User Commands login(1)
NAME
login - sign on to the system
SYNOPSIS
login [-p] [-d device] [-R repository] [-s service]
[-t terminal] [-u identity] [-U ruser]
[-h hostname [terminal] | -r hostname]
[name [environ]...]
DESCRIPTION
The login command is used at the beginning of each terminal
session to identify oneself to the system. login is invoked
by the system when a connection is first established, after
the previous user has terminated the login shell by issuing
the exit command.

Login cannot be invoked as a command, except by the superuser.

If login is invoked as a command, it must replace the initial
command interpreter. To invoke login in this fashion, type:

    exec login

from the initial shell. The C shell and Korn shell have their
own built-ins of login. See ksh(1), ksh93(1), and csh(1) for
descriptions of login built-ins and usage.

login asks for your user name, if it is not supplied as an
argument, and your password, if appropriate. Where possible,
echoing is turned off while you type your password, so it does
not appear on the written record of the session.

If you make any mistake in the login procedure, the message:

    Login incorrect

is printed and a new login prompt appears. If you make five
incorrect login attempts, all five can be logged in
/var/adm/loginlog, if it exists. The TTY line is dropped.
SunOS 5.11 Last change: 8 Sep 2010 1
If password aging is turned on and the password has aged (see
passwd(1) for more information), the user is forced to change
the password. In this case the /etc/nsswitch.conf file is
consulted to determine password repositories (see
nsswitch.conf(4)). The password update configurations
supported are limited to the following five cases.

o passwd: files
o passwd: files nis
o passwd: compat (==> files nis)

Failure to comply with the configurations prevents the user
from logging onto the system because passwd(1) fails.

If you do not complete the login successfully within a certain
period of time, it is likely that you are silently
disconnected.

After a successful login, accounting files are updated. Device
owner, group, and permissions are set according to the contents
of the /etc/logindevperm file, and the time you last logged in
is printed (see logindevperm(4)).

The user-ID, group-ID, supplementary group list, and working
directory are initialized, and the command interpreter (usually
ksh) is started. The basic environment is initialized to:

    HOME=your-login-directory
    LOGNAME=your-login-name
    PATH=/usr/bin:
    SHELL=last-field-of-passwd-entry
    MAIL=/var/mail/
    TZ=timezone-specification

For Bourne shell and Korn shell logins, the shell executes
/etc/profile and $HOME/.profile, if it exists.

For the ksh93 Korn shell, an interactive shell then executes
/etc/ksh.kshrc, followed by the file specified by the ENV
environment variable. If $ENV is not set, this defaults to
$HOME/.kshrc. For the ksh and /usr/xpg4/bin/sh Korn Shell,
an interactive shell executes the file named by $ENV (no
default).

For C shell logins, the shell executes /etc/.login,
$HOME/.cshrc, and $HOME/.login. The default /etc/profile and
/etc/.login files check quotas (see quota(1M)), print
/etc/motd, and check for mail. None of the messages are
printed if the file $HOME/.hushlogin exists. The name of the
command interpreter is set to - (dash), followed by the last
component of the interpreter's path name, for example, -sh.

If the login-shell field in the password file (see passwd(4))
is empty, then the default command interpreter, /usr/bin/sh,
is used. If this field is * (asterisk), then the named
directory becomes the root directory. At that point, login is
re-executed at the new level, which must have its own root
structure.

The environment can be expanded or modified by supplying
additional arguments to login, either at execution time or
when login requests your login name. The arguments can take
either the form xxx or xxx=yyy. Arguments without an = (equal
sign) are placed in the environment as:

    Ln=xxx

where n is a number starting at 0 and is incremented each time
a new variable name is required. Variables containing an =
(equal sign) are placed in the environment without
modification. If they already appear in the environment, then
they replace the older values.

There are two exceptions: The variables PATH and SHELL cannot
be changed. This prevents people logged into restricted shell
environments from spawning secondary shells that are not
restricted. login understands simple single-character quoting
conventions. Typing a \ (backslash) in front of a character
quotes it and allows the inclusion of such characters as
spaces and tabs.

Alternatively, you can pass the current environment by
supplying the -p flag to login. This flag indicates that all
currently defined environment variables should be passed, if
possible, to the new environment. This option does not bypass
any environment variable restrictions mentioned above.
Environment variables specified on the login line take
precedence, if a variable is passed by both methods.

To enable remote logins by root, edit the /etc/default/login
file by inserting a # (pound sign) before the
CONSOLE=/dev/console entry. See FILES.
SECURITY
For accounts in name services which support automatic account
locking, the account can be configured to be automatically
locked (see user_attr(4) and policy.conf(4)) if the number of
successive failed login attempts equals or exceeds RETRIES.
Currently, only the files repository (see passwd(4) and
shadow(4)) supports automatic account locking. See also
pam_unix_auth(5).

The login command uses pam(3PAM) for authentication, account
management, session management, and password management. The
PAM configuration policy, listed through /etc/pam.conf,
specifies the modules to be used for login. Here is a partial
pam.conf file with entries for the login command using the
UNIX authentication, account management, and session
management modules:

    login   auth      required    pam_authtok_get.so.1
    login   auth      required    pam_dhkeys.so.1
    login   auth      required    pam_unix_auth.so.1
    login   auth      required    pam_dial_auth.so.1
    login   account   requisite   pam_roles.so.1
    login   account   required    pam_unix_account.so.1
    login   session   required    pam_unix_session.so.1

The Password Management stack looks like the following:

    other   password  required    pam_dhkeys.so.1
    other   password  requisite   pam_authtok_get.so.1
    other   password  requisite   pam_authtok_check.so.1
    other   password  required    pam_authtok_store.so.1

If there are no entries for the service, then the entries for
the other service are used. If multiple authentication modules
are listed, then the user can be prompted for multiple
passwords.

When login is invoked through rlogind or telnetd, the service
name used by PAM is rlogin or telnet, respectively.
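
The fallback to the other service, and the effect of the service name
changing to rlogin or telnet, can be checked against a pam.conf file with
a short script. The following is an added example, not part of the
original manual page; effective_stack and write_pam_sample are
hypothetical helper names, and it assumes the fallback is applied
separately for each module type.

```shell
#!/bin/sh
# Added example: which pam.conf entries govern a given service and module type.
# Assumption: the service-then-"other" fallback is applied per module type.

# effective_stack FILE SERVICE TYPE
# Prints "source-service control-flag module" for each entry that applies.
effective_stack() {
    awk -v svc="$2" -v typ="$3" '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and incomplete lines
        $2 != typ            { next }      # entry is for another module type
        $1 == svc            { own[++n] = $3 " " $4 }
        $1 == "other"        { oth[++m] = $3 " " $4 }
        END {
            if (n > 0) {
                for (i = 1; i <= n; i++) print svc, own[i]
            } else {
                for (i = 1; i <= m; i++) print "other", oth[i]
            }
        }' "$1"
}

# Sample input: the partial pam.conf entries quoted on this page.
write_pam_sample() {
    cat > "$1" <<'EOF'
login   auth      required    pam_authtok_get.so.1
login   auth      required    pam_dhkeys.so.1
login   auth      required    pam_unix_auth.so.1
login   auth      required    pam_dial_auth.so.1
login   account   requisite   pam_roles.so.1
login   account   required    pam_unix_account.so.1
login   session   required    pam_unix_session.so.1
other   password  required    pam_dhkeys.so.1
other   password  requisite   pam_authtok_get.so.1
other   password  requisite   pam_authtok_check.so.1
other   password  required    pam_authtok_store.so.1
EOF
}

pamfile=${TMPDIR:-/tmp}/pam.conf.sample.$$
write_pam_sample "$pamfile"
for query in "login auth" "login password" "telnet auth"; do
    echo "== $query"
    effective_stack "$pamfile" $query
done
rm -f "$pamfile"
```

With only the entries shown, the telnet auth query prints nothing: a
session arriving through telnetd is not governed by the login entries,
so its stack has to be reviewed under its own service name or under other.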
OPTIONS
The following options are supported:

-d device               login accepts a device option, device.
                        device is taken to be the path name of
                        the TTY port login is to operate on. The
                        use of the device option can be expected
                        to improve login performance, since login
                        does not need to call ttyname(3C). The -d
                        option is available only to users whose
                        UID and effective UID are root. Any other
                        attempt to use -d causes login to quietly
                        exit.

-h hostname [terminal]  Used by in.telnetd(1M) to pass
                        information about the remote host and
                        terminal type.

                        Terminal type as a second argument to the
                        -h option should not start with a hyphen
                        (-).

-p                      Used to pass environment variables to the
                        login shell.

-r hostname             Used by in.rlogind(1M) to pass
                        information about the remote host.

-R repository           Used to specify the PAM repository that
                        should be used to tell PAM about the
                        "identity" (see option -u below). If no
                        "identity" information is passed, the
                        repository is not used.

-s service              Indicates the PAM service name that
                        should be used. Normally, this argument
                        is not necessary and is used only for
                        specifying alternative PAM service names.
                        For example: "ktelnet" for the Kerberized
                        telnet process.

-u identity             Specifies the "identity" string
                        associated with the user who is being
                        authenticated. This usually is not the
                        same as that user's Unix login name. For
                        Kerberized login sessions, this is the
                        Kerberos principal name associated with
                        the user.

-U ruser                Indicates the name of the person
                        attempting to login on the remote side of
                        the rlogin connection. When
                        in.rlogind(1M) is operating in Kerberized
                        mode, that daemon processes the terminal
                        and remote user name information prior to
                        invoking login, so the "ruser" data is
                        indicated using this command line
                        parameter. Normally (non-Kerberos
                        authenticated rlogin), the login daemon
                        reads the remote user information from
                        the client.
EXIT STATUS
The following exit values are returned:

0                       Successful operation.

non-zero                Error.
FILES
$HOME/.cshrc            Initial commands for each csh.
$HOME/.hushlogin        Suppresses login messages.
$HOME/.kshrc            User's commands for interactive ksh93, if
                        $ENV is unset; executes after
                        /etc/ksh.kshrc.
$HOME/.login            User's login commands for csh.
$HOME/.profile          User's login commands for sh, ksh, and
                        ksh93.
$HOME/.rhosts           Private list of trusted hostname/username
                        combinations.
/etc/.login             System-wide csh login commands.
/etc/issue              Issue or project identification.
/etc/ksh.kshrc          System-wide commands for interactive
                        ksh93.
/etc/logindevperm       Login-based device permissions.
/etc/motd               Message-of-the-day.
/etc/nologin            Message displayed to users attempting to
                        login during machine shutdown.
/etc/passwd             Password file.
/etc/profile            System-wide sh, ksh, and ksh93 login
                        commands.
/etc/shadow             List of users' encrypted passwords.
/usr/bin/sh             User's default command interpreter.
/var/adm/lastlog        Time of last login.
/var/adm/loginlog       Record of failed login attempts.
/var/adm/utmpx          Accounting.
/var/adm/wtmpx          Accounting.
/var/mail/your-name     Mailbox for user your-name.
/etc/default/login      Default value can be set for the
                        following flags in /etc/default/login.
                        Default values are specified as comments
                        in the /etc/default/login file, for
                        example, TIMEZONE=EST5EDT.

    TIMEZONE                Sets the TZ environment variable of
                            the shell (see environ(5)).
    HZ                      Sets the HZ environment variable of
                            the shell.
    ULIMIT                  Sets the file size limit for the
                            login. Units are disk blocks. Default
                            is zero (no limit).
    CONSOLE                 If set, root can login on that device
                            only. This does not prevent execution
                            of remote commands with rsh(1).
                            Comment out this line to allow login
                            by root.
    PASSREQ                 Determines if login requires a
                            non-null password.
    ALTSHELL                Determines if login should set the
                            SHELL environment variable.
    PATH                    Sets the initial shell PATH variable.
    SUPATH                  Sets the initial shell PATH variable
                            for root.
    TIMEOUT                 Sets the number of seconds (between 0
                            and 900) to wait before abandoning a
                            login session.
    UMASK                   Sets the initial shell file creation
                            mode mask. See umask(1).
    SYSLOG                  Determines whether the syslog(3C)
                            LOG_AUTH facility should be used to
                            log all root logins at level
                            LOG_NOTICE and multiple failed login
                            attempts at LOG_CRIT.
    DISABLETIME             If present, and greater than zero,
                            the number of seconds that login
                            waits after RETRIES failed attempts
                            or the PAM framework returns
                            PAM_ABORT. Default is 20 seconds.
                            Minimum is 0 seconds. No maximum is
                            imposed.
    SLEEPTIME               If present, sets the number of
                            seconds to wait before the login
                            failure message is printed to the
                            screen. This is for any login failure
                            other than PAM_ABORT. Another login
                            attempt is allowed, providing RETRIES
                            has not been reached or the PAM
                            framework is returned PAM_MAXTRIES.
                            Default is 4 seconds. Minimum is 0
                            seconds. Maximum is 5 seconds. Both
                            su(1M) and sulogin(1M) are affected
                            by the value of SLEEPTIME.
    RETRIES                 Sets the number of retries for
                            logging in (see pam(3PAM)). The
                            default is 5. The maximum number of
                            retries is 15. For accounts
                            configured with automatic locking
                            (see SECURITY above), the account is
                            locked and login exits. If automatic
                            locking has not been configured,
                            login exits without locking the
                            account.
    SYSLOG_FAILED_LOGINS    Used to determine how many failed
                            login attempts are allowed by the
                            system before a failed login message
                            is logged, using the syslog(3C)
                            LOG_NOTICE facility. For example, if
                            the variable is set to 0, login logs
                            all failed login attempts.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
____________________________________________________________
| ATTRIBUTE TYPE              | ATTRIBUTE VALUE             |
|_____________________________|_____________________________|
| Availability                | SUNWcs                      |
|_____________________________|_____________________________|
| Interface Stability         | Committed                   |
|_____________________________|_____________________________|
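
The /etc/default/login flags described under FILES can be checked
mechanically. The following sh script is an added example, not part of
the original manual page; the function names, the pass/fail thresholds
and the YES value format for PASSREQ and SYSLOG are assumptions, and the
sample file is constructed.

```shell
#!/bin/sh
# Added example: audit a Solaris-style /etc/default/login file.
# Thresholds and the YES value format are assumptions for illustration.

# Print the active (uncommented) value of flag $2 in file $1, or nothing.
get_flag() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -1
}

# Print one finding per line for file $1; print nothing if all checks pass.
audit_login_defaults() {
    f=$1
    [ -n "$(get_flag "$f" CONSOLE)" ] ||
        echo "CONSOLE unset: root login is not limited to one device"
    [ "$(get_flag "$f" PASSREQ)" = "YES" ] ||
        echo "PASSREQ not YES: null passwords may be accepted"
    [ "$(get_flag "$f" SYSLOG)" = "YES" ] ||
        echo "SYSLOG not YES: root logins and repeated failures may go unlogged"
    retries=$(get_flag "$f" RETRIES)
    [ "${retries:-5}" -le 5 ] ||
        echo "RETRIES=$retries: more than the documented default of 5"
    [ "$(get_flag "$f" SYSLOG_FAILED_LOGINS)" = "0" ] ||
        echo "SYSLOG_FAILED_LOGINS not 0: early failed attempts are not logged"
    return 0
}

# Constructed sample input (not taken from a real host).
write_sample() {
    cat > "$1" <<'EOF'
#TIMEZONE=EST5EDT
#CONSOLE=/dev/console
PASSREQ=YES
SYSLOG=YES
RETRIES=10
#SYSLOG_FAILED_LOGINS=5
EOF
}

tmp=${TMPDIR:-/tmp}/login.defaults.$$
write_sample "$tmp"
audit_login_defaults "$tmp"
rm -f "$tmp"
```

A commented-out flag is treated as unset, which is why the sample's
#CONSOLE line is reported even though the entry is present in the file.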
SEE ALSO
csh(1), exit(1), ksh(1), ksh93(1), mail(1), mailx(1),
newgrp(1), passwd(1), rlogin(1), rsh(1), sh(1),
shell_builtins(1), telnet(1), umask(1), in.rlogind(1M),
in.telnetd(1M), logins(1M), quota(1M), su(1M), sulogin(1M),
syslogd(1M), useradd(1M), userdel(1M), pam(3PAM),
rcmd(3SOCKET), syslog(3C), ttyname(3C), auth_attr(4),
exec_attr(4), hosts.equiv(4), issue(4), logindevperm(4),
loginlog(4), nologin(4), nsswitch.conf(4), pam.conf(4),
passwd(4), policy.conf(4), profile(4), shadow(4),
user_attr(4), utmpx(4), wtmpx(4), attributes(5), environ(5),
pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
termio(7I)
DIAGNOSTICS
Login incorrect
    The user name or the password cannot be matched.

Not on system console
    Root login denied. Check the CONSOLE setting in
    /etc/default/login.

No directory! Logging in with home=/
    The user's home directory named in the passwd(4) database
    cannot be found or has the wrong permissions. Contact your
    system administrator.

No shell
    Cannot execute the shell named in the passwd(4) database.
    Contact your system administrator.

NO LOGINS: System going down in N minutes
    The machine is in the process of being shut down and logins
    have been disabled.
WARNINGS
Users with a UID greater than 76695844 are not subject to
password aging, and the system does not record their last
login time.

If you use the CONSOLE setting to disable root logins, you
should arrange that remote command execution by root is also
disabled. See rsh(1), rcmd(3SOCKET), and hosts.equiv(4) for
further details.
NOTES
The pam_unix(5) module is no longer supported. Similar
functionality is provided by pam_unix_account(5),
pam_unix_auth(5), pam_unix_session(5), pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), and
pam_passwd_auth(5).