User Commands                                            login(1)


NAME

     login - sign on to the system


SYNOPSIS

     login [-p] [-d device] [-R repository] [-s service]
          [-t terminal] [-u identity] [-U ruser]
          [-h hostname [terminal] | -r hostname]
          [name [environ]...]


DESCRIPTION

     The login command is used at the beginning of each  terminal
     session to identify oneself to the system.  login is invoked
     by the system when a connection is first established,  after
     the  previous user has terminated the login shell by issuing
     the exit command.

     If login is invoked as a command, it must replace the initial
     command interpreter. To invoke login in this fashion, type:

       exec login

     from the initial shell. The C  shell  and  Korn  shell  have
     their  own  built-ins  of  login.  See ksh(1), ksh93(1), and
     csh(1) for descriptions of login built-ins and usage.

     login asks for your user name, if it is not supplied  as  an
     argument, and your password, if appropriate. Where possible,
     echoing is turned off while you type your  password,  so  it
     does not appear on the written record of the session.

     If you make any mistake in the login procedure, the message:

       Login incorrect

     is printed and a new login prompt appears. If you make  five
     incorrect   login  attempts,  all  five  can  be  logged  in
     /var/adm/loginlog, if it exists. The TTY line is dropped.

SunOS 5.11           Last change: 7 Jan 2008                    1

     If password aging is turned on and the password has aged
     (see passwd(1) for more information), the user is forced to
     change the password. In this case the /etc/nsswitch.conf
     file is consulted to determine password repositories (see
     nsswitch.conf(4)). The password update configurations
     supported are limited to the following five cases.

         o    passwd: files

         o    passwd: files nis

         o    passwd: files nisplus

         o    passwd: compat (==> files nis)

         o    passwd: compat (==> files nisplus)

              passwd_compat: nisplus

     Failure to comply with the configurations prevents the user
     from logging onto the system because passwd(1) fails. If you
     do not complete the login successfully within a certain
     period of time, it is likely that you are silently
     disconnected.

     After a successful login, accounting files are updated.
     Device owner, group, and permissions are set according to the
     contents of the /etc/logindevperm file, and the time you
     last logged in is printed (see logindevperm(4)).

     The user-ID, group-ID, supplementary group list, and working
     directory are initialized, and the command interpreter
     (usually ksh) is started.

     The basic environment is initialized to:

       HOME=your-login-directory
       LOGNAME=your-login-name
       PATH=/usr/bin:
       SHELL=last-field-of-passwd-entry
       MAIL=/var/mail/
       TZ=timezone-specification

     For Bourne shell and Korn shell logins, the  shell  executes
     /etc/profile and $HOME/.profile, if it exists.

     For the ksh93 Korn shell, an interactive shell then executes
     /etc/ksh.kshrc,  followed  by  the file specified by the ENV
     environment variable. If $ENV is not set, this  defaults  to
     $HOME/.kshrc.   For the ksh and /usr/xpg4/bin/sh Korn Shell,
     an interactive shell executes the file  named  by  $ENV  (no
     default).

     For  C  shell  logins,  the  shell   executes   /etc/.login,
     $HOME/.cshrc,  and  $HOME/.login.   The default /etc/profile
     and /etc/.login files check quotas  (see  quota(1M)),  print
     /etc/motd,  and  check  for  mail.  None of the messages are
     printed if the file $HOME/.hushlogin exists. The name of the
     command interpreter is set to - (dash), followed by the last
     component of the interpreter's path name, for example, -sh.

     If  the  login-shell  field  in  the  password   file   (see
     passwd(4))  is  empty, then the default command interpreter,
     /usr/bin/sh, is used. If this field is  *  (asterisk),  then
     the  named  directory  becomes  the  root directory. At that
     point, login is re-executed at the  new  level,  which  must
     have its own root structure.

     The environment can be expanded  or  modified  by  supplying
     additional  arguments  to login, either at execution time or
     when login requests your login name. The arguments can  take
     either  the  form  xxx  or  xxx=yyy.  Arguments without an =
     (equal sign) are placed in the environment as:

       Ln=xxx

     where n is a number starting at 0 and  is  incremented  each
     time  a  new variable name is required. Variables containing
     an = (equal sign) are  placed  in  the  environment  without
     modification.  If  they  already  appear in the environment,
     then they replace the older values.

     There are two exceptions: The variables PATH and SHELL cannot
     be changed. This prevents people logged into restricted
     shell environments from spawning secondary shells that are
     not restricted. login understands simple single-character
     quoting conventions. Typing a \ (backslash) in front of a
     character quotes it and allows the inclusion of such
     characters as spaces and tabs.

     Alternatively, you can pass the current environment by
     supplying the -p flag to login. This flag indicates that all
     currently defined environment variables should be passed, if
     possible, to the new environment. This option does not
     bypass any environment variable restrictions mentioned
     above. Environment variables specified on the login line
     take precedence, if a variable is passed by both methods.

     To enable remote logins by root, edit the /etc/default/login
     file   by   inserting   a   #   (pound   sign)   before  the
     CONSOLE=/dev/console entry.  See FILES.


SECURITY

     For accounts in name services which support automatic
     account locking, the account can be configured to be
     automatically locked (see user_attr(4) and policy.conf(4))
     if the number of successive failed login attempts equals or
     exceeds RETRIES. Currently, only the files repository (see
     passwd(4) and shadow(4)) supports automatic account locking.
     See also pam_unix_auth(5).

     The login command uses pam(3PAM) for authentication, account
     management, session management, and password management. The
     PAM configuration policy, listed through /etc/pam.conf,
     specifies the modules to be used for login. Here is a
     partial pam.conf file with entries for the login command using
     the UNIX authentication, account management, and session
     management modules:

       login  auth       required  pam_authtok_get.so.1
       login  auth       required  pam_dhkeys.so.1
       login  auth       required  pam_unix_auth.so.1
       login  auth       required  pam_dial_auth.so.1

       login  account    requisite pam_roles.so.1
       login  account    required  pam_unix_account.so.1

       login  session    required  pam_unix_session.so.1

     The Password Management stack looks like the following:

       other  password   required   pam_dhkeys.so.1
       other  password   requisite  pam_authtok_get.so.1
       other  password   requisite  pam_authtok_check.so.1
       other  password   required   pam_authtok_store.so.1

     If there are no entries for the service, then the entries
     for the other service are used. If multiple authentication
     modules are listed, then the user can be prompted for
     multiple passwords.

     When login is invoked through rlogind or telnetd, the
     service name used by PAM is rlogin or telnet, respectively.
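
     The fallback to the other service can be checked per module
     type before relying on a hardened login stack. The script
     below is an added example, not part of the original manual
     page or of Solaris; the function names pam_stack, pam_report
     and sample_pam_conf are hypothetical, and the sample input is
     the partial pam.conf shown above.

```shell
#!/bin/sh
# Added example (not Solaris code): show which pam.conf entries apply to a
# service and module type, using the fallback to "other" that login(1)
# describes. Function names are hypothetical.

# pam_stack FILE SERVICE TYPE
# Print "service control module" for each applicable entry, in file order.
# Entries for SERVICE win; "other" entries are used only if SERVICE has none.
pam_stack() {
    awk -v svc="$2" -v type="$3" '
        /^[ \t]*#/ || NF < 4 { next }      # comments, blank or short lines
        $2 != type           { next }
        $1 == svc            { own = own $1 " " $3 " " $4 "\n"; next }
        $1 == "other"        { fallback = fallback $1 " " $3 " " $4 "\n" }
        END { printf "%s", (own != "" ? own : fallback) }
    ' "$1"
}

# pam_report FILE SERVICE
# One summary line per module type: how many modules apply and whether they
# come from the service's own entries or from "other".
pam_report() {
    for t in auth account session password; do
        stack=$(pam_stack "$1" "$2" "$t")
        if [ -z "$stack" ]; then
            echo "$2 $t: no entries, not even under other"
        else
            src=${stack%% *}               # first word = service that matched
            n=$(printf '%s\n' "$stack" | wc -l | tr -d ' ')
            echo "$2 $t: $n module(s) from '$src' entries"
        fi
    done
}

# Sample input: the partial pam.conf from this manual page, nothing more.
sample_pam_conf() {
    cat <<'EOF'
login  auth       required  pam_authtok_get.so.1
login  auth       required  pam_dhkeys.so.1
login  auth       required  pam_unix_auth.so.1
login  auth       required  pam_dial_auth.so.1

login  account    requisite pam_roles.so.1
login  account    required  pam_unix_account.so.1

login  session    required  pam_unix_session.so.1

other  password   required   pam_dhkeys.so.1
other  password   requisite  pam_authtok_get.so.1
other  password   requisite  pam_authtok_check.so.1
other  password   required   pam_authtok_store.so.1
EOF
}

# Demo: a console login uses the login entries, while a login that arrives
# through telnetd is evaluated under the service name telnet.
conf=$(mktemp) && sample_pam_conf > "$conf" && {
    pam_report "$conf" login
    pam_report "$conf" telnet
}
rm -f "$conf"
```

     With only the partial file as input, the telnet service has
     no auth, account or session entries of its own, which shows
     that entries written for login do not cover sessions started
     by telnetd or rlogind.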


OPTIONS

     The following options are supported:

     -d device                 login accepts a device option,
                               device. device is taken to be the
                               path name of the TTY port login is
                               to operate on. The use of the
                               device option can be expected to
                               improve login performance, since
                               login does not need to call
                               ttyname(3C). The -d option is
                               available only to users whose UID
                               and effective UID are root. Any
                               other attempt to use -d causes
                               login to quietly exit.

     -h hostname [terminal]    Used  by  in.telnetd(1M)  to  pass
                               information  about the remote host
                               and terminal type.

                               Terminal type as a second argument
                               to  the -h option should not start
                               with a hyphen (-).

     -p                        Used to pass environment variables
                               to the login shell.

     -r hostname               Used  by  in.rlogind(1M)  to  pass
                               information about the remote host.

     -R repository             Used to specify the PAM repository
                               that should be used to tell PAM
                               about the "identity" (see option
                               -u below). If no "identity"
                               information is passed, the
                               repository is not used.

     -s service                Indicates the PAM service name
                               that should be used. Normally,
                               this argument is not necessary and
                               is used only for specifying
                               alternative PAM service names. For
                               example: "ktelnet" for the
                               Kerberized telnet process.

     -u identity               Specifies the "identity" string
                               associated with the user who is
                               being authenticated. This usually
                               is not the same as that user's
                               Unix login name. For Kerberized
                               login sessions, this is the
                               Kerberos principal name associated
                               with the user.

     -U ruser                  Indicates the name of the person
                               attempting to login on the remote
                               side of the rlogin connection.
                               When in.rlogind(1M) is operating
                               in Kerberized mode, that daemon
                               processes the terminal and remote
                               user name information prior to
                               invoking login, so the "ruser"
                               data is indicated using this
                               command line parameter. Normally
                               (non-Kerberos authenticated
                               rlogin), the login daemon reads the
                               remote user information from the
                               client.


EXIT STATUS

     The following exit values are returned:

     0           Successful operation.

     non-zero    Error.


FILES

     $HOME/.cshrc           Initial commands for each csh.

     $HOME/.hushlogin       Suppresses login messages.

     $HOME/.kshrc           User's   commands   for   interactive
                            ksh93,  if  $ENV  is  unset; executes
                            after /etc/ksh.kshrc.

     $HOME/.login           User's login commands for csh.

     $HOME/.profile         User's login commands  for  sh,  ksh,
                            and ksh93.

     $HOME/.rhosts          Private     list      of      trusted
                            hostname/username combinations.

     /etc/.login            System-wide csh login commands.

     /etc/issue             Issue or project identification.

     /etc/ksh.kshrc         System-wide commands for  interactive
                            ksh93.

     /etc/logindevperm      Login-based device permissions.

     /etc/motd              Message-of-the-day.

     /etc/nologin           Message displayed to users attempting
                            to login during machine shutdown.

     /etc/passwd            Password file.

     /etc/profile           System-wide sh, ksh, and ksh93  login
                            commands.

     /etc/shadow            List of users' encrypted passwords.

     /usr/bin/sh            User's default command interpreter.

     /var/adm/lastlog       Time of last login.

     /var/adm/loginlog      Record of failed login attempts.

     /var/adm/utmpx         Accounting.

     /var/adm/wtmpx         Accounting.

     /var/mail/your-name    Mailbox for user your-name.

     /etc/default/login     Default value can be set for the following
                            flags in /etc/default/login. Default values
                            are specified as comments in the
                            /etc/default/login file, for example,
                            TIMEZONE=EST5EDT.

                            TIMEZONE      Sets the TZ environment variable
                                          of the shell (see environ(5)).

                            HZ            Sets the HZ environment variable
                                          of the shell.

                            ULIMIT        Sets the file size limit for the
                                          login. Units are disk blocks.
                                          Default is zero (no limit).

                            CONSOLE       If set, root can login on that
                                          device only. This does not prevent
                                          execution of remote commands with
                                          rsh(1). Comment out this line to
                                          allow login by root.

                            PASSREQ       Determines if login requires a
                                          non-null password.

                            ALTSHELL      Determines if login should set the
                                          SHELL environment variable.

                            PATH          Sets the initial shell PATH
                                          variable.

                            SUPATH        Sets the initial shell PATH
                                          variable for root.

                            TIMEOUT       Sets the number of seconds
                                          (between 0 and 900) to wait before
                                          abandoning a login session.

                            UMASK         Sets the initial shell file
                                          creation mode mask. See umask(1).

                            SYSLOG        Determines whether the syslog(3C)
                                          LOG_AUTH facility should be used
                                          to log all root logins at level
                                          LOG_NOTICE and multiple failed
                                          login attempts at LOG_CRIT.

                            DISABLETIME   If present, and greater than zero,
                                          the number of seconds that login
                                          waits after RETRIES failed
                                          attempts or the PAM framework
                                          returns PAM_ABORT. Default is 20
                                          seconds. Minimum is 0 seconds. No
                                          maximum is imposed.

                            SLEEPTIME     If present, sets the number of
                                          seconds to wait before the login
                                          failure message is printed to the
                                          screen. This is for any login
                                          failure other than PAM_ABORT.
                                          Another login attempt is allowed,
                                          providing RETRIES has not been
                                          reached or the PAM framework is
                                          returned PAM_MAXTRIES. Default is
                                          4 seconds. Minimum is 0 seconds.
                                          Maximum is 5 seconds.

                                          Both su(1M) and sulogin(1M) are
                                          affected by the value of
                                          SLEEPTIME.

                            RETRIES       Sets the number of retries for
                                          logging in (see pam(3PAM)). The
                                          default is 5. The maximum number
                                          of retries is 15. For accounts
                                          configured with automatic locking
                                          (see SECURITY above), the account
                                          is locked and login exits. If
                                          automatic locking has not been
                                          configured, login exits without
                                          locking the account.

                            SYSLOG_FAILED_LOGINS
                                          Used to determine how many failed
                                          login attempts are allowed by the
                                          system before a failed login
                                          message is logged, using the
                                          syslog(3C) LOG_NOTICE facility.
                                          For example, if the variable is
                                          set to 0, login logs all failed
                                          login attempts.
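
     The limits and switches listed for /etc/default/login can be
     checked mechanically. The script below is an added example,
     not part of the original manual page or of Solaris. It
     assumes that PASSREQ and SYSLOG take the value YES, as in the
     stock file; the function names and the sample file contents
     are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Solaris code): audit a file in /etc/default/login format
# against the semantics and limits documented in login(1).

# effective_value FILE KEY
# Print the value of the last active "KEY=" line. Returns 1 when KEY is
# absent or appears only commented out, so login uses its built-in default.
effective_value() {
    awk -v key="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }
        index(line, key "=") == 1 {
            val = substr(line, length(key) + 2)
            sub(/[ \t]+$/, "", val)
            found = 1
        }
        END { if (found) print val; exit !found }
    ' "$1"
}

# is_uint VALUE: succeed when VALUE is a non-empty string of decimal digits.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# check_max FILE KEY MAX
# All documented minimums are 0; an empty MAX means no maximum is imposed.
check_max() {
    if ! v=$(effective_value "$1" "$2"); then
        echo "INFO $2: not set, built-in default applies"
    elif ! is_uint "$v"; then
        echo "WARN $2: '$v' is not a non-negative integer"
    elif [ -n "$3" ] && [ "$v" -gt "$3" ]; then
        echo "WARN $2: $v exceeds the documented maximum of $3"
    else
        echo "OK $2: $v"
    fi
}

audit_login_defaults() {
    f=$1
    # CONSOLE: if set, root can log in on that device only.
    if v=$(effective_value "$f" CONSOLE); then
        echo "OK CONSOLE: root login restricted to $v"
    else
        echo "WARN CONSOLE: not set, root login is not limited to one device"
    fi
    # Assumption: PASSREQ and SYSLOG are YES/NO switches, as in the stock
    # file; the manual page names the keys but not their values.
    for k in PASSREQ SYSLOG; do
        if v=$(effective_value "$f" "$k") && [ "$v" = YES ]; then
            echo "OK $k: YES"
        else
            echo "WARN $k: not set to YES"
        fi
    done
    check_max "$f" TIMEOUT 900      # seconds before abandoning a login session
    check_max "$f" SLEEPTIME 5      # delay before the failure message
    check_max "$f" DISABLETIME ""   # no maximum is imposed
    check_max "$f" RETRIES 15
    # SYSLOG_FAILED_LOGINS=0 makes login log all failed attempts.
    if ! v=$(effective_value "$f" SYSLOG_FAILED_LOGINS); then
        echo "INFO SYSLOG_FAILED_LOGINS: not set, built-in default applies"
    elif [ "$v" = 0 ]; then
        echo "OK SYSLOG_FAILED_LOGINS: every failed login is logged"
    else
        echo "INFO SYSLOG_FAILED_LOGINS: $v failures allowed before logging"
    fi
}

# Constructed sample input, not taken from a real host.
sample_login_defaults() {
    cat <<'EOF'
#CONSOLE=/dev/console
PASSREQ=YES
SYSLOG=YES
TIMEOUT=1200
#SLEEPTIME=4
RETRIES=3
SYSLOG_FAILED_LOGINS=0
EOF
}

# Demo: audit the constructed sample.
tmp=$(mktemp) && sample_login_defaults > "$tmp" && audit_login_defaults "$tmp"
rm -f "$tmp"
```

     On a live system, pass /etc/default/login as the argument to
     audit_login_defaults.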


ATTRIBUTES

     See attributes(5) for descriptions of the following attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWcsu                     |
    |_____________________________|_____________________________|
    | Interface Stability         | Committed                   |
    |_____________________________|_____________________________|


SEE ALSO

     csh(1), exit(1), ksh(1), ksh93(1), mail(1), mailx(1),
     newgrp(1), passwd(1), rlogin(1), rsh(1), sh(1),
     shell_builtins(1), telnet(1), umask(1), in.rlogind(1M),
     in.telnetd(1M), logins(1M), quota(1M), su(1M), sulogin(1M),
     syslogd(1M), useradd(1M), userdel(1M), pam(3PAM),
     rcmd(3SOCKET), syslog(3C), ttyname(3C), auth_attr(4),
     exec_attr(4), hosts.equiv(4), issue(4), logindevperm(4),
     loginlog(4), nologin(4), nsswitch.conf(4), pam.conf(4),
     passwd(4), policy.conf(4), profile(4), shadow(4),
     user_attr(4), utmpx(4), wtmpx(4), attributes(5), environ(5),
     pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
     pam_authtok_check(5), pam_authtok_get(5),
     pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
     termio(7I)


DIAGNOSTICS

     Login incorrect

         The user name or the password cannot be matched.

     Not on system console

         Root  login  denied.  Check  the  CONSOLE   setting   in
         /etc/default/login.

     No directory! Logging in with home=/

         The user's home directory named in the passwd(4) database
         cannot be found or has the wrong permissions. Contact
         your system administrator.

     No shell

         Cannot execute the shell named in the passwd(4) database.
         Contact your system administrator.

     NO LOGINS: System going down in N minutes

         The machine is in the process of  being  shut  down  and
         logins have been disabled.


WARNINGS

     Users with a UID greater than 76695844 are  not  subject  to
     password  aging,  and  the system does not record their last
     login time.

     If you use the CONSOLE setting to disable root  logins,  you
     should arrange that remote command execution by root is also
     disabled. See rsh(1), rcmd(3SOCKET), and hosts.equiv(4)  for
     further details.


NOTES

     The pam_unix(5) module is no longer supported. Similar
     functionality is provided by pam_unix_account(5),
     pam_unix_auth(5), pam_unix_session(5), pam_authtok_check(5),
     pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), and
     pam_passwd_auth(5).
