Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
login(1)							      login(1)

       login - sign on to the system

       login  [-p]  [-d	device]	[-R repository]	[-s service] [-t terminal] [-u
       identity] [-U ruser] [-h	hostname [terminal] |  -r hostname]   [	  name

       The  login command is used at the beginning of each terminal session to
       identify	oneself	to the system. login is	invoked	by the system  when  a
       connection is first established,	after the previous user	has terminated
       the login shell by issuing the exit command.

       If login	is invoked as a	command, it must replace the  initial  command
       interpreter. To invoke login in this fashion, type:

       exec login

       from  the  initial  shell.  The	C  shell and Korn shell	have their own
       builtins	of login. See ksh(1) and  csh(1)  for  descriptions  of	 login
       builtins	and usage.

       login  asks  for	 your user name, if it is not supplied as an argument,
       and your	password, if appropriate. Where	possible,  echoing  is	turned
       off  while you type your	password, so it	will not appear	on the written
       record of the session.

       If you make any mistake in the login procedure, the message:

       Login incorrect

       is printed and a	new login prompt will appear. If you make five	incor-
       rect login attempts, all	five may be logged in /var/adm/loginlog, if it
       exists. The TTY line will be dropped.

       If password aging is  turned  on	 and  the  password  has  "aged"  (see
       passwd(1)  for  more  information),  the	 user is forced	to changed the
       password. In this case the /etc/nsswitch.conf file is consulted to  de-
       termine	password repositories (see nsswitch.conf(4)). The password up-
       date configurations supported are limited to the	following five cases.

	 o  passwd: files

	 o  passwd: files nis

	 o  passwd: files nisplus

	 o  passwd: compat (==>	files nis)

	 o  passwd: compat (==>	files nisplus)

	    passwd_compat: nisplus

       Failure to comply with the configurations will prevent  the  user  from
       logging onto the	system because passwd(1) will fail. If you do not com-
       plete the login successfully within a certain period  of	 time,	it  is
       likely that you will be silently	disconnected.

       After  a	 successful login, accounting files are	updated. Device	owner,
       group, and permissions  are  set	 according  to	the  contents  of  the
       /etc/logindevperm file, and the time you	last logged in is printed (see

       The user-ID, group-ID, supplementary group list,	and working  directory
       are initialized,	and the	command	interpreter (usually ksh) is started.

       The basic environment is	initialized to:


       For Bourne shell	and Korn shell logins, the shell executes /etc/profile
       and $HOME/.profile, if it exists. For C shell logins,  the  shell  exe-
       cutes   /etc/.login,   $HOME/.cshrc,   and  $HOME/.login.  The  default
       /etc/profile and	/etc/.login files check	quotas (see quota(1M)),	 print
       /etc/motd,  and check for mail. None of the messages are	printed	if the
       file $HOME/.hushlogin  exists. The name of the command  interpreter  is
       set  to	-  (dash), followed by the last	component of the interpreter's
       path name, for example, -sh.

       If the login-shell field	in the password	file (see passwd(4)) is	empty,
       then  the  default  command  interpreter, /usr/bin/sh, is used. If this
       field is	* (asterisk), then the named directory becomes the root	direc-
       tory.  At that point, login is re-executed at the new level, which must
       have its	own root structure.

       The environment may be expanded or modified by supplying	additional ar-
       guments	to login, either at execution time or when login requests your
       login name. The arguments may take either the form xxx or xxx=yyy.  Ar-
       guments without an = (equal sign) are placed in the environment as:


       where  n	 is  a number starting at 0 and	is incremented each time a new
       variable	name is	required. Variables containing an = (equal  sign)  are
       placed  in the environment without modification.	If they	already	appear
       in the environment, then	they replace the older values.

       There are two exceptions:  The  variables  PATH	and  SHELL  cannot  be
       changed.	This prevents people logged into restricted shell environments
       from spawning secondary shells that are not  restricted.	 login	under-
       stands  simple single-character quoting conventions.  Typing a \	(back-
       slash) in front of a character quotes it	and allows  the	 inclusion  of
       such characters as spaces and tabs.

       Alternatively, you can pass the current environment by supplying	the -p
       flag to login. This flag	indicates that all currently defined  environ-
       ment  variables	should be passed, if possible, to the new environment.
       This option does	not bypass any environment variable restrictions  men-
       tioned  above.  Environment  variables specified	on the login line take
       precedence, if a	variable is passed by both methods.

       To enable remote	logins by root,	edit the  /etc/default/login  file  by
       inserting a # (pound sign) before the CONSOLE=/dev/console entry. See .

       For  accounts in	name services which support automatic account locking,
       the  account  may  be  configured  to  be  automatically	 locked	  (see
       user_attr(4)  and  policy.conf(4))  if successive failed	login attempts
       equals or exceeds RETRIES.  Currently, only the "files" repository (see
       passwd(4)  and  shadow(4)) supports automatic account locking. See also

       The login command uses pam(3PAM)	for  authentication,  account  manage-
       ment,  session  management, and password	management. The	PAM configura-
       tion policy, listed through /etc/pam.conf, specifies the	modules	to  be
       used  for  login.  Here is a partial pam.conf file with entries for the
       login command using the UNIX authentication,  account  management,  and
       session management modules:

       login  auth	 required
       login  auth	 required
       login  auth	 required
       login  auth	 required

       login  account	 requisite
       login  account	 required
       login  account	 required

       login  session	 required

       The Password Management stack looks like	the following:

       other  password	 required
       other  password	 requisite
       other  password	 requisite
       other  password	 required

       If  there  are  no  entries  for	 the service, then the entries for the
       "other" service will be used. If	multiple  authentication  modules  are
       listed, then the	user may be prompted for multiple passwords.

       When login is invoked through rlogind or	telnetd, the service name used
       by PAM is rlogin	or telnet, respectively.

       The following options are supported:

       -d device

	   login accepts a device option, device. device is taken  to  be  the
	   path	 name  of  the TTY port	login is to operate on.	The use	of the
	   device option can be	expected to improve login  performance,	 since
	   login will not need to call ttyname(3C). The	-d option is available
	   only	to users whose UID and effective UID are root. Any  other  at-
	   tempt to use	-d will	cause login to quietly exit.

       -h hostname [ terminal ]

	   Used	 by  in.telnetd(1M)  to	pass information about the remote host
	   and terminal	type.

	   Terminal type as a second argument to  the  -h  option  should  not
	   start with a	hyphen (-).


	   Used	to pass	environment variables to the login shell.

       -r hostname

	   Used	by in.rlogind(1M) to pass information about the	remote host.

       -R repository

	   Used	 to specify the	PAM repository that should be used to tell PAM
	   about the "identity"	(see option -u below). If no "identity"	infor-
	   mation is passed, the repository is not used.

       -s service

	   Indicates  the PAM service name that	should be used.	Normally, this
	   argument is not necessary and is used only for specifying  alterna-
	   tive	 PAM  service names. For example: "ktelnet" for	the Kerberized
	   telnet process.

       -u identity

	   Specifies the "identity" string associated with the user who	is be-
	   ing authenticated. This will	usually	not be the same	as that	user's
	   Unix	login name. For	Kerberized login sessions, this	 will  be  the
	   Kerberos principal name associated with the user.

       -U ruser

	   Indicates  the name of the person attempting	to login on the	remote
	   side	of the rlogin connection. When in.rlogind(1M) is operating  in
	   Kerberized  mode,  that daemon will process the terminal and	remote
	   user	name  information prior	to invoking login, so the "ruser" data
	   is  indicated using this command line parameter. Normally (non-Ker-
	   beros authenticated rlogin),	the login daemon will read the	remote
	   user	information from the client.

       The following exit values are returned:

       0	       Successful operation.

       non-zero	       Error.

       $HOME/.cshrc	       initial commands	for each csh

       $HOME/.hushlogin	       suppresses login	messages

       $HOME/.login	       user's login commands for csh

       $HOME/.profile	       user's login commands for sh and	ksh

       $HOME/.rhosts	       private	list of	trusted	hostname/username com-

       /etc/.login	       system-wide csh login commands

       /etc/issue	       issue or	project	identification

       /etc/logindevperm       login-based device permissions

       /etc/motd	       message-of-the-day

       /etc/nologin	       message displayed to users attempting to	 login
			       during machine shutdown

       /etc/passwd	       password	file

       /etc/profile	       system-wide sh and ksh login commands

       /etc/shadow	       list of users' encrypted	passwords

       /usr/bin/sh	       user's default command interpreter

       /var/adm/lastlog	       time of last login

       /var/adm/loginlog       record of failed	login attempts

       /var/adm/utmpx	       accounting

       /var/adm/wtmpx	       accounting

       /var/mail/your-name     mailbox for user	your-name

       /etc/default/login      Default	value  can  be	set  for the following
			       flags in	/etc/default/login. Default values are
			       specified as comments in	the /etc/default/login
			       file, for example, TIMEZONE=EST5EDT.


				   Sets	the TZ	environment  variable  of  the
				   shell (see environ(5)).


				   Sets	 the  HZ  environment  variable	of the


				   Sets	the file size  limit  for  the	login.
				   Units are disk blocks.  Default is zero (no


				   If set, root	can login on that device only.
				   This	 will  not prevent execution of	remote
				   commands with rsh(1). Comment out this line
				   to allow login by root.


				   Determines  if  login  requires  a non-null


				   Determines if login should  set  the	 SHELL
				   environment variable.


				   Sets	the initial shell PATH variable.


				   Sets	 the  initial  shell PATH variable for


				   Sets	the number of seconds (between	0  and
				   900)	to wait	before abandoning a login ses-


				   Sets	the initial shell file	creation  mode
				   mask. See umask(1).


				   Determines  whether the syslog(3C) LOG_AUTH
				   facility should be used to log all root lo-
				   gins	  at  level  LOG_NOTICE	 and  multiple
				   failed login	attempts atLOG_CRIT.


				   If present, and greater than	zero, the num-
				   ber	of  seconds that login will wait after
				   RETRIES failed attempts or the  PAM	frame-
				   work	 returns PAM_ABORT. Default is 20 sec-
				   onds. Minimum is 0 seconds. No  maximum  is


				   If  present,	 sets the number of seconds to
				   wait	before the login  failure  message  is
				   printed  to the screen. This	is for any lo-
				   gin failure other than  PAM_ABORT.  Another
				   login attempt is allowed, providing RETRIES
				   has not been	reached	or the	PAM  framework
				   is returned PAM_MAXTRIES. Default is	4 sec-
				   onds. Minimum is 0 seconds.	Maximum	 is  5

				   Both	su(1M) and sulogin(1M) are affected by
				   the value of	SLEEPTIME.


				   Sets	the number of retries for  logging  in
				   (see	pam(3PAM)). The	default	is 5. The max-
				   imum	number of retries is 15. For  accounts
				   configured  with automatic locking (see SE-
				   CURITY above), the account  is  locked  and
				   login  exits.  If automatic locking has not
				   been	configured, login exits	without	 lock-
				   ing the account.


				   Used	to determine how many failed login at-
				   tempts will be allowed by the system	before
				   a failed login message is logged, using the
				   syslog(3C) LOG_NOTICE facility.  For	 exam-
				   ple,	 if  the  variable  is set to 0, login
				   will	log all	failed login attempts.

       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
       |Availability		     |SUNWcsu			   |
       |Interface Stability	     |Evolving			   |

       csh(1),	exit(1),  ksh(1),  mail(1),  mailx(1),	newgrp(1),  passwd(1),
       rlogin(1),   rsh(1),  sh(1),  shell_builtins(1),	 telnet(1),  umask(1),
       in.rlogind(1M), in.telnetd(1M), logins(1M),  quota(1M),	su(1M),	 sulo-
       gin(1M),	    syslogd(1M),    useradd(1M),    userdel(1M),    pam(3PAM),
       rcmd(3SOCKET),  syslog(3C),  ttyname(3C),  auth_attr(4),	 exec_attr(4),
       hosts.equiv(4),	issue(4),  logindevperm(4),  loginlog(4),  nologin(4),
       nsswitch.conf(4), pam.conf(4), passwd(4),  policy.conf(4),  profile(4),
       shadow(4), user_attr(4),	utmpx(4), wtmpx(4), attributes(5), environ(5),
       pam_unix_account(5), pam_unix_auth(5),  pam_unix_session(5),  pam_auth-
       tok_check(5),  pam_authtok_get(5), pam_authtok_store(5),	pam_dhkeys(5),
       pam_passwd_auth(5), termio(7I)

       Login incorrect

	   The user name or the	password cannot	be matched.

       Not on system console

	   Root	login denied. Check the	CONSOLE	setting	in /etc/default/login.

       No directory! Logging in	with home=/

	   The user's home directory named in the passwd(4) database cannot be
	   found  or  has the wrong permissions.  Contact your system adminis-

       No shell

	   Cannot execute the shell named in the passwd(4)  database.  Contact
	   your	system administrator.

       NO LOGINS: System going down in N minutes

	   The	machine	 is  in	the process of being shut down and logins have
	   been	disabled.

       Users with a UID	greater	than 76695844 are not subject to password  ag-
       ing, and	the system does	not record their last login time.

       If  you	use the	CONSOLE	setting	to disable root	logins,	you should ar-
       range that remote command execution  by	root  is  also	disabled.  See
       rsh(1), rcmd(3SOCKET), and hosts.equiv(4) for further details.

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided	by pam_unix_account(5),	pam_unix_auth(5), pam_unix_session(5),
       pam_authtok_check(5),	 pam_authtok_get(5),	 pam_authtok_store(5),
       pam_dhkeys(5), and pam_passwd_auth(5).

				  24 May 2005			      login(1)


Want to link to this manual page? Use this URL:

home | help