⇒ login(1) — IRIX 6.5.3f

login(1)                                                              login(1)



NAME
     login - sign on

SYNOPSIS
     login [ -d device ] [ name [ environ ... ]]

DESCRIPTION
     The login command is used at the beginning of each terminal session and
     allows you to identify yourself to the system.  It is invoked by the
     system when a connection is first established, and again when a
     previous user has terminated the initial shell by typing a <Ctrl-d> to
     indicate an end-of-file.

     If login is invoked as a command, it must replace the initial command
     interpreter.  This is accomplished by typing

          exec login

     from the initial shell.

     login asks for your user name (if it is not supplied as an argument) and,
     if appropriate, your password.  Echoing is turned off (where possible)
     during the typing of your password, so it does not appear on the written
     record of the session.

     login reads /etc/default/login to determine default behavior.  To change
     the defaults, the system administrator should edit this file.  Each
     setting is written on its own line as NAME=value, and the lines must
     not contain whitespace (the space-separated user list of LOCKOUTEXEMPT,
     described below, is the one exception).  The values shown below are
     the login defaults.  Recognized values are:

     CONSOLE=device   If defined, only allows root logins on the device
                      specified, typically /dev/console.  This MUST NOT be
                      defined as either /dev/syscon or /dev/systty.  If
                      undefined, root can log in on any device.

     PASSREQ=NO       Determines whether all accounts must have passwords.  If
                      YES and the user has no password, the user is prompted
                      for one at login time.

     MANDPASS=NO      Like PASSREQ, but doesn't allow users with no password
                      to log in.

     ALTSHELL=YES     If YES, the environment variable SHELL is initialized.

     UMASK=022        Default umask, in octal.

     TIMEOUT=60       Exit login after this many seconds of inactivity
                      (maximum 900, or 15 minutes)


     SLEEPTIME=1      Sleep for this many seconds before issuing "login
                      incorrect" message (maximum 60 seconds).

     DISABLETIME=20   After LOGFAILURES or MAXTRYS unsuccessful attempts,
                      sleep for DISABLETIME seconds before exiting (no
                      maximum).

     MAXTRYS=3        Exit login after MAXTRYS unsuccessful attempts (0 =
                      unlimited attempts).

     LOGFAILURES=3    If there are LOGFAILURES consecutive unsuccessful login
                      attempts, each of them is logged in /var/adm/loginlog,
                      if it exists.  LOGFAILURES has a maximum value of 20.

                      Note:  Users get at most the minimum of (MAXTRYS,
                      LOGFAILURES) unsuccessful attempts.

     IDLEWEEKS=-1     If nonnegative, specify a grace period during which
                      users with expired passwords are allowed to enter a new
                      password.  In other words, accounts with expired
                      passwords can stay idle up to this long before being
                      "locked out."  If IDLEWEEKS is 0, there is no grace
                      period, and expired passwords are the same as
                      invalidated passwords.

     PATH=            Path for normal users (from /usr/include/paths.h).

     SUPATH=          Path for superuser (from /usr/include/paths.h).

     SYSLOG=FAIL      Log to syslog all login failures (SYSLOG=FAIL) or all
                      successes and failures (SYSLOG=ALL).  Log entries are
                      written to the LOG_AUTH facility (see syslog(3C) and
                      syslogd(1M) for details).  No messages are sent to
                      syslog if not set.  Note that this is separate from the
                      login log, /var/adm/loginlog.

     INITGROUPS=YES   If YES, make the user session be a member of all of the
                      user's supplementary groups (see multgrps(1) or
                      initgroups(3C)).

     LANG=C           If LANG is set, make this the default login language.
                      This is used if no LANG comes from environment (rlogind,
                      getty, ...) and $HOME/.lang does not exist or does not
                      contain a lang id.  Only LANG is supported, not other
                      locale categories such as LC_CTYPE.

     SVR4SIGNALS=YES  Use the SVR4 semantics for the SIGXCPU and SIGXFSZ
                      signals.  If SVR4SIGNALS=YES, the SVR4 semantics are
                      preserved and all processes ignore SIGXCPU and SIGXFSZ
                      by default.  If SVR4SIGNALS=NO, these two signals
                      retain their default action, which is to cause the
                      receiving process to core dump.  If users intend to make
                      use of the CPU and filesize resource limits,
                      SVR4SIGNALS should be set to NO.  Note that using these
                      signals while SVR4SIGNALS is set to YES causes behavior
                      that varies depending on the login shell.  This setting
                      has no effect on processes that explicitly alter the
                      behavior of these signals using the signal(2) system
                      call.

     SITECHECK=       Use an external program to authenticate users instead of
                      using the encrypted password field.  This allows sites
                      to implement other means of authentication, such as card
                      keys, biometrics, etc.  The program is invoked with the
                      user name as the first argument and, if applicable, the
                      remote host name and remote user name as further
                      arguments.  The action taken depends on the exit
                      status, as follows:

                      0       Success; user was authenticated, log in.

                      1       Failure; exit login.

                      2       Failure; try again (don't exit login).

                      other   Use normal UNIX authentication.

                      If authentication fails, the program can choose to
                      indicate either exit code 1 or 2, as appropriate.  If
                      the program is not owned by root, is writable by others,
                      or cannot be executed, normal password authentication is
                      performed.  It is recommended that the program be given
                      a mode of 500.

                      Warning:  Because this option has the potential to
                      defeat normal IRIX security, any program used in this
                      way must be designed and tested very carefully.

     LOCKOUT=         If nonzero, after this number of consecutive
                      unsuccessful login attempts by the same user, by all
                      instances of xdm and login, lock the account by invoking
                      passwd -l username.  Note that this feature allows a
                      denial of service attack that may require booting from
                      the miniroot to fix, as even the root account can be
                      locked out.

     LOCKOUTEXEMPT=   If LOCKOUT is greater than zero, the users listed as
                      LOCKOUTEXEMPT will NOT be subject to the LOCKOUT option.
                      Usernames are separated by spaces, the list must be
                      terminated by end-of-line, and the maximum list length
                      is 240 characters.  LOCKOUTEXEMPT is ignored unless
                      LOCKOUT is enabled and the list is not empty.  Including
                      privileged accounts (such as root) in the LOCKOUTEXEMPT
                      list is not recommended, as it allows an indefinite
                      number of attacks on the exempt accounts.  Also, if
                      LOCKOUTEXEMPT is enabled, the /etc/default/login file
                      should be given mode 400 or 600 to prevent unauthorized
                      viewing and/or tampering with the LOCKOUTEXEMPT list.

     MACREMOTE=SESSION
                      If SESSION, the session label of a remote login session
                      is always the same as that of the current login session.
                      If CLEARANCE, the default and permitted session labels
                      of a remote login session become those specified in
                      clearance(4).
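
     The settings above are easy to get subtly wrong.  The script below is
     an added example, not part of this reference page and not SGI code: it
     reads an /etc/default/login written in the NAME=value form described
     above and reports what a security review would question (CONSOLE unset
     or set to a forbidden device, MANDPASS not YES, SYSLOG unset, MAXTRYS=0,
     root listed in LOCKOUTEXEMPT, a group- or world-readable file while
     LOCKOUTEXEMPT is set, and lines containing whitespace).  The two sample
     files it writes are constructed for the demonstration.  That login
     ignores a line containing whitespace, rather than rejecting the whole
     file, is this example's assumption, not a statement of the page.

```shell
#!/bin/sh
# Added example (not SGI code): audit an IRIX-style /etc/default/login for
# the weak settings the reference page warns about.  The sample files that
# write_sample_defaults creates are constructed for this demonstration.
# Assumption: login ignores a line containing whitespace rather than
# rejecting the file, so such lines are reported as findings.

# Value of key $1 in file $2 (last match wins; empty if unset).  Only an
# exact "KEY=value" line counts, as login accepts no whitespace around '='.
login_default() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Print one line per finding; return 1 if anything was found, else 0.
audit_login_defaults() {
    f=$1; n=0
    bad=$(grep -n '[[:space:]]' "$f" | grep -v '^[0-9]*:#' | grep -v '^[0-9]*:LOCKOUTEXEMPT=') || true
    if [ -n "$bad" ]; then
        echo "WARN: lines containing whitespace (not valid login syntax):"
        echo "$bad"
        n=$((n + 1))
    fi
    console=$(login_default CONSOLE "$f")
    case "$console" in
        '') echo "WARN: CONSOLE unset; root may log in on any device"; n=$((n + 1)) ;;
        /dev/syscon|/dev/systty)
            echo "FAIL: CONSOLE=$console must not be used"; n=$((n + 1)) ;;
    esac
    [ "$(login_default MANDPASS "$f")" = YES ] ||
        { echo "WARN: MANDPASS is not YES; accounts without a password can log in"; n=$((n + 1)); }
    case "$(login_default SYSLOG "$f")" in
        ALL)  ;;
        FAIL) echo "INFO: SYSLOG=FAIL; successful logins are not sent to syslog" ;;
        *)    echo "WARN: SYSLOG unset; login failures never reach syslog"; n=$((n + 1)) ;;
    esac
    [ "$(login_default MAXTRYS "$f")" != 0 ] ||
        { echo "WARN: MAXTRYS=0 allows unlimited password guesses per session"; n=$((n + 1)); }
    site=$(login_default SITECHECK "$f")
    [ -z "$site" ] ||
        echo "INFO: SITECHECK=$site replaces password checks; it must be root-owned and not writable by others (mode 500 recommended)"
    exempt=$(login_default LOCKOUTEXEMPT "$f")
    if [ -n "$exempt" ]; then
        for u in $exempt; do
            [ "$u" != root ] ||
                { echo "WARN: root in LOCKOUTEXEMPT allows unlimited guessing against root"; n=$((n + 1)); }
        done
        # With LOCKOUTEXEMPT set the page wants the file at mode 400 or 600.
        case "$(ls -l "$f" | cut -c1-10)" in
            ????------) ;;
            *) echo "WARN: $f is group/world accessible; use mode 400 or 600 while LOCKOUTEXEMPT is set"
               n=$((n + 1)) ;;
        esac
    fi
    [ "$n" -eq 0 ]
}

# Constructed samples: one close to the listed defaults, one hardened.
write_sample_defaults() {
    cat > "$1/login.weak" <<'EOF'
# constructed sample: roughly the defaults listed in login(1)
PASSREQ=NO
MANDPASS=NO
UMASK=022
TIMEOUT=60
MAXTRYS=0
LOCKOUT=5
LOCKOUTEXEMPT=root operator
SVR4SIGNALS = YES
EOF
    cat > "$1/login.hardened" <<'EOF'
# constructed sample: what a security review expects to see
CONSOLE=/dev/console
PASSREQ=YES
MANDPASS=YES
UMASK=077
TIMEOUT=60
SLEEPTIME=4
MAXTRYS=3
LOGFAILURES=3
SYSLOG=ALL
LOCKOUT=5
LOCKOUTEXEMPT=operator
EOF
    chmod 600 "$1/login.hardened"
}

tmp=$(mktemp -d)
write_sample_defaults "$tmp"
for f in "$tmp/login.weak" "$tmp/login.hardened"; do
    echo "== $f"
    audit_login_defaults "$f" || echo "-> review needed"
done
rm -rf "$tmp"
```

     Run against a real system, point audit_login_defaults at
     /etc/default/login instead of the samples; the whitespace check is the
     one most often worth running, since a setting that login does not parse
     gives no error and simply leaves the default in force.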
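
     The SITECHECK contract is best seen from the program's side.  The
     script below is a further added example and not SGI code: it receives
     the user name and, when applicable, the remote host and remote user
     name, reads a one-time token from standard input, and answers with
     exit status 0, 1, 2 or another value exactly as the SITECHECK entry
     lists them.  The token file /etc/sitecheck.tokens, its user:token
     format, the LOCKED marker, and the SITECHECK_TOKENS variable used to
     relocate the file for testing are assumptions of this example.  The
     second function repeats the ownership and mode test login applies
     before it will trust such a program.

```shell
#!/bin/sh
# Added example (not SGI code): a SITECHECK-style authenticator honouring
# the exit-status contract in login(1).  The token file, its user:token
# format, the LOCKED marker and the SITECHECK_TOKENS override used for
# testing are assumptions of this demonstration.

# Arguments as login(1) passes them: user name, then (if applicable) the
# remote host name and remote user name.  The token is read from stdin.
#   0  authenticated, log the user in
#   1  refuse and exit login
#   2  wrong token, let login ask again
#   3  not enrolled here: fall back to normal password authentication
sitecheck_decide() {
    user=$1; rhost=${2:-local}; ruser=${3:-}
    tokens=${SITECHECK_TOKENS:-/etc/sitecheck.tokens}
    # Exact field match with awk: no regex metacharacters from the user name.
    entry=$(awk -F: -v u="$user" '$1 == u { print "found:" $2; exit }' "$tokens" 2>/dev/null) || true
    [ -n "$entry" ] || return 3
    expected=${entry#found:}
    if [ "$expected" = LOCKED ]; then
        echo "sitecheck: $user is locked (from $rhost)" >&2
        return 1
    fi
    given=
    IFS= read -r given || :
    # Demonstration comparison; a real deployment verifies a hashed or signed token.
    [ "$given" = "$expected" ] && return 0
    echo "sitecheck: bad token for $user from $rhost${ruser:+ ($ruser)}" >&2
    return 2
}

# login(1) silently falls back to password authentication unless the
# program is owned by root, not writable by others, and executable.
# Return 0 if $1 would be trusted, 1 otherwise (recommended mode: 500).
sitecheck_install_ok() {
    p=$1
    [ -x "$p" ] || return 1
    set -- $(ls -ld "$p")
    perms=$(printf '%s' "$1" | cut -c1-10); owner=$3
    [ "$owner" = root ] || return 1
    case "$perms" in
        ?????w????|????????w?) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# When run by login the first argument is always the user name; with no
# arguments (for example when sourced for testing) only define the functions.
if [ $# -gt 0 ]; then
    sitecheck_install_ok "$0" || echo "sitecheck: $0 would not be trusted by login" >&2
    sitecheck_decide "$@"
    exit $?
fi
```

     Installed as SITECHECK=/path/to/this/script with mode 500 and root
     ownership, the script takes over authentication for enrolled users and
     returns 3 for everyone else, so the password file still governs those
     accounts; returning 2 rather than 1 on a bad token keeps login's own
     MAXTRYS and SLEEPTIME handling in the loop.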

     At some installations, you may be required to enter a dialup password for
     dialup connections as well as a login password.  In this case, the prompt
     for the dialup password is:

          Dialup Password:

     Both passwords are required for a successful login.

     For remote logins over the network, login prints the contents of
     /etc/issue before prompting for a username or password.  The file
     /etc/nologin disables remote logins if it exists; login prints the
     contents of this file before disconnecting the session.

     The system can be configured to automate the login process after a system
     restart.  When the file /etc/autologin exists and contains a valid user
     name, the system logs in as the specified user without prompting for a
     user name or password.  The automatic login takes place only after a
     system restart; once the user logs out, the normal interactive login
     session is used until the next restart.  This is intended to be used at
     sites where the normal security mechanisms provided by login are not
     needed or desired.

     After the permitted number of incorrect login attempts (MAXTRYS,
     described above), the failed attempts are logged in /var/adm/loginlog
     (if it exists, and subject to LOGFAILURES) and the TTY line is dropped.

     If you do not complete the login successfully within the period set by
     TIMEOUT in /etc/default/login (see above), you are likely to be
     silently disconnected.

     After a successful login, accounting files are updated, the /etc/profile
     script is executed, the time you last logged in is printed (unless a file
     .hushlogin is present in the user's home directory), /etc/motd is
     printed, the user ID, group ID, supplementary group list, working
     directory, and command interpreter (usually sh) are initialized, and the
     file .profile in the working directory is executed, if it exists.  The
     name of the command interpreter is - followed by the last component of
     the interpreter's pathname (for example, -sh).  If this field in the
     password file is empty, the default command interpreter, /usr/bin/sh is
     used.

     If the shell field is *, the named directory becomes the root directory:
     a chroot(2) is done to the home directory, and the home directory is
     therefore the starting point (/) for path searches for pathnames
     beginning with a /.  At that point login is re-executed following the
     chroot(2).

     At the very least, this root structure must include the following files,
     with usr/lib32/libc.so.1 normally being a symlink to
     ../../lib32/libc.so.1.  A home directory must also exist, as well as the
     shell for the user(s) being chroot'ed.  It is possible to have the shell,
     password, and home directory be different in the new environment.  In
     this example, the shell used is /sbin/csh, and the home directory is
     /usr/people/olson.  Given the following password entry, the directories
     and files listed below would exist below the directory /home/secure.

          Entry in /etc/passwd:
            olson:hl0njohzc0uC2:2117:10:Dave Olson:/home/secure:*
          Entry in /home/secure/etc/passwd:
            olson:am34670a63463:2117:10:Dave Olson:/usr/people/olson:/sbin/csh

          dev:
          tty    zero
          etc:
          group    passwd
          lib32:
          libc.so.1  rld
          sbin:
          csh
          usr/bin:
          login
          usr/lib32:
          libc.so.1@      libcrypt.so     libgen.so       libpthread.so
          usr/people/olson:
          .cshrc

     These files allow login to execute correctly, but you may also need to
     include additional files or applications that the user is allowed to
     execute.  Since these applications can in turn rely on additional shared
     libraries, it may also be necessary to place additional shared objects in
     /usr/lib32.  See the ftpd(1M) reference page for more information about
     setting up a root environment.
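
     The tree above can be built and sanity-checked with the following
     script, which is an added example and not SGI code: it creates the
     directories and entries listed, with empty placeholder files standing
     in for the IRIX binaries, libraries and device nodes that a real
     installation copies from the host, makes usr/lib32/libc.so.1 the
     relative symlink the page describes, installs the jail's own passwd
     entry from the example, and then checks that everything login needs is
     present, that the libc link resolves inside the jail, and that the
     home directory and shell named in the jail's passwd exist there.  The
     group-file line and the placeholder contents are assumptions of the
     example.

```shell
#!/bin/sh
# Added example (not SGI code): build the skeleton of a login(1) '*'-shell
# jail from the file list on this page and check it before use.  The files
# created by make_demo_jail are empty placeholders constructed for the
# demonstration (on a real system they are copies of the host's binaries,
# libraries and device nodes); the user name, home directory and shell
# follow the page's olson example.

# Entries every jail needs, relative to its root (from the login(1) list).
JAIL_REQUIRED="dev/tty dev/zero etc/group etc/passwd lib32/libc.so.1 lib32/rld \
usr/bin/login usr/lib32/libc.so.1 usr/lib32/libcrypt.so usr/lib32/libgen.so \
usr/lib32/libpthread.so"

# Resolve symlink $2 (jail-relative) against jail root $1 and print the
# jail-relative path it points at; return 1 if '..' climbs above the root.
# Inside the chroot the kernel clamps '..' at the root, but tools run from
# outside (cp -L, backup and audit scripts) do not, so such links are rejected.
jail_resolve() {
    link=$2
    target=$(readlink "$1/$link") || return 1
    case "$target" in
        /*) path=${target#/} ;;                 # absolute: relative to jail root
        *)  path=$(dirname "$link")/$target ;;
    esac
    out=; oldifs=$IFS; IFS=/
    for c in $path; do
        case "$c" in
            ''|.) ;;
            ..) case "$out" in
                    '')  IFS=$oldifs; return 1 ;;
                    */*) out=${out%/*} ;;
                    *)   out= ;;
                esac ;;
            *)  out=${out:+$out/}$c ;;
        esac
    done
    IFS=$oldifs
    printf '%s\n' "$out"
}

# Check jail $1 for user $2: required files present, the libc link sane,
# and a jail passwd entry whose home directory and shell exist inside it.
check_jail() {
    root=$1; user=$2; rc=0
    for f in $JAIL_REQUIRED; do
        [ -e "$root/$f" ] || { echo "missing: $f"; rc=1; }
    done
    if [ -L "$root/usr/lib32/libc.so.1" ]; then
        if r=$(jail_resolve "$root" usr/lib32/libc.so.1); then
            [ -e "$root/$r" ] || { echo "usr/lib32/libc.so.1 -> $r is dangling"; rc=1; }
        else
            echo "usr/lib32/libc.so.1 points outside the jail"; rc=1
        fi
    fi
    entry=$(awk -F: -v u="$user" '$1 == u' "$root/etc/passwd" 2>/dev/null)
    if [ -z "$entry" ]; then
        echo "no entry for $user in $root/etc/passwd"; rc=1
    else
        home=$(printf '%s\n' "$entry" | cut -d: -f6)
        shell=$(printf '%s\n' "$entry" | cut -d: -f7)
        [ -d "$root$home" ] || { echo "home $home missing inside jail"; rc=1; }
        [ -x "$root$shell" ] || { echo "shell $shell missing inside jail"; rc=1; }
    fi
    return $rc
}

# Build the demonstration jail under $1 (placeholders, see above).
make_demo_jail() {
    root=$1
    for f in $JAIL_REQUIRED sbin/csh usr/people/olson/.cshrc; do
        mkdir -p "$root/$(dirname "$f")"
        [ "$f" = usr/lib32/libc.so.1 ] || : > "$root/$f"
    done
    rm -f "$root/usr/lib32/libc.so.1"
    ln -s ../../lib32/libc.so.1 "$root/usr/lib32/libc.so.1"   # as on the page
    chmod 755 "$root/sbin/csh"
    # The jail's own passwd entry from the page: a different hash, and the
    # shell and home directory that apply inside the jail.
    echo 'olson:am34670a63463:2117:10:Dave Olson:/usr/people/olson:/sbin/csh' > "$root/etc/passwd"
    echo 'user::10:' > "$root/etc/group"
}

demo=$(mktemp -d)
make_demo_jail "$demo/secure"
check_jail "$demo/secure" olson && echo "$demo/secure: complete for olson"
rm -rf "$demo"
```

     Keeping the jail's etc/passwd to the jailed users, with hashes that
     differ from the host's as in the page's example, is the point of the
     second copy: a password recovered inside the jail then opens nothing
     outside it.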

     The basic environment is initialized to:

          HOME=your-login-directory
          LOGNAME=your-login-name
          PATH=/usr/bin
          SHELL=last-field-of-passwd-entry
          MAIL=/var/mail/your-login-name
          LANG=language-specification
          TZ=timezone-specification

     The environment can be expanded or modified by supplying additional
     arguments when login prints the prompt requesting the user's login name.
     The arguments can take either of two forms:  xxx or xxx=yyy.  Arguments
     without an equal sign are placed in the environment as

          Ln=xxx

     where n is a number that starts at 0 and is incremented each time a new
     variable name is required.  Variables containing = are placed in the
     environment without modification.  If such a variable is already defined,
     the new value replaces the old value.  To prevent users who log in to
     restricted shell environments from spawning secondary shells that are not
     restricted, the following environment variables cannot be changed:

          HOME
          IFS
          LOGNAME
          PATH
          SHELL

     Attempts to set environment variables beginning with the following
     strings (see the rld(1) reference page) are ignored, and such attempts
     are logged via syslogd:

          _RLD
          LD_LIBRARY

     login understands simple, single-character quoting conventions.  Typing a
     backslash in front of a character quotes it and allows the inclusion of
     such characters as spaces and tabs.
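
     The rules above can be checked against a concrete argument list.  The
     shell function below is an added example, not SGI's login and not code
     from this page: it applies the page's rules to already split tokens
     (the backslash quoting just described is assumed to have been handled
     first), prints the assignments login would place in the environment,
     and reports on stderr, in place of login's syslog entry, the ones it
     would ignore.  The _RLD and LD_LIBRARY prefixes are the names rld(1)
     uses for its variables.  Treating a malformed variable name as a
     rejection is this example's choice; the page does not say how login
     handles it.

```shell
#!/bin/sh
# Added example (not SGI code): the login(1) rules for extra arguments
# typed at the login prompt, applied to already split tokens (backslash
# quoting is assumed to have been handled before this point).  Accepted
# assignments go to stdout; rejected ones are reported on stderr in place
# of the syslog entry login would write.  Rejecting malformed variable
# names is this example's choice; the page does not specify it.
login_filter_env() {
    n=0
    for arg in "$@"; do
        case "$arg" in
            *=*)
                name=${arg%%=*}
                case "$name" in
                    # Fixed by login so a restricted-shell user cannot escape.
                    HOME|IFS|LOGNAME|PATH|SHELL)
                        echo "login: ignoring protected variable $name" >&2 ;;
                    # rld(1) hooks (_RLD_LIST, LD_LIBRARY_PATH, ...) would let
                    # a user load shared objects of his choosing into the session.
                    _RLD*|LD_LIBRARY*)
                        echo "login: ignoring dynamic-linker variable $name" >&2 ;;
                    ''|*[!A-Za-z0-9_]*)
                        echo "login: malformed variable name in '$arg'" >&2 ;;
                    *)  printf '%s\n' "$arg" ;;
                esac ;;
            *)
                # Bare words become L0=..., L1=..., numbered in order seen.
                printf 'L%d=%s\n' "$n" "$arg"
                n=$((n + 1)) ;;
        esac
    done
}

# Demonstration with a constructed argument list, as if typed after the
# user name at the login: prompt.
login_filter_env TERM=vt100 debug PATH=/tmp _RLD_LIST=/tmp/evil.so trace IFS=:
```

     Each printed assignment is what login exports; as the page says, an
     accepted NAME=value replaces any value NAME already had, which is why
     the protected names and the linker prefixes are filtered rather than
     merely defaulted.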

     To enable dial-in line password protection, two files are required.  The
     file /etc/dialups must contain the names of any dialup ports (for
     example, /dev/ttyd2) that require password protection.  These are
     specified one per line.  The second file, /etc/dpasswd, consists of lines
     with the following format:

          shell:password:

     This file is scanned when the user logs in, and if the shell portion of
     any line matches the command interpreter that the user gets, the user is
     prompted for an additional dialin password, which is encoded and compared
     to that specified in the password portion of the line.  If the command
     interpreter cannot be found, the entry for the default shell, /sbin/sh
     (or, for compatibility with existing configurations, /bin/sh), is used.
     (If both are present, the last one in the file is used.)  If there is no
     such entry, no dialup password is required.  In other words, the
     /etc/dpasswd entry for /sbin/sh is the default.
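
     The following added example (not SGI code) walks through that decision:
     the exact shell entry, the /sbin/sh or /bin/sh default with the last
     entry winning, and no prompt when neither the line nor an entry exists.
     The file locations are the page's; their contents are constructed for
     the demonstration, the hash strings are placeholders, and the final
     comparison of the encoded typed password with the stored field is not
     shown.

```shell
#!/bin/sh
# Added example (not SGI code): the dial-in password decision described in
# login(1).  File locations come from the page; the contents written below
# are constructed for the demonstration, and the hash strings are
# placeholders (login compares the encoded typed password with the stored
# field; that step is not shown here).

# Is line $1 (for example /dev/ttyd2) listed, one per line, in dialups file $2?
dialup_line() {
    grep -qx "$1" "$2" 2>/dev/null
}

# Encoded dialup password for shell $1 from dpasswd file $2 (lines are
# shell:password:).  An exact shell match is used; otherwise the /sbin/sh
# entry, or for old configurations /bin/sh, is the default, and when both
# are present the last one in the file wins.  Prints nothing and returns
# 1 if no entry applies.
dpasswd_for_shell() {
    hit=$(awk -F: -v s="$1" '$1 == s { v = $2 } END { if (v != "") print v }' "$2")
    [ -n "$hit" ] ||
        hit=$(awk -F: '$1 == "/sbin/sh" || $1 == "/bin/sh" { v = $2 } END { if (v != "") print v }' "$2")
    [ -n "$hit" ] && printf '%s\n' "$hit"
}

# For a login on line $1 with command interpreter $2, using dialups file $3
# and dpasswd file $4: print the stored encoded dialup password and return
# 0 if one must be asked for, otherwise return 1.
dialup_password_required() {
    dialup_line "$1" "$3" || return 1
    dpasswd_for_shell "$2" "$4"
}

# Constructed configuration for the demonstration.
demo=$(mktemp -d)
printf '/dev/ttyd2\n/dev/ttyd3\n' > "$demo/dialups"
printf '/sbin/sh:oldDEFAULT:\n/sbin/csh:cshHASH:\n/bin/sh:newDEFAULT:\n' > "$demo/dpasswd"
for line in /dev/ttyd2 /dev/ttyd1; do
    for shell in /sbin/csh /usr/bin/ksh; do
        if h=$(dialup_password_required "$line" "$shell" "$demo/dialups" "$demo/dpasswd"); then
            echo "$line $shell: dialup password required (stored: $h)"
        else
            echo "$line $shell: no dialup password"
        fi
    done
done
rm -rf "$demo"
```

     Note the consequence of the last-entry rule: an /etc/dpasswd that still
     carries an old /bin/sh line after a /sbin/sh line silently makes the
     /bin/sh password the default for every shell without its own entry.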

SHARE II ACTIONS
     If the Share II system is installed and enabled, login prints the
     message:

          Share login on ttyname.

     The following privilege and resource checks are made after you have
     successfully entered your password, but before the initial shell is
     started:

     1.  If your nologin flag is set, or you are already logged on and your
         onelogin flag is set, you are denied login.

     2.  If a disk usage exceeds its soft disk limit in any of your domains, a
         message is printed and you are given a warning.  If you accumulate
         too many warnings, further login attempts are denied and you must see
         your subadministrator to rectify the situation.  Whenever you log in
         or connect by remote shell with no disk usages in excess of any soft
         limits, all your accumulated warnings are cleared.

     3.  If you do not have permission to use the terminal, as determined by
         the respective terminal permission flag, you are denied login.

     4.  Some installations place limits on terminal connect time, both
         through logins and remote shell connections.  If you have already
         reached your connect time limit, you are denied login.  Otherwise, if
         the terminal costs more or less to use than normal terminals, its
         cost is printed.  Your remaining connect time is also printed.

     If all these checks are passed, login proceeds normally.

NOTES
     Autologin is controlled by the existence of the /etc/autologin.on file.
     The file is normally created at boot time to automate the login process
     and then removed by login to disable the autologin process for succeeding
     terminal sessions.

     In the default configuration, encrypted passwords for users are kept in
     the system password file, /etc/passwd, which is a text file and is
     readable by any system user.  The program pwconv(1M) can be used by the
     system administrator to activate the shadow password mechanism.  When
     shadow passwords are enabled, the encrypted passwords are kept only in
     /etc/shadow, a file that is only readable by the superuser.  Refer to the
     pwconv(1M) reference page for more information about shadow passwords.

FILES
     /etc/dialups
     /etc/dpasswd
     /etc/motd            message of the day
     /etc/passwd          password file
     /etc/shadow          shadow password file
     /etc/profile         system profile
     $HOME/.profile       user's login profile
     $HOME/.lang          user's login language specification
     /usr/lib/iaf/scheme  login authentication scheme
     /var/adm/lastlog     time of last login
     /var/adm/loginlog    record of failed login attempts
     /var/adm/utmp        accounting
     /var/adm/wtmp        accounting
     /etc/default/login   to determine default behavior
     /var/mail/login_name mailbox for user login_name
     /usr/lib/locale/locale/LC_MESSAGES/uxcore
                          language-specific message file (see LANG in
                          environ(5))
     /etc/limconf         the compiled Share II configuration file (machine
                          readable)

SEE ALSO
     mail(1), newgrp(1), pwconv(1M), rexecd(1M), rshd(1M), sh(1), su(1M),
     loginlog(4), passwd(4), profile(4), shadow(4), environ(5), share(5).

DIAGNOSTICS
     The message

          UX:login: ERROR: Login incorrect

     is printed if the user name or the password cannot be matched or if the
     user's login account has expired or remained inactive for a period
     greater than the system threshold.

     The message

          UX:login: ioctl() failed: TCSETA

     is printed if the tty line does not support a requested baud rate
     (specified for remote logins).  A similar message is also sent to syslog.
     See serial(7) for information on which baud rates are supported.

     The Share II-specific diagnostic messages are:

     Warning X of Y: soft disk limit exceeded.
          One of your domains has a disk usage in excess of its soft limit.

     Connection denied.  Too many warnings.
          You have reached your warning limit.  See your system administrator.

     Connection denied.  Already logged in - only one login allowed.
          You are already logged in at another terminal or connected to the
          system by remote shell and your onelogin flag is set.

     Connection denied.  Currently barred from logging in.
          Your nologin flag is set.

     Connection denied.  No permission to use this terminal.
          You are not allowed to log in at this terminal because of a clear
          terminal permission flag.

     Share login on ttyname - terminal cost is X times normal.
          You are charged for use of this terminal at X times the rate of a
          normal terminal.

     You have a remaining terminal connect time of Y.
          You may use this terminal until you have used up your remaining
          connect time, at which point you are forced to log out.

     Connection denied.  Terminal connect time limit exceeded.
          You have already reached your terminal connect time limit.

     Share not configured - no limit checks.
          The configuration file is unreadable for some reason, so terminal
          privileges, connect time limits, and disk space limits could not be
          checked.

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026