.\" Copyright 1993 Rickard E. Faith (faith@cs.unc.edu)
.\" May be distributed under the GNU General Public License
.TH LOGIN 1 "4 November 1996" "Util-linux 1.6" "Linux Programmer's Manual"
.BR "login [ " name " ]"
.BR "login \-h " hostname
is used when signing onto a system.
If an argument is not given,
prompts for the username.
exists, the contents of this file are printed to the screen, and the
login is terminated. This is typically used to prevent logins when the
system is being taken down.
If special access restrictions are specified for the user in
these must be met, or the login attempt will be denied and a
message will be generated. See the section on "Special Access Restrictions".
If the user is root, then the login must be occurring on a tty listed in
Failures will be logged with the
After these conditions have been checked, the password will be requested and
checked (if a password is required for this username). Ten attempts
dies, but after the first three, the response starts to get very slow.
Login failures are reported via the
facility. This facility is also used to report any successful root logins.
exists, then a "quiet" login is performed (this disables the checking
of mail and the printing of the last login time and message of the day).
exists, the last login time is printed (and the current login is
Random administrative things, such as setting the UID and GID of the
tty, are performed. The TERM environment variable is preserved, if it
exists (other environment variables are preserved if the
option is used). Then the HOME, PATH, SHELL, TERM, MAIL, and LOGNAME
environment variables are set. PATH defaults to
.I /usr/local/bin:/bin:/usr/bin
for normal users, and to
.I /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
for root. Last, if this is not a "quiet" login, the message of the
day is printed and the file with the user's name in
will be checked, and a message printed if it has non-zero length.
The user's shell is then started. If no shell is specified for the
is used. If there is no directory specified in
is used (the home directory is checked for the
file described above).
not to destroy the environment
Used to skip a second login authentication. This specifically does
work for root, and does not appear to work well under Linux.
Used by other servers (i.e.,
to pass the name of the remote host to
so that it may be placed in utmp and wtmp. Only the superuser may use
Note that the \fB-h\fP option affects the \fBPAM service name\fP. The standard
service name is "login"; with the \fB-h\fP option the name is "remote". It is
necessary to create proper PAM config files (e.g.
.SH "SPECIAL ACCESS RESTRICTIONS"
lists the names of the ttys where root is allowed to log in. One name
of a tty device without the /dev/ prefix must be specified on each
line. If the file does not exist, root is allowed to log in on any
On most modern Linux systems PAM (Pluggable Authentication Modules)
is used. On systems that do not use PAM, the file
specifies additional access restrictions for specific users.
If this file does not exist, no additional access restrictions are
imposed. The file consists of a sequence of sections. There are three
possible section types: CLASSES, GROUPS and USERS. A CLASSES section
defines classes of ttys and hostname patterns; a GROUPS section
defines allowed ttys and hosts on a per-group basis; and a USERS
section defines allowed ttys and hosts on a per-user basis.
Each line in this file may be no longer than 255
characters. Comments start with the # character and extend to the end of
.SS "The CLASSES Section"
A CLASSES section begins with the word CLASSES at the start of a line
in all upper case. Each following line until the start of a new
section or the end of the file consists of a sequence of words
separated by tabs or spaces. Each line defines a class of ttys and
The word at the beginning of a line becomes defined as a collective
name for the ttys and host patterns specified at the rest of the
line. This collective name can be used in any subsequent GROUPS or
USERS section. A class name must not appear within the definition
of a class; this avoids problems with recursive classes.
An example CLASSES section:
myclass2 tty3 @.foo.com
This defines the classes
as the corresponding right hand sides.
.SS "The GROUPS Section"
A GROUPS section defines allowed ttys and hosts on a per Unix group basis. If
a user is a member of a Unix group according to
and such a group is mentioned in a GROUPS section in
then the user is granted access if the group is.
A GROUPS section starts with the word GROUPS in all upper case at the start of
a line, and each following line is a sequence of words separated by spaces
or tabs. The first word on a line is the name of the group and the rest
of the words on the line specify the ttys and hosts where members of that
group are allowed access. These specifications may involve the use of
classes defined in previous CLASSES sections.
An example GROUPS section:
This example specifies that members of group
may log in on tty1 and from hosts in the bar.edu domain. Users in
may log in from hosts/ttys specified in the class myclass1 or from
.SS "The USERS Section"
A USERS section starts with the word USERS in all upper case at the
start of a line, and each following line is a sequence of words
separated by spaces or tabs. The first word on a line is a username
and that user is allowed to log in on the ttys and from the hosts
mentioned on the rest of the line. These specifications may involve
classes defined in previous CLASSES sections. If no section header is
specified at the top of the file, the first section defaults to a
An example USERS section:
zacho tty1 @130.225.16.0/255.255.255.0
This lets the user zacho log in only on tty1 and from hosts with IP
addresses in the range 130.225.16.0 \- 130.225.16.255, and user blue is
allowed to log in from tty3 and whatever is specified in the class
There may be a line in a USERS section starting with the username
*. This is the default rule; it applies to any user not
matching any other line.
If both a USERS line and a GROUPS line match a user, then the user is
allowed access from the union of all the ttys/hosts mentioned in these
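As an added example (not part of the manual page or of util-linux itself), the following Python reads a constructed usertty file with the three sections described above, expands class names, and returns the union of the USERS and GROUPS origins for a user, falling back to the * default rule. It assumes that an over-long line is a hard error and that the default rule applies only when neither a USERS nor a GROUPS line matched.

```python
SECTIONS = ("CLASSES", "GROUPS", "USERS")
def parse_usertty(text):
    """Split usertty text into CLASSES/GROUPS/USERS tables of name -> origins."""
    tables = {name: {} for name in SECTIONS}
    current = "USERS"                            # no header: USERS section
    for raw in text.splitlines():
        if len(raw) > 255:                       # assumed: a hard error
            raise ValueError("usertty line longer than 255 characters")
        words = raw.split("#", 1)[0].split()     # '#' starts a comment
        if not words:
            continue
        if len(words) == 1 and words[0] in SECTIONS:
            current = words[0]
            continue
        tables[current].setdefault(words[0], []).extend(words[1:])
    classes = tables["CLASSES"]
    for name, origins in classes.items():        # classes may not nest
        if any(word in classes for word in origins):
            raise ValueError("class name used inside class " + name)
    return tables

def expand(origins, classes):
    """Replace each class name by the origins on its right-hand side."""
    return [o for w in origins for o in (classes[w] if w in classes else [w])]

def allowed_origins(text, user, groups):
    """Origins the user may log in from, or None if no line applies (login from
    anywhere).  Assumed: '*' applies only when no USERS/GROUPS line matched."""
    tables = parse_usertty(text)
    matched = list(tables["USERS"].get(user, []))
    for group in groups:
        matched.extend(tables["GROUPS"].get(group, []))
    if not matched:
        if "*" not in tables["USERS"]:
            return None
        matched = tables["USERS"]["*"]
    return set(expand(matched, tables["CLASSES"]))

# Constructed sample file, built from the examples in this manual page.
SAMPLE = """\
CLASSES
myclass1 tty1 tty2 @.bar.edu
myclass2 tty3 @.foo.com
GROUPS
staff myclass1 @localhost    # staff may also log in locally
USERS
zacho tty1 @130.225.16.0/255.255.255.0
blue tty3 myclass2
* tty1
"""
```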
The tty and host patterns used in the specification of classes,
groups and users are called origins. An origin string
may have one of these formats:
The name of a tty device without the /dev/ prefix, for example tty1 or
The string @localhost, meaning that the user is allowed to
telnet/rlogin from the local host to the same host. This also allows
the user, for example, to run the command xterm -e /bin/login.
A domain name suffix such as @.some.dom, meaning that the user may
rlogin/telnet from any host whose domain name has the suffix
A range of IPv4 addresses, written @x.x.x.x/y.y.y.y where x.x.x.x is
the IP address in the usual dotted quad decimal notation, and y.y.y.y
is a bitmask in the same notation specifying which bits in the address
to compare with the IP address of the remote host. For example,
@130.225.16.0/255.255.254.0 means that the user may rlogin/telnet from
any host whose IP address is in the range 130.225.16.0 \-
A range of IPv6 addresses, written @[n:n:n:n:n:n:n:n]/m, is interpreted as a
[net]/prefixlen pair. An IPv6 host address matches if the first prefixlen bits
of net are equal to the first prefixlen bits of the address. For example, the
[net]/prefixlen pattern [3ffe:505:2:1::]/64 matches every address in the
range 3ffe:505:2:1:: through 3ffe:505:2:1:ffff:ffff:ffff:ffff.
Any of the above origins may be prefixed by a time specification
according to the syntax:
timespec ::= '[' <day-or-hour> [':' <day-or-hour>]* ']'
day ::= 'mon' | 'tue' | 'wed' | 'thu' | 'fri' | 'sat' | 'sun'
hour ::= '0' | '1' | ... | '23'
hourspec ::= <hour> | <hour> '\-' <hour>
day-or-hour ::= <day> | <hourspec>
For example, the origin [mon:tue:wed:thu:fri:8\-17]tty3 means that login
is allowed on Mondays through Fridays between 8:00 and 17:59 (5:59
pm) on tty3. This also shows that an hour range a\-b includes all
moments between a:00 and b:59. A single hour specification (such as
10) means the time span between 10:00 and 10:59.
Not specifying any time prefix for a tty or host means that login from
that origin is allowed at any time. If you give a time prefix, be sure to
specify both a set of days and one or more hours or hour ranges. A
time specification may not include any white space.
If no default rule is given, then users not matching any line
are allowed to log in from anywhere, as is the standard behavior.
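As an added example (not from the manual page or from util-linux), this Python matcher evaluates one origin string in the formats listed above, time prefix included, against a login attempt. It takes the remote host name and address as already-resolved strings, and assumes that @localhost is satisfied by a resolved host name of localhost.

```python
import ipaddress

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")   # weekday() order

def time_allowed(spec, weekday, hour):
    """Evaluate a day:...:hour-hour prefix (brackets already removed).
    An hour range a-b covers a:00 through b:59; as the manual requires,
    a spec must name at least one day and one hour."""
    days, hours = set(), set()
    for item in spec.split(":"):
        if item in DAYS:
            days.add(DAYS.index(item))
        elif "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            hours.update(range(lo, hi + 1))
        else:
            hours.add(int(item))
    if not days or not hours:
        raise ValueError("timespec needs both days and hours: " + spec)
    return weekday in days and hour in hours

def ipv4_bits(dotted):
    """Dotted-quad string to a 32-bit integer (also used for the bitmask)."""
    return int(ipaddress.IPv4Address(dotted))

def origin_matches(origin, tty, host, addr, weekday, hour):
    """Match one origin word.  tty is the local tty name; host and addr are
    the remote host's name and address (both None for a local login);
    weekday and hour are as returned by datetime.weekday() and .hour."""
    if origin.startswith("["):                   # optional time prefix
        spec, origin = origin[1:].split("]", 1)
        if not time_allowed(spec, weekday, hour):
            return False
    if not origin.startswith("@"):
        return addr is None and origin == tty     # tty name: local login only
    target = origin[1:]
    if target == "localhost":                    # assumed: resolved name
        return host == "localhost"
    if target.startswith("."):                   # domain-name suffix
        return host is not None and host.endswith(target)
    if addr is None:
        return False
    if target.startswith("["):                   # @[net]/prefixlen (IPv6)
        net, plen = target[1:].split("]/", 1)
        network = ipaddress.IPv6Network((net, int(plen)), strict=False)
        return ipaddress.ip_address(addr) in network
    net, mask = target.split("/", 1)             # @x.x.x.x/y.y.y.y (IPv4)
    if ":" in addr:
        return False
    return (ipv4_bits(addr) & ipv4_bits(mask)) == (ipv4_bits(net) & ipv4_bits(mask))
```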
option is not supported. This may be required by some
A recursive login, as used to be possible in the good old days,
no longer works; for most purposes
is a satisfactory substitute. Indeed, for security reasons,
login does a vhangup() system call to remove any possible
listening processes on the tty. This is to avoid password
sniffing. If one uses the command "login", then the surrounding shell
gets killed by vhangup() because it's no longer the true owner of the tty.
This can be avoided by using "exec login" in a top-level shell or xterm.
Derived from BSD login 5.40 (5/9/89) by Michael Glad (glad@daimi.dk)
Ported to Linux 0.12: Peter Orbaek (poe@daimi.aau.dk)
The login command is part of the util-linux-ng package and is available from
ftp://ftp.kernel.org/pub/linux/utils/util-linux-ng/.