login(1)                         User Commands                        login(1)

NAME

       login - sign on to the system

SYNOPSIS

       login [-p] [-d device] [-R repository] [-s service]
            [-t terminal] [-u identity] [-U ruser]
            [-h hostname [terminal] | -r hostname]
            [name [environ]...]

DESCRIPTION

       The login command is used at the beginning of each terminal session to
       identify oneself to the system. login is invoked by the system when a
       connection is first established, after the previous user has terminated
       the login shell by issuing the exit command.

       If login is invoked as a command, it must replace the initial command
       interpreter. To invoke login in this fashion, type:

         exec login

       from the initial shell. The C shell and Korn shell have their own
       built-ins of login. See ksh(1), ksh93(1), and csh(1) for descriptions
       of login built-ins and usage.

       login asks for your user name, if it is not supplied as an argument,
       and your password, if appropriate. Where possible, echoing is turned
       off while you type your password, so it does not appear on the written
       record of the session.

       If you make any mistake in the login procedure, the message:

         Login incorrect

       is printed and a new login prompt appears. If you make five incorrect
       login attempts, all five can be logged in /var/adm/loginlog, if it
       exists. The TTY line is dropped.

       If password aging is turned on and the password has aged (see passwd(1)
       for more information), the user is forced to change the password. In
       this case the /etc/nsswitch.conf file is consulted to determine
       password repositories (see nsswitch.conf(4)). The password update
       configurations supported are limited to the following five cases.

           o      passwd: files

           o      passwd: files nis

           o      passwd: files nisplus

           o      passwd: compat (==> files nis)

           o      passwd: compat (==> files nisplus)

                  passwd_compat: nisplus

       Failure to comply with the configurations prevents the user from
       logging onto the system because passwd(1) fails. If you do not complete
       the login successfully within a certain period of time, it is likely
       that you are silently disconnected.

       After a successful login, accounting files are updated. Device owner,
       group, and permissions are set according to the contents of the
       /etc/logindevperm file, and the time you last logged in is printed (see
       logindevperm(4)).

       The user-ID, group-ID, supplementary group list, and working directory
       are initialized, and the command interpreter (usually ksh) is started.

       The basic environment is initialized to:

         HOME=your-login-directory
         LOGNAME=your-login-name
         PATH=/usr/bin:
         SHELL=last-field-of-passwd-entry
         MAIL=/var/mail/
         TZ=timezone-specification

       For Bourne shell and Korn shell logins, the shell executes /etc/profile
       and $HOME/.profile, if it exists.

       For the ksh93 Korn shell, an interactive shell then executes
       /etc/ksh.kshrc, followed by the file specified by the ENV environment
       variable. If $ENV is not set, this defaults to $HOME/.kshrc. For the
       ksh and /usr/xpg4/bin/sh Korn Shell, an interactive shell executes the
       file named by $ENV (no default).

       For C shell logins, the shell executes /etc/.login, $HOME/.cshrc, and
       $HOME/.login. The default /etc/profile and /etc/.login files check
       quotas (see quota(1M)), print /etc/motd, and check for mail. None of
       the messages are printed if the file $HOME/.hushlogin exists. The name
       of the command interpreter is set to - (dash), followed by the last
       component of the interpreter's path name, for example, -sh.

       If the login-shell field in the password file (see passwd(4)) is empty,
       then the default command interpreter, /usr/bin/sh, is used. If this
       field is * (asterisk), then the named directory becomes the root
       directory. At that point, login is re-executed at the new level, which
       must have its own root structure.

       The environment can be expanded or modified by supplying additional
       arguments to login, either at execution time or when login requests
       your login name. The arguments can take either the form xxx or xxx=yyy.
       Arguments without an = (equal sign) are placed in the environment as:

         Ln=xxx

       where n is a number starting at 0 and is incremented each time a new
       variable name is required. Variables containing an = (equal sign) are
       placed in the environment without modification. If they already appear
       in the environment, then they replace the older values.

       There are two exceptions: The variables PATH and SHELL cannot be
       changed. This prevents people logged into restricted shell environments
       from spawning secondary shells that are not restricted. login
       understands simple single-character quoting conventions. Typing a \
       (backslash) in front of a character quotes it and allows the inclusion
       of such characters as spaces and tabs.

       Alternatively, you can pass the current environment by supplying the -p
       flag to login. This flag indicates that all currently defined
       environment variables should be passed, if possible, to the new
       environment. This option does not bypass any environment variable
       restrictions mentioned above. Environment variables specified on the
       login line take precedence, if a variable is passed by both methods.

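The argument rules above, modelled as an added example (this is not code from login itself). The names `split_args` and `build_env` are hypothetical, the sample values are constructed, and the model assumes that the basic environment login initializes is applied over values inherited through -p.

```python
"""Model of login's environment-argument rules as this page states them."""

PROTECTED = ("PATH", "SHELL")  # the page: these two cannot be changed


def split_args(line):
    """Split on unquoted spaces/tabs; a backslash quotes the next character."""
    args, cur, quoted, started = [], [], False, False
    for ch in line:
        if quoted:
            cur.append(ch)
            quoted = False
        elif ch == "\\":
            quoted, started = True, True
        elif ch in " \t":
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


def build_env(base_env, login_args, inherited=None, pass_env=False):
    """Return (env, rejected) after applying -p and the login-line arguments.

    base_env   -- basic environment login initializes (HOME, PATH, SHELL, ...)
    login_args -- arguments that follow the user name
    inherited  -- caller's environment, consulted only when pass_env (-p) is set
    """
    env, rejected = {}, []

    def assign(name, value):
        if name in PROTECTED:
            rejected.append(name + "=" + value)  # restriction is never bypassed
        else:
            env[name] = value  # replaces any older value

    if pass_env:
        for name, value in (inherited or {}).items():
            assign(name, value)
    env.update(base_env)  # assumption of this model: login's own values win

    n = 0
    for arg in login_args:
        if "=" in arg:
            name, value = arg.split("=", 1)
            assign(name, value)  # login-line values take precedence over -p
        else:
            env["L%d" % n] = arg  # bare argument becomes L0, L1, ...
            n += 1
    return env, rejected


if __name__ == "__main__":
    # Constructed input: a restricted-shell account trying to swap PATH/SHELL.
    base = {"HOME": "/home/alice", "PATH": "/usr/bin:", "SHELL": "/usr/bin/rksh"}
    line = r"TERM=vt100 PATH=/tmp note two\ words SHELL=/usr/bin/sh"
    env, rejected = build_env(base, split_args(line))
    print(env)
    print("rejected:", rejected)
```
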

       To enable remote logins by root, edit the /etc/default/login file by
       inserting a # (pound sign) before the CONSOLE=/dev/console entry. See
       FILES.

SECURITY

       For accounts in name services which support automatic account locking,
       the account can be configured to be automatically locked (see
       user_attr(4) and policy.conf(4)) if the number of successive failed
       login attempts equals or exceeds RETRIES. Currently, only the files
       repository (see passwd(4) and shadow(4)) supports automatic account
       locking. See also pam_unix_auth(5).

       The login command uses pam(3PAM) for authentication, account
       management, session management, and password management. The PAM
       configuration policy, listed through /etc/pam.conf, specifies the
       modules to be used for login. Here is a partial pam.conf file with
       entries for the login command using the UNIX authentication, account
       management, and session management modules:

         login  auth       required  pam_authtok_get.so.1
         login  auth       required  pam_dhkeys.so.1
         login  auth       required  pam_unix_auth.so.1
         login  auth       required  pam_dial_auth.so.1

         login  account    requisite pam_roles.so.1
         login  account    required  pam_unix_account.so.1

         login  session    required  pam_unix_session.so.1

       The Password Management stack looks like the following:

         other  password   required   pam_dhkeys.so.1
         other  password   requisite  pam_authtok_get.so.1
         other  password   requisite  pam_authtok_check.so.1
         other  password   required   pam_authtok_store.so.1

       If there are no entries for the service, then the entries for the other
       service are used. If multiple authentication modules are listed, then
       the user can be prompted for multiple passwords.

       When login is invoked through rlogind or telnetd, the service name used
       by PAM is rlogin or telnet, respectively.

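An added example (not part of pam.conf or of login) that resolves which entries apply to a service name, so an administrator can see which service supplies each stack when login runs under the telnet or rlogin service name. The function names are hypothetical, the sample is built from the entries shown above, and the fallback to other is assumed to be evaluated per module type, as the password stack above implies.

```python
"""Resolve which pam.conf entries apply to a given PAM service name."""

# Constructed sample: the partial pam.conf entries shown on this page.
SAMPLE_PAM_CONF = """\
login  auth       required  pam_authtok_get.so.1
login  auth       required  pam_dhkeys.so.1
login  auth       required  pam_unix_auth.so.1
login  auth       required  pam_dial_auth.so.1
login  account    requisite pam_roles.so.1
login  account    required  pam_unix_account.so.1
login  session    required  pam_unix_session.so.1
other  password   required   pam_dhkeys.so.1
other  password   requisite  pam_authtok_get.so.1
other  password   requisite  pam_authtok_check.so.1
other  password   required   pam_authtok_store.so.1
"""

MODULE_TYPES = ("auth", "account", "session", "password")


def parse_pam_conf(text):
    """Return (service, type, control, module, options) tuples, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4:
            continue
        service, mtype, control, module = fields[:4]
        entries.append((service.lower(), mtype.lower(), control, module, fields[4:]))
    return entries


def effective_stack(entries, service, mtype):
    """Return (source, [(control, module), ...]); source is None if no stack."""
    for source in (service.lower(), "other"):
        stack = [(c, m) for s, t, c, m, _ in entries if s == source and t == mtype]
        if stack:
            return source, stack
    return None, []


def coverage_report(entries, service):
    """Map each module type to the service name that supplies its stack."""
    return {t: effective_stack(entries, service, t)[0] for t in MODULE_TYPES}


if __name__ == "__main__":
    parsed = parse_pam_conf(SAMPLE_PAM_CONF)
    for name in ("login", "telnet", "rlogin"):
        print(name, coverage_report(parsed, name))
```

With only the partial file above, the telnet and rlogin service names resolve no auth, account or session stack at all, which is the gap to look for when reviewing a pam.conf that was hardened only under the login service name.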

OPTIONS

       The following options are supported:

       -d device                 login accepts a device option, device. device
                                 is taken to be the path name of the TTY port
                                 login is to operate on. The use of the device
                                 option can be expected to improve login
                                 performance, since login does not need to
                                 call ttyname(3C). The -d option is available
                                 only to users whose UID and effective UID are
                                 root. Any other attempt to use -d causes
                                 login to quietly exit.

       -h hostname [terminal]    Used by in.telnetd(1M) to pass information
                                 about the remote host and terminal type.

                                 Terminal type as a second argument to the -h
                                 option should not start with a hyphen (-).

       -p                        Used to pass environment variables to the
                                 login shell.

       -r hostname               Used by in.rlogind(1M) to pass information
                                 about the remote host.

       -R repository             Used to specify the PAM repository that
                                 should be used to tell PAM about the
                                 "identity" (see option -u below). If no
                                 "identity" information is passed, the
                                 repository is not used.

       -s service                Indicates the PAM service name that should be
                                 used. Normally, this argument is not
                                 necessary and is used only for specifying
                                 alternative PAM service names. For example:
                                 "ktelnet" for the Kerberized telnet process.

       -u identity               Specifies the "identity" string associated
                                 with the user who is being authenticated.
                                 This usually is not the same as that user's
                                 Unix login name. For Kerberized login
                                 sessions, this is the Kerberos principal name
                                 associated with the user.

       -U ruser                  Indicates the name of the person attempting
                                 to login on the remote side of the rlogin
                                 connection. When in.rlogind(1M) is operating
                                 in Kerberized mode, that daemon processes the
                                 terminal and remote user name information
                                 prior to invoking login, so the "ruser" data
                                 is indicated using this command line
                                 parameter. Normally (non-Kerberos
                                 authenticated rlogin), the login daemon reads
                                 the remote user information from the client.

EXIT STATUS

       The following exit values are returned:

       0           Successful operation.

       non-zero    Error.

FILES

       $HOME/.cshrc           Initial commands for each csh.

       $HOME/.hushlogin       Suppresses login messages.

       $HOME/.kshrc           User's commands for interactive ksh93, if $ENV
                              is unset; executes after /etc/ksh.kshrc.

       $HOME/.login           User's login commands for csh.

       $HOME/.profile         User's login commands for sh, ksh, and ksh93.

       $HOME/.rhosts          Private list of trusted hostname/username
                              combinations.

       /etc/.login            System-wide csh login commands.

       /etc/issue             Issue or project identification.

       /etc/ksh.kshrc         System-wide commands for interactive ksh93.

       /etc/logindevperm      Login-based device permissions.

       /etc/motd              Message-of-the-day.

       /etc/nologin           Message displayed to users attempting to login
                              during machine shutdown.

       /etc/passwd            Password file.

       /etc/profile           System-wide sh, ksh, and ksh93 login commands.

       /etc/shadow            List of users' encrypted passwords.

       /usr/bin/sh            User's default command interpreter.

       /var/adm/lastlog       Time of last login.

       /var/adm/loginlog      Record of failed login attempts.

       /var/adm/utmpx         Accounting.

       /var/adm/wtmpx         Accounting.

       /var/mail/your-name    Mailbox for user your-name.

       /etc/default/login     Default value can be set for the following flags
                              in /etc/default/login. Default values are
                              specified as comments in the /etc/default/login
                              file, for example, TIMEZONE=EST5EDT.

                              TIMEZONE                Sets the TZ environment
                                                      variable of the shell
                                                      (see environ(5)).

                              HZ                      Sets the HZ environment
                                                      variable of the shell.

                              ULIMIT                  Sets the file size limit
                                                      for the login. Units are
                                                      disk blocks. Default is
                                                      zero (no limit).

                              CONSOLE                 If set, root can login
                                                      on that device only.
                                                      This does not prevent
                                                      execution of remote
                                                      commands with rsh(1).
                                                      Comment out this line to
                                                      allow login by root.

                              PASSREQ                 Determines if login
                                                      requires a non-null
                                                      password.

                              ALTSHELL                Determines if login
                                                      should set the SHELL
                                                      environment variable.

                              PATH                    Sets the initial shell
                                                      PATH variable.

                              SUPATH                  Sets the initial shell
                                                      PATH variable for root.

                              TIMEOUT                 Sets the number of
                                                      seconds (between 0 and
                                                      900) to wait before
                                                      abandoning a login
                                                      session.

                              UMASK                   Sets the initial shell
                                                      file creation mode mask.
                                                      See umask(1).

                              SYSLOG                  Determines whether the
                                                      syslog(3C) LOG_AUTH
                                                      facility should be used
                                                      to log all root logins
                                                      at level LOG_NOTICE and
                                                      multiple failed login
                                                      attempts at LOG_CRIT.

                              DISABLETIME             If present, and greater
                                                      than zero, the number of
                                                      seconds that login waits
                                                      after RETRIES failed
                                                      attempts or the PAM
                                                      framework returns
                                                      PAM_ABORT. Default is 20
                                                      seconds. Minimum is 0
                                                      seconds. No maximum is
                                                      imposed.

                              SLEEPTIME               If present, sets the
                                                      number of seconds to
                                                      wait before the login
                                                      failure message is
                                                      printed to the screen.
                                                      This is for any login
                                                      failure other than
                                                      PAM_ABORT. Another login
                                                      attempt is allowed,
                                                      providing RETRIES has not
                                                      been reached or the PAM
                                                      framework is returned
                                                      PAM_MAXTRIES. Default is
                                                      4 seconds. Minimum is 0
                                                      seconds. Maximum is 5
                                                      seconds.

                                                      Both su(1M) and
                                                      sulogin(1M) are affected
                                                      by the value of
                                                      SLEEPTIME.

                              RETRIES                 Sets the number of
                                                      retries for logging in
                                                      (see pam(3PAM)). The
                                                      default is 5. The
                                                      maximum number of
                                                      retries is 15. For
                                                      accounts configured with
                                                      automatic locking (see
                                                      SECURITY above), the
                                                      account is locked and
                                                      login exits. If
                                                      automatic locking has
                                                      not been configured,
                                                      login exits without
                                                      locking the account.

                              SYSLOG_FAILED_LOGINS    Used to determine how
                                                      many failed login
                                                      attempts are allowed by
                                                      the system before a
                                                      failed login message is
                                                      logged, using the
                                                      syslog(3C) LOG_NOTICE
                                                      facility. For example,
                                                      if the variable is set
                                                      to 0, login logs all
                                                      failed login attempts.

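An added example (not shipped with login) that audits a copy of /etc/default/login against the limits and effects documented in the list above. The function names and the sample file are constructed for illustration, and the YES/NO value spelling for PASSREQ and SYSLOG is an assumption, since this page does not list the accepted values.

```python
"""Audit an /etc/default/login file against the limits stated on this page."""

# Constructed sample; not a shipped default file.
SAMPLE = """\
#TIMEZONE=EST5EDT
#CONSOLE=/dev/console
PASSREQ=NO
TIMEOUT=1200
RETRIES=20
SLEEPTIME=4
#SYSLOG=YES
SYSLOG_FAILED_LOGINS=5
"""

# Documented ranges as (minimum, maximum); None means the page states no bound.
RANGES = {
    "TIMEOUT": (0, 900),
    "RETRIES": (None, 15),
    "SLEEPTIME": (0, 5),
    "DISABLETIME": (0, None),
}


def parse_defaults(text):
    """Return active NAME=VALUE settings; commented-out lines are inactive."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        active[name.strip()] = value.strip()
    return active


def audit(text):
    """Return a list of (setting, finding) tuples for one defaults file."""
    cfg, findings = parse_defaults(text), []
    if "CONSOLE" not in cfg:
        findings.append(("CONSOLE", "unset: root login is not limited to one device"))
    if cfg.get("PASSREQ", "").upper() == "NO":  # assumed value spelling
        findings.append(("PASSREQ", "login does not require a non-null password"))
    if cfg.get("SYSLOG", "").upper() != "YES":  # assumed value spelling
        findings.append(("SYSLOG", "not set to YES in this file; confirm that root "
                                   "logins and repeated failures reach syslog"))
    for name, (low, high) in RANGES.items():
        if name not in cfg:
            continue
        try:
            value = int(cfg[name])
        except ValueError:
            findings.append((name, "not a number: %r" % cfg[name]))
            continue
        if (low is not None and value < low) or (high is not None and value > high):
            findings.append((name, "%d is outside the documented range" % value))
    return findings


if __name__ == "__main__":
    for setting, finding in audit(SAMPLE):
        print("%-10s %s" % (setting, finding))
```
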

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsu                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO

       csh(1), exit(1), ksh(1), ksh93(1), mail(1), mailx(1), newgrp(1),
       passwd(1), rlogin(1), rsh(1), sh(1), shell_builtins(1), telnet(1),
       umask(1), in.rlogind(1M), in.telnetd(1M), logins(1M), quota(1M),
       su(1M), sulogin(1M), syslogd(1M), useradd(1M), userdel(1M), pam(3PAM),
       rcmd(3SOCKET), syslog(3C), ttyname(3C), auth_attr(4), exec_attr(4),
       hosts.equiv(4), issue(4), logindevperm(4), loginlog(4), nologin(4),
       nsswitch.conf(4), pam.conf(4), passwd(4), policy.conf(4), profile(4),
       shadow(4), user_attr(4), utmpx(4), wtmpx(4), attributes(5), environ(5),
       pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
       pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
       pam_dhkeys(5), pam_passwd_auth(5), termio(7I)

DIAGNOSTICS

       Login incorrect

           The user name or the password cannot be matched.

       Not on system console

           Root login denied. Check the CONSOLE setting in /etc/default/login.

       No directory! Logging in with home=/

           The user's home directory named in the passwd(4) database cannot be
           found or has the wrong permissions. Contact your system
           administrator.

       No shell

           Cannot execute the shell named in the passwd(4) database. Contact
           your system administrator.

       NO LOGINS: System going down in N minutes

           The machine is in the process of being shut down and logins have
           been disabled.

WARNINGS

       Users with a UID greater than 76695844 are not subject to password
       aging, and the system does not record their last login time.

       If you use the CONSOLE setting to disable root logins, you should
       arrange that remote command execution by root is also disabled. See
       rsh(1), rcmd(3SOCKET), and hosts.equiv(4) for further details.

NOTES

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided by pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
       pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
       pam_dhkeys(5), and pam_passwd_auth(5).

SunOS 5.11                        7 Jan 2008                          login(1)