failure.
The default value is 5.
.RE
.PP
\fBTTYPERM\fR (string)
.RS 4
The terminal permissions. The default value is 0600.
.RE
.PP
\fBTTYGROUP\fR (string)
.RS 4
The login tty will be owned by the
\fBTTYGROUP\fR. The default value is 'tty'. If the \fBTTYGROUP\fR does not exist
then the ownership of the terminal is set to the user\'s primary group.
.SP
The \fBTTYGROUP\fR can be either the name of a group or a numeric group identifier.
.RE
.PP
\fBHUSHLOGIN_FILE\fR (string)
.RS 4
If defined, this file can inhibit all the usual chatter during the login
sequence.  If a full pathname (e.g. /etc/hushlogins) is specified, then hushed
mode will be enabled if the user\'s name or shell are found in the file. If
this global hush login file is empty then the hushed mode will be enabled for
all users.

If not a full pathname is specified, then hushed mode will be enabled if the
file exists in the user\'s home directory.

The default is to check "/etc/hushlogins" and if does not exist then
"~/.hushlogin".

If the \fBHUSHLOGIN_FILE\fR item is empty then all checks are disabled.
.RE
.PP
\fBDEFAULT_HOME\fR (boolean)
.RS 4
Indicate if login is allowed if we can\'t cd to the home directory. If set to
\fIyes\fR, the user will login in the root (/) directory if it is not possible
to cd to her home directory. The default value is 'yes'.
.RE
.PP
\fBLOG_UNKFAIL_ENAB\fR (boolean)
.RS 4
Enable display of unknown usernames when login failures are recorded\&.
.sp
Note that logging unknown usernames may be a security issue if an user enter
her password instead of her login name.
.RE
.SH FILES
.nf
.I /var/run/utmp
.I /var/log/wtmp
.I /var/log/lastlog
.I /var/spool/mail/*
.I /etc/motd
.I /etc/passwd
.I /etc/nologin
.I /etc/usertty
.I /etc/pam.d/login
.I /etc/pam.d/remote
.I .hushlogin
.fi
.SH "SEE ALSO"
.BR init (8),
.BR getty (8),
.BR mail (1),
.BR passwd (1),
.BR passwd (5),
.BR environ (7),
.BR shutdown (8)
.SH BUGS

The undocumented BSD
.B \-r
option is not supported.  This may be required by some
.BR rlogind (8)
programs.

A recursive login, as used to be possible in the good old days,
no longer works; for most purposes
.BR su (1)
is a satisfactory substitute. Indeed, for security reasons,
login does a vhangup() system call to remove any possible
listening processes on the tty. This is to avoid password
sniffing. If one uses the command "login", then the surrounding shell
gets killed by vhangup() because it's no longer the true owner of the tty.
This can be avoided by using "exec login" in a top-level shell or xterm.
.SH AUTHOR
Derived from BSD login 5.40 (5/9/89) by Michael Glad (glad@daimi.dk)
for HP-UX
.br
Ported to Linux 0.12: Peter Orbaek (poe@daimi.aau.dk)
.SH AVAILABILITY
The login command is part of the util-linux package and is available from
ftp://ftp.kernel.org/pub/linux/utils/util-linux/.
Commit	Line	Data
6dbe3af9 KZ	1	.\" Copyright 1993 Rickard E. Faith (faith@cs.unc.edu)
6dbe3af9 KZ	2	.\" May be distributed under the GNU General Public License
232dc924	3	.TH LOGIN 1 "March 2009" "util-linux" "User Commands"
6dbe3af9	4	.SH NAME
7d6b450d	5	login \- begin session on the system
6dbe3af9	6	.SH SYNOPSIS
7d6b450d KZ	7	.B login
	8	[
	9	.BR \-p
	10	] [
	11	.BR \-h
	12	.IR host
	13	] [
92e386ca KZ	14	.BR \-H
92e386ca KZ	15	] [
7d6b450d KZ	16	.BR \-f
	17	.IR username
	18	\|
	19	.IR username
	20	]
6dbe3af9 KZ	21	.SH DESCRIPTION
6dbe3af9 KZ	22	.B login
bc4aa3b5	23	is used when signing onto a system.
7d6b450d	24	If no argument is given,
6dbe3af9 KZ	25	.B login
	26	prompts for the username.
	27
7d6b450d KZ	28	The user is then prompted for a password, where approprate. Echoing is
	29	disabled to prevent revealing the password. Only a small number of password
	30	failures are permitted before
6dbe3af9	31	.B login
7d6b450d	32	exits and the communications link is severed.
6dbe3af9	33
7d6b450d KZ	34	If password aging has been enabled for the account, the user may be prompted
	35	for a new password before proceeding. He will be forced to provide his old
	36	password and the new password before continuing. Please refer to
	37	.BR passwd (1)
	38	for more information.
6dbe3af9	39
7d6b450d KZ	40	The user and group ID will be set according to their values in the
	41	.I /etc/passwd
	42	file. There is one exception if the user ID is zero: in this case,
	43	only the primary group ID of the account is set. This should prevent
	44	that the system adminitrator cannot login in case of network problems.
	45	The value for
	46	.BR $HOME ,
	47	.BR $SHELL ,
	48	.BR $PATH ,
	49	.BR $LOGNAME ,
	50	and
	51	.B $MAIL
	52	are set according to the appropriate fields in the password entry.
	53	.B $PATH
	54	defaults to
	55	.I /usr/local/bin:/bin:/usr/bin:.
6dbe3af9	56	for normal users, and to
7d6b450d KZ	57	.I /sbin:/bin:/usr/sbin:/usr/bin
7d6b450d KZ	58	for root if not other configured.
6dbe3af9	59
7d6b450d KZ	60	The environment variable
	61	.B $TERM
	62	will be preserved, if it exists (other environment variables are
	63	preserved if the
	64	.B \-p
	65	option is given) or be initialize to the terminal type on your tty
	66
	67	Then the user's shell is started. If no shell is specified for the
fd6b7a7f	68	user in
6dbe3af9 KZ	69	.BR /etc/passwd ,
	70	then
	71	.B /bin/sh
	72	is used. If there is no directory specified in
	73	.IR /etc/passwd ,
	74	then
	75	.I /
	76	is used (the home directory is checked for the
	77	.I .hushlogin
7d6b450d KZ	78	file described below).
	79
	80	If the file
	81	.I .hushlogin
	82	exists, then a "quiet" login is performed (this disables the checking
	83	of mail and the printing of the last login time and message of the day).
	84	Otherwise, if
	85	.I /var/log/lastlog
	86	exists, the last login time is printed (and the current login is
	87	recorded).
	88
6dbe3af9 KZ	89	.SH OPTIONS
	90	.TP
	91	.B \-p
	92	Used by
	93	.BR getty (8)
	94	to tell
	95	.B login
	96	not to destroy the environment
	97	.TP
	98	.B \-f
	99	Used to skip a second login authentication. This specifically does
	100	.B not
	101	work for root, and does not appear to work well under Linux.
	102	.TP
	103	.B \-h
	104	Used by other servers (i.e.,
	105	.BR telnetd (8))
	106	to pass the name of the remote host to
	107	.B login
fd6b7a7f KZ	108	so that it may be placed in utmp and wtmp. Only the superuser may use
fd6b7a7f KZ	109	this option.
726f69e2	110
067f5343 KZ	111	Note that the \fB-h\fP option has impact on the \fBPAM service name\fP. The standard
	112	service name is "login", with the \fB-h\fP option the name is "remote". It's
	113	necessary to create a proper PAM config files (e.g.
	114	.I /etc/pam.d/login
	115	and
	116	.I /etc/pam.d/remote
	117	).
92e386ca KZ	118	.TP
	119	.B \-H
	120	Used by other servers (i.e.,
	121	.BR telnetd (8))
	122	to tell
	123	.B login
	124	that printing the hostname should be suppressed in the login: prompt.
4d8fc09c KZ	125
	126	.SH CONFIG FILE ITEMS
	127	.B login
	128	reads the
	129	.IR /etc/login.defs (5)
	130	configuration file. Note that the configuration file could be distributed with
	131	another package (e.g. shadow-utils). The following configuration items are
	132	relevant for
	133	.BR login (1):
	134	.PP
	135	\fBMOTD_FILE\fR (string)
	136	.RS 4
	137	If defined, ":" delimited list of "message of the day" files to be displayed
	138	upon login. The default value is "/etc/motd". If the \fBMOTD_FILE\fR item is
	139	empty or "quiet" login is enabled then the message of the day is not displayed.
	140	Note that the same functionality is also provided by
	141	.BR pam_motd (8)
	142	PAM module.
	143	.RE
9abd9cde KZ	144	.PP
	145	\fBLOGIN_TIMEOUT\fR (number)
	146	.RS 4
	147	Max time in seconds for login. The default value is 60.
	148	.RE
ca5ee2a8 KZ	149	.PP
	150	\fBFAIL_DELAY\fR (number)
	151	.RS 4
	152	Delay in seconds before being allowed another attempt after a login failure.
	153	The default value is 5.
	154	.RE
738246ed KZ	155	.PP
	156	\fBTTYPERM\fR (string)
	157	.RS 4
	158	The terminal permissions. The default value is 0600.
	159	.RE
45d0a30e KZ	160	.PP
	161	\fBTTYGROUP\fR (string)
	162	.RS 4
	163	The login tty will be owned by the
	164	\fBTTYGROUP\fR. The default value is 'tty'. If the \fBTTYGROUP\fR does not exist
	165	then the ownership of the terminal is set to the user\'s primary group.
	166	.SP
	167	The \fBTTYGROUP\fR can be either the name of a group or a numeric group identifier.
	168	.RE
84d3c9ff KZ	169	.PP
	170	\fBHUSHLOGIN_FILE\fR (string)
	171	.RS 4
	172	If defined, this file can inhibit all the usual chatter during the login
	173	sequence. If a full pathname (e.g. /etc/hushlogins) is specified, then hushed
	174	mode will be enabled if the user\'s name or shell are found in the file. If
	175	this global hush login file is empty then the hushed mode will be enabled for
	176	all users.
	177
	178	If not a full pathname is specified, then hushed mode will be enabled if the
	179	file exists in the user\'s home directory.
738246ed	180
84d3c9ff KZ	181	The default is to check "/etc/hushlogins" and if does not exist then
	182	"~/.hushlogin".
	183
	184	If the \fBHUSHLOGIN_FILE\fR item is empty then all checks are disabled.
	185	.RE
91d0a913 KZ	186	.PP
	187	\fBDEFAULT_HOME\fR (boolean)
	188	.RS 4
	189	Indicate if login is allowed if we can\'t cd to the home directory. If set to
	190	\fIyes\fR, the user will login in the root (/) directory if it is not possible
	191	to cd to her home directory. The default value is 'yes'.
	192	.RE
cea8ec53 KZ	193	.PP
	194	\fBLOG_UNKFAIL_ENAB\fR (boolean)
	195	.RS 4
	196	Enable display of unknown usernames when login failures are recorded\&.
	197	.sp
	198	Note that logging unknown usernames may be a security issue if an user enter
	199	her password instead of her login name.
	200	.RE
6dbe3af9 KZ	201	.SH FILES
6dbe3af9 KZ	202	.nf
726f69e2 KZ	203	.I /var/run/utmp
	204	.I /var/log/wtmp
	205	.I /var/log/lastlog
cad18f61	206	.I /var/spool/mail/*
6dbe3af9 KZ	207	.I /etc/motd
	208	.I /etc/passwd
	209	.I /etc/nologin
726f69e2	210	.I /etc/usertty
067f5343 KZ	211	.I /etc/pam.d/login
067f5343 KZ	212	.I /etc/pam.d/remote
6dbe3af9 KZ	213	.I .hushlogin
	214	.fi
	215	.SH "SEE ALSO"
	216	.BR init (8),
	217	.BR getty (8),
	218	.BR mail (1),
	219	.BR passwd (1),
	220	.BR passwd (5),
	221	.BR environ (7),
	222	.BR shutdown (8)
	223	.SH BUGS
fd6b7a7f	224
6dbe3af9 KZ	225	The undocumented BSD
	226	.B \-r
	227	option is not supported. This may be required by some
	228	.BR rlogind (8)
	229	programs.
7eda085c KZ	230
	231	A recursive login, as used to be possible in the good old days,
	232	no longer works; for most purposes
	233	.BR su (1)
	234	is a satisfactory substitute. Indeed, for security reasons,
	235	login does a vhangup() system call to remove any possible
	236	listening processes on the tty. This is to avoid password
	237	sniffing. If one uses the command "login", then the surrounding shell
	238	gets killed by vhangup() because it's no longer the true owner of the tty.
	239	This can be avoided by using "exec login" in a top-level shell or xterm.
6dbe3af9	240	.SH AUTHOR
fd6b7a7f KZ	241	Derived from BSD login 5.40 (5/9/89) by Michael Glad (glad@daimi.dk)
fd6b7a7f KZ	242	for HP-UX
6dbe3af9 KZ	243	.br
6dbe3af9 KZ	244	Ported to Linux 0.12: Peter Orbaek (poe@daimi.aau.dk)
86d62711	245	.SH AVAILABILITY
601d12fb KZ	246	The login command is part of the util-linux package and is available from
601d12fb KZ	247	ftp://ftp.kernel.org/pub/linux/utils/util-linux/.