*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->IRIX man pages -> login (1)              


login(1)							      login(1)

NAME    [Toc]    [Back]

     login - sign on

SYNOPSIS    [Toc]    [Back]

     login [ -d	device ] [ name	[ environ ... ]]

DESCRIPTION    [Toc]    [Back]

     The login command is used at the beginning	of each	terminal session and
     allows you	to identify yourself to	the system.  It	is invoked by the
     system when a connection is first established.  It	is invoked by the
     system when a previous user has terminated	the initial shell by typing a
     <Ctrl-d> to indicate an end-of-file.

     If	login is invoked as a command, it must replace the initial command
     interpreter.  This	is accomplished	by typing

	  exec login

     from the initial shell.

     login asks	for your user name (if it is not supplied as an	argument) and,
     if	appropriate, your password.  Echoing is	turned off (where possible)
     during the	typing of your password, so it does not	appear on the written
     record of the session.

     login reads /etc/default/login to determine default behavior.  To change
     the defaults, the system administrator should edit	this file.  The	syntax
     of	the below lines	within the /etc/default/login file must	not contain
     any whitespaces.  The examples shown below	are login defaults.
     Recognized	values are:

     CONSOLE=device   If defined, only allows root logins on the device
		      specified, typically /dev/console.  This MUST NOT	be
		      defined as either	/dev/syscon or /dev/systty.  If
		      undefined, root can log in on any	device.

     PASSREQ=NO	      Determines whether all accounts must have	passwords.  If
		      YES, and user has	no password, they are prompted for one
		      at login time.

     MANDPASS=NO      Like PASSREQ, but	doesn't	allow users with no password
		      to log in.

     ALTSHELL=YES     If YES, the environment variable SHELL is	initialized.

     UMASK=022	      Default umask, in	octal.

     TIMEOUT=60	      Exit login after this many seconds of inactivity
		      (maximum 900, or 15 minutes)

									Page 1

login(1)							      login(1)

     SLEEPTIME=1      Sleep for	this many seconds before issuing "login
		      incorrect" message (maximum 60 seconds).

     DISABLETIME=20   After LOGFAILURES	or MAXTRYS unsuccessful	attempts,
		      sleep for	DISABLETIME seconds before exiting (no

     MAXTRYS=3	      Exit login after MAXTRYS unsuccessful attempts (0	=
		      unlimited	attempts).

     LOGFAILURES=3    If there are LOGFAILURES consecutive unsuccessful	login
		      attempts,	each of	them is	logged in /var/adm/loginlog,
		      if it exists.  LOGFAILURES has a maximum value of	20.

		      Note:  Users get at most the minimum of (MAXTRYS,
		      LOGFAILURES) unsuccessful	attempts.

     IDLEWEEKS=-1     If nonnegative, specify a	grace period during which
		      users with expired passwords are allowed to enter	a new
		      password.	 In other words, accounts with expired
		      passwords	can stay idle up to this long before being
		      "locked out."  If	IDLEWEEKS is 0,	there is no grace
		      period, and expired passwords are	the same as
		      invalidated passwords.

     PATH=	      Path for normal users (from /usr/include/paths.h).

     SUPATH=	      Path for superuser (from /usr/include/paths.h).

     SYSLOG=FAIL      Log to syslog all	login failures (SYSLOG=FAIL) or	all
		      successes	and failures (SYSLOG=ALL).  Log	entries	are
		      written to the LOG_AUTH facility (see syslog(3C) and
		      syslogd(1M) for details).	 No messages are sent to
		      syslog if	not set.  Note that this is separate from the
		      login log, /var/adm/loginlog.

     INITGROUPS=YES   If YES, make the user session be a member	of all of the
		      user's supplementary groups (see multgrps(1) or

     LANG=C	      If LANG is set, make this	the default login language.
		      This is used if no LANG comes from environment (rlogind,
		      getty, ...) and $HOME/.lang does not exist or does not
		      contain a	lang id.  Only LANG is supported, not other
		      locale categories	such as	LC_CTYPE.

     SVR4_SIGNALS=YES Use the SVR4 semantics for the SIGXCPU and SIGXFSZ
		      signals.	If SVR4_SIGNALS=YES, the SVR4 semantics	are
		      preserved	and all	processes ignore SIGXCPU and SIGXFSZ
		      by default.  If SVR4_SIGNALS=NO, these two signals
		      retain their default action, which is to cause the
		      receiving	process	to core	dump.  If users	intend to make

									Page 2

login(1)							      login(1)

		      use of the CPU and filesize resource limits,
		      SVR4_SIGNALS should be set to NO.	 Note that using these
		      signals while SVR4_SIGNALS is set	to YES causes behavior
		      that varies depending on the login shell.	 This setting
		      has no affect on processes that explicitly alter the
		      behavior of these	signals	using the signal(2) system

     SITECHECK=	      Use an external program to authenticate users instead of
		      using the	encrypted password field.  This	allows sites
		      to implement other means of authentication, such as card
		      keys, biometrics,	etc.  The program is invoked with user
		      name as the first	argument, and remote hostname and
		      username,	if applicable.	The action taken depend	on
		      exit status, as follows:

		      0	      Success; user was	authenticated, log in.

		      1	      Failure; exit login.

		      2	      Failure; try again (don't	exit login).

		      other   Use normal UNIX authentication.

		      If authentication	fails, the program can chose to
		      indicate either exit code	1 or 2,	as appropriate.	 If
		      the program is not owned by root,	is writable by others,
		      or cannot	be executed, normal password authentication is
		      performed.  It is	recommended that the program be	given
		      a	mode of	500.

		      Warning:	Because	this option has	the potential to
		      defeat normal IRIX security, any program used in this
		      way must be designed and tested very carefully.

     LOCKOUT=	      If nonzero, after	this number of consecutive
		      unsuccessful login attempts by the same user, by all
		      instances	of xdm and login, lock the account by invoking
		      passwd -l	username.  Note	that this feature allows a
		      denial of	service	attack that may	require	booting	from
		      the miniroot to fix, as even the root accounts can be
		      locked out.

     LOCKOUTEXEMPT=   If LOCKOUT is greater than zero, the users listed	as
		      LOCKOUTEXEMPT will NOT be	subject	to the LOCKOUT option.
		      Usernames	are separated by spaces, the list must be
		      terminated by end-of-line, maximum list length is	240
		      characters. LOCKOUTEXEMPT	is ignored unless LOCKOUT is
		      enabled, and the list is not empty. Including privileged
		      accounts (such as	root) in the LOCKOUTEXEMPT list, is
		      not recommended, as it allows an indefinite number of
		      attacks on the exempt accounts. Also, if LOCKOUTEXEMPT

									Page 3

login(1)							      login(1)

		      is enabled, the /etc/default/login file should be	given
		      a	mode 400 or 600	to prevent unauthorized	viewing	and/or
		      tampering	with the LOCKOUTEXEMPT list.

		      If SESSION, the session label of a remote	login session
		      is always	the same as that of the	current	login session.
		      If CLEARANCE, the	default	and permitted session labels
		      of a remote login	session	become those specified in

     At	some installations, you	may be required	to enter a dialup password for
     dialup connections	as well	as a login password.  In this case, the	prompt
     for the dialup password is:

	  Dialup Password:

     Both passwords are	required for a successful login.

     For remote	logins over the	network, login prints the contents of
     /etc/issue	before prompting for a username	or password.  The file
     /etc/nologin disables remote logins if it exists; login prints the
     contents of this file before disconnecting	the session.

     The system	can be configured to automate the login	process	after a	system
     restart.  When the	file /etc/autologin exists and contains	a valid	user
     name, the system logs in as the specified user without prompting for a
     user name or password.  The automatic login takes place only after	a
     system restart; once the user logs	out, the normal	interactive login
     session is	used until the next restart.  This is intended to be used at
     sites where the normal security mechanisms	provided by login are not
     needed or desired.	 If you	make five incorrect login attempts, all	five
     are logged	in /var/adm/loginlog (if it exists) and	the TTY	line is
     dropped.  /etc/autologin.TTYLINE is like /etc/autologin except it is used
     by	getty(1m) when initiating a terminal session for the device named by
     TTYLINE, and it will prompt for a password.  For example
     /etc/autologin.ttyd1 will control the login processes on /dev/ttyd1.

     If	you do not complete the	login successfully within a certain period of
     time (by default, 20 seconds), you	are likely to be silently

     After a successful	login, accounting files	are updated, the /etc/profile
     script is executed, the time you last logged in is	printed	(unless	a file
     .hushlogin	is present in the user's home directory), /etc/motd is
     printed, the user ID, group ID, supplementary group list, working
     directory,	and command interpreter	(usually sh) are initialized, and the
     file .profile in the working directory is executed, if it exists.	The
     name of the command interpreter is	- followed by the last component of
     the interpreter's pathname	(for example, -sh).  If	this field in the
     password file is empty, the default command interpreter, /usr/bin/sh is

									Page 4

login(1)							      login(1)

     If	the shell field	is *, the named	directory becomes the root directory
     (a	chroot(2) is done to the home directory, and the home directory	is
     therefore the starting point (/) for path searches	for pathnames
     beginning with a /.  At that point	login is re-executed following the

     At	the very least,	this root structure must include the following files,
     with usr/lib32/libc.so.1 normally being a symlink to
     ../../lib32/libc.so.1.  A home directory must also	exist, as well as the
     shell for the user(s) being chroot'ed.  It	is possible to have the	shell,
     password, and home	directory be different in the new environment.	In
     this example, the shell used is /sbin/csh,	and the	home directory is
     /usr/people/olson.	 Given the following password entry, the directories
     and files listed below would exist	below the directory /home/secure.

	  Entry	in /etc/passwd:
	    olson:hl0njohzc0uC2:2117:10:Dave Olson:/home/secure:*
	  Entry	in /home/secure/etc/passwd:
	    olson:am34670a63463:2117:10:Dave Olson:/usr/people/olson:/sbin/csh

	  tty	 zero
	  group	   passwd
	  libc.so.1  rld
	  libc.so.1@	  libcrypt.so	  libgen.so	  libpthread.so

     These files allow login to	execute	correctly, but you may also need to
     include additional	files or applications that the user is allowed to
     execute.  Since these applications	can in turn rely on additional shared
     libraries,	it may also be necessary to place additional shared objects in
     /usr/lib32.  See the ftpd(1M) reference page for more information about
     setting up	a root environment.

     The basic environment is initialized to:


									Page 5

login(1)							      login(1)

     The environment can be expanded or	modified by supplying additional
     arguments when login prints the prompt requesting the user's login	name.
     The arguments can take either of two forms:  xxx or xxx<b>=yyy.  Arguments
     without an	equal sign are placed in the environment as


     where n is	a number that starts at	0 and is incremented each time a new
     variable name is required.	 Variables containing =	are placed in the
     environment without modification.	If such	a variable is already defined,
     the new value replaces the	old value.  To prevent users who log in	to
     restricted	shell environments from	spawning secondary shells that are not
     restricted, the following environment variables cannot be changed:


     Attempts to set environment variables beginning with the following
     strings (see the rld(1) reference page) are ignored, and such attempts
     are logged	via syslogd:


     login understands simple, single-character	quoting	conventions.  Typing a
     backslash in front	of a character quotes it and allows the	inclusion of
     such characters as	spaces and tabs.

     The capability set	and MAC	label of a Trusted IRIX	login session can also
     be	modified by supplying the CAP (see capability(4)) and MAC (see
     dominance(5)) arguments in	addition to the	login name.  The arguments
     take the following	form:


     For example, the following	login prompt will set the MAC label of the
     login shell to userlow with all capabilities:

	  login: username MAC=userlow CAP=all+eip

     To	enable dial-in line password protection, two files are required.  The
     file /etc/dialups must contain of the name	of any dialup ports (for
     example, /dev/ttyd2) that require password	protection.  These are
     specified one per line.  The second file, /etc/d_passwd consists of lines
     with the following	format:

									Page 6

login(1)							      login(1)


     This file is scanned when the user	logs in, and if	the shell portion of
     any line matches the command interpreter that the user gets, the user is
     prompted for an additional	dialin password, which is encoded and compared
     to	that specified in the password portion of the line.  If	the command
     interpreter cannot	be found, the entry for	the default shell, /sbin/sh,
     (or, for compatibility with existing configurations, /bin/sh) is used.
     (If both are present, the last one	in file	is used.)  If there is no such
     entry, no dialup password is required.  In	other words, the /etc/d_passwd
     entry for /sbin/sh	is the default.

SHARE II ACTIONS    [Toc]    [Back]

     If	the Share II system is installed and enabled, login prints the

	  Share	login on ttyname.

     The following privilege and resource checks are made after	you have
     successfully entered your password, but before the	initial	shell is

     1.	 If your nologin flag is set, or you are already logged	on and your
	 onelogin flag is set, you are denied login.

     2.	 If a disk usage exceeds its soft disk limit in	any of your domains, a
	 message is printed and	you are	given a	warning.  If you accumulate
	 too many warnings, further login attempts are denied and you must see
	 your subadministrator to rectify the situation.  Whenever you log in
	 or connect by remote shell with no disk usages	in excess of any soft
	 limits, all your accumulated warnings are cleared.

     3.	 If you	do not have permission to use the terminal, as determined by
	 the respective	terminal permission flag, you are denied login.

     4.	 Some installations place limits on terminal connect time, both
	 through logins	and remote shell connections.  If you have already
	 reached your connect time limit, you are denied login.	 Otherwise, if
	 the terminal costs more or less to use	than normal terminals, its
	 cost is printed.  Your	remaining connect time is also printed.

     If	all these checks are passed, login proceeds normally.

NOTES    [Toc]    [Back]

     Autologin is controlled by	the existence of the /etc/autologin.on file.
     The file is normally created at boot time to automate the login process
     and then removed by login to disable the autologin	process	for succeeding
     terminal sessions.

     In	the default configuration, encrypted passwords for users are kept in
     the system	password file, /etc/passwd, which is a text file and is
     readable by any system user.  The program pwconv(1M) can be used by the

									Page 7

login(1)							      login(1)

     system administrator to activate the shadow password mechanism.  When
     shadow passwords are enabled, the encrypted passwords are kept only in
     /etc/shadow, a file that is only readable by the superuser.  Refer	to the
     pwconv(1M)	reference page for more	information about shadow passwords.

FILES    [Toc]    [Back]

     /etc/motd		  message of the day
     /etc/passwd	  password file
     /etc/shadow	  shadow password file
     /etc/profile	  system profile
     $HOME/.profile	  user's login profile
     $HOME/.lang	  user's login language	specification
     /usr/lib/iaf/scheme  login	authentication scheme
     /var/adm/lastlog	  time of last login
     /var/adm/loginlog	  record of failed login attempts
     /var/adm/utmp	  accounting
     /var/adm/wtmp	  accounting
     /etc/default/login	  to determine default behavior
     /var/mail/login_name mailbox for user login_name
			  language-specific message file (see LANG in
     /etc/limconf	  the compiled Share II	configuration file (machine

SEE ALSO    [Toc]    [Back]

     mail(1), newgrp(1), pwconv(1M), rexecd(1M), rshd(1M), sh(1), su(1M),
     capability(4), dominance(5), loginlog(4), passwd(4), profile(4),
     shadow(4),	environ(5), share(5).

DIAGNOSTICS    [Toc]    [Back]

     The message

	  UX:login: ERROR: Login incorrect

     is	printed	if the user name or the	password cannot	be matched or if the
     user's login account has expired or remained inactive for a period
     greater than the system threshold.

     The message

	  UX:login: ioctl() failed: TCSETA

     is	printed	if the tty line	does not support a requested baud rate
     (specified	for remote logins).  A similar message is also sent to syslog.
     See serial(7) for information on which baud rates are supported.

     The Share II-specific diagnostic messages are:

									Page 8

login(1)							      login(1)

     Warning X <b>of Y<b>: soft disk limit exceeded.
	  One of your domains has a disk usage in excess of its	soft limit.

     Connection	denied.	 Too many warnings.
	  You have reached your	warning	limit.	See your system	administrator.

     Connection	denied.	 Already logged	in - only one login allowed.
	  You are already logged in at another terminal	or connected to	the
	  system by remote shell and your onelogin flag	is set.

     Connection	denied.	 Currently barred from logging in.
	  Your nologin flag is set.

     Connection	denied.	 No permission to use this terminal.
	  You are not allowed to log in	at this	terminal because of a clear
	  terminal permission flag.

     Share login on ttyname <b>- terminal cost is X <b>times normal.
	  You are charged for use of this terminal at X	times the rate of a
	  normal terminal.

     You have a	remaining terminal connect time	of Y.
	  You may use this terminal until you have used	up your	remaining
	  connect time,	at which point you are forced to log out.

     Connection	denied.	 Terminal connect time limit exceeded.
	  You have already reached your	terminal connect time limit.

     Share not configured - no limit checks.
	  The configuration file is unreadable for some	reason,	so terminal
	  privileges, connect time limits, and disk space limits could not be

									PPPPaaaaggggeeee 9999
[ Back ]
 Similar pages
Name OS Title
ieee_copy_sign IRIX Returns x with the sign of y
CL_CrlSign Tru64 Sign a CRL (CDSA)
CSSM_CL_CrlSign Tru64 Sign a CRL (CDSA)
copysign Linux copy sign of a number
CL_CertSign Tru64 Sign a certificate (CDSA)
CSSM_CL_CertSign Tru64 Sign a certificate (CDSA)
euro Tru64 Euro currency sign
Euro Tru64 Euro currency sign
EUR Tru64 Euro currency sign
SignData Tru64 Sign all buffer data (CDSA)
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service