.\" Copyright 1993 Rickard E. Faith (faith@cs.unc.edu)
.\" May be distributed under the GNU General Public License
-.TH LOGIN 1 "4 November 1996" "Util-linux 1.6" "Linux Programmer's Manual"
+.TH LOGIN "1" "June 2012" "util-linux" "User Commands"
.SH NAME
-login \- sign on
+login \- begin session on the system
.SH SYNOPSIS
-.BR "login [ " name " ]"
-.br
-.B "login \-p"
-.br
-.BR "login \-h " hostname
-.br
-.BR "login \-f " name
+.B login
+[
+.B \-p
+] [
+.B \-h
+.I host
+] [
+.B \-H
+] [
+.B \-f
+.I username
+|
+.I username
+]
.SH DESCRIPTION
.B login
-is used when signing onto a system.
-
-If an argument is not given,
+is used when signing onto a system. If no argument is given,
.B login
prompts for the username.
-
-If the user is
-.I not
-root, and if
-.I /etc/nologin
-exists, the contents of this file are printed to the screen, and the
-login is terminated. This is typically used to prevent logins when the
-system is being taken down.
-
-If special access restrictions are specified for the user in
-.IR /etc/usertty ,
-these must be met, or the log in attempt will be denied and a
-.B syslog
-message will be generated. See the section on "Special Access Restrictions".
-
-If the user is root, then the login must be occurring on a tty listed in
-.IR /etc/securetty .
-Failures will be logged with the
-.B syslog
-facility.
-
-After these conditions have been checked, the password will be requested and
-checked (if a password is required for this username). Ten attempts
-are allowed before
+.PP
+The user is then prompted for a password, where appropriate. Echoing
+is disabled to prevent revealing the password. Only a small number
+of password failures are permitted before
.B login
-dies, but after the first three, the response starts to get very slow.
-Login failures are reported via the
-.B syslog
-facility. This facility is also used to report any successful root logins.
-
-If the file
-.I .hushlogin
-exists, then a "quiet" login is performed (this disables the checking
-of mail and the printing of the last login time and message of the day).
-Otherwise, if
-.I /var/log/lastlog
-exists, the last login time is printed (and the current login is
-recorded).
-
-Random administrative things, such as setting the UID and GID of the
-tty are performed. The TERM environment variable is preserved, if it
-exists (other environment variables are preserved if the
-.B \-p
-option is used). Then the HOME, PATH, SHELL, TERM, MAIL, and LOGNAME
-environment variables are set. PATH defaults to
-.I /usr/local/bin:/bin:/usr/bin
+exits and the communications link is severed.
+.PP
+If password aging has been enabled for the account, the user may be
+prompted for a new password before proceeding. He will be forced to
+provide his old password and the new password before continuing.
+Please refer to
+.BR passwd (1)
+for more information.
+.PP
+The user and group ID will be set according to their values in the
+.I /etc/passwd
+file. There is one exception if the user ID is zero: in this case,
+only the primary group ID of the account is set. This should allow
+the system administrator to login even in case of network problems.
+The value for
+.BR $HOME ,
+.BR $USER ,
+.BR $SHELL ,
+.BR $PATH ,
+.BR $LOGNAME ,
+and
+.B $MAIL
+are set according to the appropriate fields in the password entry.
+.B $PATH
+defaults to
+.I /usr\:/local\:/bin:\:/bin:\:/usr\:/bin
for normal users, and to
-.I /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-for root. Last, if this is not a "quiet" login, the message of the
-day is printed and the file with the user's name in
-.I /var/spool/mail
-will be checked, and a message printed if it has non-zero length.
-
-The user's shell is then started. If no shell is specified for the
+.I /usr\:/local\:/sbin:\:/usr\:/local\:/bin:\:/sbin:\:/bin:\:/usr\:/sbin:\:/usr\:/bin
+for root, if not otherwise configured.
+.P
+The environment variable
+.B $TERM
+will be preserved, if it exists (other environment variables are
+preserved if the
+.B \-p
+option is given), else it will be initialized to the terminal type on your tty.
+.PP
+Then the user's shell is started. If no shell is specified for the
user in
-.BR /etc/passwd ,
+.IR /etc\:/passwd ,
then
-.B /bin/sh
+.I /bin\:/sh
is used. If there is no directory specified in
-.IR /etc/passwd ,
+.IR /etc\:/passwd ,
then
.I /
is used (the home directory is checked for the
.I .hushlogin
-file described above).
+file described below).
+.PP
+If the file
+.I .hushlogin
+exists, then a "quiet" login is performed (this disables the checking
+of mail and the printing of the last login time and message of the
+day). Otherwise, if
+.I /var\:/log\:/lastlog
+exists, the last login time is printed (and the current login is
+recorded).
.SH OPTIONS
.TP
.B \-p
.BR getty (8)
to tell
.B login
-not to destroy the environment
+not to destroy the environment.
.TP
.B \-f
Used to skip a second login authentication. This specifically does
.BR telnetd (8))
to pass the name of the remote host to
.B login
-so that it may be placed in utmp and wtmp. Only the superuser may use
-this option.
-
-Note that the \fB-h\fP option has impact on the \fBPAM service name\fP. The standard
-service name is "login", with the \fB-h\fP option the name is "remote". It's
-necessary to create a proper PAM config files (e.g.
-.I /etc/pam.d/login
-and
-.I /etc/pam.d/remote
-).
-
-.SH "SPECIAL ACCESS RESTRICTIONS"
-The file
-.I /etc/securetty
-lists the names of the ttys where root is allowed to log in. One name
-of a tty device without the /dev/ prefix must be specified on each
-line. If the file does not exist, root is allowed to log in on any
-tty.
-.PP
-On most modern Linux systems PAM (Pluggable Authentication Modules)
-is used. On systems that do not use PAM, the file
-.I /etc/usertty
-specifies additional access restrictions for specific users.
-If this file does not exist, no additional access restrictions are
-imposed. The file consists of a sequence of sections. There are three
-possible section types: CLASSES, GROUPS and USERS. A CLASSES section
-defines classes of ttys and hostname patterns, A GROUPS section
-defines allowed ttys and hosts on a per group basis, and a USERS
-section defines allowed ttys and hosts on a per user basis.
-.PP
-Each line in this file in may be no longer than 255
-characters. Comments start with # character and extend to the end of
-the line.
-.PP
-.SS "The CLASSES Section"
-A CLASSES section begins with the word CLASSES at the start of a line
-in all upper case. Each following line until the start of a new
-section or the end of the file consists of a sequence of words
-separated by tabs or spaces. Each line defines a class of ttys and
-host patterns.
-.PP
-The word at the beginning of a line becomes defined as a collective
-name for the ttys and host patterns specified at the rest of the
-line. This collective name can be used in any subsequent GROUPS or
-USERS section. No such class name must occur as part of the definition
-of a class in order to avoid problems with recursive classes.
-.PP
-An example CLASSES section:
-.PP
-.nf
-.in +.5
-CLASSES
-myclass1 tty1 tty2
-myclass2 tty3 @.foo.com
-.in -.5
-.fi
-.PP
-This defines the classes
-.I myclass1
-and
-.I myclass2
-as the corresponding right hand sides.
-.PP
-
-.SS "The GROUPS Section"
-A GROUPS section defines allowed ttys and hosts on a per Unix group basis. If
-a user is a member of a Unix group according to
-.I /etc/passwd
+so that it may be placed in utmp and wtmp. Only the superuser may
+use this option.
+.IP
+Note that the
+.B \-h
+option has impact on the
+.B PAM service
+.BR name .
+The standard service name is
+.IR login ,
+with the
+.B \-h
+option the name is
+.IR remote .
+It is necessary to create proper PAM config files (e.g.
+.I /etc\:/pam.d\:/login
and
-.I /etc/group
-and such a group is mentioned in a GROUPS section in
-.I /etc/usertty
-then the user is granted access if the group is.
-.PP
-A GROUPS section starts with the word GROUPS in all upper case at the start of
-a line, and each following line is a sequence of words separated by spaces
-or tabs. The first word on a line is the name of the group and the rest
-of the words on the line specifies the ttys and hosts where members of that
-group are allowed access. These specifications may involve the use of
-classes defined in previous CLASSES sections.
-.PP
-An example GROUPS section.
+.IR /etc\:/pam.d\:/remote ).
+.TP
+.B \-H
+Used by other servers (i.e.,
+.BR telnetd (8))
+to tell
+.B login
+that printing the hostname should be suppressed in the login: prompt.
+See also LOGIN_PLAIN_PROMPT below if your server does not allow to configure
+.B login
+command line.
+.TP
+\fB\-\-help\fR
+Display help text and exit.
+.TP
+\fB\-V\fR, \fB\-\-version\fR
+Display version information and exit.
+.SH CONFIG FILE ITEMS
+.B login
+reads the
+.IR /etc\:/login.defs (5)
+configuration file. Note that the configuration file could be
+distributed with another package (e.g. shadow-utils). The following
+configuration items are relevant for
+.BR login (1):
.PP
-.nf
-.in +0.5
-GROUPS
-sys tty1 @.bar.edu
-stud myclass1 tty4
-.in -0.5
-.fi
+.B MOTD_FILE
+(string)
+.RS 4
+If defined, a ":" delimited list of "message of the day" files to be
+displayed upon login. The default value is
+.IR /etc\:/motd .
+If the
+.B MOTD_FILE
+item is empty or a quiet login is enabled, then the message of the day
+is not displayed. Note that the same functionality is also provided
+by
+.BR pam_motd (8)
+PAM module.
+.RE
.PP
-This example specifies that members of group
-.I sys
-may log in on tty1 and from hosts in the bar.edu domain. Users in
-group
-.I stud
-may log in from hosts/ttys specified in the class myclass1 or from
-tty4.
+.B LOGIN_PLAIN_PROMPT
+(boolean)
+.RS 4
+Tell login that printing the hostname should be suppressed in the login:
+prompt. This is alternative to the \fB\-H\fR command line option. The default
+value is
+.IR no .
+.RE
.PP
-
-.SS "The USERS Section"
-A USERS section starts with the word USERS in all upper case at the
-start of a line, and each following line is a sequence of words
-separated by spaces or tabs. The first word on a line is a username
-and that user is allowed to log in on the ttys and from the hosts
-mentioned on the rest of the line. These specifications may involve
-classes defined in previous CLASSES sections. If no section header is
-specified at the top of the file, the first section defaults to be a
-USERS section.
+.B LOGIN_TIMEOUT
+(number)
+.RS 4
+Max time in seconds for login. The default value is
+.IR 60 .
+.RE
.PP
-An example USERS section:
+.B LOGIN_RETRIES
+(number)
+.RS 4
+Maximum number of login retries in case of a bad password. The default
+value is
+.IR 3 .
+.RE
.PP
-.nf
-.in +0.5
-USERS
-zacho tty1 @130.225.16.0/255.255.255.0
-blue tty3 myclass2
-.in -0.5
-.fi
+.B FAIL_DELAY
+(number)
+.RS 4
+Delay in seconds before being allowed another three tries after a
+login failure. The default value is
+.IR 5 .
+.RE
.PP
-This lets the user zacho login only on tty1 and from hosts with IP
-addresses in the range 130.225.16.0 \- 130.225.16.255, and user blue is
-allowed to log in from tty3 and whatever is specified in the class
-myclass2.
+.B TTYPERM
+(string)
+.RS 4
+The terminal permissions. The default value is
+.I 0600
+or
+.I 0620
+if tty group is used.
+.RE
.PP
-There may be a line in a USERS section starting with a username of
-*. This is a default rule and it will be applied to any user not
-matching any other line.
+.B TTYGROUP
+(string)
+.RS 4
+The login tty will be owned by the
+.BR TTYGROUP .
+The default value is
+.IR tty .
+If the
+.B TTYGROUP
+does not exist, then the ownership of the terminal is set to the
+user\'s primary group.
.PP
-If both a USERS line and GROUPS line match a user then the user is
-allowed access from the union of all the ttys/hosts mentioned in these
-specifications.
-
-.SS Origins
-The tty and host pattern specifications used in the specification of
-classes, group and user access are called origins. An origin string
-may have one of these formats:
-.IP o
-The name of a tty device without the /dev/ prefix, for example tty1 or
-ttyS0.
+The
+.B TTYGROUP
+can be either the name of a group or a numeric group identifier.
+.RE
.PP
-.IP o
-The string @localhost, meaning that the user is allowed to
-telnet/rlogin from the local host to the same host. This also allows
-the user to for example run the command: xterm -e /bin/login.
+.B HUSHLOGIN_FILE
+(string)
+.RS 4
+If defined, this file can inhibit all the usual chatter during the
+login sequence. If a full pathname (e.g.
+.IR /etc\:/hushlogins )
+is specified, then hushed mode will be enabled if the user\'s name or
+shell are found in the file. If this global hush login file is empty
+then the hushed mode will be enabled for all users.
.PP
-.IP o
-A domain name suffix such as @.some.dom, meaning that the user may
-rlogin/telnet from any host whose domain name has the suffix
-\&.some.dom.
+If a full pathname is not specified, then hushed mode will be enabled
+if the file exists in the user\'s home directory.
.PP
-.IP o
-A range of IPv4 addresses, written @x.x.x.x/y.y.y.y where x.x.x.x is
-the IP address in the usual dotted quad decimal notation, and y.y.y.y
-is a bitmask in the same notation specifying which bits in the address
-to compare with the IP address of the remote host. For example
-@130.225.16.0/255.255.254.0 means that the user may rlogin/telnet from
-any host whose IP address is in the range 130.225.16.0 \-
-130.225.17.255.
+The default is to check
+.I /etc\:/hushlogins
+and if it does not exist then
+.I ~/.hushlogin
.PP
-.IP o
-An range of IPv6 addresses, written @[n:n:n:n:n:n:n:n]/m is interpreted as a
-[net]/prefixlen pair. An IPv6 host address is matched if prefixlen bits of
-net is equal to the prefixlen bits of the address. For example, the
-[net]/prefixlen pattern [3ffe:505:2:1::]/64 matches every address in the
-range 3ffe:505:2:1:: through 3ffe:505:2:1:ffff:ffff:ffff:ffff.
+If the
+.B HUSHLOGIN_FILE
+item is empty, then all the checks are disabled.
+.RE
.PP
-Any of the above origins may be prefixed by a time specification
-according to the syntax:
+.B DEFAULT_HOME
+(boolean)
+.RS 4
+Indicate if login is allowed if we cannot change directory to the
+home directory. If set to
+.IR yes ,
+the user will login in the root (/) directory if it is not possible
+to change directory to her home. The default value is
+.IR yes .
+.RE
.PP
-.nf
-timespec ::= '[' <day-or-hour> [':' <day-or-hour>]* ']'
-day ::= 'mon' | 'tue' | 'wed' | 'thu' | 'fri' | 'sat' | 'sun'
-hour ::= '0' | '1' | ... | '23'
-hourspec ::= <hour> | <hour> '\-' <hour>
-day-or-hour ::= <day> | <hourspec>
-.fi
+.B LASTLOG_UID_MAX
+(unsigned number)
+.RS 4
+Highest user ID number for which the lastlog entries should be
+updated. As higher user IDs are usually tracked by remote user
+identity and authentication services there is no need to create
+a huge sparse lastlog file for them. No LASTLOG_UID_MAX option
+present in the configuration means that there is no user ID limit
+for writing lastlog entries.
+.RE
.PP
-For example, the origin [mon:tue:wed:thu:fri:8\-17]tty3 means that log
-in is allowed on Mondays through Fridays between 8:00 and 17:59 (5:59
-pm) on tty3. This also shows that an hour range a\-b includes all
-moments between a:00 and b:59. A single hour specification (such as
-10) means the time span between 10:00 and 10:59.
+.B LOG_UNKFAIL_ENAB
+(boolean)
+.RS 4
+Enable display of unknown usernames when login failures are recorded.
+The default value is
+.IR no .
.PP
-Not specifying any time prefix for a tty or host means log in from
-that origin is allowed any time. If you give a time prefix be sure to
-specify both a set of days and one or more hours or hour ranges. A
-time specification may not include any white space.
+Note that logging unknown usernames may be a security issue if a
+user enters her password instead of her login name.
+.RE
.PP
-If no default rule is given then users not matching any line
-.I /etc/usertty
-are allowed to log in from anywhere as is standard behavior.
+.B ENV_PATH
+(string)
+.RS 4
+If set, it will be used to define the PATH environment variable when
+a regular user logs in. The default value is
+.I /usr\:/local\:/bin:\:/bin:\:/usr\:/bin
+.RE
.PP
+.B ENV_ROOTPATH
+(string)
+.br
+.B ENV_SUPATH
+(string)
+.RS 4
+If set, it will be used to define the PATH environment variable when
+the superuser logs in. ENV_ROOTPATH takes precedence. The default value is
+.I /usr\:/local\:/sbin:\:/usr\:/local\:/bin:\:/sbin:\:/bin:\:/usr\:/sbin:\:/usr\:/bin
+.RE
.SH FILES
.nf
.I /var/run/utmp
.I /etc/motd
.I /etc/passwd
.I /etc/nologin
-.I /etc/usertty
.I /etc/pam.d/login
.I /etc/pam.d/remote
+.I /etc/hushlogins
.I .hushlogin
.fi
.SH "SEE ALSO"
-.BR init (8),
-.BR getty (8),
.BR mail (1),
.BR passwd (1),
.BR passwd (5),
.BR environ (7),
+.BR getty (8),
+.BR init (8),
.BR shutdown (8)
.SH BUGS
-
The undocumented BSD
.B \-r
option is not supported. This may be required by some
.BR rlogind (8)
programs.
-
-A recursive login, as used to be possible in the good old days,
-no longer works; for most purposes
+.PP
+A recursive login, as used to be possible in the good old days, no
+longer works; for most purposes
.BR su (1)
-is a satisfactory substitute. Indeed, for security reasons,
-login does a vhangup() system call to remove any possible
-listening processes on the tty. This is to avoid password
-sniffing. If one uses the command "login", then the surrounding shell
-gets killed by vhangup() because it's no longer the true owner of the tty.
-This can be avoided by using "exec login" in a top-level shell or xterm.
+is a satisfactory substitute. Indeed, for security reasons, login
+does a vhangup() system call to remove any possible listening
+processes on the tty. This is to avoid password sniffing. If one
+uses the command
+.BR login ,
+then the surrounding shell gets killed by vhangup() because it's no
+longer the true owner of the tty. This can be avoided by using
+.B exec login
+in a top-level shell or xterm.
.SH AUTHOR
-Derived from BSD login 5.40 (5/9/89) by Michael Glad (glad@daimi.dk)
+Derived from BSD login 5.40 (5/9/89) by
+.MT glad@\:daimi.\:dk
+Michael Glad
+.ME
for HP-UX
.br
-Ported to Linux 0.12: Peter Orbaek (poe@daimi.aau.dk)
+Ported to Linux 0.12:
+.MT poe@\:daimi.\:aau.\:dk
+Peter Orbaek
+.ME
+.br
+Rewritten to a PAM-only version by
+.MT kzak@\:redhat.\:com
+Karel Zak
+.ME
.SH AVAILABILITY
-The login command is part of the util-linux package and is available from
-ftp://ftp.kernel.org/pub/linux/utils/util-linux/.
+The login command is part of the util-linux package and is
+available from
+.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
+Linux Kernel Archive
+.UE .
projects / thirdparty / util-linux.git / blobdiff