Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   18016 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

LOGIN(1)		  BSD General Commands Manual		      LOGIN(1)

NAME
     login — authenticate a user and start new session

SYNOPSIS
     login [-fp] [-a level] [-h hostname] [username]

DESCRIPTION
     This manual page documents	 the login program distributed with the Heim‐
     dal Kerberos 5 implementation, it may differ in important ways from your
     system version.

     The login programs logs users into the system. It is intended to be run
     by system daemons like getty(8) or telnetd(8).  If you are already logged
     in, but want to change to another user, you should use su(1).

     A username can be given on the command line, else one will be prompted
     for.

     A password is required to login, unless the -f option is given (indicat‐
     ing that the calling program has already done proper authentication).
     With -f the user will be logged in without further questions.

     For password authentication Kerberos 5, Kerberos 4 (if compiled in), OTP
     (if compiled in) and local (/etc/passwd) passwords are supported. OTP
     will be used if the the user is registered to use it, and login is given
     the option -a otp.	 When using OTP, a challenge is shown to the user.

     Further options are:

     -a string
	     Which authentication mode to use, the only supported value is
	     currently “otp”.

     -f	     Indicates that the user is already authenticated. This happens,
	     for instance, when login is started by telnetd, and the user has
	     proved authentic via Kerberos.

     -h hostname
	     Indicates which host the user is logging in from. This is passed
	     from telnetd, and is entered into the login database.

     -p	     This tells login to preserve all environment variables. If not
	     given, only the TERM and TZ variables are preserved. It could be
	     a security risk to pass random variables to login or the user
	     shell, so the calling daemon should make sure it only passes
	     “safe” variables.

     The process of logging user in proceeds as follows.

     First a check is made that logins are allowed at all. This usually means
     checking /etc/nologin.  If it exists, and the user trying to login is not
     root, the contents is printed, and then login exits.

     Then various system parameters are set up, like changing the owner of the
     tty to the user, setting up signals, setting the group list, and user and
     group id. Also various machine specific tasks are performed.

     Next login changes to the users home directory, or if that fails, to /.
     The environment is setup, by adding some required variables (such as
     PATH), and also authentication related ones (such as KRB5CCNAME).	If an
     environment file exists (/etc/environment), variables are set according
     to it.

     If one or more login message files are configured, their contents is
     printed to the terminal.

     If a login time command is configured, it is executed. A logout time com‐
     mand can also be configured, which makes login fork, and wait for the
     user shell to exit, and then run the command.  This can be used to clean
     up user credentials.

     Finally, the user's shell is executed. If the user logging in is root,
     and root's login shell does not exist, a default shell (usually /bin/sh)
     is also tried before giving up.

ENVIRONMENT
     These environment variables are set by login (not including ones set by
     /etc/environment):

     PATH	    the default system path
     HOME	    the user's home directory (or possibly /)
     USER, LOGNAME  both set to the username
     SHELL	    the user's shell
     TERM, TZ	    set to whatever is passed to login
     KRB5CCNAME	    if the password is verified via Kerberos 5, this will
		    point to the credentials cache file
     KRBTKFILE	    if the password is verified via Kerberos 4, this will
		    point to the ticket file

FILES
     /etc/environment
	     Contains a set of environment variables that should be set in
	     addition to the ones above. It should contain sh-style assign‐
	     ments like “VARIABLE=value”.  Note that they are not parsed the
	     way a shell would. No variable expansion is performed, and all
	     strings are literal, and quotation marks should not be used.
	     Everything after a hash mark is considered a comment. The follow‐
	     ing are all different (the last will set the variable BAR, not
	     FOO).

		   FOO=this is a string
		   FOO="this is a string"
		   BAR= FOO='this is a string'
     /etc/login.access
	     See login.access(5).
     /etc/login.conf
	     This is a termcap style configuration file, that contains various
	     settings used by login.  Currently only the “default” capability
	     record is used. The possible capability strings include:

	     environment
		     This is a comma separated list of environment files that
		     are read in the order specified. If this is missing the
		     default /etc/environment is used.
	     login_program
		     This program will be executed just before the user's
		     shell is started.	It will be called without arguments.
	     logout_program
		     This program will be executed just after the user's shell
		     has terminated. It will be called without arguments. This
		     program will be the parent process of the spawned shell.
	     motd    A comma separated list of text files that will be printed
		     to the user's terminal before starting the shell. The
		     string welcome works similarly, but points to a single
		     file.
	     limits  Points to a file containing ulimit settings for various
		     users. Syntax is inspired by what pam_limits uses, and
		     the default is /etc/security/limits.conf.
     /etc/nologin
	     If it exists, login is denied to all but root. The contents of
	     this file is printed before login exits.

     Other login programs typically print all sorts of information by default,
     such as last time you logged in, if you have mail, and system message
     files.  This version of login does not, so there is no reason for
     .hushlogin files or similar. We feel that these tasks are best left to
     the user's shell, but the login_program facility allows for a shell inde‐
     pendent solution, if that is desired.

EXAMPLES
     A login.conf file could look like:

	   default:\
		   :motd=/etc/motd,/etc/motd.local:\
		   :limits=/etc/limits.conf:

     The limits.conf file consists of a table with four whitespace separated
     fields. First field is a username or a groupname (prefixed with ‘@’), or
     ‘*’.  Second field is ‘soft’, ‘hard’, or ‘-’ (the last meaning both soft
     and hard).	 Third field is a limit name (such as ‘cpu’ or ‘core’).	 Last
     field is the limit value (a number or ‘-’ for unlimited). In the case of
     data sizes, the value is in kilobytes, and cputime is in minutes.

SEE ALSO
     su(1), login.access(5), getty(8), telnetd(8)

AUTHORS
     This login program was written for the Heimdal Kerberos 5 implementation.
     The login.access code was written by Wietse Venema.

HEIMDAL				April 22, 2005			       HEIMDAL

Vote for polarhome