login(1)                                                            login(1)

NAME
     login - sign on

SYNOPSIS
     login [ -d device ] [ name [ environ ... ]]

DESCRIPTION
     The login command is used at the beginning of each terminal session
     and allows you to identify yourself to the system. It is invoked by
     the system when a connection is first established. It is also
     invoked by the system when a previous user has terminated the initial
     shell by typing a <Ctrl-d> to indicate an end-of-file. If login is
     invoked as a command, it must replace the initial command
     interpreter. This is accomplished by typing

          exec login

     from the initial shell.

     login asks for your user name (if it is not supplied as an argument)
     and, if appropriate, your password. Echoing is turned off (where
     possible) during the typing of your password, so it does not appear
     on the written record of the session.

     login reads /etc/default/login to determine default behavior. To
     change the defaults, the system administrator should edit this file.
     Each of the lines described below must be written in the
     /etc/default/login file without any whitespace. The values shown
     below are the login defaults. Recognized values are:

     Note: If PAM (see pam(8)) is enabled, some of the options are not
     supported.

     CONSOLE=device
          If defined, only allows root logins on the device specified,
          typically /dev/console. This MUST NOT be defined as either
          /dev/syscon or /dev/systty. If undefined, root can log in on
          any device.

     PASSREQ=NO
          Determines whether all accounts must have passwords. If YES,
          and the user has no password, they are prompted for one at login
          time. Not supported when PAM is enabled.

     MANDPASS=NO
          Like PASSREQ, but does not allow users with no password to log
          in. Not supported when PAM is enabled.

     ALTSHELL=YES
          If YES, the environment variable SHELL is initialized.

     UMASK=022
          Default umask, in octal.

     TIMEOUT=60
          Exit login after this many seconds of inactivity (maximum 900,
          or 15 minutes).

     SLEEPTIME=1
          Sleep for this many seconds before issuing the "login incorrect"
          message (maximum 60 seconds).
     DISABLETIME=20
          After LOGFAILURES or MAXTRYS unsuccessful attempts, sleep for
          DISABLETIME seconds before exiting (no maximum).

     MAXTRYS=3
          Exit login after MAXTRYS unsuccessful attempts (0 = unlimited
          attempts).

     LOGFAILURES=3
          If there are LOGFAILURES consecutive unsuccessful login
          attempts, each of them is logged in /var/adm/loginlog, if it
          exists. LOGFAILURES has a maximum value of 20.

          Note: Users get at most the minimum of (MAXTRYS, LOGFAILURES)
          unsuccessful attempts.

     IDLEWEEKS=-1
          If nonnegative, specifies a grace period during which users with
          expired passwords are allowed to enter a new password. In other
          words, accounts with expired passwords can stay idle up to this
          long before being "locked out." If IDLEWEEKS is 0, there is no
          grace period, and expired passwords are the same as invalidated
          passwords. Not supported when PAM is enabled.

     PATH=
          Path for normal users (from /usr/include/paths.h).

     SUPATH=
          Path for the superuser (from /usr/include/paths.h).

     SYSLOG=FAIL
          Log to syslog all login failures (SYSLOG=FAIL) or all successes
          and failures (SYSLOG=ALL). Log entries are written to the
          LOG_AUTH facility (see syslog(3C) and syslogd(1M) for details).
          No messages are sent to syslog if not set. Note that this is
          separate from the login log, /var/adm/loginlog.

     INITGROUPS=YES
          If YES, make the user session a member of all of the user's
          supplementary groups (see multgrps(1) or initgroups(3C)).

     LANG=C
          If LANG is set, make this the default login language. This is
          used if no LANG comes from the environment (rlogind, getty, ...)
          and $HOME/.lang does not exist or does not contain a lang id.
          Only LANG is supported, not other locale categories such as
          LC_CTYPE.

     SVR4_SIGNALS=YES
          Use the SVR4 semantics for the SIGXCPU and SIGXFSZ signals. If
          SVR4_SIGNALS=YES, the SVR4 semantics are preserved and all
          processes ignore SIGXCPU and SIGXFSZ by default. If
          SVR4_SIGNALS=NO, these two signals retain their default action,
          which is to cause the receiving process to core dump.
          If users intend to make use of the CPU and file size resource
          limits, SVR4_SIGNALS should be set to NO. Note that using these
          signals while SVR4_SIGNALS is set to YES causes behavior that
          varies depending on the login shell. This setting has no effect
          on processes that explicitly alter the behavior of these signals
          using the signal(2) system call.

     SITECHECK=
          Use an external program to authenticate users instead of using
          the encrypted password field. This allows sites to implement
          other means of authentication, such as card keys, biometrics,
          etc. The program is invoked with the user name as the first
          argument, followed by the remote hostname and username, if
          applicable. The action taken depends on the exit status, as
          follows:

          0      Success; the user was authenticated, log in.
          1      Failure; exit login.
          2      Failure; try again (do not exit login).
          other  Use normal UNIX authentication.

          If authentication fails, the program can choose to indicate
          either exit code 1 or 2, as appropriate. If the program is not
          owned by root, is writable by others, or cannot be executed,
          normal password authentication is performed. It is recommended
          that the program be given a mode of 500.

          Warning: Because this option has the potential to defeat normal
          IRIX security, any program used in this way must be designed
          and tested very carefully. Not supported when PAM is enabled.

     LOCKOUT=
          If nonzero, after this number of consecutive unsuccessful login
          attempts by the same user, counted across all instances of xdm
          and login, lock the account by invoking passwd -l username.
          Note that this feature allows a denial of service attack that
          may require booting from the miniroot to fix, as even the root
          account can be locked out.

     LOCKOUTEXEMPT=
          If LOCKOUT is greater than zero, the users listed in
          LOCKOUTEXEMPT will NOT be subject to the LOCKOUT option.
          Usernames are separated by spaces, the list must be terminated
          by end-of-line, and the maximum list length is 240 characters.
          LOCKOUTEXEMPT is ignored unless LOCKOUT is enabled and the list
          is not empty.
          Including privileged accounts (such as root) in the
          LOCKOUTEXEMPT list is not recommended, as it allows an
          indefinite number of attacks on the exempt accounts. Also, if
          LOCKOUTEXEMPT is enabled, the /etc/default/login file should be
          given mode 400 or 600 to prevent unauthorized viewing of and/or
          tampering with the LOCKOUTEXEMPT list.

     MACREMOTE=SESSION
          If SESSION, the session label of a remote login session is
          always the same as that of the current login session. If
          CLEARANCE, the default and permitted session labels of a remote
          login session become those specified in clearance(4).

     At some installations, you may be required to enter a dialup password
     for dialup connections as well as a login password. In this case, the
     prompt for the dialup password is:

          Dialup Password:

     (The dialup password is not supported when PAM is enabled.) Both
     passwords are required for a successful login.

     For remote logins over the network, the following sequence is
     performed by login before prompting for a username or password:

     +    If PAM is disabled, the file /etc/nologin disables remote logins
          if it exists; login prints the contents of this file before
          disconnecting the session. If PAM is enabled, login skips the
          /etc/nologin check and depends on the configuration of the
          pam_nologin module (see pam(8)) in /etc/pam.d/login.

     +    login prints the contents of /etc/issue (if present).

     The system can be configured to automate the login process after a
     system restart. When the file /etc/autologin exists and contains a
     valid user name, the system logs in as the specified user without
     prompting for a user name or password. The automatic login takes
     place only after a system restart; once the user logs out, the normal
     interactive login session is used until the next restart. This is
     intended to be used at sites where the normal security mechanisms
     provided by login are not needed or desired.
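     The /etc/default/login settings above carry several rules that are
     easy to get wrong by hand: the no-whitespace syntax (with
     LOCKOUTEXEMPT as the one space-separated exception), the maxima for
     TIMEOUT, SLEEPTIME and LOGFAILURES, the forbidden CONSOLE devices,
     the 240-character LOCKOUTEXEMPT limit, and the page's advice about
     root in LOCKOUTEXEMPT and the file mode. The following checker is an
     added example written for this page, not part of IRIX or of login
     itself; it reads the file as text and reports violations of those
     stated rules. The sample configuration and its deliberate mistakes
     are constructed here, and treating "#" lines as comments is an
     assumption the page does not make.

```python
import re

# Added example, not IRIX code: parse /etc/default/login and flag settings
# that violate the limits and warnings given on the login(1) page.

NUMERIC_MAX = {"TIMEOUT": 900, "SLEEPTIME": 60, "LOGFAILURES": 20}
INTEGER_KEYS = ("TIMEOUT", "SLEEPTIME", "LOGFAILURES", "DISABLETIME",
                "MAXTRYS", "IDLEWEEKS", "LOCKOUT")
YES_NO_KEYS = ("PASSREQ", "MANDPASS", "ALTSHELL", "INITGROUPS", "SVR4_SIGNALS")
ENUM_KEYS = {"SYSLOG": ("FAIL", "ALL"), "MACREMOTE": ("SESSION", "CLEARANCE")}
FORBIDDEN_CONSOLE = ("/dev/syscon", "/dev/systty")
MAX_EXEMPT_LEN = 240


def parse_login_defaults(text):
    """Return (values, errors). Lines are KEY=value with no whitespace;
    LOCKOUTEXEMPT is the documented exception, a space-separated user list.
    Skipping '#' lines is an assumption, not something the page states."""
    values, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key or re.search(r"\s", key):
            errors.append(f"error: line {lineno}: expected KEY=value, got {line!r}")
        elif key != "LOCKOUTEXEMPT" and re.search(r"\s", value):
            errors.append(f"error: line {lineno}: whitespace not permitted in {key}")
        else:
            values[key] = value
    return values, errors


def check_login_defaults(values, file_mode=None):
    """Return 'error: ...' and 'warning: ...' strings for parsed values.
    file_mode is the file's st_mode (e.g. 0o644); it only matters when
    LOCKOUTEXEMPT is set, where the page recommends mode 400 or 600."""
    findings, ints = [], {}
    for key in INTEGER_KEYS:
        if key in values:
            try:
                ints[key] = int(values[key])
            except ValueError:
                findings.append(f"error: {key} must be an integer, got {values[key]!r}")
    for key, limit in NUMERIC_MAX.items():
        if key in ints and ints[key] > limit:
            findings.append(f"error: {key}={ints[key]} exceeds maximum {limit}")
    for key in YES_NO_KEYS:
        if key in values and values[key] not in ("YES", "NO"):
            findings.append(f"error: {key} must be YES or NO, got {values[key]!r}")
    for key, allowed in ENUM_KEYS.items():
        if key in values and values[key] not in allowed:
            findings.append(f"error: {key} must be one of {allowed}")
    if values.get("CONSOLE") in FORBIDDEN_CONSOLE:
        findings.append("error: CONSOLE must not be /dev/syscon or /dev/systty")
    if "UMASK" in values and not re.fullmatch(r"[0-7]+", values["UMASK"]):
        findings.append("error: UMASK must be octal")
    if ints.get("MAXTRYS") == 0:
        findings.append("warning: MAXTRYS=0 allows unlimited attempts per login")
    lockout = ints.get("LOCKOUT", 0)
    if lockout > 0:
        findings.append("warning: LOCKOUT locks accounts with passwd -l; "
                        "this can be used for denial of service, root included")
    exempt_raw = values.get("LOCKOUTEXEMPT", "")
    exempt = exempt_raw.split()
    if exempt:
        if len(exempt_raw) > MAX_EXEMPT_LEN:
            findings.append(f"error: LOCKOUTEXEMPT exceeds {MAX_EXEMPT_LEN} characters")
        if lockout <= 0:
            findings.append("warning: LOCKOUTEXEMPT is ignored unless LOCKOUT is enabled")
        if "root" in exempt:
            findings.append("warning: root in LOCKOUTEXEMPT permits unlimited attempts on root")
        if file_mode is not None and file_mode & 0o077:
            findings.append("warning: file should be mode 400 or 600 when LOCKOUTEXEMPT is set")
    return findings


# Constructed sample with several deliberate mistakes for the checker to find.
SAMPLE = """\
CONSOLE=/dev/syscon
PASSREQ=YES
TIMEOUT=1200
SLEEPTIME=1
UMASK=022
SYSLOG=ALL
MAXTRYS=3
LOGFAILURES=3
LOCKOUT=5
LOCKOUTEXEMPT=root operator
DISABLETIME = 20
"""


def audit(text, file_mode=None):
    """Parse and check in one step; returns the combined list of findings."""
    values, errors = parse_login_defaults(text)
    return errors + check_login_defaults(values, file_mode)


if __name__ == "__main__":
    for finding in audit(SAMPLE, file_mode=0o644):
        print(finding)
```

     Run against the sample it reports the forbidden CONSOLE device, the
     TIMEOUT above 900, the whitespace on the DISABLETIME line, and the
     three warnings the page itself motivates (LOCKOUT denial of service,
     root in LOCKOUTEXEMPT, and a world-readable file while LOCKOUTEXEMPT
     is in use). To audit a real file, pass the text of /etc/default/login
     and os.stat(path).st_mode.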
     If you make five incorrect login attempts, all five are logged in
     /var/adm/loginlog (if it exists) and the TTY line is dropped.

     /etc/autologin.TTYLINE is like /etc/autologin except that it is used
     by getty(1M) when initiating a terminal session for the device named
     by TTYLINE, and it will prompt for a password. For example,
     /etc/autologin.ttyd1 will control the login processes on /dev/ttyd1.

     If you do not complete the login successfully within a certain period
     of time (by default, 20 seconds), you are likely to be silently
     disconnected.

     After a successful login, accounting files are updated, the
     /etc/profile script is executed, the time you last logged in is
     printed (unless a file .hushlogin is present in the user's home
     directory), /etc/motd is printed, the user ID, group ID,
     supplementary group list, working directory, and command interpreter
     (usually sh) are initialized, and the file .profile in the working
     directory is executed, if it exists. The name of the command
     interpreter is - followed by the last component of the interpreter's
     pathname (for example, -sh). If this field in the password file is
     empty, the default command interpreter, /usr/bin/sh, is used.

     If the shell field is *, the named directory becomes the root
     directory: a chroot(2) is done to the home directory, and the home
     directory is therefore the starting point (/) for path searches for
     pathnames beginning with a /. At that point login is re-executed
     following the chroot(2). At the very least, this root structure must
     include the files listed below, with usr/lib32/libc.so.1 normally
     being a symlink to ../../lib32/libc.so.1. A home directory must also
     exist, as well as the shell for the user(s) being chroot'ed. It is
     possible to have the shell, password, and home directory be different
     in the new environment. In this example, the shell used is /sbin/csh,
     and the home directory is /usr/people/olson.
     Given the following password entry, the directories and files listed
     below would exist below the directory /home/secure.

     Entry in /etc/passwd:

          olson:hl0njohzc0uC2:2117:10:Dave Olson:/home/secure:*

     Entry in /home/secure/etc/passwd:

          olson:am34670a63463:2117:10:Dave Olson:/usr/people/olson:/sbin/csh

     Directories and files below /home/secure:

          dev:               tty  zero
          etc:               group  passwd
          lib32:             libc.so.1  rld
          sbin:              csh
          usr/bin:           login
          usr/lib32:         libc.so.1@  libcrypt.so  libgen.so  libpthread.so
          usr/people/olson:  .cshrc

     These files allow login to execute correctly, but you may also need
     to include additional files or applications that the user is allowed
     to execute. Since these applications can in turn rely on additional
     shared libraries, it may also be necessary to place additional shared
     objects in /usr/lib32. See the ftpd(1M) reference page for more
     information about setting up a root environment.

     The basic environment is initialized to:

          HOME=your-login-directory
          LOGNAME=your-login-name
          PATH=/usr/bin
          SHELL=last-field-of-passwd-entry
          MAIL=/usr/mail/your-login-name
          LANG=language-specification
          TZ=timezone-specification

     The environment can be expanded or modified by supplying additional
     arguments when login prints the prompt requesting the user's login
     name. The arguments can take either of two forms: xxx or xxx=yyy.
     Arguments without an equal sign are placed in the environment as

          Ln=xxx

     where n is a number that starts at 0 and is incremented each time a
     new variable name is required. Variables containing = are placed in
     the environment without modification. If such a variable is already
     defined, the new value replaces the old value.
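     A chroot login root that is missing one of the files above fails in
     ways that are hard to diagnose from inside the jail, so it is worth
     checking the tree before the account is used. The script below is an
     added example for this page, not IRIX or login code: it takes the
     user's entry from the chroot's own etc/passwd, derives the home
     directory and shell from it (using the page's /usr/bin/sh default
     when the shell field is empty), and reports which of the required
     paths are absent under the root. The file list mirrors the page's
     example for /home/secure and user olson; the "exists" parameter is
     injectable so the check runs here against a constructed file set,
     and against a real directory when called with the default.

```python
import os

# Added example, not IRIX code: check that a chroot login root contains the
# minimum file set from the login(1) page, plus the shell and home directory
# named in the chroot's own passwd entry.

# Minimum file set from the reference page, relative to the chroot root.
# usr/lib32/libc.so.1 is normally a symlink to ../../lib32/libc.so.1; this
# check only verifies that the path exists, not where the link points.
REQUIRED_FILES = [
    "dev/tty", "dev/zero",
    "etc/group", "etc/passwd",
    "lib32/libc.so.1", "lib32/rld",
    "usr/bin/login",
    "usr/lib32/libc.so.1", "usr/lib32/libcrypt.so",
    "usr/lib32/libgen.so", "usr/lib32/libpthread.so",
]


def parse_passwd_entry(entry):
    """Return (name, home, shell) from a passwd(4) line; shell may be empty."""
    fields = entry.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd entry: {entry!r}")
    name, _pw, _uid, _gid, _gecos, home, shell = fields
    return name, home, shell


def chroot_requirements(inner_entry):
    """Relative paths that must exist under the chroot root for the user in
    inner_entry (the entry in <root>/etc/passwd, not the outer /etc/passwd)."""
    _name, home, shell = parse_passwd_entry(inner_entry)
    # The page names /usr/bin/sh as the default when the shell field is empty.
    shell = shell or "/usr/bin/sh"
    wanted = list(REQUIRED_FILES)
    wanted.append(home.lstrip("/"))   # home directory must exist in the jail
    wanted.append(shell.lstrip("/"))  # as must the user's shell binary
    return wanted


def missing_chroot_files(root, inner_entry, exists=os.path.exists):
    """Return the required paths (relative to root) that are absent.
    'exists' defaults to a real filesystem check but can be replaced so the
    logic can be exercised against a constructed file list."""
    return [rel for rel in chroot_requirements(inner_entry)
            if not exists(os.path.join(root, rel))]


# Constructed inputs mirroring the page's example (/home/secure, user olson).
INNER_ENTRY = "olson:am34670a63463:2117:10:Dave Olson:/usr/people/olson:/sbin/csh"
PRESENT = {os.path.join("/home/secure", rel) for rel in REQUIRED_FILES
           if rel != "usr/lib32/libcrypt.so"}
PRESENT |= {"/home/secure/usr/people/olson", "/home/secure/sbin/csh"}


def demo():
    """Check the constructed tree; libcrypt.so was left out on purpose."""
    return missing_chroot_files("/home/secure", INNER_ENTRY,
                                exists=PRESENT.__contains__)


if __name__ == "__main__":
    for rel in demo():
        print("missing:", rel)
```

     On a live system call missing_chroot_files("/home/secure", entry)
     with the line read from /home/secure/etc/passwd; an empty list means
     the minimum set is present, after which the additional programs and
     shared objects the page mentions still need to be checked by hand.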
     To prevent users who log in to restricted shell environments from
     spawning secondary shells that are not restricted, the following
     environment variables cannot be changed:

          HOME
          IFS
          LOGNAME
          PATH
          SHELL

     Attempts to set environment variables beginning with the following
     strings (see the rld(1) reference page) are ignored, and such
     attempts are logged via syslogd:

          _RLD
          LD_LIBRARY

     login understands simple, single-character quoting conventions.
     Typing a backslash in front of a character quotes it and allows the
     inclusion of such characters as spaces and tabs.

     The capability set and MAC label of a Trusted IRIX login session can
     also be modified by supplying the CAP (see capability(4)) and MAC
     (see dominance(5)) arguments in addition to the login name. The
     arguments take the following form:

          CAP=capability-set
          MAC=MAC-label

     For example, the following login prompt will set the MAC label of
     the login shell to userlow with all capabilities:

          login: username MAC=userlow CAP=all+eip
          password:

     To enable dial-in line password protection, two files are required.
     The file /etc/dialups must contain the name of any dialup ports (for
     example, /dev/ttyd2) that require password protection. These are
     specified one per line. The second file, /etc/d_passwd, consists of
     lines with the following format:

          shell:password:

     This file is scanned when the user logs in, and if the shell portion
     of any line matches the command interpreter that the user gets, the
     user is prompted for an additional dialin password, which is encoded
     and compared to that specified in the password portion of the line.
     If the command interpreter cannot be found, the entry for the default
     shell, /sbin/sh (or, for compatibility with existing configurations,
     /bin/sh), is used. (If both are present, the last one in the file is
     used.) If there is no such entry, no dialup password is required. In
     other words, the /etc/d_passwd entry for /sbin/sh is the default.
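     The argument handling described above (Ln numbering for bare words,
     replacement of existing values, the five variables that cannot be
     changed, the _RLD and LD_LIBRARY prefixes that are dropped and
     logged, and backslash quoting) is worth seeing end to end, because
     the rejected attempts are exactly what an administrator should expect
     to find in syslog. The following is an added example written for
     this page, not login's own code: it tokenizes the text typed after
     the login name and applies it to a constructed base environment,
     returning the resulting environment together with the rejected
     (name, reason) pairs. It does not model the Trusted IRIX CAP and MAC
     arguments, which would be passed through here as ordinary variables.

```python
# Added example, not IRIX code: apply the extra arguments typed at the
# 'login:' prompt to the session environment, following the login(1) rules.

PROTECTED = ("HOME", "IFS", "LOGNAME", "PATH", "SHELL")
LOGGED_PREFIXES = ("_RLD", "LD_LIBRARY")


def split_login_args(text):
    """Tokenize the text after the login name. A backslash quotes the next
    character, so 'a\\ b' is one argument containing a space."""
    args, current, quote_next = [], [], False
    for ch in text:
        if quote_next:
            current.append(ch)
            quote_next = False
        elif ch == "\\":
            quote_next = True
        elif ch in " \t":
            if current:
                args.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        args.append("".join(current))
    return args


def apply_login_args(base_env, args):
    """Return (env, rejected). env is a copy of base_env with the arguments
    applied; rejected holds (name, reason) pairs for arguments login refuses.
    The _RLD/LD_LIBRARY entries are the attempts the page says syslogd logs."""
    env = dict(base_env)
    rejected = []
    positional = 0
    for arg in args:
        if "=" in arg:
            name, value = arg.split("=", 1)
        else:
            # Bare words become L0=xxx, L1=xxx, ... in order of appearance.
            name, value = f"L{positional}", arg
            positional += 1
        if name in PROTECTED:
            rejected.append((name, "cannot be changed at login"))
        elif name.startswith(LOGGED_PREFIXES):
            rejected.append((name, "ignored and logged via syslogd"))
        else:
            env[name] = value  # a new value replaces any old one
    return env, rejected


# Constructed base environment, as login would initialize it for user olson.
BASE_ENV = {
    "HOME": "/usr/people/olson",
    "LOGNAME": "olson",
    "PATH": "/usr/bin",
    "SHELL": "/sbin/csh",
}


def demo():
    """A constructed prompt line mixing accepted and rejected arguments."""
    line = r"TERM=vt100 PATH=/tmp foo bar\ baz _RLD_LIST=x.so LD_LIBRARY_PATH=/tmp TERM=xterm"
    return apply_login_args(BASE_ENV, split_login_args(line))


if __name__ == "__main__":
    env, rejected = demo()
    for name in sorted(env):
        print(f"{name}={env[name]}")
    for name, reason in rejected:
        print(f"rejected {name}: {reason}")
```

     In the demo PATH keeps its initialized value, TERM ends up as xterm
     because the later assignment replaces the earlier one, foo becomes
     L0 and the quoted "bar baz" becomes L1 as a single value, and the
     two loader variables are reported rather than set.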
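     The /etc/d_passwd lookup has three cases that are easy to confuse:
     the port must be listed in /etc/dialups at all, an entry for the
     user's own shell takes precedence, and otherwise the /sbin/sh or
     /bin/sh entry applies with the last one in the file winning. The
     function below is an added example for this page, not login's code,
     and resolves which encoded password (if any) a dialup login must
     match; the actual encoding and comparison of the typed password is
     outside its scope. The sample /etc/dialups and /etc/d_passwd contents
     are constructed, with placeholder strings in the password fields.
     Taking the last matching entry for a non-default shell is an
     assumption by analogy with the documented default-shell rule.

```python
# Added example, not IRIX code: resolve which /etc/d_passwd entry applies to
# a dialup login, following the lookup rules on the login(1) page.

DEFAULT_SHELLS = ("/sbin/sh", "/bin/sh")


def parse_d_passwd(text):
    """Return (shell, encoded_password) pairs in file order.
    Lines are 'shell:password:'; blank lines are skipped, and a line with
    fewer than two fields is rejected rather than silently ignored."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"/etc/d_passwd line {lineno}: expected shell:password:")
        entries.append((fields[0], fields[1]))
    return entries


def dialup_password_entry(port, shell, dialups_text, d_passwd_text):
    """Return the encoded dialup password the user must match, or None when
    no dialup password is required.

    port  - the tty the user came in on, e.g. /dev/ttyd2
    shell - the command interpreter the user gets from passwd(4)
    """
    protected_ports = {l.strip() for l in dialups_text.splitlines() if l.strip()}
    if port not in protected_ports:
        return None
    entries = parse_d_passwd(d_passwd_text)
    # Exact match on the user's shell first. The page says "any line
    # matches"; taking the last of several matches is an assumption by
    # analogy with the documented default-shell rule.
    matches = [pw for sh, pw in entries if sh == shell]
    if matches:
        return matches[-1]
    # Otherwise the default-shell entry applies: /sbin/sh or /bin/sh, and
    # when both are present the last one in the file is used.
    defaults = [pw for sh, pw in entries if sh in DEFAULT_SHELLS]
    return defaults[-1] if defaults else None


# Constructed sample files; the password fields are placeholders, not real
# encoded passwords.
DIALUPS = "/dev/ttyd2\n/dev/ttyd3\n"
D_PASSWD = """\
/bin/sh:OLD_DEFAULT_HASH:
/sbin/csh:CSH_HASH:
/sbin/sh:NEW_DEFAULT_HASH:
"""


def demo():
    """The three cases: own-shell entry, default fallback, unlisted port."""
    return {
        "csh on protected port": dialup_password_entry("/dev/ttyd2", "/sbin/csh", DIALUPS, D_PASSWD),
        "ksh falls back to default": dialup_password_entry("/dev/ttyd3", "/bin/ksh", DIALUPS, D_PASSWD),
        "console port not listed": dialup_password_entry("/dev/console", "/sbin/csh", DIALUPS, D_PASSWD),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

     The second case is the one to check when auditing a configuration:
     a shell with no entry of its own silently inherits the /sbin/sh
     entry, and if neither default entry exists, no dialup password is
     asked for on that port at all.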
NOTES
     Autologin is controlled by the existence of the /etc/autologin.on
     file. The file is normally created at boot time to automate the login
     process and then removed by login to disable the autologin process
     for succeeding terminal sessions.

     In the default configuration, encrypted passwords for users are kept
     in the system password file, /etc/passwd, which is a text file and is
     readable by any system user. The program pwconv(1M) can be used by
     the system administrator to activate the shadow password mechanism.
     When shadow passwords are enabled, the encrypted passwords are kept
     only in /etc/shadow, a file that is only readable by the superuser.
     Refer to the pwconv(1M) reference page for more information about
     shadow passwords.

FILES
     /etc/dialups
     /etc/d_passwd
     /etc/motd                   message of the day
     /etc/passwd                 password file
     /etc/shadow                 shadow password file
     /etc/profile                system profile
     $HOME/.profile              user's login profile
     $HOME/.lang                 user's login language specification
     /usr/lib/iaf/scheme         login authentication scheme
     /var/adm/lastlog            time of last login
     /var/adm/loginlog           record of failed login attempts
     /var/adm/utmp               accounting
     /var/adm/wtmp               accounting
     /etc/default/login          to determine default behavior
     /var/mail/login_name        mailbox for user login_name
     /usr/lib/locale/locale/LC_MESSAGES/uxcore
                                 language-specific message file (see LANG
                                 in environ(5))
     /etc/config/pam             to determine whether PAM is enabled

SEE ALSO
     mail(1), newgrp(1), pwconv(1M), rexecd(1M), rshd(1M), sh(1), su(1M),
     capability(4), dominance(5), loginlog(4), passwd(4), profile(4),
     shadow(4), environ(5), pam(8).

DIAGNOSTICS
     The message

          UX:login: ERROR: Login incorrect

     is printed if the user name or the password cannot be matched or if
     the user's login account has expired or remained inactive for a
     period greater than the system threshold.

     The message

          UX:login: ioctl() failed: TCSETA

     is printed if the tty line does not support a requested baud rate
     (specified for remote logins). A similar message is also sent to
     syslog. See serial(7) for information on which baud rates are
     supported.