LOGIN(1)                    Linux Programmer's Manual                    LOGIN(1)

NAME
login - sign on

SYNOPSIS
login [ -p ] [ -h hostname ] [ -H ] [ -f username | username ]

DESCRIPTION
login is used when signing onto a system.

If an argument is not given, login prompts for the username.

If the user is not root, and if /etc/nologin exists, the contents of this file are printed to the screen, and the login is terminated. This is typically used to prevent logins when the system is being taken down.

If special access restrictions are specified for the user in /etc/usertty, these must be met, or the login attempt will be denied and a syslog message will be generated. See the section on "Special Access Restrictions".

If the user is root, then the login must be occurring on a tty listed in /etc/securetty. Failures will be logged with the syslog facility.

After these conditions have been checked, the password will be requested and checked (if a password is required for this username). Ten attempts are allowed before login dies, but after the first three, the response starts to get very slow. Login failures are reported via the syslog facility. This facility is also used to report any successful root logins.

If the file ~/.hushlogin or /etc/hushlogins exists, then a "quiet" login is performed (this disables the checking of mail and the printing of the last login time and message of the day). Otherwise, if /var/log/lastlog exists, the last login time is printed (and the current login is recorded).

Note that if the /etc/hushlogins file exists, then the last login message could be generated by PAM, for example by the setting

    session required pam_lastlog.so noupdate showfailed

in the /etc/pam.d/login file. The PAM library provides more detailed information about failed login attempts.

Random administrative things, such as setting the UID and GID of the tty, are performed. The TERM environment variable is preserved, if it exists (other environment variables are preserved if the -p option is used). Then the HOME, PATH, SHELL, TERM, MAIL, and LOGNAME environment variables are set. PATH defaults to /usr/local/bin:/bin:/usr/bin for normal users, and to /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin for root. Last, if this is not a "quiet" login, the message of the day is printed and the file with the user's name in /var/spool/mail will be checked, and a message printed if it has non-zero length.

The user's shell is then started. If no shell is specified for the user in /etc/passwd, then /bin/sh is used. If there is no directory specified in /etc/passwd, then / is used (the home directory is checked for the .hushlogin file described above).

OPTIONS
-p   Used by getty(8) to tell login not to destroy the environment.

-f   Used to skip a second login authentication. This specifically does not work for root, and does not appear to work well under Linux.

-h   Used by other servers (e.g., telnetd(8)) to pass the name of the remote host to login so that it may be placed in utmp and wtmp. Only the superuser may use this option.

     Note that the -h option has an impact on the PAM service name. The standard service name is "login"; with the -h option the name is "remote". It is necessary to create proper PAM config files (e.g. /etc/pam.d/login and /etc/pam.d/remote).

-H   Used by other servers (e.g., telnetd(8)) to tell login that printing the hostname should be suppressed in the login: prompt. See also LOGIN_PLAIN_PROMPT below if your server does not allow the login command line to be configured.

CONFIG FILE ITEMS
login reads the /etc/login.defs(5) configuration file. This support has been backported to RHEL6 and is limited to the options described below. Note that the configuration file could be distributed with another package (e.g. shadow-utils). The following configuration items are relevant for login(1):

LOGIN_PLAIN_PROMPT (boolean)
     Tell login that printing the hostname should be suppressed in the login: prompt. This is an alternative to the -H command line option. The default value is no.

SPECIAL ACCESS RESTRICTIONS
The file /etc/securetty lists the names of the ttys where root is allowed to log in. One name of a tty device without the /dev/ prefix must be specified on each line. If the file does not exist, root is allowed to log in on any tty.
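The following Python is an added example, not util-linux code, modelling the /etc/securetty rule just described: root may log in only on a tty whose name (written without the /dev/ prefix) appears on a line of the file, and a missing file permits root on every tty. The function takes the file's text as a string, with None standing for a missing file, so the cases can be exercised without touching the real file; the sample contents are constructed for the example.

```python
# Added example, not util-linux code: a model of the /etc/securetty check for root logins.

# Constructed sample contents of /etc/securetty: one tty name per line, no /dev/ prefix.
SAMPLE_SECURETTY = "console\ntty1\ntty2\n"


def root_tty_allowed(securetty_contents, tty):
    """Decide whether root may log in on `tty`.

    `securetty_contents` is the text of /etc/securetty, or None when the file
    does not exist. Per login(1), a missing file means root may log in on any
    tty, so that case is permissive; an existing file permits only the ttys it
    lists, and an empty file therefore permits none.
    """
    if securetty_contents is None:
        return True
    if tty.startswith("/dev/"):
        tty = tty[len("/dev/"):]  # entries are written without the /dev/ prefix
    listed = {line.strip() for line in securetty_contents.splitlines()}
    listed.discard("")  # blank lines are ignored (an assumption of this model)
    return tty in listed


def securetty_report(securetty_contents, ttys):
    """Map each candidate tty to its decision, for auditing a configuration."""
    return {t: root_tty_allowed(securetty_contents, t) for t in ttys}


if __name__ == "__main__":
    for tty, ok in securetty_report(SAMPLE_SECURETTY, ["tty1", "/dev/tty2", "ttyS0"]).items():
        print(f"{tty}: {'allowed' if ok else 'denied'}")
```

The two edge cases worth remembering when auditing a host are the ones the model makes explicit: an absent file fails open for root on every tty, including serial and pseudo ttys, while an empty file denies root a direct login everywhere.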

On most modern Linux systems PAM (Pluggable Authentication Modules) is used. On systems that do not use PAM, the file /etc/usertty specifies additional access restrictions for specific users. If this file does not exist, no additional access restrictions are imposed. The file consists of a sequence of sections. There are three possible section types: CLASSES, GROUPS and USERS. A CLASSES section defines classes of ttys and hostname patterns, a GROUPS section defines allowed ttys and hosts on a per group basis, and a USERS section defines allowed ttys and hosts on a per user basis.

Each line in this file may be no longer than 255 characters. Comments start with the # character and extend to the end of the line.

The CLASSES Section
A CLASSES section begins with the word CLASSES at the start of a line in all upper case. Each following line until the start of a new section or the end of the file consists of a sequence of words separated by tabs or spaces. Each line defines a class of ttys and host patterns.

The word at the beginning of a line becomes defined as a collective name for the ttys and host patterns specified in the rest of the line. This collective name can be used in any subsequent GROUPS or USERS section. No such class name may occur as part of the definition of a class, in order to avoid problems with recursive classes.

An example CLASSES section:

    CLASSES
    myclass1 tty1 tty2
    myclass2 tty3 @.foo.com

This defines the classes myclass1 and myclass2 as the corresponding right hand sides.

The GROUPS Section
A GROUPS section defines allowed ttys and hosts on a per Unix group basis. If a user is a member of a Unix group according to /etc/passwd and /etc/group, and such a group is mentioned in a GROUPS section in /etc/usertty, then the user is granted access if the group is.

A GROUPS section starts with the word GROUPS in all upper case at the start of a line, and each following line is a sequence of words separated by spaces or tabs. The first word on a line is the name of the group and the rest of the words on the line specify the ttys and hosts where members of that group are allowed access. These specifications may involve the use of classes defined in previous CLASSES sections.

An example GROUPS section:

    GROUPS
    sys tty1 @.bar.edu
    stud myclass1 tty4

This example specifies that members of group sys may log in on tty1 and from hosts in the bar.edu domain. Users in group stud may log in from hosts/ttys specified in the class myclass1 or from tty4.

The USERS Section
A USERS section starts with the word USERS in all upper case at the start of a line, and each following line is a sequence of words separated by spaces or tabs. The first word on a line is a username and that user is allowed to log in on the ttys and from the hosts mentioned on the rest of the line. These specifications may involve classes defined in previous CLASSES sections. If no section header is specified at the top of the file, the first section defaults to a USERS section.

An example USERS section:

    USERS
    zacho tty1 @130.225.16.0/255.255.255.0
    blue tty3 myclass2

This lets the user zacho log in only on tty1 and from hosts with IP addresses in the range 130.225.16.0 - 130.225.16.255, and user blue is allowed to log in from tty3 and whatever is specified in the class myclass2.

There may be a line in a USERS section starting with a username of *. This is a default rule and it will be applied to any user not matching any other line.

If both a USERS line and a GROUPS line match a user, then the user is allowed access from the union of all the ttys/hosts mentioned in these specifications.

Origins
The tty and host pattern specifications used in the specification of classes, group and user access are called origins. An origin string may have one of these formats:

o   The name of a tty device without the /dev/ prefix, for example tty1 or ttyS0.

o   The string @localhost, meaning that the user is allowed to telnet/rlogin from the local host to the same host. This also allows the user to, for example, run the command: xterm -e /bin/login.

o   A domain name suffix such as @.some.dom, meaning that the user may rlogin/telnet from any host whose domain name has the suffix .some.dom.

o   A range of IPv4 addresses, written @x.x.x.x/y.y.y.y where x.x.x.x is the IP address in the usual dotted quad decimal notation, and y.y.y.y is a bitmask in the same notation specifying which bits in the address to compare with the IP address of the remote host. For example @130.225.16.0/255.255.254.0 means that the user may rlogin/telnet from any host whose IP address is in the range 130.225.16.0 - 130.225.17.255.

o   A range of IPv6 addresses, written @[n:n:n:n:n:n:n:n]/m, is interpreted as a [net]/prefixlen pair. An IPv6 host address is matched if the prefixlen bits of net are equal to the prefixlen bits of the address. For example, the [net]/prefixlen pattern [3ffe:505:2:1::]/64 matches every address in the range 3ffe:505:2:1:: through 3ffe:505:2:1:ffff:ffff:ffff:ffff.

Any of the above origins may be prefixed by a time specification according to the syntax:

    timespec    ::= '[' <day-or-hour> [':' <day-or-hour>]* ']'
    day         ::= 'mon' | 'tue' | 'wed' | 'thu' | 'fri' | 'sat' | 'sun'
    hour        ::= '0' | '1' | ... | '23'
    hourspec    ::= <hour> | <hour> '-' <hour>
    day-or-hour ::= <day> | <hourspec>

For example, the origin [mon:tue:wed:thu:fri:8-17]tty3 means that login is allowed on Mondays through Fridays between 8:00 and 17:59 (5:59 pm) on tty3. This also shows that an hour range a-b includes all moments between a:00 and b:59. A single hour specification (such as 10) means the time span between 10:00 and 10:59.

Not specifying any time prefix for a tty or host means login from that origin is allowed at any time. If you give a time prefix, be sure to specify both a set of days and one or more hours or hour ranges. A time specification may not include any white space.

If no default rule is given, then users not matching any line in /etc/usertty are allowed to log in from anywhere, as is the standard behavior.
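The following Python is an added example, not part of util-linux, that models the evaluation of an /etc/usertty file as the section above describes it: the three section types, class expansion with a check against recursive classes, the tty, @localhost, domain-suffix, IPv4 netmask and IPv6 prefix origin forms, the time prefix, the union of USERS and GROUPS matches, the * default rule, and the permissive outcome for users that match no line. The sample file reuses the man page's own examples plus one constructed time-restricted line; class references are assumed to be bare words without a time prefix of their own, and a remote peer is described by its address string and reverse-resolved name.

```python
# Added example, not util-linux code: a model of /etc/usertty evaluation covering the
# CLASSES/GROUPS/USERS sections, every origin form login(1) lists, and the time prefix.
# Assumption: class references are bare words (no time prefix on the reference itself).
import ipaddress
from datetime import datetime

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday() order

# Constructed sample: the man page's example sections plus one time-restricted line.
SAMPLE_USERTTY = """\
CLASSES
myclass1 tty1 tty2
myclass2 tty3 @.foo.com
GROUPS
sys tty1 @.bar.edu
stud myclass1 tty4
USERS
zacho tty1 @130.225.16.0/255.255.255.0
blue tty3 myclass2
ops [mon:tue:wed:thu:fri:8-17]tty3   # constructed: weekdays, 8:00-17:59 only
"""
# Constructed instants for exercising the time prefix (2024-01-15 is a Monday).
MONDAY_9, MONDAY_18 = datetime(2024, 1, 15, 9), datetime(2024, 1, 15, 18)
SATURDAY_9 = datetime(2024, 1, 13, 9)


def parse_usertty(text):
    """Map each section to {name: [origins]}; without a header the file starts in USERS."""
    sections = {"CLASSES": {}, "GROUPS": {}, "USERS": {}}
    current = "USERS"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment running to end of line
        if not line:
            continue
        if line in sections:  # a section header on a line by itself
            current = line
            continue
        name, *origins = line.split()  # words separated by spaces or tabs
        sections[current].setdefault(name, []).extend(origins)
    return sections


def expand_classes(origins, classes, seen=()):
    """Replace class names by their definitions; a class referring to itself is rejected."""
    out = []
    for origin in origins:
        if origin in classes:
            if origin in seen:
                raise ValueError(f"recursive class {origin}")
            out.extend(expand_classes(classes[origin], classes, seen + (origin,)))
        else:
            out.append(origin)
    return out


def split_time(origin):
    """Split a leading time prefix: "[mon:8-17]tty3" -> ("mon:8-17", "tty3").
    IPv6 origins start with '@', so their own brackets are never taken for a prefix."""
    if origin.startswith("["):
        end = origin.index("]")
        return origin[1:end], origin[end + 1:]
    return None, origin


def time_allowed(timespec, when):
    """Days and hours are matched separately; a-b covers a:00 to b:59, h covers h:00 to h:59."""
    if timespec is None:
        return True
    days, hours = set(), set()
    for item in timespec.split(":"):
        if item in DAYS:
            days.add(DAYS.index(item))
        else:  # an hour or an hour range; a lone hour h is treated as the range h-h
            first, _, last = item.partition("-")
            hours.update(range(int(first), int(last or first) + 1))
    return when.weekday() in days and when.hour in hours


def origin_matches(body, tty, addr=None, host=None):
    """Match a time-stripped origin against the tty and, for remote logins, the peer's
    IP address string and reverse-resolved host name."""
    if not body.startswith("@"):
        return body == tty  # a tty name such as tty1 or ttyS0
    body = body[1:]
    if body == "localhost":  # telnet/rlogin from this host to itself
        return addr is not None and ipaddress.ip_address(addr).is_loopback
    if body.startswith("."):  # domain name suffix such as .some.dom
        return host is not None and host.endswith(body)
    if body.startswith("["):  # IPv6 [net]/prefixlen
        net, plen = body[1:].split("]/")
        network = ipaddress.IPv6Network(f"{net}/{plen}", strict=False)
    else:  # IPv4 x.x.x.x/y.y.y.y, the mask written as a dotted quad
        network = ipaddress.IPv4Network(body, strict=False)
    return addr is not None and ipaddress.ip_address(addr) in network


def login_allowed(config, user, groups, tty, when, addr=None, host=None):
    """Union of the user's USERS line and the GROUPS lines of the user's groups; the '*'
    line applies only when nothing else matched; no line at all means no restriction."""
    origins = list(config["USERS"].get(user, []))
    for group in groups:
        origins.extend(config["GROUPS"].get(group, []))
    origins = origins or list(config["USERS"].get("*", []))
    if not origins:
        return True  # login(1): users matching no line may log in from anywhere
    for origin in expand_classes(origins, config["CLASSES"]):
        timespec, body = split_time(origin)
        if time_allowed(timespec, when) and origin_matches(body, tty, addr, host):
            return True
    return False
```

Two properties worth checking on a real file fall out of running this model: a user with no matching USERS or GROUPS line and no * rule is not restricted at all, so a file that forgets the default rule only constrains the users it names; and a time prefix that lists only days or only hours leaves one of the two sets empty, so that origin never matches, which is why the man page insists on giving both.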

FILES
/var/run/utmp
/var/log/wtmp
/var/log/lastlog
/var/spool/mail/*
/etc/motd
/etc/passwd
/etc/nologin
/etc/usertty
/etc/pam.d/login
/etc/pam.d/remote
/etc/hushlogins
.hushlogin

SEE ALSO
init(8), getty(8), mail(1), passwd(1), passwd(5), environ(7), shutdown(8)

BUGS
The undocumented BSD -r option is not supported. This may be required by some rlogind(8) programs.

A recursive login, as used to be possible in the good old days, no longer works; for most purposes su(1) is a satisfactory substitute. Indeed, for security reasons, login does a vhangup() system call to remove any possible listening processes on the tty. This is to avoid password sniffing. If one uses the command "login", then the surrounding shell gets killed by vhangup() because it is no longer the true owner of the tty. This can be avoided by using "exec login" in a top-level shell or xterm.

AUTHOR
Derived from BSD login 5.40 (5/9/89) by Michael Glad (glad@daimi.dk) for HP-UX
Ported to Linux 0.12: Peter Orbaek (poe@daimi.aau.dk)

AVAILABILITY
The login command is part of the util-linux-ng package and is available from ftp://ftp.kernel.org/pub/linux/utils/util-linux-ng/.

Util-linux 1.6                    4 November 1996                        LOGIN(1)