LOGIN(1)                  UNIX Reference Manual                  LOGIN(1)

NAME
     login - authenticate a user and start a new session

SYNOPSIS
     login [-fp] [-a level] [-h hostname] [username]

DESCRIPTION
     This manual page documents the login program distributed with the
     Heimdal Kerberos 5 implementation; it may differ in important ways
     from your system version.

     The login program logs users into the system.  It is intended to be
     run by system daemons like getty(8) or telnetd(8).  If you are
     already logged in but want to change to another user, use su(1).

     A username can be given on the command line; otherwise one will be
     prompted for.

     A password is required to log in, unless the -f option is given
     (indicating that the calling program has already done proper
     authentication).  With -f the user will be logged in without
     further questions.

     For password authentication Kerberos 5, Kerberos 4 (if compiled
     in), OTP (if compiled in) and local (/etc/passwd) passwords are
     supported.  OTP will be used if the user is registered to use it
     and login is given the option -a otp.  When using OTP, a challenge
     is shown to the user.

     Further options are:

     -a level
             Which authentication mode to use; the only supported value
             is currently ``otp''.

     -f      Indicates that the user is already authenticated.  This
             happens, for instance, when login is started by telnetd and
             the user has proved authentic via Kerberos.

     -h hostname
             Indicates which host the user is logging in from.  This is
             passed from telnetd, and is entered into the login
             database.

     -p      Tells login to preserve all environment variables.  If not
             given, only the TERM and TZ variables are preserved.
             Passing arbitrary variables through login to the user's
             shell can be a security risk (variables that influence the
             dynamic loader or the shell's startup are the usual
             concern), so the calling daemon should make sure it only
             passes ``safe'' variables.

     The process of logging a user in proceeds as follows.
     First a check is made that logins are allowed at all.  This usually
     means checking /etc/nologin.  If it exists, and the user trying to
     log in is not root, its contents are printed and login exits.

     Then various system parameters are set up, like changing the owner
     of the tty to the user, setting up signals, and setting the group
     list and the user and group id.  Various machine specific tasks are
     also performed.

     Next login changes to the user's home directory, or if that fails,
     to /.  The environment is set up by adding some required variables
     (such as PATH) and also authentication related ones (such as
     KRB5CCNAME).  If an environment file exists (/etc/environment),
     variables are set according to it.

     If one or more login message files are configured, their contents
     are printed to the terminal.

     If a login time command is configured, it is executed.  A logout
     time command can also be configured, which makes login fork and
     wait for the user's shell to exit, and then run the command.  This
     can be used to clean up user credentials.

     Finally, the user's shell is executed.  If the user logging in is
     root, and root's login shell does not exist, a default shell
     (usually /bin/sh) is also tried before giving up.

ENVIRONMENT
     These environment variables are set by login (not including ones
     set by /etc/environment):

     PATH       the default system path
     HOME       the user's home directory (or possibly /)
     USER, LOGNAME
                both set to the username
     SHELL      the user's shell
     TERM, TZ   set to whatever is passed to login
     KRB5CCNAME if the password is verified via Kerberos 5, this will
                point to the credentials cache file
     KRBTKFILE  if the password is verified via Kerberos 4, this will
                point to the ticket file

FILES
     /etc/environment
             Contains a set of environment variables that should be set
             in addition to the ones above.  It should contain sh-style
             assignments like ``VARIABLE=value''.  Note that they are
             not parsed the way a shell would parse them.
             No variable expansion is performed, all strings are
             literal, and quotation marks should not be used (they
             become part of the value).  Everything after a hash mark is
             considered a comment.  The following are all different (the
             last will set the variable BAR, not FOO):

                   FOO=this is a string
                   FOO="this is a string"
                   BAR= FOO='this is a string'

     /etc/login.access
             See login.access(5).

     /etc/login.conf
             This is a termcap style configuration file that contains
             various settings used by login.  Currently only the
             ``default'' capability record is used.  The possible
             capability strings include:

             environment
                     A comma separated list of environment files that
                     are read in the order specified.  If this is
                     missing, the default /etc/environment is used.

             login_program
                     This program will be executed just before the
                     user's shell is started.  It will be called without
                     arguments.

             logout_program
                     This program will be executed just after the user's
                     shell has terminated.  It will be called without
                     arguments.  This program will be the parent process
                     of the spawned shell.

             motd    A comma separated list of text files that will be
                     printed to the user's terminal before starting the
                     shell.  The string welcome works similarly, but
                     points to a single file.

     /etc/nologin
             If it exists, login is denied to all but root.  The
             contents of this file are printed before login exits.

     Other login programs typically print all sorts of information by
     default, such as the last time you logged in, whether you have
     mail, and system message files.  This version of login does not, so
     there is no reason for .hushlogin files or similar.  We feel that
     these tasks are best left to the user's shell, but the
     login_program facility allows for a shell independent solution, if
     that is desired.
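     The environment handling described under -p, ENVIRONMENT and
     /etc/environment above can be exercised with the following program.
     It is an added example and not Heimdal's login code: the default
     PATH value, the env_put/env_get/build_login_env helpers, the rule
     that login's own variables override inherited ones, and the sample
     inherited environment and environment file text are all
     assumptions constructed for the example.

```c
/* Added example (not Heimdal's code): assemble a login environment as login(1)
 * describes.  Only TERM and TZ survive from the inherited environment unless -p
 * (preserve_all) is set; login's own PATH, HOME, USER, LOGNAME and SHELL then
 * override inherited values; /etc/environment text is applied literally.
 * The default PATH and the helper names are assumptions of this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENV 64
struct env { char *vars[MAX_ENV + 1]; int n; };   /* "NAME=value", NULL terminated */

/* Store one "NAME=value" string, replacing an existing NAME.  0 on success. */
static int env_put(struct env *e, const char *kv)
{
    size_t nl = strcspn(kv, "=") + 1;          /* length of the "NAME=" prefix */
    int i = 0;
    while (i < e->n && strncmp(e->vars[i], kv, nl) != 0)
        i++;
    if (i == e->n && e->n >= MAX_ENV)
        return -1;
    char *s = malloc(strlen(kv) + 1);
    if (s == NULL)
        return -1;
    strcpy(s, kv);
    if (i < e->n)
        free(e->vars[i]);
    else
        e->n++;
    e->vars[i] = s;
    e->vars[e->n] = NULL;
    return 0;
}

/* Value of NAME, or NULL if it is not set. */
static const char *env_get(const struct env *e, const char *name)
{
    size_t nl = strlen(name);
    for (int i = 0; i < e->n; i++)
        if (strncmp(e->vars[i], name, nl) == 0 && e->vars[i][nl] == '=')
            return e->vars[i] + nl + 1;
    return NULL;
}

/* Import TERM and TZ (everything, with -p); LD_PRELOAD etc. never pass without -p. */
static void import_inherited(struct env *e, char *const inherited[], int preserve_all)
{
    for (int i = 0; inherited[i] != NULL; i++)
        if (strchr(inherited[i], '=') != NULL &&
            (preserve_all || strncmp(inherited[i], "TERM=", 5) == 0 ||
             strncmp(inherited[i], "TZ=", 3) == 0))
            env_put(e, inherited[i]);
}

/* Apply /etc/environment-style text; returns the number of assignments made.
 * Rules from the manual: '#' starts a comment, no variable expansion, quotes
 * are literal, and the name is everything before the first '='. */
static int apply_environment_file(struct env *e, const char *text)
{
    int applied = 0;
    char *copy = malloc(strlen(text) + 1);
    if (copy == NULL)
        return -1;
    strcpy(copy, text);
    for (char *line = strtok(copy, "\n"); line != NULL; line = strtok(NULL, "\n")) {
        char *hash = strchr(line, '#');
        if (hash)
            *hash = '\0';
        if (line[0] != '=' && strchr(line, '=') != NULL && env_put(e, line) == 0)
            applied++;
    }
    free(copy);
    return applied;
}

/* Assemble the environment login(1) hands to the user's shell. */
static int build_login_env(struct env *e, char *const inherited[], int preserve_all,
                           const char *user, const char *home, const char *shell,
                           const char *environment_file)
{
    const char *const names[] = { "PATH", "HOME", "USER", "LOGNAME", "SHELL" };
    const char *const values[] = { "/usr/bin:/bin", home, user, user, shell };
    char kv[1024];
    memset(e, 0, sizeof *e);
    import_inherited(e, inherited, preserve_all);
    for (int i = 0; i < 5; i++) {              /* "/usr/bin:/bin" is the assumed default PATH */
        snprintf(kv, sizeof kv, "%s=%s", names[i], values[i]);
        env_put(e, kv);
    }
    return apply_environment_file(e, environment_file);
}

/* Constructed sample input: a hostile inherited environment and the three
 * example lines from the /etc/environment description. */
char *const sample_inherited[] = {
    "TERM=vt100", "TZ=UTC", "LD_PRELOAD=/tmp/evil.so", "PATH=/tmp", NULL
};
const char sample_environment_file[] =
    "# constructed sample /etc/environment\n"
    "FOO=this is a string\n"
    "FOO=\"this is a string\"\n"
    "BAR= FOO='this is a string'\n";
```

     Built without -p, the result contains TERM, TZ, the five variables
     login sets itself, FOO set to the quoted string (quotes included)
     and BAR set to the literal text after its equals sign, while the
     inherited LD_PRELOAD and PATH are discarded.  With preserve_all set
     to 1, LD_PRELOAD survives into the shell's environment, which is
     the situation the -p text warns about; in this example login's own
     PATH still replaces the inherited one.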
EXAMPLES
     A login.conf file could look like:

           default:\
                   :motd=/etc/motd,/etc/motd.local:

SEE ALSO
     su(1), login.access(5), getty(8), telnetd(8)

AUTHORS
     This login program was written for the Heimdal Kerberos 5
     implementation.  The login.access code was written by Wietse
     Venema.

HEIMDAL                         March 24, 2003