Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 HP-UX Reference > L

login(1)

HP-UX 11i Version 3: February 2007
» 

Technical documentation

» Feedback
Content starts here

 » Table of Contents

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

NAME

login — sign on, start terminal session

SYNOPSIS

login [name [env-var]...]

DESCRIPTION

The login command is used at the beginning of each terminal session to properly identify a prospective user. login can be invoked as a user command or by the system as an incoming connection is established. login can also be invoked by the system when a previous user shell terminates but the terminal does not disconnect.

If login is invoked as a command, it must replace the initial command interpreter (the user's login shell). This is accomplished with the shell command

exec login

The user's login name is requested, if it is not specified on the command line, and the corresponding password is obtained, if required, with the following prompts:

login: Password:

Terminal echo is turned off (where possible) during password entry to prevent written records of the password. If the account does not have a password, and the authentication profile for the account requires one, login invokes pam_chauthtok() to establish one for the account.

On a trusted system, login displays the last successful and unsuccessful login times and terminal devices. On a standard system, login optionally displays the last successful and unsuccessful login times. See the DISPLAY_LAST_LOGIN attribute in security(4).

As a security precaution, some installations use an option that requires a second "dialup" password. This occurs only for dialup connections, and is requested with the prompt:

dialup password:

Both passwords must be correct for a successful login (see dialups(4) for details on dialup security).

If password aging is activated, the user's password may have expired. pam_chauthtok() is invoked to change the password. On a standard system, the user is required to re-login after a successful password change (see passwd(1)).

After three unsuccessful login attempts, a HANGUP signal is issued. If a login is not successfully completed within a certain period of time (for example, one minute), the terminal is silently disconnected.

After a successful login, the accounting files are updated, user and group IDs, group access list, and working directory are initialized, and the user's command interpreter (shell) is determined from corresponding user entries in the files /etc/passwd and /etc/logingroup (see passwd(4) and group(4)). If /etc/passwd does not specify a shell for the user name, /usr/bin/sh is used by default. login then forks the appropriate shell by using the last component of the shell path name preceded by a - (for example, -sh or -ksh). When the command interpreter is invoked with its name preceded by a minus in this manner, the shell performs its own initialization, including execution of profile, login, or other initialization scripts.

For example, if the user login shell is the Korn or POSIX shell (see ksh(1) or sh-posix(1), respectively), the shell executes the profile files /etc/profile and $HOME/.profile if they exist (and possibly others as well). Depending on what these profile files contain, messages regarding mail in the user's mail file or any messages the user may have received since the user's last login may be displayed.

If the command name field is *, a chroot() to the directory named in the directory field of the entry is performed. At that point, login is re-executed at the new level, which must have its own root structure, including a /usr/bin/login command and an /etc/passwd file.

For the normal user, the basic environment variables (see environ(5)) are initialized to:

HOME=login_directory LOGNAME=login_name MAIL=/var/mail/login_name PATH=:/usr/bin SHELL=login_shell

login_directory, login_name, and login_shell are taken from the corresponding fields of the passwd file entry (see passwd(4)).

For superuser, PATH is set to:

PATH=:/usr/sbin:/usr/bin:/sbin

In the case of a remote login, the environment variable TERM is also set to the remote user's terminal type.

The environment can be expanded or modified by supplying additional arguments to login, either at execution time or when login requests the user's login name. The arguments can take either the form value or varname=value, where varname is a new or existing environment variable name and value is a value to be assigned to the variable.

An argument in the first form (without an equals sign) is placed in the environment as if it were entered in the form

Ln=value

where n is a number starting at 0 that is incremented each time a new variable name is required.

An argument in the second form (with an equals sign) is placed into the environment without modification.

If the variable name (Ln or varname) already appears in the environment, the new value replaces the older one.

There are two exceptions. The variables PATH and SHELL cannot be changed. This prevents users logged in with restricted shell environments from spawning secondary shells that are not restricted.

Both login and getty understand simple single-character quoting conventions. Typing a backslash in front of a character quotes it and allows the inclusion of such things as spaces and tabs.

The user accounting database, /etc/utmps, is updated by the utmpd daemon (see utmpd(1M)). This is the database of currently logged-in users.

If /var/adm/btmps exists, all unsuccessful login attempts are logged to that file. The lastb command, (see last(1)), displays a summary of bad login attempts for users with read access to btmps.

If the /etc/securetty file is present, login security is in effect, i.e., root is allowed to log in successfully only on the ttys listed in this file. Restricted ttys are listed by device name, one per line. Valid tty names are dependent on the installation. An example is

console tty01 ttya1 etc.

Note that this feature does not inhibit a normal user from using the su command (see su(1)).

HP-UX Smart Card Login

If the user account is configured to use a Smart Card, the user password is stored in the card. This password has characteristics identical to a normal password stored on the system.

In order to login using a Smart Card account, the card must be inserted into the Smart Card reader. The user is prompted for a PIN (personal identification number) instead of a password during authentication. The prompts are:

login: Enter PIN:

The password is retrieved automatically from the Smart Card when a valid PIN is entered. Therefore, it is not necessary to know the password, only the PIN.

The card is locked if an incorrect PIN is entered three consecutive times. It may be unlocked only by the card issuer.

SECURITY FEATURES

On a standard system, login prohibits a user from logging in if any of the following is true:

  • The password for the account has expired and the user cannot successfully change the password.

  • The password for the account has expired and the password was not changed within the specified number of days after the expiration (see shadow(4)).

  • The account lifetime has passed (see shadow(4)).

On a trusted system, login prohibits a user from logging in if any of the following is true:

  • The password for the account has expired and the user cannot successfully change the password.

  • The password lifetime for the account has passed.

  • The time between the last login and the current time exceeds the time allowed for login intervals.

  • The administrative lock on the account has been set.

  • The maximum number of unsuccessful login attempts for the account has been exceeded.

  • The maximum number of unsuccessful login attempts for the terminal has been exceeded.

  • The administrative lock on the terminal has been set.

  • The terminal has an authorized user list and the user is not on it.

  • The terminal has time of day restrictions and the current time is not within the allowable period.

On a trusted system, login allows superuser to log in on the console unless /etc/securetty exists and does not contain console.

Refer to the /etc/default/security file in the security(4) manpage for detailed information on configurable attributes that affect the behavior of this command. Currently supported attributes are:

  • ABORT_LOGIN_ON_MISSING_HOMEDIR NOLOGIN NUMBER_OF_LOGINS_ALLOWED DISPLAY_LAST_LOGIN AUTH_MAXTRIES ALLOW_NULL_PASSWORD INACTIVITY_MAXDAYS LOGIN_TIMES

EXTERNAL INFLUENCES

Environment Variables

HOME

User's home directory.

MAIL

Where to look for mail.

PATH

Path to be searched for commands.

SHELL

Which command interpreter is being used.

TERM

User's terminal type.

varname

User-specified named variables.

Ln

User-specified unnamed variables.

DIAGNOSTICS

The following diagnostics appear if the associated condition occurs:

.rhosts is a soft link

  • The personal equivalence file is a symbolic link.

Bad .rhosts ownership

  • The personal equivalence file is not owned by the local user or by a user with appropriate privileges.

Bad group id

Bad user id

Cannot open password file

  • Consult the system administrator.

Locuser too long

  • The indicated string was too long for login's internal buffer.

Login incorrect

  • User name and password cannot be matched.

No /usr/bin/login or /etc/login on root

  • Attempted to log in to a subdirectory root that does not have a subroot login command. That is, the passwd file entry had shell path *, but the system cannot find a login command under the given home directory.

No directory

  • Consult system administrator.

No Root Directory

  • Attempted to log in to a subdirectory root that does not exist. That is, the passwd file entry had shell path *, but the system cannot chroot() to the given home directory.

No shell

  • The user shell (/usr/bin/sh if shell name is null in /etc/passwd) could not be started with the exec command. Consult system administrator.

No utmp entry. You must exec "login" from the lowest level "sh"

  • Attempted to execute login as a command without using the shell's exec internal command or from other than the initial shell. The current shell is terminated.

Remuser too long

  • The indicated string was too long for login's internal buffer.

Terminal type too long

  • The indicated string was too long for login's internal buffer.

Unable to change to directory name

  • Cannot chdir to the user's home directory.

Your password has expired. Choose a new one

  • Password aging is enabled and the user's password has expired.

WARNINGS

If /etc/group is linked to /etc/logingroup, and group membership for the user trying to log in is managed by the Network Information Service (NIS), and no NIS server is able to respond, login waits until a server does respond.

HP-UX 11i Version 3 is the last release to support trusted systems functionality.

DEPENDENCIES

Pluggable Authentication Modules (PAM)

PAM is an Open Group standard for user authentication, password modification, and validation of accounts. In particular, pam_authenticate() is invoked to perform all functions related to login. This includes retrieving the password, validating the account, and displaying error messages. pam_chauthtok() is invoked during password expiration or establishment.

HP Process Resource Manager

If the optional HP Process Resource Manager (PRM) software is installed and configured, the login shell is launched in the user's initial process resource group. If the user's initial group is not defined, the shell runs in the user default group (PRMID=1). See prmconfig(1) for a description of how to configure HP PRM, and prmconf(4) for a description of how the user's initial process resource group is determined.

AUTHOR

login was developed by AT&T and HP.

FILES

$HOME/.profile

Personal profile (individual user initialization)

$HOME/.rhosts

Personal equivalence file for the remote login server.

/etc/d_passwd

Dialup security encrypted passwords.

/etc/default/security

Security defaults configuration file.

/etc/dialups

Lines which require dialup security.

/etc/hosts.equiv

System list of equivalent hosts allowing logins without passwords.

/etc/logingroup

Group file — defines group access lists.

/etc/motd

Message-of-the-day.

/etc/passwd

Password file — defines users, passwords, and primary groups.

/etc/profile

System profile (initialization for all users).

/etc/securetty

List of valid ttys for root login.

/etc/shadow

Shadow Password file.

/etc/utmps

The user accounting database, (see utmpd(1M)).

/tcb/files/auth/*/*

The trusted system password database.

/var/adm/btmps

History of bad login attempts.

/var/adm/wtmps

History of logins, logouts, and date changes.

/var/mail/login_name

Mailbox for user, login_name.

SEE ALSO

csh(1), groups(1), ksh(1), last(1), mail(1), newgrp(1), passwd(1), sh(1), sh-posix(1), su(1), getty(1M), userstat(1M), initgroups(3C), btmps(4), dialups(4), group(4), passwd(4), profile(4), security(4), shadow(4), utmpd(1M), wtmps(4), environ(5).

HP Process Resource Manager

prmconfig(1), prmconf(4) in HP Process Resource Manager Users Guide.

Pluggable Authentication Modules (PAM)

pam_acct_mgmt(3), pam_authenticate(3), pam_chauthtok(3).

HP-UX Smart Card Login

scpin(1), scsync(1).



logger
  		 


logname  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 1983-2007 Hewlett-Packard Development Company, L.P.