LOGIN(1)                  UNIX Reference Manual                  LOGIN(1)

     login - authenticate a user and start new session

SYNOPSIS
     login [-fp] [-a level] [-h hostname] [username]

DESCRIPTION
     This manual page documents the login program distributed with the
     Heimdal Kerberos 5 implementation; it may differ in important ways
     from your

     The login program logs users into the system.  It is intended to be
     run by system daemons like getty(8) or telnetd(8).  If you are already
     logged in, but want to change to another user, you should use su(1).

     A username can be given on the command line, else one will be prompted

     A password is required to log in, unless the -f option is given
     (indicating that the calling program has already done proper
     authentication).  With -f the user will be logged in without further
     questions.

     For password authentication Kerberos 5, Kerberos 4 (if compiled in),
     OTP (if compiled in) and local (/etc/passwd) passwords are supported.
     OTP will be used if the user is registered to use it, and login is
     given the option -a otp.  When using OTP, a challenge is shown to the
     user.

     -a string
             Which authentication mode to use, the only supported value is

     -f      Indicates that the user is already authenticated.  This
             happens, for instance, when login is started by telnetd, and
             the user has proved authentic via Kerberos.

     -h hostname
             Indicates which host the user is logging in from.  This is
             passed from telnetd, and is entered into the login database.

     -p      This tells login to preserve all environment variables.  If
             not given, only the TERM and TZ variables are preserved.  It
             could be a security risk to pass random variables to login or
             the user shell, so the calling daemon should make sure it only
             passes

     The process of logging a user in proceeds as follows.

     First a check is made that logins are allowed at all.  This usually
     means checking /etc/nologin.  If it exists, and the user trying to log
     in is not root, its contents are printed, and then login exits.

     Then various system parameters are set up, like changing the owner of
     the tty to the user, setting up signals, setting the group list, and
     user and group id.  Also various machine specific tasks are performed.

     Next login changes to the user's home directory, or if that fails, to
     /.  The environment is set up, by adding some required variables (such
     as PATH), and also authentication related ones (such as KRB5CCNAME).
     If an environment file exists (/etc/environment), variables are set
     according

     If one or more login message files are configured, their contents are
     printed to the terminal.

     If a login time command is configured, it is executed.  A logout time
     command can also be configured, which makes login fork, and wait for
     the user shell to exit, and then run the command.  This can be used to
     clean up

     Finally, the user's shell is executed.  If the user logging in is
     root, and root's login shell does not exist, a default shell (usually
     /bin/sh) is also tried before giving up.

ENVIRONMENT
     These environment variables are set by login (not including ones set
     by /etc/environment):

     PATH           the default system path
     HOME           the user's home directory (or possibly /)
     USER, LOGNAME  both set to the username
     SHELL          the user's shell
     TERM, TZ       set to whatever is passed to login
     KRB5CCNAME     if the password is verified via Kerberos 5, this will
                    point to the credentials cache file
     KRBTKFILE      if the password is verified via Kerberos 4, this will
                    point to the ticket file
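
     The TERM/TZ rule of the -p option and the table above, as an added
     example that is not taken from the Heimdal sources.  The function
     names and the sample environment are constructed for illustration;
     preserve != 0 models -p.

```c
#include <stdio.h>
#include <string.h>

/* Names kept when -p is not given, per the description of -p. */
static const char *const KEEP[] = { "TERM", "TZ" };

/* 1 if entry is exactly "NAME=..." for a name in KEEP.  The '=' check
 * stops TERMCAP or TZDIR from matching TERM or TZ by prefix. */
static int is_kept(const char *entry)
{
    for (size_t i = 0; i < sizeof(KEEP) / sizeof(KEEP[0]); i++) {
        size_t n = strlen(KEEP[i]);
        if (strncmp(entry, KEEP[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Copy the entries of in[] (NULL-terminated) that may be handed on into
 * out[], which holds outcap pointers including the final NULL.
 * Returns the number kept, or -1 if out[] is too small. */
int filter_env(const char *const in[], const char *out[], size_t outcap,
               int preserve)
{
    size_t k = 0;
    if (outcap == 0)
        return -1;
    for (size_t i = 0; in[i] != NULL; i++) {
        if (!preserve && !is_kept(in[i]))
            continue;               /* dropped: not TERM or TZ */
        if (k + 1 >= outcap)
            return -1;
        out[k++] = in[i];
    }
    out[k] = NULL;
    return (int)k;
}

int main(void)
{
    /* Constructed sample of what a calling daemon might pass on. */
    const char *const in[] = { "TERM=vt100", "LD_PRELOAD=/tmp/x.so",
                               "TERMCAP=co#80", "TZ=UTC", "IFS=:", NULL };
    const char *out[8];
    int n = filter_env(in, out, 8, 0);
    for (int i = 0; i < n; i++)
        puts(out[i]);
    return 0;
}
```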

     Contains a set of environment variables that should be set in addition
     to the ones above.  It should contain sh-style assignments like
     ``VARIABLE=value''.  Note that they are not parsed the way a shell
     would.  No variable expansion is performed, and all strings are
     literal, and quotation marks should not be used.  Everything after a
     hash mark is considered a comment.  The following are all different
     (the last will set the variable BAR, not FOO).

           FOO="this is a string"
           BAR= FOO='this is a string'
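
     A line parser that follows the rules stated above (cut at the hash
     mark, no expansion, quotes kept literally), as an added example that
     is not Heimdal's own code.  The function name, the buffer sizes and
     the check on variable names are assumptions made here; the sample
     lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parse one environment-file line: cut at the first '#', skip leading
 * blanks, split at the first '=', keep the rest literally (quotes,
 * spaces and '$' included).  Returns 1 and fills name/value, or 0 for
 * blank, comment-only, malformed or over-long lines. */
int parse_env_line(const char *line, char *name, size_t nlen,
                   char *value, size_t vlen)
{
    char buf[1024];
    size_t n = strcspn(line, "#\n");        /* comment or end of line */
    if (n >= sizeof(buf))
        return 0;
    memcpy(buf, line, n);
    buf[n] = '\0';

    const char *p = buf;
    while (isspace((unsigned char)*p))
        p++;
    const char *eq = strchr(p, '=');
    if (eq == NULL || eq == p)
        return 0;                           /* no '=' or empty name */
    size_t namelen = (size_t)(eq - p);
    if (namelen >= nlen || strlen(eq + 1) >= vlen)
        return 0;
    /* Added check (assumption): accept only [A-Za-z0-9_] in names. */
    for (size_t i = 0; i < namelen; i++)
        if (!isalnum((unsigned char)p[i]) && p[i] != '_')
            return 0;
    memcpy(name, p, namelen);
    name[namelen] = '\0';
    strcpy(value, eq + 1);                  /* length checked above */
    return 1;
}

int main(void)
{
    /* Constructed lines, including the two examples from the text. */
    const char *lines[] = { "FOO=\"this is a string\"\n",
                            "BAR= FOO='this is a string'\n",
                            "PATH=/bin:$HOME/bin # not expanded\n",
                            "# comment only\n" };
    char name[64], value[256];
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        if (parse_env_line(lines[i], name, sizeof(name), value, sizeof(value)))
            printf("%s -> [%s]\n", name, value);
    return 0;
}
```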

     This is a termcap style configuration file, that contains various
     settings used by login.  Currently only the ``default'' capability
     record is used.  The possible capability strings include:

     This is a comma separated list of environment files that are read in
     the order specified.  If this is missing the default /etc/environment
     is used.

     This program will be executed just before the user's shell is started.
     It will be called without arguments.

     This program will be executed just after the user's shell has
     terminated.  It will be called without arguments.  This program will
     be the parent process of the spawned shell.

     motd    A comma separated list of text files that will be printed to
             the user's terminal before starting the shell.  The string
             welcome works similarly, but points to a single

     If it exists, login is denied to all but root.  The contents of this
     file are printed before login exits.

     Other login programs typically print all sorts of information by
     default, such as last time you logged in, if you have mail, and system
     message files.  This version of login does not, so there is no reason
     for .hushlogin files or similar.  We feel that these tasks are best
     left to the user's shell, but the login_program facility allows for a
     shell independent solution, if that is desired.

EXAMPLES
     A login.conf file could look like:

           :motd=/etc/motd,/etc/motd.local:

SEE ALSO
     su(1), login.access(5), getty(8), telnetd(8)

AUTHORS
     This login program was written for the Heimdal Kerberos 5
     implementation.  The login.access code was written by Wietse Venema.

HEIMDAL                        March 24, 2003