blob: 12273815942d1e85723b6f0452fc31521798912e [file] [log] [blame] [edit]
.\" Copyright 1993 Rickard E. Faith (faith@cs.unc.edu)
.\" May be distributed under the GNU General Public License
.TH LOGIN 1 "4 November 1996" "Util-linux 1.6" "Linux Programmer's Manual"
.SH NAME
login \- sign on
.SH SYNOPSIS
.BR "login [ " name " ]"
.br
.B "login \-p"
.br
.BR "login \-h " hostname
.br
.BR "login \-f " name
.SH DESCRIPTION
.B login
is used when signing onto a system.
If an argument is not given,
.B login
prompts for the username.
If the user is
.I not
root, and if
.I /etc/nologin
exists, the contents of this file are printed to the screen, and the
login is terminated. This is typically used to prevent logins when the
system is being taken down.
If special access restrictions are specified for the user in
.IR /etc/usertty ,
these must be met, or the log in attempt will be denied and a
.B syslog
message will be generated. See the section on "Special Access Restrictions".
If the user is root, then the login must be occurring on a tty listed in
.IR /etc/securetty .
Failures will be logged with the
.B syslog
facility.
After these conditions have been checked, the password will be requested and
checked (if a password is required for this username). Ten attempts
are allowed before
.B login
dies, but after the first three, the response starts to get very slow.
Login failures are reported via the
.B syslog
facility. This facility is also used to report any successful root logins.
If the file
.I .hushlogin
exists, then a "quiet" login is performed (this disables the checking
of mail and the printing of the last login time and message of the day).
Otherwise, if
.I /var/log/lastlog
exists, the last login time is printed (and the current login is
recorded).
Random administrative things, such as setting the UID and GID of the
tty are performed. The TERM environment variable is preserved, if it
exists (other environment variables are preserved if the
.B \-p
option is used). Then the HOME, PATH, SHELL, TERM, MAIL, and LOGNAME
environment variables are set. PATH defaults to
.I /usr/local/bin:/bin:/usr/bin
for normal users, and to
.I /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
for root. Last, if this is not a "quiet" login, the message of the
day is printed and the file with the user's name in
.I /var/spool/mail
will be checked, and a message printed if it has non-zero length.
The user's shell is then started. If no shell is specified for the
user in
.BR /etc/passwd ,
then
.B /bin/sh
is used. If there is no directory specified in
.IR /etc/passwd ,
then
.I /
is used (the home directory is checked for the
.I .hushlogin
file described above).
.SH OPTIONS
.TP
.B \-p
Used by
.BR getty (8)
to tell
.B login
not to destroy the environment
.TP
.B \-f
Used to skip a second login authentication. This specifically does
.B not
work for root, and does not appear to work well under Linux.
.TP
.B \-h
Used by other servers (i.e.,
.BR telnetd (8))
to pass the name of the remote host to
.B login
so that it may be placed in utmp and wtmp. Only the superuser may use
this option.
Note that the \fB-h\fP option has impact on the \fBPAM service name\fP. The standard
service name is "login", with the \fB-h\fP option the name is "remote". It's
necessary to create a proper PAM config files (e.g.
.I /etc/pam.d/login
and
.I /etc/pam.d/remote
).
.SH "SPECIAL ACCESS RESTRICTIONS"
The file
.I /etc/securetty
lists the names of the ttys where root is allowed to log in. One name
of a tty device without the /dev/ prefix must be specified on each
line. If the file does not exist, root is allowed to log in on any
tty.
.PP
On most modern Linux systems PAM (Pluggable Authentication Modules)
is used. On systems that do not use PAM, the file
.I /etc/usertty
specifies additional access restrictions for specific users.
If this file does not exist, no additional access restrictions are
imposed. The file consists of a sequence of sections. There are three
possible section types: CLASSES, GROUPS and USERS. A CLASSES section
defines classes of ttys and hostname patterns, A GROUPS section
defines allowed ttys and hosts on a per group basis, and a USERS
section defines allowed ttys and hosts on a per user basis.
.PP
Each line in this file in may be no longer than 255
characters. Comments start with # character and extend to the end of
the line.
.PP
.SS "The CLASSES Section"
A CLASSES section begins with the word CLASSES at the start of a line
in all upper case. Each following line until the start of a new
section or the end of the file consists of a sequence of words
separated by tabs or spaces. Each line defines a class of ttys and
host patterns.
.PP
The word at the beginning of a line becomes defined as a collective
name for the ttys and host patterns specified at the rest of the
line. This collective name can be used in any subsequent GROUPS or
USERS section. No such class name must occur as part of the definition
of a class in order to avoid problems with recursive classes.
.PP
An example CLASSES section:
.PP
.nf
.in +.5
CLASSES
myclass1 tty1 tty2
myclass2 tty3 @.foo.com
.in -.5
.fi
.PP
This defines the classes
.I myclass1
and
.I myclass2
as the corresponding right hand sides.
.PP
.SS "The GROUPS Section"
A GROUPS section defines allowed ttys and hosts on a per Unix group basis. If
a user is a member of a Unix group according to
.I /etc/passwd
and
.I /etc/group
and such a group is mentioned in a GROUPS section in
.I /etc/usertty
then the user is granted access if the group is.
.PP
A GROUPS section starts with the word GROUPS in all upper case at the start of
a line, and each following line is a sequence of words separated by spaces
or tabs. The first word on a line is the name of the group and the rest
of the words on the line specifies the ttys and hosts where members of that
group are allowed access. These specifications may involve the use of
classes defined in previous CLASSES sections.
.PP
An example GROUPS section.
.PP
.nf
.in +0.5
GROUPS
sys tty1 @.bar.edu
stud myclass1 tty4
.in -0.5
.fi
.PP
This example specifies that members of group
.I sys
may log in on tty1 and from hosts in the bar.edu domain. Users in
group
.I stud
may log in from hosts/ttys specified in the class myclass1 or from
tty4.
.PP
.SS "The USERS Section"
A USERS section starts with the word USERS in all upper case at the
start of a line, and each following line is a sequence of words
separated by spaces or tabs. The first word on a line is a username
and that user is allowed to log in on the ttys and from the hosts
mentioned on the rest of the line. These specifications may involve
classes defined in previous CLASSES sections. If no section header is
specified at the top of the file, the first section defaults to be a
USERS section.
.PP
An example USERS section:
.PP
.nf
.in +0.5
USERS
zacho tty1 @130.225.16.0/255.255.255.0
blue tty3 myclass2
.in -0.5
.fi
.PP
This lets the user zacho login only on tty1 and from hosts with IP
addreses in the range 130.225.16.0 \- 130.225.16.255, and user blue is
allowed to log in from tty3 and whatever is specified in the class
myclass2.
.PP
There may be a line in a USERS section starting with a username of
*. This is a default rule and it will be applied to any user not
matching any other line.
.PP
If both a USERS line and GROUPS line match a user then the user is
allowed access from the union of all the ttys/hosts mentioned in these
specifications.
.SS Origins
The tty and host pattern specifications used in the specification of
classes, group and user access are called origins. An origin string
may have one of these formats:
.IP o
The name of a tty device without the /dev/ prefix, for example tty1 or
ttyS0.
.PP
.IP o
The string @localhost, meaning that the user is allowed to
telnet/rlogin from the local host to the same host. This also allows
the user to for example run the command: xterm -e /bin/login.
.PP
.IP o
A domain name suffix such as @.some.dom, meaning that the user may
rlogin/telnet from any host whose domain name has the suffix
\&.some.dom.
.PP
.IP o
A range of IPv4 addresses, written @x.x.x.x/y.y.y.y where x.x.x.x is
the IP address in the usual dotted quad decimal notation, and y.y.y.y
is a bitmask in the same notation specifying which bits in the address
to compare with the IP address of the remote host. For example
@130.225.16.0/255.255.254.0 means that the user may rlogin/telnet from
any host whose IP address is in the range 130.225.16.0 \-
130.225.17.255.
.PP
.IP o
An range of IPv6 addresses, written @[n:n:n:n:n:n:n:n]/m is interpreted as a
[net]/prefixlen pair. An IPv6 host address is matched if prefixlen bits of
net is equal to the prefixlen bits of the address. For example, the
[net]/prefixlen pattern [3ffe:505:2:1::]/64 matches every address in the
range 3ffe:505:2:1:: through 3ffe:505:2:1:ffff:ffff:ffff:ffff.
.PP
Any of the above origins may be prefixed by a time specification
according to the syntax:
.PP
.nf
timespec ::= '[' <day-or-hour> [':' <day-or-hour>]* ']'
day ::= 'mon' | 'tue' | 'wed' | 'thu' | 'fri' | 'sat' | 'sun'
hour ::= '0' | '1' | ... | '23'
hourspec ::= <hour> | <hour> '\-' <hour>
day-or-hour ::= <day> | <hourspec>
.fi
.PP
For example, the origin [mon:tue:wed:thu:fri:8\-17]tty3 means that log
in is allowed on mondays through fridays between 8:00 and 17:59 (5:59
pm) on tty3. This also shows that an hour range a\-b includes all
moments between a:00 and b:59. A single hour specification (such as
10) means the time span between 10:00 and 10:59.
.PP
Not specifying any time prefix for a tty or host means log in from
that origin is allowed any time. If you give a time prefix be sure to
specify both a set of days and one or more hours or hour ranges. A
time specification may not include any white space.
.PP
If no default rule is given then users not matching any line
.I /etc/usertty
are allowed to log in from anywhere as is standard behavior.
.PP
.SH FILES
.nf
.I /var/run/utmp
.I /var/log/wtmp
.I /var/log/lastlog
.I /var/spool/mail/*
.I /etc/motd
.I /etc/passwd
.I /etc/nologin
.I /etc/usertty
.I /etc/pam.d/login
.I /etc/pam.d/remote
.I .hushlogin
.fi
.SH "SEE ALSO"
.BR init (8),
.BR getty (8),
.BR mail (1),
.BR passwd (1),
.BR passwd (5),
.BR environ (7),
.BR shutdown (8)
.SH BUGS
The undocumented BSD
.B \-r
option is not supported. This may be required by some
.BR rlogind (8)
programs.
A recursive login, as used to be possible in the good old days,
no longer works; for most purposes
.BR su (1)
is a satisfactory substitute. Indeed, for security reasons,
login does a vhangup() system call to remove any possible
listening processes on the tty. This is to avoid password
sniffing. If one uses the command "login", then the surrounding shell
gets killed by vhangup() because it's no longer the true owner of the tty.
This can be avoided by using "exec login" in a top-level shell or xterm.
.SH AUTHOR
Derived from BSD login 5.40 (5/9/89) by Michael Glad (glad@daimi.dk)
for HP-UX
.br
Ported to Linux 0.12: Peter Orbaek (poe@daimi.aau.dk)
.SH AVAILABILITY
The login command is part of the util-linux-ng package and is available from
ftp://ftp.kernel.org/pub/linux/utils/util-linux-ng/.