FreeBSD Manual Pages


login(1)		    General Commands Manual		      login(1)

       login - sign on;	start terminal session

       [name [env-var] ...]

       The login command is used at the beginning of each terminal session to
       properly identify a prospective user.  login can be invoked as a user
       command or by the system as an incoming connection is established.
       login can also be invoked by the system when a previous user shell
       terminates but the terminal does not disconnect.

       If login is invoked as a command, it must replace the initial command
       interpreter (the user's login shell).  This is accomplished with the shell

       The user's login name is requested, if it is not specified on the
       command line, and the corresponding password is obtained, if required,
       with the following prompts:

       Terminal	 echo  is turned off (where possible) during password entry to
       prevent written records of the password.	 If the	account	does not  have
       a  password,  and  the  authentication profile for the account requires
       one, invokes to establish one for the account.  On  a  trusted  system,
       displays	 the last successful and unsuccessful login times and terminal

       As a security precaution, some installations use an option that
       requires a second "dialup" password.  This occurs only for dialup
       connections, and is requested with the prompt:

       Both passwords must be correct for a successful login  (see  dialups(4)
       for details on dialup security).

       If  password  aging is activated, the user's password may have expired.
       is invoked to change the	password.  In an  untrusted  environment,  the
       user  is	 required  to re-login after a successful password change (see

       After three unsuccessful login attempts, a signal is issued.  If a
       login is not successfully completed within a certain period of time
       (for example, one minute), the terminal is silently disconnected.

       After a successful login, the accounting	files are  updated,  user  and
       group  IDs,  group  access list,	and working directory are initialized,
       and the user's command interpreter (shell) is  determined  from	corre-
       sponding	 user  entries	in the files and (see passwd(4)	and group(4)).
       If does not specify a shell for the user	 name,	is  used  by  default.
       then  forks  the	 appropriate  shell by using the last component	of the
       shell path name preceded	by a (for example, or When the command	inter-
       preter is invoked with its name preceded	by a minus in this manner, the
       shell performs its own initialization, including	execution of  profile,
       login, or other initialization scripts.

       For  example,  if  the user login shell is the Korn or POSIX shell (see
       ksh(1) or sh-posix(1), respectively), the shell	executes  the  profile
       files  and  if  they exist (and possibly	others as well).  Depending on
       what these profile files	contain, messages regarding mail in the	user's
       mail  file  or any messages the user may	have received since the	user's
       last login may be displayed.

       If the command name field is a to the directory named in	the  directory
       field  of the entry is performed.  At that point, is re-executed	at the
       new level, which	must have its own root structure, including a  command
       and an file.

       For  the	 normal	user, the basic	environment variables (see environ(5))
       are initialized to:

       login_directory,	login_name, and	login_shell are	taken from the	corre-
       sponding	fields of the file entry (see passwd(4)).

       For superuser, is set to:

       In  the case of a remote	login, the environment variable	is also	set to
       the remote user's terminal type.

       The environment can be expanded or modified by supplying additional
       arguments to login, either at execution time or when login requests
       the user's login name.  The arguments can take either the form value
       or varname=value, where varname is a new or existing environment
       variable name and value is a value to be assigned to the variable.

       An argument in the first	form (without an equals	sign) is placed	in the
       environment as if it were entered in the	form

       where  n	 is a number starting at 0 that	is incremented each time a new
       variable	name is	required.

       An argument in the second form (with an equals sign) is placed into the
       environment without modification.

       If  the	variable  name or varname) already appears in the environment,
       the new value replaces the older	one.

       There are two exceptions.  The variables and cannot be changed.  This
       prevents users logged in with restricted shell environments from
       spawning secondary shells that are not restricted.

       Both and understand simple single-character quoting conventions.
       Typing a backslash in front of a character quotes it and allows the
       inclusion of such things as spaces and tabs.
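
       The argument rules above (unnamed values, varname=value, replacement
       of existing names, the two protected variables and backslash quoting),
       modelled as an added example that is not part of the original manual
       page or of the login source.  Assumptions: this copy of the page omits
       the two protected names and the form used for unnamed values, so the
       example takes them to be PATH and SHELL and L0, L1, ...; the sample
       environment and typed input are constructed.

```python
# Added example: models the argument rules described above.
# Assumptions (both elided in this copy of the page): the protected pair is
# taken to be PATH and SHELL, and unnamed values are stored as L0, L1, ...
PROTECTED = frozenset({"PATH", "SHELL"})
UNNAMED_PREFIX = "L"

def split_args(line):
    """Split typed text on blanks; a backslash quotes the next character."""
    words, cur, in_word = [], [], False
    chars = iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))  # quoted character is taken literally
            in_word = True
        elif ch in " \t":
            if in_word:
                words.append("".join(cur))
                cur, in_word = [], False
        else:
            cur.append(ch)
            in_word = True
    if in_word:
        words.append("".join(cur))
    return words

def apply_login_args(base_env, args, protected=PROTECTED):
    """Return (new_env, rejected) after applying the user-supplied arguments."""
    env, rejected, n = dict(base_env), [], 0
    for arg in args:
        if "=" in arg:                       # second form: varname=value
            name, value = arg.split("=", 1)
        else:                                # first form: bare value
            name, value = f"{UNNAMED_PREFIX}{n}", arg
            n += 1
        if not name or name in protected:    # never let the user override these
            rejected.append(arg)
            continue
        env[name] = value                    # an existing name is replaced
    return env, rejected

# Constructed sample: a restricted account's starting environment and input.
BASE = {"HOME": "/home/guest", "PATH": "/usr/bin", "SHELL": "/usr/bin/rsh"}
TYPED = r"vt100 HOME=/tmp SHELL=/bin/sh NOTE=two\ words"

if __name__ == "__main__":
    env, rejected = apply_login_args(BASE, split_args(TYPED))
    print(env)
    print("rejected:", rejected)
```

       The rejected list is what an auditor would want logged: each entry is
       an attempt to override a variable that a restricted-shell setup
       depends on.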

       If is present, all unsuccessful login attempts are logged to that file.
       This feature is disabled	if the file is not present.  The command, (see
       last(1)), displays a summary of bad login attempts for users with  read
       access to

       If  the	file is	present, login security	is in effect, i.e., is allowed
       to log in successfully only on the  ttys	 listed	 in  this  file.   Re-
       stricted	ttys are listed	by device name,	one per	line.  Valid tty names
       are dependent on	the installation.  An example is


       Note that this feature does not inhibit a normal	user  from  using  the
       command (see su(1)).

   HP-UX Smart Card Login
       If  the	user account is	configured to use a Smart Card,	the user pass-
       word is stored in the card.  This password has characteristics  identi-
       cal to a	normal password	stored on the system.

       In order	to login using a Smart Card account, the card must be inserted
       into the	Smart Card reader.  The	user is	prompted for a	PIN  (personal
       identification  number)	instead	 of  a password	during authentication.
       The prompts are:

       The password is retrieved automatically from  the  Smart	 Card  when  a
       valid PIN is entered.  Therefore, it is not necessary to	know the pass-
       word, only the PIN.

       The card	is locked if an	incorrect PIN  is  entered  three  consecutive
       times.  It may be unlocked only by the card issuer.

       On  a standard system, login prohibits a	user from logging in if	any of
       the following is	true:

	 o  The	password for the account has expired and the user cannot  suc-
	    cessfully change the password.

	 o  The	 password for the account has expired and the password was not
	    changed within the specified number	of days	after  the  expiration
	    (see shadow(4)).

	 o  The	account	lifetime has passed (see shadow(4)).

       On a trusted system, login prohibits a user from logging in if any of
       the following is true:

	 o  The	password for the account has expired and the user cannot  suc-
	    cessfully change the password.

	 o  The	password lifetime for the account has passed.

	 o  The	 time  between the last	login and the current time exceeds the
	    time allowed for login intervals.

	 o  The	administrative lock on the account has been set.

	 o  The	maximum	number of unsuccessful login attempts for the  account
	    has	been exceeded.

	 o  The	maximum	number of unsuccessful login attempts for the terminal
	    has	been exceeded.

	 o  The	administrative lock on the terminal has	been set.

	 o  The	terminal has an	authorized user	list and the user  is  not  on

	 o  The	 terminal has time of day restrictions and the current time is
	    not	within the allowable period.

       On a trusted system, allows superuser to	log in on the  console	unless
       exists and does not contain

       Refer  to  the file in the security(4) manpage for detailed information
       on configurable parameters that affect the behavior  of	this  command.
       Currently supported parameters are:

   Environment Variables
       User's home directory.
       Where to	look for mail.
       Path to be searched for commands.
       Which command interpreter is being used.
       User's terminal type.
       varname	 User-specified	named variables.
       User-specified unnamed variables.

       The following diagnostics appear	if the associated condition occurs:

	      The personal equivalence file is a symbolic link.

	      The  personal equivalence	file is	not owned by the local user or
	      by a user	with appropriate privileges.

	      failed (see setuid(2)).

	      failed (see setuid(2)).

	      Consult the system administrator.

	      The indicated string was too long	for internal buffer.

	      User name	and password cannot be matched.

	      Attempted	to log in to a subdirectory root that does not have  a
	      subroot  login  command.	That is, the file entry	had shell path
	      but the system cannot find a command under the given home	direc-

	      Consult system administrator.

	      Attempted	 to log	in to a	subdirectory root that does not	exist.
	      That is, the file	entry had shell	path but the system cannot  to
	      the given	home directory.

	      The  user	 shell	if  shell name is null in could	not be started
	      with the command.	 Consult system	administrator.

	      Attempted	to execute as a	command	without	using the shell's  in-
	      ternal  command  or from other than the initial shell.  The cur-
	      rent shell is terminated.

	      The indicated string was too long	for internal buffer.

	      The indicated string was too long	for internal buffer.

	      Cannot to	the user's home	directory.

	      Password aging is	enabled	and the	user's password	has expired.

       If is linked to and group membership for	the user trying	to log	in  is
       managed	by the Network Information Service (NIS), and no NIS server is
       able to respond,	waits until a server does respond.

   Pluggable Authentication Modules (PAM)
       PAM is an Open Group standard for user authentication, password modifi-
       cation,	and validation of accounts.  In	particular, is invoked to per-
       form all	functions related to This includes  retrieving	the  password,
       validating the account, and displaying error messages.  is invoked dur-
       ing password expiration or establishment.

   HP Process Resource Manager
       If the optional HP Process Resource Manager (PRM) software is installed
       and  configured,	 the  login  shell  is	launched in the	user's initial
       process resource	group.	If the user's initial group  is	 not  defined,
       the  shell  runs	 in  the user default group See	prmconfig(1) for a de-
       scription of how	to configure HP	PRM, and prmconf(4) for	a  description
       of how the user's initial process resource group	is determined.

       login was developed by AT&T and HP.

       Personal	profile	(individual user initialization)
       Personal	equivalence file for the remote	login server.
       Dialup security encrypted passwords.
       Lines which require dialup security.
       System list of equivalent hosts allowing	logins without passwords.
       Group file -- defines group access lists.
       Password	file --	defines	users, passwords, and primary groups.
       System profile (initialization for all users).
       List of valid ttys for root login.
       Shadow Password file.
       Users currently logged-in.
       The trusted system password database.
       History of bad login attempts.
       History of logins, logouts, and date changes.
       Mailbox for user.	login_name
       Security	defaults configuration file.

       csh(1),	groups(1),  ksh(1),  last(1),  mail(1),	 newgrp(1), passwd(1),
       sh(1),  sh-posix(1),  su(1),  getty(1M),	 initgroups(3C),   dialups(4),
       group(4), passwd(4), profile(4),	security(4), shadow(4),	utmp(4), envi-

   HP Process Resource Manager
       prmconfig(1), prmconf(4)	in HP Process Resource Manager Users Guide.

   Pluggable Authentication Modules (PAM)
       pam_acct_mgmt(3), pam_authenticate(3), pam_chauthtok(3).

   HP-UX Smart Card Login
       scpin(1), scsync(1).


