login(1)                         User Commands                        login(1)

NAME
     login - sign on to the system

SYNOPSIS
     login [-p] [-d device] [-R repository] [-s service]
           [-t terminal] [-u identity] [-U ruser]
           [-h hostname [terminal] | -r hostname]
           [name [environ]...]

DESCRIPTION
     The login command is used at the beginning of each terminal session to
     identify oneself to the system. login is invoked by the system when a
     connection is first established, after the previous user has terminated
     the login shell by issuing the exit command.

     If login is invoked as a command, it must replace the initial command
     interpreter. To invoke login in this fashion, type:

       exec login

     from the initial shell. The C shell and Korn shell have their own
     built-ins of login. See ksh(1), ksh93(1), and csh(1) for descriptions
     of login built-ins and usage.

     login asks for your user name, if it is not supplied as an argument,
     and your password, if appropriate. Where possible, echoing is turned
     off while you type your password, so it does not appear on the written
     record of the session.

     If you make any mistake in the login procedure, the message:

       Login incorrect

     is printed and a new login prompt appears. If you make five incorrect
     login attempts, all five can be logged in /var/adm/loginlog, if it
     exists. The TTY line is dropped.

     If password aging is turned on and the password has aged (see passwd(1)
     for more information), the user is forced to change the password. In
     this case the /etc/nsswitch.conf file is consulted to determine password
     repositories (see nsswitch.conf(4)). The password update configurations
     supported are limited to the following five cases.

         o    passwd: files

         o    passwd: files nis

         o    passwd: files nisplus

         o    passwd: compat (==> files nis)

         o    passwd: compat (==> files nisplus)

              passwd_compat: nisplus

     Failure to comply with the configurations prevents the user from
     logging onto the system because passwd(1) fails. If you do not complete
     the login successfully within a certain period of time, it is likely
     that you are silently disconnected.

     After a successful login, accounting files are updated. Device owner,
     group, and permissions are set according to the contents of the
     /etc/logindevperm file, and the time you last logged in is printed (see
     logindevperm(4)).

     The user-ID, group-ID, supplementary group list, and working directory
     are initialized, and the command interpreter (usually ksh) is started.

     The basic environment is initialized to:

       HOME=your-login-directory
       LOGNAME=your-login-name
       PATH=/usr/bin:
       SHELL=last-field-of-passwd-entry
       MAIL=/var/mail/
       TZ=timezone-specification

     For Bourne shell and Korn shell logins, the shell executes /etc/profile
     and $HOME/.profile, if it exists.

     For the ksh93 Korn shell, an interactive shell then executes
     /etc/ksh.kshrc, followed by the file specified by the ENV environment
     variable. If $ENV is not set, this defaults to $HOME/.kshrc. For the
     ksh and /usr/xpg4/bin/sh Korn Shell, an interactive shell executes the
     file named by $ENV (no default).

     For C shell logins, the shell executes /etc/.login, $HOME/.cshrc, and
     $HOME/.login. The default /etc/profile and /etc/.login files check
     quotas (see quota(1M)), print /etc/motd, and check for mail. None of the
     messages are printed if the file $HOME/.hushlogin exists. The name of
     the command interpreter is set to - (dash), followed by the last
     component of the interpreter's path name, for example, -sh.

     If the login-shell field in the password file (see passwd(4)) is empty,
     then the default command interpreter, /usr/bin/sh, is used. If this
     field is * (asterisk), then the named directory becomes the root
     directory. At that point, login is re-executed at the new level, which
     must have its own root structure.

     The environment can be expanded or modified by supplying additional
     arguments to login, either at execution time or when login requests
     your login name. The arguments can take either the form xxx or xxx=yyy.
     Arguments without an = (equal sign) are placed in the environment as:

       Ln=xxx

     where n is a number starting at 0 and is incremented each time a new
     variable name is required. Variables containing an = (equal sign) are
     placed in the environment without modification. If they already appear
     in the environment, then they replace the older values.

     There are two exceptions: The variables PATH and SHELL cannot be
     changed. This prevents people logged into restricted shell environments
     from spawning secondary shells that are not restricted. login
     understands simple single-character quoting conventions. Typing a \
     (backslash) in front of a character quotes it and allows the inclusion
     of such characters as spaces and tabs.

     Alternatively, you can pass the current environment by supplying the -p
     flag to login. This flag indicates that all currently defined
     environment variables should be passed, if possible, to the new
     environment. This option does not bypass any environment variable
     restrictions mentioned above. Environment variables specified on the
     login line take precedence, if a variable is passed by both methods.

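The argument rules described above (Ln=xxx numbering, replacement of existing values, the PATH and SHELL exceptions, and backslash quoting) can be modelled in a few lines. This is an added example, not code from login or from the original page; the function names, the rejected list, and the sample account are assumptions made for illustration.

```python
# Added illustration: models the argument rules described above.
# It is not login's source; the "rejected" list is an assumption made
# so the refused names are visible to the caller.
PROTECTED = {"PATH", "SHELL"}  # the two variables that cannot be changed


def split_login_line(line):
    """Split a login line into words, honoring backslash quoting."""
    words, cur, quoted, in_word = [], [], False, False
    for ch in line:
        if quoted:                      # previous char was a backslash
            cur.append(ch)
            quoted = False
        elif ch == "\\":
            quoted, in_word = True, True
        elif ch in " \t":
            if in_word:
                words.append("".join(cur))
                cur, in_word = [], False
        else:
            cur.append(ch)
            in_word = True
    if in_word:
        words.append("".join(cur))
    return words


def apply_login_args(base_env, args):
    """Return (new_env, rejected_names) after applying xxx / xxx=yyy args."""
    env, rejected, n = dict(base_env), [], 0
    for arg in args:
        if "=" not in arg:
            env[f"L{n}"] = arg          # Ln=xxx, n counts up from 0
            n += 1
            continue
        name, value = arg.split("=", 1)
        if name in PROTECTED:
            rejected.append(name)       # PATH and SHELL keep their old values
        else:
            env[name] = value           # replaces any older value
    return env, rejected


# Constructed sample: a restricted-shell account and a typed login line.
BASE = {"PATH": "/usr/bin:", "SHELL": "/usr/bin/rksh", "TERM": "dumb"}
LINE = r"alice TERM=vt100 PATH=/tmp/bin SHELL=/usr/bin/ksh my\ note EDITOR=vi"
NAME, *ARGS = split_login_line(LINE)
ENV, REJECTED = apply_login_args(BASE, ARGS)
```
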

     To enable remote logins by root, edit the /etc/default/login file by
     inserting a # (pound sign) before the CONSOLE=/dev/console entry. See
     FILES.

SECURITY
     For accounts in name services which support automatic account locking,
     the account can be configured to be automatically locked (see
     user_attr(4) and policy.conf(4)) if successive failed login attempts
     equal or exceed RETRIES. Currently, only the files repository (see
     passwd(4) and shadow(4)) supports automatic account locking. See also
     pam_unix_auth(5).

     The login command uses pam(3PAM) for authentication, account
     management, session management, and password management. The PAM
     configuration policy, listed through /etc/pam.conf, specifies the
     modules to be used for login. Here is a partial pam.conf file with
     entries for the login command using the UNIX authentication, account
     management, and session management modules:

       login   auth       required    pam_authtok_get.so.1
       login   auth       required    pam_dhkeys.so.1
       login   auth       required    pam_unix_auth.so.1
       login   auth       required    pam_dial_auth.so.1

       login   account    requisite   pam_roles.so.1
       login   account    required    pam_unix_account.so.1

       login   session    required    pam_unix_session.so.1

     The Password Management stack looks like the following:

       other   password   required    pam_dhkeys.so.1
       other   password   requisite   pam_authtok_get.so.1
       other   password   requisite   pam_authtok_check.so.1
       other   password   required    pam_authtok_store.so.1

     If there are no entries for the service, then the entries for the other
     service are used. If multiple authentication modules are listed, then
     the user can be prompted for multiple passwords.

     When login is invoked through rlogind or telnetd, the service name used
     by PAM is rlogin or telnet, respectively.

OPTIONS
     The following options are supported:

     -d device
         login accepts a device option, device. device is taken to be the
         path name of the TTY port login is to operate on. The use of the
         device option can be expected to improve login performance, since
         login does not need to call ttyname(3C). The -d option is available
         only to users whose UID and effective UID are root. Any other
         attempt to use -d causes login to quietly exit.

     -h hostname [terminal]
         Used by in.telnetd(1M) to pass information about the remote host
         and terminal type.

         Terminal type as a second argument to the -h option should not
         start with a hyphen (-).

     -p
         Used to pass environment variables to the login shell.

     -r hostname
         Used by in.rlogind(1M) to pass information about the remote host.

     -R repository
         Used to specify the PAM repository that should be used to tell PAM
         about the "identity" (see option -u below). If no "identity"
         information is passed, the repository is not used.

     -s service
         Indicates the PAM service name that should be used. Normally, this
         argument is not necessary and is used only for specifying
         alternative PAM service names. For example: "ktelnet" for the
         Kerberized telnet process.

     -u identity
         Specifies the "identity" string associated with the user who is
         being authenticated. This usually is not the same as that user's
         Unix login name. For Kerberized login sessions, this is the
         Kerberos principal name associated with the user.

     -U ruser
         Indicates the name of the person attempting to login on the remote
         side of the rlogin connection. When in.rlogind(1M) is operating in
         Kerberized mode, that daemon processes the terminal and remote user
         name information prior to invoking login, so the "ruser" data is
         indicated using this command line parameter. Normally (non-Kerberos
         authenticated rlogin), the login daemon reads the remote user
         information from the client.

EXIT STATUS
     The following exit values are returned:

     0
         Successful operation.

     non-zero
         Error.

FILES
     $HOME/.cshrc
         Initial commands for each csh.

     $HOME/.hushlogin
         Suppresses login messages.

     $HOME/.kshrc
         User's commands for interactive ksh93, if $ENV is unset; executes
         after /etc/ksh.kshrc.

     $HOME/.login
         User's login commands for csh.

     $HOME/.profile
         User's login commands for sh, ksh, and ksh93.

     $HOME/.rhosts
         Private list of trusted hostname/username combinations.

     /etc/.login
         System-wide csh login commands.

     /etc/issue
         Issue or project identification.

     /etc/ksh.kshrc
         System-wide commands for interactive ksh93.

     /etc/logindevperm
         Login-based device permissions.

     /etc/motd
         Message-of-the-day.

     /etc/nologin
         Message displayed to users attempting to login during machine
         shutdown.

     /etc/passwd
         Password file.

     /etc/profile
         System-wide sh, ksh, and ksh93 login commands.

     /etc/shadow
         List of users' encrypted passwords.

     /usr/bin/sh
         User's default command interpreter.

     /var/adm/lastlog
         Time of last login.

     /var/adm/loginlog
         Record of failed login attempts.

     /var/adm/utmpx
         Accounting.

     /var/adm/wtmpx
         Accounting.

     /var/mail/your-name
         Mailbox for user your-name.

     /etc/default/login
         Default values can be set for the following flags in
         /etc/default/login. Default values are specified as comments in
         the /etc/default/login file, for example, TIMEZONE=EST5EDT.

         TIMEZONE
             Sets the TZ environment variable of the shell (see
             environ(5)).

         HZ
             Sets the HZ environment variable of the shell.

         ULIMIT
             Sets the file size limit for the login. Units are disk blocks.
             Default is zero (no limit).

         CONSOLE
             If set, root can login on that device only. This does not
             prevent execution of remote commands with rsh(1). Comment out
             this line to allow login by root.

         PASSREQ
             Determines if login requires a non-null password.

         ALTSHELL
             Determines if login should set the SHELL environment variable.

         PATH
             Sets the initial shell PATH variable.

         SUPATH
             Sets the initial shell PATH variable for root.

         TIMEOUT
             Sets the number of seconds (between 0 and 900) to wait before
             abandoning a login session.

         UMASK
             Sets the initial shell file creation mode mask. See umask(1).

         SYSLOG
             Determines whether the syslog(3C) LOG_AUTH facility should be
             used to log all root logins at level LOG_NOTICE and multiple
             failed login attempts at LOG_CRIT.

         DISABLETIME
             If present, and greater than zero, the number of seconds that
             login waits after RETRIES failed attempts or the PAM framework
             returns PAM_ABORT. Default is 20 seconds. Minimum is 0 seconds.
             No maximum is imposed.

         SLEEPTIME
             If present, sets the number of seconds to wait before the
             login failure message is printed to the screen. This is for
             any login failure other than PAM_ABORT. Another login attempt
             is allowed, providing RETRIES has not been reached or the PAM
             framework has returned PAM_MAXTRIES. Default is 4 seconds.
             Minimum is 0 seconds. Maximum is 5 seconds.

             Both su(1M) and sulogin(1M) are affected by the value of
             SLEEPTIME.

         RETRIES
             Sets the number of retries for logging in (see pam(3PAM)). The
             default is 5. The maximum number of retries is 15. For
             accounts configured with automatic locking (see SECURITY
             above), the account is locked and login exits. If automatic
             locking has not been configured, login exits without locking
             the account.

         SYSLOG_FAILED_LOGINS
             Used to determine how many failed login attempts are allowed
             by the system before a failed login message is logged, using
             the syslog(3C) LOG_NOTICE facility. For example, if the
             variable is set to 0, login logs all failed login attempts.

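A check of /etc/default/login contents against the settings and numeric limits listed above. This is an added example, not part of the original page or of Solaris; the function names and the sample file are constructed, and the YES/NO values for PASSREQ and SYSLOG are an assumption, since the page does not give their syntax.

```python
import re

# Ranges stated in the FILES section above: name -> (minimum, maximum).
LIMITS = {"TIMEOUT": (0, 900), "SLEEPTIME": (0, 5),
          "DISABLETIME": (0, None), "RETRIES": (None, 15)}


def active_settings(text):
    """Return uncommented NAME=value lines; '#' lines only document defaults."""
    pairs = (re.match(r"([A-Z_]+)=(.*)$", ln.strip()) for ln in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}


def audit_login_defaults(text):
    s, findings = active_settings(text), []
    if "CONSOLE" not in s:
        findings.append("CONSOLE unset: root login is not limited to one device")
    # Assumption: PASSREQ and SYSLOG take YES/NO values (not stated on the page).
    if s.get("PASSREQ", "").upper() == "NO":
        findings.append("PASSREQ=NO: a non-null password is not required")
    if s.get("SYSLOG", "").upper() == "NO":
        findings.append("SYSLOG=NO: root logins and repeated failures not sent to syslog")
    for name, (lo, hi) in LIMITS.items():
        if name not in s:
            continue
        if not re.fullmatch(r"-?\d+", s[name]):
            findings.append(f"{name}={s[name]}: not an integer")
        elif (lo is not None and int(s[name]) < lo) or \
             (hi is not None and int(s[name]) > hi):
            findings.append(f"{name}={s[name]}: outside the documented range")
    n = s.get("SYSLOG_FAILED_LOGINS", "")
    if n.isdigit() and int(n) > 0:
        findings.append(f"SYSLOG_FAILED_LOGINS={n}: failures are logged only "
                        f"after {n} failed attempts")
    return findings


# Constructed sample file contents, not taken from a real system.
SAMPLE = """\
#TIMEZONE=EST5EDT
#CONSOLE=/dev/console
PASSREQ=NO
TIMEOUT=1200
SLEEPTIME=4
RETRIES=5
SYSLOG=YES
SYSLOG_FAILED_LOGINS=5
"""
FINDINGS = audit_login_defaults(SAMPLE)
```
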

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWcsu                      │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Committed                    │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     csh(1), exit(1), ksh(1), ksh93(1), mail(1), mailx(1), newgrp(1),
     passwd(1), rlogin(1), rsh(1), sh(1), shell_builtins(1), telnet(1),
     umask(1), in.rlogind(1M), in.telnetd(1M), logins(1M), quota(1M),
     su(1M), sulogin(1M), syslogd(1M), useradd(1M), userdel(1M), pam(3PAM),
     rcmd(3SOCKET), syslog(3C), ttyname(3C), auth_attr(4), exec_attr(4),
     hosts.equiv(4), issue(4), logindevperm(4), loginlog(4), nologin(4),
     nsswitch.conf(4), pam.conf(4), passwd(4), policy.conf(4), profile(4),
     shadow(4), user_attr(4), utmpx(4), wtmpx(4), attributes(5), environ(5),
     pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
     pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
     pam_dhkeys(5), pam_passwd_auth(5), termio(7I)

DIAGNOSTICS
     Login incorrect
         The user name or the password cannot be matched.

     Not on system console
         Root login denied. Check the CONSOLE setting in /etc/default/login.

     No directory! Logging in with home=/
         The user's home directory named in the passwd(4) database cannot be
         found or has the wrong permissions. Contact your system
         administrator.

     No shell
         Cannot execute the shell named in the passwd(4) database. Contact
         your system administrator.

     NO LOGINS: System going down in N minutes
         The machine is in the process of being shut down and logins have
         been disabled.

WARNINGS
     Users with a UID greater than 76695844 are not subject to password
     aging, and the system does not record their last login time.

     If you use the CONSOLE setting to disable root logins, you should
     arrange that remote command execution by root is also disabled. See
     rsh(1), rcmd(3SOCKET), and hosts.equiv(4) for further details.

NOTES
     The pam_unix(5) module is no longer supported. Similar functionality is
     provided by pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
     pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
     pam_dhkeys(5), and pam_passwd_auth(5).

SunOS 5.11                        7 Jan 2008                          login(1)