login [-p] [-d device] [-R repository] [-s service] [-t terminal] [-u identity] [-U ruser] [-h hostname [terminal] | -r hostname] [name [environ]...]
The login command is used at the beginning of each terminal session to identify oneself to the system. login is invoked by the system when a connection is first established, after the previous user has terminated the login shell by issuing the exit command.
If login is invoked as a command, it must replace the initial command interpreter. To invoke login in this fashion, type:
from the initial shell. The C shell and Korn shell have their own built-ins of login. See ksh(1), ksh93(1), and csh(1) for descriptions of login built-ins and usage.
login asks for your user name, if it is not supplied as an argument, and your password, if appropriate. Where possible, echoing is turned off while you type your password, so it does not appear on the written record of the session.
If you make any mistake in the login procedure, the message:
is printed and a new login prompt appears. If you make five incorrect login attempts, all five can be logged in /var/adm/loginlog, if it exists. The TTY line is dropped.
If password aging is turned on and the password has aged (see passwd(1) for more information), the user is forced to changed the password. In this case the /etc/nsswitch.conf file is consulted to determine password repositories (see nsswitch.conf(4)). The password update configurations supported are limited to the following five cases.
Failure to comply with the configurations prevents the user from logging onto the system because passwd(1) fails. If you do not complete the login successfully within a certain period of time, it is likely that you are silently disconnected.
After a successful login, accounting files are updated. Device owner, group, and permissions are set according to the contents of the /etc/logindevperm file, and the time you last logged in is printed (see logindevperm(4)).
The user-ID, group-ID, supplementary group list, and working directory are initialized, and the command interpreter (usually ksh) is started.
The basic environment is initialized to:
HOME=your-login-directory LOGNAME=your-login-name PATH=/usr/bin: SHELL=last-field-of-passwd-entry MAIL=/var/mail/ TZ=timezone-specification
For Bourne shell and Korn shell logins, the shell executes /etc/profile and $HOME/.profile, if it exists.
For the ksh93 Korn shell, an interactive shell then executes /etc/ksh.kshrc, followed by the file specified by the ENV environment variable. If $ENV is not set, this defaults to $HOME/.kshrc. For the ksh and /usr/xpg4/bin/sh Korn Shell, an interactive shell executes the file named by $ENV (no default).
For C shell logins, the shell executes /etc/.login, $HOME/.cshrc, and $HOME/.login. The default /etc/profile and /etc/.login files check quotas (see quota(1M)), print /etc/motd, and check for mail. None of the messages are printed if the file $HOME/.hushlogin exists. The name of the command interpreter is set to - (dash), followed by the last component of the interpreter's path name, for example, -sh.
If the login-shell field in the password file (see passwd(4)) is empty, then the default command interpreter, /usr/bin/sh, is used. If this field is * (asterisk), then the named directory becomes the root directory. At that point, login is re-executed at the new level, which must have its own root structure.
The environment can be expanded or modified by supplying additional arguments to login, either at execution time or when login requests your login name. The arguments can take either the form xxx or xxx=yyy. Arguments without an = (equal sign) are placed in the environment as:
where n is a number starting at 0 and is incremented each time a new variable name is required. Variables containing an = (equal sign) are placed in the environment without modification. If they already appear in the environment, then they replace the older values.
There are two exceptions: The variables PATH and SHELL cannot be changed. This prevents people logged into restricted shell environments from spawning secondary shells that are not restricted. login understands simple single-character quoting conventions. Typing a \ (backslash) in front of a character quotes it and allows the inclusion of such characters as spaces and tabs.
Alternatively, you can pass the current environment by supplying the -p flag to login. This flag indicates that all currently defined environment variables should be passed, if possible, to the new environment. This option does not bypass any environment variable restrictions mentioned above. Environment variables specified on the login line take precedence, if a variable is passed by both methods.
To enable remote logins by root, edit the /etc/default/login file by inserting a # (pound sign) before the CONSOLE=/dev/console entry. See FILES.
For accounts in name services which support automatic account locking, the account can be configured to be automatically locked (see user_attr(4) and policy.conf(4)) if successive failed login attempts equals or exceeds RETRIES. Currently, only the files repository (see passwd(4) and shadow(4)) supports automatic account locking. See also pam_unix_auth(5).
The login command uses pam(3PAM) for authentication, account management, session management, and password management. The PAM configuration policy, listed through /etc/pam.conf, specifies the modules to be used for login. Here is a partial pam.conf file with entries for the login command using the UNIX authentication, account management, and session management modules:
login auth required pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 login account requisite pam_roles.so.1 login account required pam_unix_account.so.1 login session required pam_unix_session.so.1
The Password Management stack looks like the following:
other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password required pam_authtok_store.so.1
If there are no entries for the service, then the entries for the other service is used. If multiple authentication modules are listed, then the user can be prompted for multiple passwords.
When login is invoked through rlogind or telnetd, the service name used by PAM is rlogin or telnet, respectively.
The following options are supported:
-h hostname [terminal]
Terminal type as a second argument to the -h option should not start with a hyphen (-).
The following exit values are returned:
Both su(1M) and sulogin(1M) are affected by the value of SLEEPTIME.
See attributes(5) for descriptions of the following attributes:
csh(1), exit(1), ksh(1), ksh93(1), mail(1), mailx(1), newgrp(1), passwd(1), rlogin(1), rsh(1), sh(1), shell_builtins(1), telnet(1), umask(1), in.rlogind(1M), in.telnetd(1M), logins(1M), quota(1M), su(1M), sulogin(1M), syslogd(1M), useradd(1M), userdel(1M), pam(3PAM), rcmd(3SOCKET), syslog(3C), ttyname(3C), auth_attr(4), exec_attr(4), hosts.equiv(4), issue(4), logindevperm(4), loginlog(4), nologin(4), nsswitch.conf(4), pam.conf(4), passwd(4), policy.conf(4), profile(4), shadow(4), user_attr(4), utmpx(4), wtmpx(4), attributes(5), environ(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), termio(7I)
Not on system console
No directory! Logging in with home=/
NO LOGINS: System going down in N minutes
Users with a UID greater than 76695844 are not subject to password aging, and the system does not record their last login time.
If you use the CONSOLE setting to disable root logins, you should arrange that remote command execution by root is also disabled. See rsh(1), rcmd(3SOCKET), and hosts.equiv(4) for further details.
The pam_unix(5) module is no longer supported. Similar functionality is provided by pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), and pam_passwd_auth(5).