login - sign on to the system
login [-p] [-d device] [-h hostname | [terminal] |
-r hostname] [ name [environ]...]
The login command is used at the beginning of each terminal
session to identify oneself to the system. login is invoked
by the system when a connection is first established, after
the previous user has terminated the login shell by issuing
the exit command.
If login is invoked as a command, it must replace the ini-
tial command interpreter. To invoke login in this fashion,
from the initial shell. The C shell and Korn shell have
their own builtins of login. See ksh(1) and csh(1) for
descriptions of login builtins and usage.
login asks for your user name, if it is not supplied as an
argument, and your password, if appropriate. Where possible,
echoing is turned off while you type your password, so it
will not appear on the written record of the session.
If you make any mistake in the login procedure, the message:
is printed and a new login prompt will appear. If you make
five incorrect login attempts, all five may be logged in
/var/adm/loginlog, if it exists. The TTY line will be
If password aging is turned on and the password has "aged"
(see passwd(1) for more information), the user is forced to
changed the password. In this case the /etc/nsswitch.conf
file is consulted to determine password repositories (see
nsswitch.conf(4)). The password update configurations sup-
ported are limited to the following five cases.
o passwd: files
o passwd: files nis
o passwd: files nisplus
o passwd: compat (==> files nis)
o passwd: compat (==> files nisplus)
Failure to comply with the configurations will prevent the
user from logging onto the system because passwd(1) will
fail. If you do not complete the login successfully within a
certain period of time, it is likely that you will be
After a successful login, accounting files are updated. Dev-
ice owner, group, and permissions are set according to the
contents of the /etc/logindevperm file, and the time you
last logged in is printed (see logindevperm(4)).
The user-ID, group-ID, supplementary group list, and working
directory are initialized, and the command interpreter (usu-
ally ksh) is started.
The basic environment is initialized to:
For Bourne shell and Korn shell logins, the shell executes
/etc/profile and $HOME/.profile, if it exists. For C shell
logins, the shell executes /etc/.login, $HOME/.cshrc, and
$HOME/.login. The default /etc/profile and /etc/.login files
check quotas (see quota(1M)), print /etc/motd, and check for
mail. None of the messages are printed if the file
$HOME/.hushlogin exists. The name of the command inter-
preter is set to - (dash), followed by the last component of
the interpreter's path name, for example, -sh.
If the login-shell field in the password file (see
passwd(4)) is empty, then the default command interpreter,
/usr/bin/sh, is used. If this field is * (asterisk), then
the named directory becomes the root directory. At that
point, login is re-executed at the new level, which must
have its own root structure.
The environment may be expanded or modified by supplying
additional arguments to login, either at execution time or
when login requests your login name. The arguments may take
either the form xxx or xxx=yyy. Arguments without an =
(equal sign) are placed in the environment as:
where n is a number starting at 0 and is incremented each
time a new variable name is required. Variables containing
an = (equal sign) are placed in the environment without
modification. If they already appear in the environment,
then they replace the older values.
There are two exceptions: The variables PATH and SHELL can-
not be changed. This prevents people logged into restricted
shell environments from spawning secondary shells that are
not restricted. login understands simple single-character
quoting conventions. Typing a \ (backslash) in front of a
character quotes it and allows the inclusion of such charac-
ters as spaces and tabs.
Alternatively, you can pass the current environment by sup-
plying the -p flag to login. This flag indicates that all
currently defined environment variables should be passed, if
possible, to the new environment. This option does not
bypass any environment variable restrictions mentioned
above. Environment variables specified on the login line
take precedence, if a variable is passed by both methods.
To enable remote logins by root, edit the /etc/default/login
file by inserting a # (pound sign) before the
CONSOLE=/dev/console entry. See FILES.
The login command uses pam(3PAM) for authentication, account
management, session management, and password management. The
PAM configuration policy, listed through /etc/pam.conf,
specifies the modules to be used for login. Here is a par-
tial pam.conf file with entries for the login command using
the UNIX authentication, account management, and session
login auth required pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login account requisite pam_roles.so.1
login account required pam_projects.so.1
login account required pam_unix_account.so.1
login session required pam_unix_session.so.1
The Password Management stack looks like the following:
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
If there are no entries for the service, then the entries
for the "other" service will be used. If multiple authenti-
cation modules are listed, then the user may be prompted for
When login is invoked through rlogind or telnetd, the ser-
vice name used by PAM is rlogin or telnet, respectively.
The following options are supported:
login accepts a device option, device. device is taken
to be the path name of the TTY port login is to
operate on. The use of the device option can be
expected to improve login performance, since login
will not need to call ttyname(3C). The -d option is
available only to users whose UID and effective UID
are root. Any other attempt to use -d will cause login
to quietly exit.
-h hostname [ terminal ]
Used by in.telnetd(1M) to pass information about the
remote host and terminal type.
-p Used to pass environment variables to the login shell.
Used by in.rlogind(1M) to pass information about the
The following exit values are returned:
0 Successful operation.
initial commands for each csh
suppresses login messages
user's login commands for csh
user's login commands for sh and ksh
private list of trusted hostname/username combinations
system-wide csh login commands
issue or project identification
login-based device permissions
message displayed to users attempting to login during
system-wide sh and ksh login commands
list of users' encrypted passwords
user's default command interpreter
time of last login
record of failed login attempts
mailbox for user your-name
Default value can be set for the following flags in
/etc/default/login. For example: TIMEZONE=EST5EDT
Sets the TZ environment variable of the shell
HZ Sets the HZ environment variable of the shell.
Sets the file size limit for the login. Units
are disk blocks. Default is zero (no limit).
If set, root can login on that device only. This
will not prevent execution of remote commands
with rsh(1). Comment out this line to allow
login by root.
Determines if login requires a non-null pass-
Determines if login should set the SHELL
PATH Sets the initial shell PATH variable.
Sets the initial shell PATH variable for root.
Sets the number of seconds (between 0 and 900)
to wait before abandoning a login session.
UMASK Sets the initial shell file creation mode mask.
Determines whether the syslog(3C) LOG_AUTH
facility should be used to log all root logins
at level LOG_NOTICE and multiple failed login
If present, and greater than zero, the number of
seconds that login will wait after RETRIES
failed attempts or the PAM framework returns
PAM_ABORT. Default is 20 seconds. Minimum is 0
seconds. No maximum is imposed.
If present, sets the number of seconds to wait
before the login failure message is printed to
the screen. This is for any login failure other
than PAM_ABORT. Another login attempt is
allowed, providing RETRIES has not been reached
or the PAM framework is returned PAM_MAXTRIES.
Default is 4 seconds. Minimum is 0 seconds. Max-
imum is 5 seconds.
Sets the number of retries for logging in (see
pam(3PAM)). The default is 5.
Used to determine how many failed login attempts
will be allowed by the system before a failed
login message is logged, using the syslog(3C)
LOG_NOTICE facility. For example, if the vari-
able is set to 0, login will log all failed
See attributes(5) for descriptions of the following attri-
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
| Availability | SUNWcsu |
csh(1), exit(1), ksh(1), mail(1), mailx(1), newgrp(1),
passwd(1), rlogin(1), rsh(1), sh(1), shell_builtins(1), tel-
net(1), umask(1), in.rlogind(1M), in.telnetd(1M),
logins(1M), quota(1M), su(1M), syslogd(1M), useradd(1M),
userdel(1M), pam(3PAM), rcmd(3SOCKET), syslog(3C),
ttyname(3C), auth_attr(4), exec_attr(4), hosts.equiv(4),
issue(4), logindevperm(4), loginlog(4), nologin(4),
nsswitch.conf(4), pam.conf(4), passwd(4), profile(4), sha-
dow(4), user_attr(4), utmpx(4), wtmpx(4), attributes(5),
environ(5), pam_unix_account(5), pam_unix_auth(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
The user name or the password cannot be matched.
Not on system console
Root login denied. Check the CONSOLE setting in
No directory! Logging in with home=/
The user's home directory named in the passwd(4) data-
base cannot be found or has the wrong permissions.
Contact your system administrator.
Cannot execute the shell named in the passwd(4) data-
base. Contact your system administrator.
NO LOGINS: System going down in N minutes
The machine is in the process of being shut down and
logins have been disabled.
Users with a UID greater than 76695844 are not subject to
password aging, and the system does not record their last
If you use the CONSOLE setting to disable root logins, you
should arrange that remote command execution by root is also
disabled. See rsh(1), rcmd(3SOCKET), and hosts.equiv(4) for
The pam_unix(5) module might not be supported in a future
release. Similar functionality is provided by
pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
pam_authtok_store(5), pam_dhkeys(5), and pam_passwd_auth(5).
Man(1) output converted with