.\" Copyright 1993 Rickard E. Faith (faith@cs.unc.edu)
.\" May be distributed under the GNU General Public License
.TH LOGIN 1 "March 2009" "util-linux" "User Commands"
.SH NAME
login \- sign on
.SH SYNOPSIS
.BR "login [ " name " ]"
.br
.B "login \-p"
.br
.BR "login \-h " hostname
.br
.BR "login \-f " name
.SH DESCRIPTION
.B login
is used when signing onto a system.

If an argument is not given,
.B login
prompts for the username.

If the user is
.I not
root, and if
.I /etc/nologin
exists, the contents of this file are printed to the screen, and the
login is terminated. This is typically used to prevent logins when the
system is being taken down.

If special access restrictions are specified for the user in
.IR /etc/usertty ,
these must be met, or the login attempt will be denied and a
.B syslog
message will be generated. See the section on "Special Access Restrictions".

If the user is root, then the login must be occurring on a tty listed in
.IR /etc/securetty .
Failures will be logged with the
.B syslog
facility.

After these conditions have been checked, the password will be requested and
checked (if a password is required for this username). Ten attempts
are allowed before
.B login
dies, but after the first three, the response starts to get very slow.
Login failures are reported via the
.B syslog
facility. This facility is also used to report any successful root logins.

If the file
.I .hushlogin
exists, then a "quiet" login is performed (this disables the checking
of mail and the printing of the last login time and message of the day).
Otherwise, if
.I /var/log/lastlog
exists, the last login time is printed (and the current login is
recorded).

Random administrative things, such as setting the UID and GID of the
tty, are performed. The TERM environment variable is preserved, if it
exists (other environment variables are preserved if the
.B \-p
option is used). Then the HOME, PATH, SHELL, TERM, MAIL, and LOGNAME
environment variables are set. PATH defaults to
.I /usr/local/bin:/bin:/usr/bin
for normal users, and to
.I /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
for root. Last, if this is not a "quiet" login, the message of the
day is printed and the file with the user's name in
.I /var/spool/mail
will be checked, and a message printed if it has non-zero length.

The user's shell is then started. If no shell is specified for the
user in
.BR /etc/passwd ,
then
.B /bin/sh
is used. If there is no directory specified in
.IR /etc/passwd ,
then
.I /
is used (the home directory is checked for the
.I .hushlogin
file described above).
.SH OPTIONS
.TP
.B \-p
Used by
.BR getty (8)
to tell
.B login
not to destroy the environment.
.TP
.B \-f
Used to skip a second login authentication. This specifically does
.B not
work for root, and does not appear to work well under Linux.
.TP
.B \-h
Used by other servers (e.g.,
.BR telnetd (8))
to pass the name of the remote host to
.B login
so that it may be placed in utmp and wtmp. Only the superuser may use
this option.

Note that the \fB\-h\fP option has impact on the \fBPAM service name\fP. The standard
service name is "login"; with the \fB\-h\fP option the name is "remote". It is
necessary to create proper PAM configuration files (e.g.
.I /etc/pam.d/login
and
.IR /etc/pam.d/remote ).

.SH "SPECIAL ACCESS RESTRICTIONS"
The file
.I /etc/securetty
lists the names of the ttys where root is allowed to log in. One name
of a tty device without the /dev/ prefix must be specified on each
line. If the file does not exist, root is allowed to log in on any
tty.
.PP
On most modern Linux systems PAM (Pluggable Authentication Modules)
is used. On systems that do not use PAM, the file
.I /etc/usertty
specifies additional access restrictions for specific users.
If this file does not exist, no additional access restrictions are
imposed. The file consists of a sequence of sections. There are three
possible section types: CLASSES, GROUPS and USERS. A CLASSES section
defines classes of ttys and hostname patterns, a GROUPS section
defines allowed ttys and hosts on a per group basis, and a USERS
section defines allowed ttys and hosts on a per user basis.
.PP
Each line in this file may be no longer than 255
characters. Comments start with the # character and extend to the end of
the line.
.PP
.SS "The CLASSES Section"
A CLASSES section begins with the word CLASSES at the start of a line
in all upper case. Each following line until the start of a new
section or the end of the file consists of a sequence of words
separated by tabs or spaces. Each line defines a class of ttys and
host patterns.
.PP
The word at the beginning of a line becomes defined as a collective
name for the ttys and host patterns specified on the rest of the
line. This collective name can be used in any subsequent GROUPS or
USERS section. A class name must not occur as part of the definition
of a class, in order to avoid problems with recursive classes.
.PP
An example CLASSES section:
.PP
.nf
.in +0.5
CLASSES
myclass1 tty1 tty2
myclass2 tty3 @.foo.com
.in -0.5
.fi
.PP
This defines the classes
.I myclass1
and
.I myclass2
as the corresponding right hand sides.
.PP

.SS "The GROUPS Section"
A GROUPS section defines allowed ttys and hosts on a per Unix group basis. If
a user is a member of a Unix group according to
.I /etc/passwd
and
.I /etc/group
and such a group is mentioned in a GROUPS section in
.I /etc/usertty
then the user is granted access if the group is.
.PP
A GROUPS section starts with the word GROUPS in all upper case at the start of
a line, and each following line is a sequence of words separated by spaces
or tabs. The first word on a line is the name of the group and the rest
of the words on the line specify the ttys and hosts where members of that
group are allowed access. These specifications may involve the use of
classes defined in previous CLASSES sections.
.PP
An example GROUPS section:
.PP
.nf
.in +0.5
GROUPS
sys tty1 @.bar.edu
stud myclass1 tty4
.in -0.5
.fi
.PP
This example specifies that members of group
.I sys
may log in on tty1 and from hosts in the bar.edu domain. Users in
group
.I stud
may log in from hosts/ttys specified in the class myclass1 or from
tty4.
.PP

.SS "The USERS Section"
A USERS section starts with the word USERS in all upper case at the
start of a line, and each following line is a sequence of words
separated by spaces or tabs. The first word on a line is a username
and that user is allowed to log in on the ttys and from the hosts
mentioned on the rest of the line. These specifications may involve
classes defined in previous CLASSES sections. If no section header is
specified at the top of the file, the first section defaults to be a
USERS section.
.PP
An example USERS section:
.PP
.nf
.in +0.5
USERS
zacho tty1 @130.225.16.0/255.255.255.0
blue tty3 myclass2
.in -0.5
.fi
.PP
This lets the user zacho log in only on tty1 and from hosts with IP
addresses in the range 130.225.16.0 \- 130.225.16.255, and user blue is
allowed to log in from tty3 and whatever is specified in the class
myclass2.
.PP
There may be a line in a USERS section starting with a username of
*. This is a default rule and it will be applied to any user not
matching any other line.
.PP
If both a USERS line and a GROUPS line match a user then the user is
allowed access from the union of all the ttys/hosts mentioned in these
specifications.

.SS Origins
The tty and host pattern specifications used in the specification of
classes, group and user access are called origins. An origin string
may have one of these formats:
.IP o
The name of a tty device without the /dev/ prefix, for example tty1 or
ttyS0.
.PP
.IP o
The string @localhost, meaning that the user is allowed to
telnet/rlogin from the local host to the same host. This also allows
the user, for example, to run the command: xterm \-e /bin/login.
.PP
.IP o
A domain name suffix such as @.some.dom, meaning that the user may
rlogin/telnet from any host whose domain name has the suffix
\&.some.dom.
.PP
.IP o
A range of IPv4 addresses, written @x.x.x.x/y.y.y.y where x.x.x.x is
the IP address in the usual dotted quad decimal notation, and y.y.y.y
is a bitmask in the same notation specifying which bits in the address
to compare with the IP address of the remote host. For example
@130.225.16.0/255.255.254.0 means that the user may rlogin/telnet from
any host whose IP address is in the range 130.225.16.0 \-
130.225.17.255.
.PP
.IP o
A range of IPv6 addresses, written @[n:n:n:n:n:n:n:n]/m, is interpreted as a
[net]/prefixlen pair. An IPv6 host address is matched if the prefixlen bits of
net are equal to the prefixlen bits of the address. For example, the
[net]/prefixlen pattern [3ffe:505:2:1::]/64 matches every address in the
range 3ffe:505:2:1:: through 3ffe:505:2:1:ffff:ffff:ffff:ffff.
.PP
Any of the above origins may be prefixed by a time specification
according to the syntax:
.PP
.nf
timespec ::= '[' <day-or-hour> [':' <day-or-hour>]* ']'
day ::= 'mon' | 'tue' | 'wed' | 'thu' | 'fri' | 'sat' | 'sun'
hour ::= '0' | '1' | ... | '23'
hourspec ::= <hour> | <hour> '\-' <hour>
day-or-hour ::= <day> | <hourspec>
.fi
.PP
For example, the origin [mon:tue:wed:thu:fri:8\-17]tty3 means that login
is allowed on Mondays through Fridays between 8:00 and 17:59 (5:59
pm) on tty3. This also shows that an hour range a\-b includes all
moments between a:00 and b:59. A single hour specification (such as
10) means the time span between 10:00 and 10:59.
.PP
Not specifying any time prefix for a tty or host means login from
that origin is allowed at any time. If you give a time prefix be sure to
specify both a set of days and one or more hours or hour ranges. A
time specification may not include any white space.
.PP
If no default rule is given then users not matching any line in
.I /etc/usertty
are allowed to log in from anywhere, as is standard behavior.
.PP
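.PP
The following is an added example, not code from util-linux, that parses a constructed /etc/usertty file in the format described in this section and evaluates a login request against it: it expands classes with the recursion check the CLASSES section asks for, unions matching USERS and GROUPS lines, applies the * default rule, and matches tty, @localhost, domain-suffix, IPv4 bitmask, IPv6 prefix and [timespec] origins. The names SAMPLE_USERTTY, parse_usertty, allowed and the sample dates are assumptions of the example, as is the reading that a user matching no USERS or GROUPS line receives the * default rule.

```python
"""Evaluate /etc/usertty access rules (added example, not util-linux code).

Parses CLASSES, GROUPS and USERS sections and decides whether a user may log in
from an origin (tty name, or remote host name/address) at a given time, using
the origin and timespec formats from login(1). Assumption: a user matching no
USERS and no GROUPS line gets the '*' default rule if present, else is unrestricted.
"""
import ipaddress
import re
from datetime import datetime

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday() order
TIMESPEC_RE = re.compile(r"^\[([^\]]*)\](.*)$")
SAMPLE_WEEKDAY = datetime(2024, 1, 10, 9, 0)  # a Wednesday, 09:00 (constructed)
SAMPLE_WEEKEND = datetime(2024, 1, 13, 9, 0)  # a Saturday, 09:00 (constructed)

SAMPLE_USERTTY = """\
# constructed sample: the page's examples plus a time-restricted user 'ops'
CLASSES
myclass1 tty1 tty2
myclass2 tty3 @.foo.com
GROUPS
sys tty1 @.bar.edu
stud myclass1 tty4
USERS
zacho tty1 @130.225.16.0/255.255.255.0
blue tty3 myclass2
ops [mon:tue:wed:thu:fri:8-17]tty3 @[3ffe:505:2:1::]/64
* @localhost
"""


def parse_usertty(text):
    """Return {'CLASSES': {...}, 'GROUPS': {...}, 'USERS': {...}}, name -> origin list."""
    sections = {"CLASSES": {}, "GROUPS": {}, "USERS": {}}
    current = "USERS"  # without a section header the first section is USERS
    for raw in text.splitlines():
        if len(raw) > 255:
            raise ValueError("line longer than 255 characters")
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line in sections:
            current = line
        else:
            name, *origins = line.split()
            sections[current].setdefault(name, []).extend(origins)
    return sections


def expand(origins, classes, seen=()):
    """Replace class names by their members, rejecting recursive classes."""
    out = []
    for o in origins:
        if o not in classes:
            out.append(o)
        elif o in seen:
            raise ValueError(f"recursive class {o!r}")
        else:
            out.extend(expand(classes[o], classes, seen + (o,)))
    return out


def time_allows(spec, when):
    """Timespec body such as 'mon:tue:8-17'; needs at least one day and one hour."""
    days, hours = set(), set()
    for part in spec.split(":"):
        if part in DAYS:
            days.add(part)
        elif "-" in part:
            lo, hi = part.split("-", 1)
            hours.update(range(int(lo), int(hi) + 1))  # a-b means a:00 through b:59
        else:
            hours.add(int(part))
    return bool(days and hours) and DAYS[when.weekday()] in days and when.hour in hours


def origin_matches(pattern, tty, host, when):
    m = TIMESPEC_RE.match(pattern)
    if m:  # optional [timespec] prefix
        if not time_allows(m.group(1), when):
            return False
        pattern = m.group(2)
    if not pattern.startswith("@"):  # tty name without the /dev/ prefix
        return tty == pattern
    spec = pattern[1:]
    if host is None:
        return False
    if spec == "localhost":
        return host in ("localhost", "127.0.0.1", "::1")
    if spec.startswith("."):  # domain-name suffix
        return host.endswith(spec)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    if spec.startswith("["):  # @[net]/prefixlen for IPv6
        net, plen = spec[1:].split("]/", 1)
        return addr.version == 6 and addr in ipaddress.ip_network(f"{net}/{plen}", strict=False)
    base, mask = spec.split("/", 1)  # @x.x.x.x/y.y.y.y: compare only the masked bits
    mask_bits = int(ipaddress.IPv4Address(mask))
    return addr.version == 4 and int(addr) & mask_bits == int(ipaddress.IPv4Address(base)) & mask_bits


def allowed(sections, user, groups, tty, host, when):
    """True if the user may log in from (tty, host) at time 'when'."""
    rules = list(sections["USERS"].get(user, []))
    for g in groups:
        rules += sections["GROUPS"].get(g, [])  # matching USERS and GROUPS lines are unioned
    if not rules:
        if "*" not in sections["USERS"]:
            return True  # no matching line and no default rule: allowed from anywhere
        rules = sections["USERS"]["*"]
    return any(origin_matches(o, tty, host, when) for o in expand(rules, sections["CLASSES"]))
```

With the sample file, zacho is accepted on tty1 and from 130.225.16.77 but refused from 130.225.17.1, a member of group stud is accepted on tty2 through myclass1, an unlisted user only gets the @localhost default, and ops is accepted on tty3 on a weekday morning but not on a Saturday. A file whose CLASSES section defines a class in terms of itself is rejected with a ValueError.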
.SH FILES
.nf
.I /var/run/utmp
.I /var/log/wtmp
.I /var/log/lastlog
.I /var/spool/mail/*
.I /etc/motd
.I /etc/passwd
.I /etc/nologin
.I /etc/usertty
.I /etc/pam.d/login
.I /etc/pam.d/remote
.I .hushlogin
.fi
.SH "SEE ALSO"
.BR init (8),
.BR getty (8),
.BR mail (1),
.BR passwd (1),
.BR passwd (5),
.BR environ (7),
.BR shutdown (8)
.SH BUGS

The undocumented BSD
.B \-r
option is not supported. This may be required by some
.BR rlogind (8)
programs.

A recursive login, as used to be possible in the good old days,
no longer works; for most purposes
.BR su (1)
is a satisfactory substitute. Indeed, for security reasons,
login does a vhangup() system call to remove any possible
listening processes on the tty. This is to avoid password
sniffing. If one uses the command "login", then the surrounding shell
gets killed by vhangup() because it's no longer the true owner of the tty.
This can be avoided by using "exec login" in a top-level shell or xterm.
.SH AUTHOR
Derived from BSD login 5.40 (5/9/89) by Michael Glad (glad@daimi.dk)
for HP-UX
.br
Ported to Linux 0.12: Peter Orbaek (poe@daimi.aau.dk)
.SH AVAILABILITY
The login command is part of the util-linux package and is available from
ftp://ftp.kernel.org/pub/linux/utils/util-linux/.