LOGIN(1) Linux Programmer's Manual LOGIN(1)

NAME
login - sign on

SYNOPSIS
login [ name ]
login -p
login -h hostname
login -f name

DESCRIPTION
login is used when signing onto a system.

If an argument is not given, login prompts for the username.

If the user is not root, and if /etc/nologin exists, the contents of
this file are printed to the screen, and the login is terminated. This
is typically used to prevent logins when the system is being taken
down.

If special access restrictions are specified for the user in
/etc/usertty, these must be met, or the login attempt will be denied
and a syslog message will be generated. See the section on "Special
Access Restrictions".

If the user is root, then the login must be occurring on a tty listed
in /etc/securetty. Failures will be logged with the syslog facility.

After these conditions have been checked, the password will be
requested and checked (if a password is required for this username).
Ten attempts are allowed before login dies, but after the first three,
the response starts to get very slow. Login failures are reported via
the syslog facility. This facility is also used to report any
successful root logins.

If the file .hushlogin exists, then a "quiet" login is performed (this
disables the checking of mail and the printing of the last login time
and message of the day). Otherwise, if /var/log/lastlog exists, the
last login time is printed (and the current login is recorded).

Random administrative things, such as setting the UID and GID of the
tty, are performed. The TERM environment variable is preserved, if it
exists (other environment variables are preserved if the -p option is
used). Then the HOME, PATH, SHELL, TERM, MAIL, and LOGNAME environment
variables are set. PATH defaults to /usr/local/bin:/bin:/usr/bin for
normal users, and to
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin for root.
Last, if this is not a "quiet" login, the message of the day is printed
and the file with the user's name in /var/spool/mail will be checked,
and a message printed if it has non-zero length.

The user's shell is then started. If no shell is specified for the
user in /etc/passwd, then /bin/sh is used. If there is no directory
specified in /etc/passwd, then / is used (the home directory is checked
for the .hushlogin file described above).

OPTIONS
-p Used by getty(8) to tell login not to destroy the environment.

-f Used to skip a second login authentication. This specifically
does not work for root, and does not appear to work well under
Linux.

-h Used by other servers (e.g., telnetd(8)) to pass the name of the
remote host to login so that it may be placed in utmp and wtmp.
Only the superuser may use this option.

Note that the -h option has an impact on the PAM service name. The
standard service name is "login"; with the -h option the name is
"remote". It is necessary to create proper PAM config files for both
(e.g. /etc/pam.d/login and /etc/pam.d/remote).

SPECIAL ACCESS RESTRICTIONS
The file /etc/securetty lists the names of the ttys where root is
allowed to log in. One name of a tty device without the /dev/ prefix
must be specified on each line. If the file does not exist, root is
allowed to log in on any tty.

On most modern Linux systems PAM (Pluggable Authentication Modules) is
used. On systems that do not use PAM, the file /etc/usertty specifies
additional access restrictions for specific users. If this file does
not exist, no additional access restrictions are imposed. The file
consists of a sequence of sections. There are three possible section
types: CLASSES, GROUPS and USERS. A CLASSES section defines classes of
ttys and hostname patterns; a GROUPS section defines allowed ttys and
hosts on a per-group basis; and a USERS section defines allowed ttys
and hosts on a per-user basis.

Each line in this file may be no longer than 255 characters. Comments
start with the # character and extend to the end of the line.

The CLASSES Section
A CLASSES section begins with the word CLASSES at the start of a line
in all upper case. Each following line until the start of a new section
or the end of the file consists of a sequence of words separated by
tabs or spaces. Each line defines a class of ttys and host patterns.

The word at the beginning of a line becomes defined as a collective
name for the ttys and host patterns specified in the rest of the line.
This collective name can be used in any subsequent GROUPS or USERS
section. A class name must not occur within the definition of a
class, in order to avoid problems with recursive classes.

An example CLASSES section:

CLASSES
myclass1 tty1 tty2
myclass2 tty3 @.foo.com

This defines the classes myclass1 and myclass2 as the corresponding
right hand sides.

The GROUPS Section
A GROUPS section defines allowed ttys and hosts on a per Unix group
basis. If a user is a member of a Unix group according to /etc/passwd
and /etc/group, and such a group is mentioned in a GROUPS section in
/etc/usertty, then the user is granted access if the group is.

A GROUPS section starts with the word GROUPS in all upper case at the
start of a line, and each following line is a sequence of words
separated by spaces or tabs. The first word on a line is the name of the
group, and the rest of the words on the line specify the ttys and
hosts where members of that group are allowed access. These
specifications may involve the use of classes defined in previous
CLASSES sections.

An example GROUPS section:

GROUPS
sys tty1 @.bar.edu
stud myclass1 tty4

This example specifies that members of group sys may log in on tty1 and
from hosts in the bar.edu domain. Users in group stud may log in from
hosts/ttys specified in the class myclass1 or from tty4.

The USERS Section
A USERS section starts with the word USERS in all upper case at the
start of a line, and each following line is a sequence of words
separated by spaces or tabs. The first word on a line is a username and
that user is allowed to log in on the ttys and from the hosts mentioned
on the rest of the line. These specifications may involve classes
defined in previous CLASSES sections. If no section header is
specified at the top of the file, the first section defaults to be a
USERS section.

An example USERS section:

USERS
zacho tty1 @130.225.16.0/255.255.255.0
blue tty3 myclass2

This lets the user zacho log in only on tty1 and from hosts with IP
addresses in the range 130.225.16.0 - 130.225.16.255, and user blue is
allowed to log in from tty3 and whatever is specified in the class
myclass2.

There may be a line in a USERS section starting with a username of *.
This is a default rule and it will be applied to any user not matching
any other line.

If both a USERS line and a GROUPS line match a user, then the user is
allowed access from the union of all the ttys/hosts mentioned in these
specifications.
Origins
The tty and host pattern specifications used in the definition of
classes, groups and users are called origins. An origin string may
have one of these formats:

o The name of a tty device without the /dev/ prefix, for example
tty1 or ttyS0.

o The string @localhost, meaning that the user is allowed to
telnet/rlogin from the local host to the same host. This also
allows the user to, for example, run the command: xterm -e
/bin/login.

o A domain name suffix such as @.some.dom, meaning that the user
may rlogin/telnet from any host whose domain name has the suffix
.some.dom.

o A range of IPv4 addresses, written @x.x.x.x/y.y.y.y where
x.x.x.x is the IP address in the usual dotted quad decimal
notation, and y.y.y.y is a bitmask in the same notation specifying
which bits in the address to compare with the IP address of the
remote host. For example @130.225.16.0/255.255.254.0 means that
the user may rlogin/telnet from any host whose IP address is in
the range 130.225.16.0 - 130.225.17.255.

o A range of IPv6 addresses, written @[n:n:n:n:n:n:n:n]/m, is
interpreted as a [net]/prefixlen pair. An IPv6 host address is
matched if the first prefixlen bits of net are equal to the first
prefixlen bits of the address. For example, the [net]/prefixlen
pattern [3ffe:505:2:1::]/64 matches every address in the range
3ffe:505:2:1:: through 3ffe:505:2:1:ffff:ffff:ffff:ffff.

Any of the above origins may be prefixed by a time specification
according to the syntax:

timespec ::= '[' <day-or-hour> [':' <day-or-hour>]* ']'
day ::= 'mon' | 'tue' | 'wed' | 'thu' | 'fri' | 'sat' | 'sun'
hour ::= '0' | '1' | ... | '23'
hourspec ::= <hour> | <hour> '-' <hour>
day-or-hour ::= <day> | <hourspec>

For example, the origin [mon:tue:wed:thu:fri:8-17]tty3 means that login
is allowed on Mondays through Fridays between 8:00 and 17:59 (5:59
pm) on tty3. This also shows that an hour range a-b includes all
moments between a:00 and b:59. A single hour specification (such as 10)
means the time span between 10:00 and 10:59.

Not specifying any time prefix for a tty or host means login from that
origin is allowed at any time. If you give a time prefix, be sure to
specify both a set of days and one or more hours or hour ranges. A time
specification may not include any white space.

If no default rule is given, then users not matching any line in
/etc/usertty are allowed to log in from anywhere, as is standard
behavior.
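The origin formats and the time prefix above, as an added example that is not util-linux code: a matcher that decides whether one origin string admits a login from a given tty, remote host, weekday and hour. It assumes the remote host is supplied as a hostname or IP string (None for a login on a local tty) and that an @localhost origin is presented as a loopback name or address.

```python
import ipaddress
import re
DAYS = {"mon", "tue", "wed", "thu", "fri", "sat", "sun"}

def parse_timespec(origin):
    """Split '[mon:fri:8-17]tty3' into (days, [(8, 17)], 'tty3'); no prefix = any time."""
    m = re.match(r"\[([^\]\s]+)\](.+)$", origin)  # no white space allowed inside []
    if not m:
        return None, None, origin
    days, hours = set(), []
    for tok in m.group(1).split(":"):
        if tok in DAYS:
            days.add(tok)
        else:  # '8-17' covers 8:00-17:59; a bare '10' covers 10:00-10:59
            lo, _, hi = tok.partition("-")
            lo, hi = int(lo), int(hi or lo)
            if not 0 <= lo <= hi <= 23:
                raise ValueError(f"bad hour spec {tok!r}")
            hours.append((lo, hi))
    if not days or not hours:  # the page requires both a day set and hours
        raise ValueError(f"time prefix needs days and hours: {origin!r}")
    return days, hours, m.group(2)

def origin_matches(origin, tty, host, weekday, hour):
    """tty: name without /dev/; host: remote name/IP, or None for a local tty login."""
    days, hours, pat = parse_timespec(origin)
    if days is not None and (weekday not in days or not any(lo <= hour <= hi for lo, hi in hours)):
        return False
    if not pat.startswith("@"):
        return pat == tty
    if host is None:
        return False
    pat = pat[1:]
    if pat == "localhost":  # assumed: local origin arrives as a loopback name/address
        return host in ("localhost", "127.0.0.1", "::1")
    if pat.startswith("."):  # domain suffix such as .some.dom
        return host.endswith(pat)
    if pat.startswith("["):  # @[net]/prefixlen: the first prefixlen bits must agree
        net, _, plen = pat[1:].partition("]/")
        try:
            return ipaddress.IPv6Address(host) in ipaddress.IPv6Network(f"{net}/{plen}", strict=False)
        except ValueError:
            return False
    net, _, mask = pat.partition("/")  # @x.x.x.x/y.y.y.y: compare the masked bits only
    try:
        a, n, mk = (int(ipaddress.IPv4Address(x)) for x in (host, net, mask))
    except ValueError:
        return False
    return a & mk == n & mk
```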

FILES
/var/run/utmp
/var/log/wtmp
/var/log/lastlog
/var/spool/mail/*
/etc/motd
/etc/passwd
/etc/nologin
/etc/usertty
/etc/pam.d/login
/etc/pam.d/remote
.hushlogin

SEE ALSO
init(8), getty(8), mail(1), passwd(1), passwd(5), environ(7),
shutdown(8)

BUGS
The undocumented BSD -r option is not supported. This may be required
by some rlogind(8) programs.

A recursive login, as used to be possible in the good old days, no
longer works; for most purposes su(1) is a satisfactory substitute.
Indeed, for security reasons, login does a vhangup() system call to
remove any possible listening processes on the tty. This is to avoid
password sniffing. If one uses the command "login", then the
surrounding shell gets killed by vhangup() because it's no longer the true
owner of the tty. This can be avoided by using "exec login" in a top-
level shell or xterm.

AUTHOR
Derived from BSD login 5.40 (5/9/89) by Michael Glad (glad@daimi.dk)
for HP-UX
Ported to Linux 0.12: Peter Orbaek (poe@daimi.aau.dk)

AVAILABILITY
The login command is part of the util-linux-ng package and is available
from ftp://ftp.kernel.org/pub/linux/utils/util-linux-ng/.

Util-linux 1.6 4 November 1996 LOGIN(1)