login - sign on to the system
login [-p] [-d device] [-R repository] [-s service]
[-t terminal] [-u identity] [-U ruser]
[-h hostname [terminal] | -r hostname]
The login command is used at the beginning of each terminal session to
identify oneself to the system. login is invoked by the system when a
connection is first established, after the previous user has terminated the
login shell by issuing the exit command.
If login is invoked as a command, it must replace the
initial command interpreter. To invoke login in this fashion,
from the initial shell. The C shell and Korn shell have their own
built-ins of login. See ksh(1), ksh93(1), and
csh(1) for descriptions of login built-ins and usage.
login asks for your user name, if it is not supplied as an
argument, and your password, if appropriate. Where possible, echoing is
turned off while you type your password, so it does not appear on the
written record of the session.
If you make any mistake in the login procedure, the message:
is printed and a new login prompt appears. If you make five
incorrect login attempts, all five can be logged in
/var/adm/loginlog, if it exists. The TTY line is dropped.
If password aging is turned on and the password has aged (see
passwd(1) for more information), the user is forced to change the
password. In this case the /etc/nsswitch.conf file is consulted to
determine password repositories. See nsswitch.conf(4) for a list of
valid nameservice configurations that are permitted for the passwd:
database if password aging is enabled.
Failure to comply with the configurations prevents the user from
logging onto the system because passwd(1) fails. If you do not
complete the login successfully within a certain period of time, it is
likely that you are silently disconnected.
After a successful login, accounting files are updated. Device
owner, group, and permissions are set according to the contents of the
/etc/logindevperm file, and the time you last logged in is printed
The user-ID, group-ID, supplementary group list, and working
directory are initialized, and the command interpreter (usually ksh)
The basic environment is initialized to:
For Bourne shell and Korn shell logins, the shell executes
/etc/profile and $HOME/.profile, if it exists.
For the ksh93 Korn shell, an interactive shell then
executes /etc/ksh.kshrc, followed by the file specified by the
ENV environment variable. If $ENV is not set, this defaults to
$HOME/.kshrc. For the ksh and /usr/xpg4/bin/sh Korn
Shell, an interactive shell executes the file named by $ENV (no
For C shell logins, the shell executes /etc/.login,
$HOME/.cshrc, and $HOME/.login. The default
/etc/profile and /etc/.login files check quotas (see
quota(1M)), print /etc/motd, and check for mail. None of the
messages are printed if the file $HOME/.hushlogin exists. The name of
the command interpreter is set to − (dash), followed by the
last component of the interpreter's path name, for example,
If the login-shell field in the password file (see
passwd(4)) is empty, then the default command interpreter,
/usr/bin/sh, is used. If this field is * (asterisk), then the named
directory becomes the root directory. At that point, login is
re-executed at the new level, which must have its own root structure.
The environment can be expanded or modified by supplying
additional arguments to login, either at execution time or when
login requests your login name. The arguments can take either the
form xxx or xxx=yyy. Arguments without an = (equal
sign) are placed in the environment as:
where n is a number starting at 0 and is incremented
each time a new variable name is required. Variables containing an =
(equal sign) are placed in the environment without modification. If they
already appear in the environment, then they replace the older values.
There are two exceptions: The variables PATH and
SHELL cannot be changed. This prevents people logged into restricted
shell environments from spawning secondary shells that are not restricted.
login understands simple single-character quoting conventions. Typing
a \ (backslash) in front of a character quotes it and allows the
inclusion of such characters as spaces and tabs.
Alternatively, you can pass the current environment by supplying
the -p flag to login. This flag indicates that all currently
defined environment variables should be passed, if possible, to the new
environment. This option does not bypass any environment variable
restrictions mentioned above. Environment variables specified on the login
line take precedence, if a variable is passed by both methods.
To enable remote logins by root, edit the
/etc/default/login file by inserting a # (pound sign) before
the CONSOLE=/dev/console entry. See FILES.
For accounts in name services which support automatic account locking, the
account can be configured to be automatically locked (see user_attr(4)
and policy.conf(4)) if successive failed login attempts equal or
exceed RETRIES. Currently, only the files repository (see
passwd(4) and shadow(4)) supports automatic account locking. See
The login command uses pam(3PAM) for authentication,
account management, session management, and password management. The
PAM configuration policy, listed through /etc/pam.conf,
specifies the modules to be used for login. Here is a partial
pam.conf file with entries for the login command using the
UNIX authentication, account management, and session management modules:
login auth required pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login account requisite pam_roles.so.1
login account required pam_unix_account.so.1
login session required pam_unix_session.so.1
The Password Management stack looks like the following:
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
If there are no entries for the service, then the entries for the
other service are used. If multiple authentication modules are listed,
then the user can be prompted for multiple passwords.
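The fallback to the other service can be checked per module type with a small script. This is an added example, not part of the original manual page; the function names are hypothetical, the sample file holds only the entries listed above, and the per-type fallback follows the listing above, where login takes its password stack from other.

```shell
#!/bin/sh
# Added example: which pam.conf entries apply to a service and module type.

# Print the entries for service $2 and module type $3 in file $1. When the
# service has none of that type, print the "other" entries instead.
# Returns 1 when neither the service nor "other" has an entry.
pam_effective_stack() {
    awk -v svc="$2" -v type="$3" '
        /^[ \t]*#/ || NF < 4 { next }     # comments, blank and short lines
        $2 != type           { next }
        $1 == svc            { own[++n] = $0 }
        $1 == "other"        { oth[++m] = $0 }
        END {
            if (n > 0)      for (i = 1; i <= n; i++) print own[i]
            else if (m > 0) for (i = 1; i <= m; i++) print oth[i]
            else exit 1
        }' "$1"
}

# Write the partial pam.conf from this page to file $1 (sample input).
write_sample_pam_conf() {
    cat > "$1" <<'EOF'
login   auth     required   pam_authtok_get.so.1
login   auth     required   pam_dhkeys.so.1
login   auth     required   pam_unix_auth.so.1
login   auth     required   pam_dial_auth.so.1
login   account  requisite  pam_roles.so.1
login   account  required   pam_unix_account.so.1
login   session  required   pam_unix_session.so.1
other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1
other   password requisite  pam_authtok_check.so.1
other   password required   pam_authtok_store.so.1
EOF
}

conf=$(mktemp)
write_sample_pam_conf "$conf"
echo "login auth:";     pam_effective_stack "$conf" login auth
echo "login password:"; pam_effective_stack "$conf" login password
pam_effective_stack "$conf" rlogin auth ||
    echo "rlogin auth: no entries, not even under other"
rm -f "$conf"
```

Against a real system, pass /etc/pam.conf as the first argument; an empty result for a service and type means this file configures no stack for it.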
When login is invoked through rlogind or
telnetd, the service name used by PAM is rlogin or
The following options are supported:
accepts a device option, device
is taken to be the path name of the TTY
is to operate on. The use of the device option can be expected to improve
performance, since login
does not need to call
. The -d
option is available only to users whose
and effective UID
are root. Any other attempt to use
to quietly exit.
-h hostname [terminal]
Used by in.telnetd(1M)
to pass information about
the remote host and terminal type.
Terminal type as a second argument to the -h option should
not start with a hyphen (-).
Used to pass environment variables to the login
Used to specify the PAM repository that should be
used to tell PAM about the "identity" (see option
-u below). If no "identity" information is passed, the
repository is not used.
Indicates the PAM service name that should be
used. Normally, this argument is not necessary and is used only for specifying
alternative PAM service names. For example: "ktelnet"
for the Kerberized telnet process.
Specifies the "identity" string
associated with the user who is being authenticated. This usually is
not the same as that user's Unix login name. For Kerberized login
sessions, this is the Kerberos principal name associated with the user.
The following exit values are returned:
Indicates the name of the person attempting to login on
the remote side of the rlogin connection. When in.rlogind(1M) is
operating in Kerberized mode, that daemon processes the terminal and remote
user name information prior to invoking login
, so the
" data is indicated using this command line parameter.
Normally (non-Kerberos authenticated rlogin
), the login
reads the remote user information from the client.
Initial commands for each csh.
Suppresses login messages.
User's commands for interactive ksh93, if
$ENV is unset; executes after /etc/ksh.kshrc.
User's login commands for csh.
User's login commands for sh, ksh, and
Private list of trusted hostname/username
System-wide csh login commands.
Issue or project identification.
System-wide commands for interactive ksh93.
Login-based device permissions.
Message displayed to users attempting to login during
System-wide sh, ksh, and ksh93 login
List of users' encrypted passwords.
User's default command interpreter.
Time of last login.
Record of failed login attempts.
Mailbox for user your-name.
See attributes(5) for descriptions of the following attributes:
Default value can be set for the following flags in
. Default values are specified as comments in the
file, for example, TIMEZONE=EST5EDT
Sets the TZ
environment variable of the shell (see
Sets the HZ environment variable of the
Sets the file size limit for the login. Units are disk
blocks. Default is zero (no limit).
If set, root can login on that device only. This does not
prevent execution of remote commands with rsh(1)
. Comment out this line
to allow login by root.
Determines if login requires a non-null password.
Determines if login should set the SHELL
Sets the initial shell PATH variable.
Sets the initial shell PATH variable for
Sets the number of seconds (between 0 and
900) to wait before abandoning a login session.
Sets the initial shell file creation mode mask. See
Determines whether the syslog(3C) LOG_AUTH
facility should be used to log all root logins at level LOG_NOTICE
and multiple failed login attempts at LOG_CRIT.
If present, and greater than zero, the number of seconds
that login waits after RETRIES failed attempts or the PAM
framework returns PAM_ABORT. Default is 20 seconds. Minimum
is 0 seconds. No maximum is imposed.
If present, sets the number of seconds to wait before the
login failure message is printed to the screen. This is for any login failure
other than PAM_ABORT
. Another login attempt is allowed, providing
has not been reached or the PAM
framework is returned
. Default is 4
seconds. Minimum is 0
Maximum is 5
Both su(1M) and sulogin(1M) are affected by the
value of SLEEPTIME.
Sets the number of retries for logging in (see
). The default is 5. The maximum number of retries is 15. For
accounts configured with automatic locking (see SECURITY
account is locked and login
exits. If automatic locking has not been
exits without locking the account.
Used to determine how many failed login attempts are
allowed by the system before a failed login message is logged, using the
facility. For example, if the variable is
set to 0
failed login attempts.
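The CONSOLE, RETRIES and SLEEPTIME rules described above can be checked against a defaults file with a short script. This is an added example, not part of the original manual page; the function names are hypothetical, the sample file is constructed, and two points are assumptions: the lower bound of 1 for RETRIES and that the first uncommented assignment is the active one.

```shell
#!/bin/sh
# Added example: audit CONSOLE, RETRIES and SLEEPTIME in a login defaults file.

# Print the active value of flag $2 in file $1. Commented-out lines only
# document the default, so they are ignored. First match wins (assumption).
login_default() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | head -n 1
}

# Check that flag $2 in file $1 is a number in $4..$5; $3 is the default.
check_range() {
    v=$(login_default "$1" "$2")
    [ -n "$v" ] || { echo "$2: unset, default $3 applies"; return 0; }
    case $v in
        *[!0-9]*) echo "$2: '$v' is not a number"; return 1 ;;
    esac
    if [ "$v" -lt "$4" ] || [ "$v" -gt "$5" ]; then
        echo "$2: $v is outside $4..$5"; return 1
    fi
    echo "$2: $v"
}

# Returns 0 when nothing was flagged, 1 otherwise.
audit_login_defaults() {
    bad=0
    console=$(login_default "$1" CONSOLE)
    if [ -n "$console" ]; then
        echo "CONSOLE: root may log in on $console only"
    else
        echo "CONSOLE: not set, root login is allowed on any terminal"
        bad=1
    fi
    check_range "$1" RETRIES 5 1 15 || bad=1    # lower bound 1 is an assumption
    check_range "$1" SLEEPTIME 4 0 5 || bad=1
    return "$bad"
}

# Constructed sample: CONSOLE commented out, RETRIES above the maximum of 15.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#TIMEZONE=EST5EDT
#CONSOLE=/dev/console
RETRIES=20
SLEEPTIME=4
EOF
audit_login_defaults "$sample" || echo "findings reported for $sample"
rm -f "$sample"
```

A CONSOLE line that is present still leaves rsh(1) uncovered, so review remote command execution by root separately.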
csh(1), exit(1), ksh(1), ksh93(1), mail(1),
mailx(1), newgrp(1), passwd(1), rlogin(1),
rsh(1), sh(1), shell_builtins(1), telnet(1),
umask(1), in.rlogind(1M), in.telnetd(1M),
logins(1M), quota(1M), su(1M), sulogin(1M),
syslogd(1M), useradd(1M), userdel(1M), pam(3PAM),
rcmd(3SOCKET), syslog(3C), ttyname(3C),
auth_attr(4), exec_attr(4), hosts.equiv(4),
issue(4), logindevperm(4), loginlog(4),
nologin(4), nsswitch.conf(4), pam.conf(4),
passwd(4), policy.conf(4), profile(4), shadow(4),
user_attr(4), utmpx(4), wtmpx(4), attributes(5),
environ(5), pam_unix_account(5), pam_unix_auth(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
The user name or the password cannot be matched.
Not on system console
Root login denied. Check the CONSOLE setting in
No directory! Logging in with home=/
The user's home directory named in the passwd(4)
database cannot be found or has the wrong permissions. Contact your system
Cannot execute the shell named in the passwd(4)
database. Contact your system administrator.
NO LOGINS: System going down in N
The machine is in the process of being shut down and
logins have been disabled.
Users with a UID greater than 76695844 are not subject to password aging,
and the system does not record their last login time.
If you use the CONSOLE setting to disable root logins, you
should arrange that remote command execution by root is also disabled. See
rsh(1), rcmd(3SOCKET), and hosts.equiv(4) for further