LOGIN(1) Linux Programmer's Manual LOGIN(1)

NAME
login - sign on

SYNOPSIS
login [ name ]
login -p
login -h hostname
login -f name

DESCRIPTION
login is used when signing onto a system. It can also be used to
switch from one user to another at any time (most modern shells have
support for this feature built into them, however).

If an argument is not given, login prompts for the username.

If the user is not root, and if /etc/nologin exists, the contents of
this file are printed to the screen, and the login is terminated. This
is typically used to prevent logins when the system is being taken
down.

If special access restrictions are specified for the user in
/etc/usertty, these must be met, or the login attempt will be denied
and a syslog message will be generated. See the section on "Special
Access Restrictions".

If the user is root, then the login must be occurring on a tty listed
in /etc/securetty. Failures will be logged with the syslog facility.

After these conditions have been checked, the password will be
requested and checked (if a password is required for this username).
Ten attempts are allowed before login dies, but after the first three,
the response starts to get very slow. Login failures are reported via
the syslog facility. This facility is also used to report any
successful root logins.

If the file .hushlogin exists, then a "quiet" login is performed (this
disables the checking of mail and the printing of the last login time
and message of the day). Otherwise, if /var/log/lastlog exists, the
last login time is printed (and the current login is recorded).

Random administrative things, such as setting the UID and GID of the
tty are performed. The TERM environment variable is preserved, if it
exists (other environment variables are preserved if the -p option is
used). Then the HOME, PATH, SHELL, TERM, MAIL, and LOGNAME environment
variables are set. PATH defaults to /usr/local/bin:/bin:/usr/bin for
normal users, and to
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin for root.
Last, if this is not a "quiet" login, the message of the day is printed
and the file with the user's name in /var/spool/mail will be checked,
and a message printed if it has non-zero length.

The user's shell is then started. If no shell is specified for the
user in /etc/passwd, then /bin/sh is used. If there is no directory
specified in /etc/passwd, then / is used (the home directory is checked
for the .hushlogin file described above).

OPTIONS
-p Used by getty(8) to tell login not to destroy the environment.

-f Used to skip a second login authentication. This specifically
does not work for root, and does not appear to work well under
Linux.

-h Used by other servers (e.g., telnetd(8)) to pass the name of the
remote host to login so that it may be placed in utmp and wtmp.
Only the superuser may use this option.


SPECIAL ACCESS RESTRICTIONS
The file /etc/securetty lists the names of the ttys where root is
allowed to log in. One name of a tty device without the /dev/ prefix
must be specified on each line. If the file does not exist, root is
allowed to log in on any tty.

On most modern Linux systems PAM (Pluggable Authentication Modules) is
used. On systems that do not use PAM, the file /etc/usertty specifies
additional access restrictions for specific users. If this file does
not exist, no additional access restrictions are imposed. The file
consists of a sequence of sections. There are three possible section
types: CLASSES, GROUPS and USERS. A CLASSES section defines classes of
ttys and hostname patterns, a GROUPS section defines allowed ttys and
hosts on a per group basis, and a USERS section defines allowed ttys
and hosts on a per user basis.

Each line in this file may be no longer than 255 characters. Comments
start with a # character and extend to the end of the line.

The CLASSES Section
A CLASSES section begins with the word CLASSES at the start of a line
in all upper case. Each following line until the start of a new section
or the end of the file consists of a sequence of words separated by
tabs or spaces. Each line defines a class of ttys and host patterns.

The word at the beginning of a line becomes defined as a collective
name for the ttys and host patterns specified at the rest of the line.
This collective name can be used in any subsequent GROUPS or USERS
section. A class name must not occur as part of the definition of
another class, in order to avoid problems with recursive classes.

An example CLASSES section:

CLASSES
myclass1 tty1 tty2
myclass2 tty3 @.foo.com

This defines the classes myclass1 and myclass2 as the corresponding
right hand sides.

The GROUPS Section
A GROUPS section defines allowed ttys and hosts on a per Unix group
basis. If a user is a member of a Unix group according to /etc/passwd
and /etc/group and such a group is mentioned in a GROUPS section in
/etc/usertty then the user is granted access if the group is.

A GROUPS section starts with the word GROUPS in all upper case at the
start of a line, and each following line is a sequence of words
separated by spaces or tabs. The first word on a line is the name of the
group and the rest of the words on the line specify the ttys and
hosts where members of that group are allowed access. These
specifications may involve the use of classes defined in previous
CLASSES sections.

An example GROUPS section:

GROUPS
sys tty1 @.bar.edu
stud myclass1 tty4

This example specifies that members of group sys may log in on tty1 and
from hosts in the bar.edu domain. Users in group stud may log in from
hosts/ttys specified in the class myclass1 or from tty4.

The USERS Section
A USERS section starts with the word USERS in all upper case at the
start of a line, and each following line is a sequence of words
separated by spaces or tabs. The first word on a line is a username and
that user is allowed to log in on the ttys and from the hosts mentioned
on the rest of the line. These specifications may involve classes
defined in previous CLASSES sections. If no section header is
specified at the top of the file, the first section defaults to be a
USERS section.

An example USERS section:

USERS
zacho tty1 @130.225.16.0/255.255.255.0
blue tty3 myclass2

This lets the user zacho log in only on tty1 and from hosts with IP
addresses in the range 130.225.16.0 - 130.225.16.255, and user blue is
allowed to log in from tty3 and whatever is specified in the class
myclass2.

There may be a line in a USERS section starting with a username of *.
This is a default rule and it will be applied to any user not matching
any other line.

If both a USERS line and a GROUPS line match a user then the user is
allowed access from the union of all the ttys/hosts mentioned in these
specifications.


Origins
The tty and host pattern specifications used in the specification of
classes, group and user access are called origins. An origin string may
have one of these formats:

o The name of a tty device without the /dev/ prefix, for example
tty1 or ttyS0.

o The string @localhost, meaning that the user is allowed to
telnet/rlogin from the local host to the same host. This also
allows the user to run, for example, the command: xterm -e
/bin/login.

o A domain name suffix such as @.some.dom, meaning that the user
may rlogin/telnet from any host whose domain name has the suffix
.some.dom.

o A range of IPv4 addresses, written @x.x.x.x/y.y.y.y where
x.x.x.x is the IP address in the usual dotted quad decimal
notation, and y.y.y.y is a bitmask in the same notation specifying
which bits in the address to compare with the IP address of the
remote host. For example @130.225.16.0/255.255.254.0 means that
the user may rlogin/telnet from any host whose IP address is in
the range 130.225.16.0 - 130.225.17.255.

Any of the above origins may be prefixed by a time specification
according to the syntax:

timespec ::= '[' <day-or-hour> [':' <day-or-hour>]* ']'
day ::= 'mon' | 'tue' | 'wed' | 'thu' | 'fri' | 'sat' | 'sun'
hour ::= '0' | '1' | ... | '23'
hourspec ::= <hour> | <hour> '-' <hour>
day-or-hour ::= <day> | <hourspec>

For example, the origin [mon:tue:wed:thu:fri:8-17]tty3 means that login
is allowed on Mondays through Fridays between 8:00 and 17:59 (5:59
pm) on tty3. This also shows that an hour range a-b includes all
moments between a:00 and b:59. A single hour specification (such as 10)
means the time span between 10:00 and 10:59.

Not specifying any time prefix for a tty or host means login from that
origin is allowed any time. If you give a time prefix be sure to
specify both a set of days and one or more hours or hour ranges. A time
specification may not include any white space.

If no default rule is given then users not matching any line in
/etc/usertty are allowed to log in from anywhere, as is standard
behavior.
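The access decision described in the GROUPS, USERS and Origins passages above, as an added example that is not util-linux code: a small Python evaluator for a non-PAM /etc/usertty that parses the three sections, expands classes, takes the union of matching USERS and GROUPS lines, falls back to the * default rule, and matches origins including the time prefix, the domain suffix and the IPv4 address/mask forms. It assumes the current time is passed as (weekday, hour) with Monday = 0, that the remote host is the empty string for a login on a local tty, and that @localhost matches the literal host name "localhost"; the sample file is constructed from the page's examples.

```python
import ipaddress
SAMPLE = """CLASSES
myclass1 tty1 tty2
GROUPS
stud myclass1 tty4
USERS
zacho tty1 @130.225.16.0/255.255.255.0
blue [mon:tue:wed:thu:fri:8-17]tty3 @.foo.com
* @localhost"""  # constructed sample modelled on the page's examples, not a real system file
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
def parse_usertty(text):
    sec, cur = {"CLASSES": {}, "GROUPS": {}, "USERS": {}}, "USERS"  # no header -> USERS
    for words in (ln.split("#", 1)[0].split() for ln in text.splitlines()):  # '#' = comment
        if len(words) == 1 and words[0] in sec:
            cur = words[0]
        elif words:
            sec[cur][words[0]] = words[1:]
    return sec

def time_ok(spec, when):
    # spec is the inside of a [...] prefix such as 'mon:tue:8-17'; hours a-b cover a:00..b:59
    parts = spec.split(":")
    days = {DAYS.index(p) for p in parts if p in DAYS}
    spans = [(p.split("-") * 2)[:2] for p in parts if p not in DAYS]  # '8-17' or '10'
    hours = {h for a, b in spans for h in range(int(a), int(b) + 1)}
    return when[0] in days and when[1] in hours

def origin_matches(origin, tty, host, when):  # when = (weekday, hour), Monday = 0
    if origin.startswith("["):                              # optional time prefix
        spec, origin = origin[1:].split("]", 1)
        if not time_ok(spec, when):
            return False
    if not origin.startswith("@"):
        return origin == tty                                # bare tty name, e.g. tty1
    pat = origin[1:]
    if pat == "localhost" or pat.startswith("."):           # @localhost or @.domain suffix
        return host == pat if pat == "localhost" else host.endswith(pat)
    try:                                                    # @x.x.x.x/y.y.y.y address range
        return ipaddress.ip_address(host) in ipaddress.ip_network(pat, strict=False)
    except ValueError:                                      # host is '' on a local tty
        return False

def allowed(conf, user, groups, tty, host, when):
    sec = parse_usertty(conf)
    hits = [sec["USERS"][user]] if user in sec["USERS"] else []
    hits += [sec["GROUPS"][g] for g in groups if g in sec["GROUPS"]]  # USERS + GROUPS union
    if not hits and "*" not in sec["USERS"]:
        return True                                         # no rule, no default: allowed
    origins = [o for h in (hits or [sec["USERS"]["*"]]) for o in h]  # '*' = default rule
    return any(origin_matches(m, tty, host, when) for o in origins for m in sec["CLASSES"].get(o, [o]))
```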
216
FILES
/var/run/utmp
/var/log/wtmp
/var/log/lastlog
/var/spool/mail/*
/etc/motd
/etc/passwd
/etc/nologin
/etc/usertty
.hushlogin

SEE ALSO
init(8), getty(8), mail(1), passwd(1), passwd(5), environ(7),
shutdown(8)

BUGS
The undocumented BSD -r option is not supported. This may be required
by some rlogind(8) programs.

A recursive login, as used to be possible in the good old days, no
longer works; for most purposes su(1) is a satisfactory substitute.
Indeed, for security reasons, login does a vhangup() system call to
remove any possible listening processes on the tty. This is to avoid
password sniffing. If one uses the command "login", then the
surrounding shell gets killed by vhangup() because it's no longer the
true owner of the tty. This can be avoided by using "exec login" in a
top-level shell or xterm.

AUTHOR
Derived from BSD login 5.40 (5/9/89) by Michael Glad (glad@daimi.dk)
for HP-UX
Ported to Linux 0.12: Peter Orbaek (poe@daimi.aau.dk)



Util-linux 1.6 4 November 1996 LOGIN(1)