login(1)
NAME
login − sign on; start terminal session
SYNOPSIS
login [name [env-var ...]]
DESCRIPTION
The login command is used at the beginning of each terminal session to properly identify the prospective user. login can be invoked as a user command, or by the system when an incoming connection is first established. login is also invoked by the system when a previous user shell terminates but the terminal does not disconnect.
If login is invoked as a command it must replace the initial command interpreter (user’s login shell). This is accomplished by typing:
exec login
from the user shell.
If name is not specified on the command line, login prompts with login: for the login name and, if required, Password: for the corresponding password. Terminal echo is turned off (where possible) during typing of the password so that it will not appear on any written record of the session. If the login name provided is not valid, login still requests a password. This is done to make it more difficult for an unauthorized user to log in to the system by trial and error. After three unsuccessful login attempts, a HANGUP signal is issued.
On a trusted system, the login program prints the last successful and unsuccessful login times and terminal devices. If the account does not have a password, and the authentication profile for the account requires one, login starts the passwd program to establish one for the account.
As a security precaution, some installations use an option that requires a second "dialup" password. This occurs only for dialup connections, and is prompted with the message dialup password:. Both passwords must be correct for a successful login. See dialups(4) for details on dialup security.
If password aging has been invoked on the user’s behalf by a user with appropriate privileges, the user’s password may have expired. In this case, the user will be diverted into passwd to change it, after which the user can attempt to log in again (see passwd(1)).
If a login is not successfully completed within a certain period of time (e.g., one minute), the terminal is silently disconnected.
After a successful login, the accounting files are updated, user and group IDs, group access list, and working directory are initialized, and the user’s command interpreter (shell) is determined from corresponding user entries in the files /etc/passwd and /etc/logingroup (see passwd(4) and group(4)). If /etc/passwd does not specify a shell for the user name, /usr/bin/sh is used by default. login then forks the appropriate shell by using the last component of the shell pathname preceded by a - (for example, -sh or -ksh). When the command interpreter is invoked with its name preceded by a minus in this manner, the shell performs its own initialization, including execution of profile, login, or other initialization scripts.
For example, if the user login shell is the Bourne, Korn, or POSIX shell (see sh-bourne(1), ksh(1), or sh-posix(1), respectively), the shell executes the profile files /etc/profile and $HOME/.profile if they exist (and possibly others as well, depending on what the profile files contain). Depending on what these profile files contain, messages regarding mail in the user’s mail file or any messages the user may have received since the user’s last login may be displayed.
If the command name field is *, a chroot() to the directory named in the directory field of the entry is performed. At that point login is re-executed at the new level, which must have its own root structure, including a /usr/bin/login command and an /etc/passwd file.
For the normal user, the basic environment variables (see environ(5)) are initialized to:
HOME=login_directory
LOGNAME=login_name
MAIL=/var/mail/login_name
PATH=:/usr/bin
SHELL=login_shell
login_directory, login_name, and login_shell are taken from the corresponding fields of the passwd file entry (see passwd(4)).
For superuser, PATH is set to:
PATH=:/usr/sbin:/usr/bin:/sbin
In the case of a remote login, the environment variable TERM is also set to the remote user’s terminal type.
The environment can be expanded or modified by supplying additional arguments to login, either at execution time or when login requests the user’s login name. The arguments can take either the form value or varname=value, where varname is a new or existing environment variable name and value is a value to be assigned to an environment variable.
An argument in the first form (without an equals sign) is placed in the environment as if it were entered in the form
Ln=value
where n is a number starting at 0 that is incremented each time a new variable name is required.
An argument in the second form (with an equals sign) is placed into the environment without modification.
If the variable name (Ln or varname) already appears in the environment, the new value replaces the older one.
There are two exceptions. The variables PATH and SHELL cannot be changed. This prevents users logged in with restricted shell environments from spawning secondary shells that are not restricted.
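The argument rules above, modelled as an added example (not HP-UX source code): unnamed values become Ln, named values replace existing ones, and PATH and SHELL are refused. The struct and all function names are hypothetical, and the sample arguments are constructed.

```c
/* Added illustration, not HP-UX source code; every name below is hypothetical. */
#include <stdio.h>
#include <string.h>
enum { MAXENV = 32, MAXLEN = 128 };
struct env { char vars[MAXENV][MAXLEN]; int count; int next_l; };
/* Index of the variable called name[0..nlen), or -1 if absent. */
int env_find(const struct env *e, const char *name, size_t nlen) {
    for (int i = 0; i < e->count; i++)
        if (strncmp(e->vars[i], name, nlen) == 0 && e->vars[i][nlen] == '=')
            return i;
    return -1;
}
const char *env_get(const struct env *e, const char *name) {
    int i = env_find(e, name, strlen(name));
    return i < 0 ? NULL : e->vars[i] + strlen(name) + 1;
}
/* Set name=value, replacing an existing entry. 0 on success, -1 if it does not fit. */
int env_set(struct env *e, const char *name, size_t nlen, const char *value) {
    if (nlen == 0 || nlen + strlen(value) + 2 > (size_t)MAXLEN) return -1;
    int i = env_find(e, name, nlen);
    if (i < 0 && e->count == MAXENV) return -1;
    if (i < 0) i = e->count++;
    snprintf(e->vars[i], MAXLEN, "%.*s=%s", (int)nlen, name, value);
    return 0;
}
/* Apply one argument: 1 = applied, 0 = refused (PATH or SHELL), -1 = error. */
int apply_login_arg(struct env *e, const char *arg) {
    const char *eq = strchr(arg, '=');
    if (eq == NULL) {                      /* first form: stored as Ln=value */
        char lname[16];
        int n = snprintf(lname, sizeof lname, "L%d", e->next_l);
        if (env_set(e, lname, (size_t)n, arg) != 0) return -1;
        e->next_l++;                       /* n advances only when a name was used */
        return 1;
    }
    size_t nlen = (size_t)(eq - arg);
    if ((nlen == 4 && !memcmp(arg, "PATH", 4)) || (nlen == 5 && !memcmp(arg, "SHELL", 5)))
        return 0;                          /* protected so a restricted shell stays restricted */
    return env_set(e, arg, nlen, eq + 1) == 0 ? 1 : -1;
}
int main(void) {
    /* Constructed sample arguments, as if typed after the login name. */
    const char *args[] = { "vt100", "TZ=EST5EDT", "PATH=/tmp", "SHELL=/usr/bin/ksh" };
    struct env e = { .count = 0 };
    env_set(&e, "PATH", 4, ":/usr/bin");   /* default that login sets first */
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("%-20s -> %d\n", args[i], apply_login_arg(&e, args[i]));
    return 0;
}
```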
Both login and getty understand simple single-character quoting conventions. Typing a backslash in front of a character quotes it and allows the inclusion of such things as spaces and tabs.
If /var/adm/btmp is present, all unsuccessful login attempts are logged to that file. This feature is disabled if the file is not present. The lastb command (see last(1)) displays a summary of bad login attempts for users with read access to btmp.
If the /etc/securetty file is present, login security is in effect. User root is allowed to log in successfully only on the ttys listed in this file. Restricted ttys are listed by device name, one per line. Valid tty names are dependent on installation. An example is:
console
tty01
ttya1
etc.
Note that this feature does not inhibit a normal user from using the su command (see su(1)).
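The /etc/securetty decision described above, as an added example (not HP-UX source code). The function name is hypothetical, the file contents are constructed, and stripping a leading /dev/ from the tty name is an assumption made for convenience.

```c
/* Added illustration, not HP-UX source code; root_login_permitted() is hypothetical. */
#include <stdio.h>
#include <string.h>

/* securetty: open stream on /etc/securetty, or NULL when the file does not exist.
 * Returns 1 if this check lets the login proceed, 0 if it must be refused. */
int root_login_permitted(FILE *securetty, const char *user, const char *tty) {
    char line[64];
    if (securetty == NULL) return 1;              /* file absent: feature not in effect */
    if (strcmp(user, "root") != 0) return 1;      /* only user root is restricted */
    if (strncmp(tty, "/dev/", 5) == 0) tty += 5;  /* assumption: accept full device paths */
    rewind(securetty);
    while (fgets(line, sizeof line, securetty) != NULL) {
        size_t n = strlen(line);
        if (n == sizeof line - 1 && line[n - 1] != '\n') {
            int c;                                /* overlong line: discard it whole so */
            while ((c = getc(securetty)) != EOF && c != '\n')
                ;                                 /* its tail is not read as a tty name */
            continue;
        }
        line[strcspn(line, " \t\r\n")] = '\0';    /* one device name per line */
        if (line[0] != '\0' && strcmp(line, tty) == 0) return 1;
    }
    return 0;                                     /* root on an unlisted tty */
}

int main(void) {
    FILE *f = tmpfile();                          /* constructed stand-in for /etc/securetty */
    if (f == NULL) return 1;
    fputs("console\ntty01\nttya1\n", f);
    printf("root  on console: %d\n", root_login_permitted(f, "root", "console"));
    printf("root  on ttyp3:   %d\n", root_login_permitted(f, "root", "/dev/ttyp3"));
    printf("alice on ttyp3:   %d\n", root_login_permitted(f, "alice", "ttyp3"));
    fclose(f);
    return 0;
}
```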
SECURITY FEATURES
On a trusted system, login prohibits the user from logging in if any of the following are true:
• The password for the account has expired and the user cannot successfully change the password.
• The password lifetime for the account has passed.
• The time between the last login and the current time exceeds the time allowed for login intervals.
• The administrative lock on the account has been set.
• The maximum number of unsuccessful login attempts for the account has been exceeded.
• The maximum number of unsuccessful login attempts for the terminal has been exceeded.
• The administrative lock on the terminal has been set.
• The terminal has an authorized user list and the user is not on it.
• The terminal has time of day restrictions and the current time is not within the allowable period.
On a trusted system, login always allows user root to log in on the console unless /etc/securetty exists and does not contain console.
DIAGNOSTICS
The following diagnostics appear if the associated condition occurs:
.rhosts is a soft link
The personal equivalence file is a symbolic link.
Bad .rhosts ownership
The personal equivalence file is not owned by the local user or by a user with appropriate privileges.
Bad group id
setgid() failed (see setgid(2)).
Bad user id
setuid() failed (see setuid(2)).
Cannot open password file
Consult system administrator.
Locuser too long
The indicated string was too long for login’s internal buffer.
Login incorrect
User name and password cannot be matched.
No /usr/bin/login or /etc/login on root
Attempted to log in to a subdirectory root that does not have a subroot login command. That is, the passwd file entry had shell path *, but the system cannot find a login command under the given home directory.
No directory
Consult system administrator.
No Root Directory
Attempted to log in to a subdirectory root that does not exist. That is, the passwd file entry had shell path *, but the system cannot chroot to the given home directory.
No shell
The user shell (/usr/bin/sh if shell name is null in /etc/passwd) could not be started with the exec command. Consult system administrator.
No utmp entry. You must exec "login" from the lowest level "sh"
Attempted to execute login as a command without using the shell’s exec internal command or from other than the initial shell. The current shell is terminated.
Remuser too long
The indicated string was too long for login’s internal buffer.
Terminal type too long
The indicated string was too long for login’s internal buffer.
Unable to change to directory name
Cannot chdir to the user’s home directory.
Your password has expired. Choose a new one
Password aging is enabled and the user’s password has expired.
WARNINGS
If /etc/group is linked to /etc/logingroup, and group membership for the user trying to log in is managed by the Network Information Service (NIS), and no NIS server is able to respond, login waits until a server does respond.
DEPENDENCIES
HP-UX Integrated Login Library
login can use the HP-UX Integrated Login Library, if it is configured. For further details, see auth(5) and auth.adm(1M).
The HP-UX Integrated Login typically uses the Distributed Computing Environment (DCE) for its user registry. The DCE user registry and its relationship to the HP-UX Integrated Login are described in auth.dce(5).
HP Process Resource Manager
If the optional HP Process Resource Manager (PRM) software is installed and configured, the login shell is launched in the user’s initial process resource group. If the user’s initial group is not defined, the shell runs in the user default group (PRMID=1). See prmconfig(1) for a description of how to configure HP PRM, and prmconf(4) for a description of how the user’s initial process resource group is determined.
AUTHOR
login was developed by AT&T and HP.
FILES
$HOME/.profile          Personal profile (individual user initialization)
$HOME/.rhosts           Personal equivalence file for the remote login server
/etc/d_passwd           Dialup security encrypted passwords
/etc/dialups            Lines which require dialup security
/etc/hosts.equiv        System list of equivalent hosts allowing logins without passwords
/etc/logingroup         Group file — defines group access lists
/etc/motd               Message-of-the-day
/etc/passwd             Password file — defines users, passwords, and primary groups
/etc/profile            System profile (initialization for all users)
/etc/securetty          List of valid ttys for root login
/etc/utmp               Users currently logged in
/tcb/files/auth/*/*     The trusted system password database
/var/adm/btmp           History of bad login attempts
/var/adm/wtmp           History of logins, logouts, and date changes
/var/mail/login_name    Mailbox for user login_name
VARIABLES
HOME      User’s home directory.
MAIL      Where to look for mail.
PATH      Path to be searched for commands.
SHELL     Which command interpreter is being used.
TERM      User’s terminal type.
varname   User-specified named variables.
Ln        User-specified unnamed variables.
SEE ALSO
csh(1), groups(1), ksh(1), last(1), mail(1), newgrp(1), passwd(1), sh(1), sh-bourne(1), sh-posix(1), su(1), getty(1M), initgroups(3C), dialups(4), group(4), passwd(4), profile(4), utmp(4), environ(5).
HP Process Resource Manager: prmconfig(1), prmconf(4) in HP Process Resource Manager User’s Guide.
HP-UX Integrated Login Library: auth.adm(1M), auth(5), auth.dce(5).
Hewlett-Packard Company — HP-UX Release 10.20: July 1996