LOGIN(1)
NAME
login - sign on
SYNOPSIS
login [ name ]
login -p
login -h hostname
login -f name
DESCRIPTION
login is used when signing onto a system. It can also be
used to switch from one user to another at any time (most
modern shells have support for this feature built into
them, however).
If an argument is not given, login prompts for the user-
name.
If the user is not root, and if /etc/nologin exists, the
contents of of this file are printed to the screen, and
the login is terminated. This is typically used to pre-
vent logins when the system is being taken down.
If special access restrictions are specified for the user
in /etc/usertty, these must be met, or the log in attempt
will be denied and a syslog message will be generated. See
the section on "Special Access Restrictions".
If the user is root, then the login must be occuring on a
tty listed in /etc/securetty. Failures will be logged
with the syslog facility.
After these conditions are checked, the password will be
requested and checks (if a password is required for this
username). Ten attempts are allowed before login dies,
but after the first three, the response starts to get very
slow. Login failures are reported via the syslog facil-
ity. This facility is also used to report any successful
root logins.
If the file .hushlogin exists, then a "quiet" login is
performed (this disables the checking of the checking of
mail and the printing of the last login time and message
of the day). Otherwise, if /var/log/lastlog exists, the
last login time is printed (and the current login is
recorded).
Random administrative things, such as setting the UID and
GID of the tty are performed. The TERM environment vari-
able is preserved, if it exists (other environment vari-
ables are preserved if the -p option is used). Then the
HOME, PATH, SHELL, TERM, MAIL, and LOGNAME environment
variables are set. PATH defaults to
/usr/local/bin:/bin:/usr/bin:. for normal users, and to
/sbin:/bin:/usr/sbin:/usr/bin for root. Last, if this is
not a "quiet" login, the message of the day is printed and
the file with the user's name in /usr/spool/mail will be
checked, and a message printed if it has non-zero length.
The user's shell is then started. If no shell is speci-
fied for the user in /etc/passwd, then /bin/sh is used.
If there is no directory specified in /etc/passwd, then /
is used (the home directory is checked for the .hushlogin
file described above).
OPTIONS
-p Used by getty(8) to tell login not to destroy the
environment
-f Used to skip a second login authentication. This
specifically does not work for root, and does not
appear to work well under Linux.
-h Used by other servers (i.e., telnetd(8)) to pass
the name of the remote host to login so that it may
be placed in utmp and wtmp. Only the superuser may
use this option.
SPECIAL ACCESS RESTRICTIONS
The file /etc/securetty lists the names of the ttys where
root is allowed to log in. One name of a tty device with-
out the /dev/ prefix must be specified on each line. If
the file does not exist, root is allowed to log in on any
tty.
The file /etc/usertty specifies additional access restric-
tions for specific users. If this file does not exist, no
additional access restrictions are imposed. The file con-
sists of a sequence of sections. There are three possible
section types: CLASSES, GROUPS and USERS. A CLASSES sec-
tion defines classes of ttys and hostname patterns, A
GROUPS section defines allowed ttys and hosts on a per
group basis, and a USERS section defines allowed ttys and
hosts on a per user basis.
Each line in this file in may be no longer than 255 char-
acters. Comments start with # character and extend to the
end of the line.
The CLASSES Section
A CLASSES section begins with the word CLASSES at the
start of a line in all upper case. Each following line
until the start of a new section or the end of the file
consists of a sequence of words separated by tabs or
spaces. Each line defines a class of ttys and host pat-
terns.
The word at the beginning of a line becomes defined as a
collective name for the ttys and host patterns specified
at the rest of the line. This collective name can be used
in any subsequent GROUPS or USERS section. No such class
name must occur as part of the definition of a class in
order to avoid problems with recursive classes.
An example CLASSES section:
CLASSES
myclass1 tty1 tty2
myclass2 tty3 @.foo.com
This defines the classes myclass1 and myclass2 as the cor-
responding right hand sides.
The GROUPS Section
A GROUPS section defines allowed ttys and hosts on a per
Unix group basis. If a user is a member of a Unix group
according to /etc/passwd and /etc/group and such a group
is mentioned in a GROUPS section in /etc/usertty then the
user is granted access if the group is.
A GROUPS section starts with the word GROUPS in all upper
case at the start of a line, and each following line is a
sequence of words separated by spaces or tabs. The first
word on a line is the name of the group and the rest of
the words on the line specifies the ttys and hosts where
members of that group are allowed access. These specifica-
tions may involve the use of classes defined in previous
CLASSES sections.
An example GROUPS section.
GROUPS
sys tty1 @.bar.edu
stud myclass1 tty4
This example specifies that members of group sys may log
in on tty1 and from hosts in the bar.edu domain. Users in
group stud may log in from hosts/ttys specified in the
class myclass1 or from tty4.
The USERS Section
A USERS section starts with the word USERS in all upper
case at the start of a line, and each following line is a
sequence of words separated by spaces or tabs. The first
word on a line is a username and that user is allowed to
log in on the ttys and from the hosts mentioned on the
rest of the line. These specifications may involve classes
defined in previous CLASSES sections. If no section
header is specified at the top of the file, the first sec-
tion defaults to be a USERS section.
An example USERS section:
USERS
zacho tty1 @130.225.16.0/255.255.255.0
blue tty3 myclass2
This lets the user zacho login only on tty1 and from hosts
with IP addreses in the range 130.225.16.0 -
130.225.16.255, and user blue is allowed to log in from
tty3 and whatever is specified in the class myclass2.
There may be a line in a USERS section starting with a
username of *. This is a default rule and it will be
applied to any user not matching any other line.
If both a USERS line and GROUPS line match a user then the
user is allowed access from the union of all the
ttys/hosts mentioned in these specifications.
Origins
The tty and host pattern specifications used in the speci-
fication of classes, group and user access are called ori-
gins. An origin string may have one of these formats:
o The name of a tty device without the /dev/ prefix,
for example tty1 or ttyS0.
o The string @localhost, meaning that the user is
allowed to telnet/rlogin from the local host to the
same host. This also allows the user to for example
run the command: xterm -e /bin/login.
o A domain name suffix such as @.some.dom, meaning
that the user may rlogin/telnet from any host whose
domain name has the suffix
o A range of IPv4 addresses, written @x.x.x.x/y.y.y.y
where x.x.x.x is the IP address in the usual dotted
quad decimal notation, and y.y.y.y is a bitmask in
the same notation specifying which bits in the
address to compare with the IP address of the
remote host. For example
@130.225.16.0/255.255.254.0 means that the user may
rlogin/telnet from any host whose IP address is in
the range 130.225.16.0 - 130.225.17.255.
Any of the above origins may be prefixed by a time speci-
fication according to the syntax:
timespec ::= '[' <day-or-hour> [':' <day-or-hour>]* ']'
day ::= 'mon' | 'tue' | 'wed' | 'thu' | 'fri' | 'sat' | 'sun'
hour ::= '0' | '1' | ... | '23'
hourspec ::= <hour> | <hour> '-' <hour>
day-or-hour ::= <day> | <hourspec>
For example, the origin [mon:tue:wed:thu:fri:8-17]tty3
means that log in is allowed on mondays through fridays
between 8:00 and 17:59 (5:59 pm) on tty3. This also shows
that an hour range a-b includes all moments between a:00
and b:59. A single hour specification (such as 10) means
the time span between 10:00 and 10:59.
Not specifying any time prefix for a tty or host means log
in from that origin is allowed any time. If you give a
time prefix be sure to specify both a set of days and one
or more hours or hour ranges. A time specification may not
include any white space.
If no default rule is given then users not matching any
line /etc/usertty are allowed to log in from anywhere as
is standard behavior.
FILES
/var/run/utmp
/var/log/wtmp
/var/log/lastlog
/usr/spool/mail/*
/etc/motd
/etc/passwd
/etc/nologin
/etc/usertty
.hushlogin
SEE ALSO
init(8) getty(8) mail(1) passwd(1) passwd(5) envi-
ron(7) shutdown(8)
BUGS
Linux, unlike other draconian operating systems, does not
check quotas.
The undocumented BSD -r option is not supported. This may
be required by some rlogind(8) programs.
AUTHOR
Derived from BSD login 5.40 (5/9/89) by Michael Glad
glad@daimi.dk for HP-UX
Ported to Linux 0.12: Peter Orbaek poe@daimi.aau.dk