NAME
login - authenticate a user and start a new session
SYNOPSIS
login [-fp] [-a level] [-h hostname] [username]
DESCRIPTION
This manual page documents the login program distributed with the Heimdal Kerberos 5 implementation; it may differ in important ways from your system's version.
The login program logs users into the system. It is intended to be run by system daemons like getty(8) or telnetd(8). If you are already logged in but want to change to another user, use su(1).
A username can be given on the command line; otherwise one is prompted for. A password is required to log in unless the -f option is given (indicating that the calling program has already done proper authentication). With -f the user is logged in without further questions.
For password authentication, Kerberos 5, Kerberos 4 (if compiled in), OTP (if compiled in) and local (/etc/passwd) passwords are supported. OTP is used if the user is registered to use it and login is given the option -a otp. When using OTP, a challenge is shown to the user.
Further options are:
-a string - Which authentication mode to use; the only supported value is currently “otp”.
-f - Indicates that the user is already authenticated. This happens, for instance, when login is started by telnetd and the user has proved authentic via Kerberos.
-h hostname - Indicates which host the user is logging in from. This is passed from telnetd and is entered into the login database.
-p - Tells login to preserve all environment variables. If not given, only the TERM and TZ variables are preserved. Passing arbitrary variables to login or the user's shell can be a security risk (variables that change how the dynamic loader or the shell starts up, for example), so the calling daemon should make sure it only passes “safe” variables.
The process of logging a user in proceeds as follows.
First a check is made that logins are allowed at all. This usually means checking /etc/nologin. If it exists and the user trying to log in is not root, its contents are printed and login exits.
Then various system parameters are set up, such as changing the owner of the tty to the user, setting up signals, and setting the group list and the user and group IDs. Various machine-specific tasks are also performed.
Next login changes to the user's home directory, or to / if that fails. The environment is set up by adding some required variables (such as PATH) and authentication-related ones (such as KRB5CCNAME). If an environment file (/etc/environment) exists, variables are set according to it.
If one or more login message files are configured, their contents are printed to the terminal.
If a login-time command is configured, it is executed. A logout-time command can also be configured, which makes login fork, wait for the user's shell to exit, and then run the command. This can be used to clean up user credentials.
Finally, the user's shell is executed. If the user logging in is root and root's login shell does not exist, a default shell (usually /bin/sh) is also tried before giving up.
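The sequence above, written out as an added example in Python (this is not Heimdal's code, and it is a sketch of the control flow rather than a replacement for login(1)). The unprivileged steps (the nologin check, building the session environment, choosing the shell) are plain functions; the privileged ones (handing over the tty, dropping root, exec'ing the shell) live in start_session(), which only root can run and which replaces the calling process. The default PATH value, the Passwd stand-in and the set of variables kept without -p are assumptions taken from the text, not from Heimdal's source.

```python
import os
from collections import namedtuple

NOLOGIN = "/etc/nologin"
DEFAULT_PATH = "/usr/bin:/bin"     # assumption: the "default system path"
FALLBACK_SHELL = "/bin/sh"         # tried for root when its own shell is missing
SAFE_VARS = ("TERM", "TZ")         # the only caller variables kept without -p

# Constructed stand-in for a pwd.getpwnam() entry; it uses the same attribute
# names, so a real struct_passwd can be passed wherever a Passwd is expected.
Passwd = namedtuple("Passwd", "pw_name pw_uid pw_gid pw_dir pw_shell")


def nologin_message(pw, nologin=NOLOGIN):
    """Return the text of /etc/nologin if it blocks this login, else None.
    root is never blocked; everyone else is shown the file and refused."""
    if pw.pw_uid == 0 or not os.path.exists(nologin):
        return None
    with open(nologin) as f:
        return f.read()


def build_environment(pw, caller_env, home, preserve_all=False, krb5ccname=None):
    """Build the session environment.  Without -p only TERM and TZ survive
    from the caller; everything else comes from the account entry."""
    if preserve_all:                        # -p: trust whatever the daemon passed
        env = dict(caller_env)
    else:
        env = {k: caller_env[k] for k in SAFE_VARS if k in caller_env}
    env["PATH"] = DEFAULT_PATH
    env["HOME"] = home                      # pw_dir, or "/" if chdir(pw_dir) failed
    env["USER"] = env["LOGNAME"] = pw.pw_name
    env["SHELL"] = pw.pw_shell
    if krb5ccname is not None:              # only when Kerberos 5 verified the password
        env["KRB5CCNAME"] = krb5ccname
    return env


def shell_candidates(pw):
    """Shells to try, in order: the account's shell, plus /bin/sh for root."""
    shells = [pw.pw_shell]
    if pw.pw_uid == 0 and FALLBACK_SHELL not in shells:
        shells.append(FALLBACK_SHELL)
    return shells


def drop_privileges(pw):
    """Give up root.  Order matters: the group list and gid can only be set
    while still root, so they go first and the uid goes last."""
    import grp
    extra = [g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem]
    os.setgroups([pw.pw_gid] + [g for g in extra if g != pw.pw_gid])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    if os.getuid() != pw.pw_uid or os.geteuid() != pw.pw_uid:
        raise SystemExit("privilege drop failed; refusing to start a shell")


def start_session(pw, caller_env, tty, preserve_all=False, krb5ccname=None):
    """Run the whole sequence and exec the user's shell (never returns)."""
    msg = nologin_message(pw)
    if msg is not None:
        print(msg, end="")
        raise SystemExit(1)
    os.chown(tty, pw.pw_uid, -1)            # hand the terminal to the user
    drop_privileges(pw)
    try:
        os.chdir(pw.pw_dir)
        home = pw.pw_dir
    except OSError:
        os.chdir("/")
        home = "/"
    env = build_environment(pw, caller_env, home, preserve_all, krb5ccname)
    for shell in shell_candidates(pw):
        try:
            # A leading "-" in argv[0] is the convention that marks a login shell.
            os.execve(shell, ["-" + os.path.basename(shell)], env)
        except OSError:
            continue                        # shell missing: try the next candidate
    raise SystemExit("no usable shell for %s" % pw.pw_name)
```

The privilege drop checks the result of setuid() and aborts rather than continuing: a login program that silently carries on as root after a failed setuid() hands the user a root shell.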
ENVIRONMENT
These environment variables are set by login (not including ones set by /etc/environment):
PATH - the default system path
HOME - the user's home directory (or possibly /)
USER, LOGNAME - both set to the username
SHELL - the user's shell
TERM, TZ - set to whatever is passed to login
KRB5CCNAME - if the password is verified via Kerberos 5, this points to the credentials cache file
KRBTKFILE - if the password is verified via Kerberos 4, this points to the ticket file
FILES
/etc/environment - Contains a set of environment variables that should be set in addition to the ones above. It should contain sh-style assignments like “VARIABLE=value”. Note that they are not parsed the way a shell would parse them: no variable expansion is performed, all strings are literal, and quotation marks should not be used. Everything after a hash mark is considered a comment. The following are all different (the last sets the variable BAR, not FOO):
    FOO=this is a string
    FOO="this is a string"
    BAR= FOO='this is a string'
/etc/login.access - See login.access(5).
/etc/login.conf - This is a termcap-style configuration file that contains various settings used by login. Currently only the “default” capability record is used. The possible capability strings include:
    environment - A comma-separated list of environment files that are read in the order specified. If this is missing, the default /etc/environment is used.
    login_program - This program is executed just before the user's shell is started. It is called without arguments.
    logout_program - This program is executed just after the user's shell has terminated. It is called without arguments. This program is the parent process of the spawned shell.
    motd - A comma-separated list of text files that are printed to the user's terminal before starting the shell. The string welcome works similarly, but points to a single file.
    limits - Points to a file containing ulimit settings for various users. The syntax is inspired by that of pam_limits, and the default is /etc/security/limits.conf.
/etc/nologin - If it exists, login is denied to all but root. The contents of this file are printed before login exits.
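A parser for the /etc/environment format described under FILES above, added here as an example (it is not Heimdal's code). It follows the rules the text gives: one assignment per line, no variable expansion, no quote handling, and everything from the first hash mark on is a comment. Where the text is silent the behaviour is an assumption: whitespace at the end of a line (after the comment is cut off) is dropped, leading whitespace in a value is kept, and a line without “=” is ignored. merge_environment() models the login.conf environment capability, which reads several files in order.

```python
def parse_environment(text):
    """Parse text in /etc/environment format into a dict.

    Each line is NAME=value.  The value is taken literally: no variable
    expansion and no quote handling, so quotes and '$' become part of the
    value.  Everything from the first '#' on is a comment, which also means
    a '#' can never be part of a value.
    """
    env = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # cut the comment, drop trailing space (assumption)
        line = line.lstrip()                   # leading indentation is ignored (assumption)
        if not line or "=" not in line:
            continue                           # blank, comment-only or malformed line (assumption)
        name, value = line.split("=", 1)       # split at the FIRST '=' only
        name = name.strip()
        if not name:
            continue
        env[name] = value                      # literal: leading space, quotes and '$' are data
    return env


def merge_environment(*texts):
    """Combine several environment files read in order, as the login.conf
    'environment' capability lists them: a later file's assignment of a
    name overrides an earlier one."""
    env = {}
    for text in texts:
        env.update(parse_environment(text))
    return env


# Constructed sample input: the three lines from the man page plus a
# comment, an unexpanded reference and a duplicate assignment.
SAMPLE = """\
# system-wide settings
PATH=/usr/local/bin:/usr/bin:/bin   # trailing comment
FOO=this is a string
FOO="this is a string"
BAR= FOO='this is a string'
HOME_BIN=$HOME/bin
"""

if __name__ == "__main__":
    for name, value in parse_environment(SAMPLE).items():
        print("%s=%r" % (name, value))
```

Running it shows why the man page warns against quotes: the second FOO line sets FOO to the eight-word string including both double quotes, and the BAR line sets BAR to a value that begins with a space and contains “FOO='this is a string'” verbatim.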
Other login programs typically print all sorts of information by default, such as the last time you logged in, whether you have mail, and system message files. This version of login does not, so there is no need for .hushlogin files or similar. We feel that these tasks are best left to the user's shell, but the login_program facility allows for a shell-independent solution if that is desired.
EXAMPLES
A login.conf file could look like:
default:\
:motd=/etc/motd,/etc/motd.local:\
:limits=/etc/limits.conf:
The limits.conf file consists of a table with four whitespace-separated fields. The first field is a username, a group name (prefixed with ‘@’), or ‘*’. The second field is ‘soft’, ‘hard’, or ‘-’ (the last meaning both soft and hard). The third field is a limit name (such as ‘cpu’ or ‘core’). The last field is the limit value (a number, or ‘-’ for unlimited). Data sizes are given in kilobytes, and cputime in minutes. Note that only the hard limit is a ceiling the user cannot raise; a soft limit set on its own is merely a default that the user's shell may raise again up to the hard limit.
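The table format just described, as an added example parser in Python (not Heimdal's code) that also does the two things login has to do with such a table before calling setrlimit(): pick the lines that apply to a given user, and convert the file's units. The set of limit names and which of them count as data sizes, the comment syntax, and the precedence rule (a more specific domain beats a less specific one; among equally specific lines the later one wins) are assumptions modelled on pam_limits, since the text only says the syntax is inspired by it.

```python
KB = 1024
SCALE = {                 # limit name -> multiplier to setrlimit() units (assumption)
    "core": KB, "data": KB, "fsize": KB, "stack": KB, "rss": KB, "memlock": KB,
    "nofile": 1, "nproc": 1,
    "cpu": 60,            # minutes -> seconds
}
UNLIMITED = None          # meaning of '-' in the fourth field


def parse_limits(text):
    """Parse limits.conf into a list of (domain, kind, item, value) tuples.
    value is already in setrlimit() units or UNLIMITED; bad lines raise."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' comments: assumption
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError("line %d: expected 4 fields, got %d" % (lineno, len(fields)))
        domain, kind, item, value = fields
        if kind not in ("soft", "hard", "-"):
            raise ValueError("line %d: bad type %r" % (lineno, kind))
        if item not in SCALE:
            raise ValueError("line %d: unknown limit %r" % (lineno, item))
        num = UNLIMITED if value == "-" else int(value) * SCALE[item]  # int() rejects "10MB"
        rules.append((domain, kind, item, num))
    return rules


def effective_limits(rules, user, groups):
    """Return {item: {"soft": v, "hard": v}} for user (a member of groups).
    A missing key means 'leave the inherited limit alone'."""
    result, rank = {}, {}
    for domain, kind, item, value in rules:
        if domain == "*":
            specificity = 0
        elif domain.startswith("@"):
            if domain[1:] not in groups:
                continue
            specificity = 1
        elif domain == user:
            specificity = 2
        else:
            continue
        for which in (("soft", "hard") if kind == "-" else (kind,)):
            if rank.get((item, which), -1) <= specificity:   # later line wins on ties
                rank[(item, which)] = specificity
                result.setdefault(item, {})[which] = value
    return result


def apply_limits(limits):
    """Apply the limits to the current process (POSIX only).  Only the hard
    limit is a ceiling the user cannot raise again; a soft value without a
    hard one is just a default the shell may undo."""
    import resource
    inf = resource.RLIM_INFINITY
    for item, kinds in limits.items():
        res = getattr(resource, "RLIMIT_" + item.upper())
        soft, hard = resource.getrlimit(res)
        if "hard" in kinds:
            hard = inf if kinds["hard"] is UNLIMITED else kinds["hard"]
        if "soft" in kinds:
            soft = inf if kinds["soft"] is UNLIMITED else kinds["soft"]
        if hard != inf and (soft == inf or soft > hard):
            soft = hard                        # setrlimit() rejects soft > hard
        resource.setrlimit(res, (soft, hard))


# Constructed sample table in the format described above.
SAMPLE = """\
# domain   type   item     value
*          soft   core     0          # no core dumps by default...
*          hard   core     -          # ...but a user may turn them on
*          -      data     1048576    # 1 GiB, given in kilobytes
*          -      cpu      60         # one hour, given in minutes
@staff     -      nofile   4096
alice      hard   cpu      30         # user lines beat the '*' defaults
alice      soft   cpu      10
"""

if __name__ == "__main__":
    rules = parse_limits(SAMPLE)
    for name, groups in (("alice", {"staff"}), ("bob", set())):
        print(name, effective_limits(rules, name, groups))
```

For alice (a member of staff) the result is cpu soft 600 s / hard 1800 s, nofile 4096/4096, core 0/unlimited and data 1 GiB; bob gets the hour of CPU from the ‘*’ line and no nofile entry at all.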
SEE ALSO
su(1),
login.access(5),
getty(8),
telnetd(8)
AUTHORS
This login program was written for the Heimdal Kerberos 5 implementation. The login.access code was written by Wietse Venema.