327 lines
10 KiB
Groff
327 lines
10 KiB
Groff
.\" Copyright 1993 Rickard E. Faith (faith@cs.unc.edu)
|
|
.\" May be distributed under the GNU General Public License
|
|
.TH LOGIN 1 "4 November 1996" "Util-linux 1.6" "Linux Programmer's Manual"
|
|
.SH NAME
|
|
login \- sign on
|
|
.SH SYNOPSIS
|
|
.BR "login [ " name " ]"
|
|
.br
|
|
.B "login \-p"
|
|
.br
|
|
.BR "login \-h " hostname
|
|
.br
|
|
.BR "login \-f " name
|
|
.SH DESCRIPTION
|
|
.B login
|
|
is used when signing onto a system. It can also be used to switch from one
|
|
user to another at any time (most modern shells have support for this
|
|
feature built into them, however).
|
|
|
|
If an argument is not given,
|
|
.B login
|
|
prompts for the username.
|
|
|
|
If the user is
|
|
.I not
|
|
root, and if
|
|
.I /etc/nologin
|
|
exists, the contents of this file are printed to the screen, and the
|
|
login is terminated. This is typically used to prevent logins when the
|
|
system is being taken down.
|
|
|
|
If special access restrictions are specified for the user in
|
|
.IR /etc/usertty ,
|
|
these must be met, or the log in attempt will be denied and a
|
|
.B syslog
|
|
message will be generated. See the section on "Special Access Restrictions".
|
|
|
|
If the user is root, then the login must be occurring on a tty listed in
|
|
.IR /etc/securetty .
|
|
Failures will be logged with the
|
|
.B syslog
|
|
facility.
|
|
|
|
After these conditions have been checked, the password will be requested and
|
|
checked (if a password is required for this username). Ten attempts
|
|
are allowed before
|
|
.B login
|
|
dies, but after the first three, the response starts to get very slow.
|
|
Login failures are reported via the
|
|
.B syslog
|
|
facility. This facility is also used to report any successful root logins.
|
|
|
|
If the file
|
|
.I .hushlogin
|
|
exists, then a "quiet" login is performed (this disables the checking
|
|
of mail and the printing of the last login time and message of the day).
|
|
Otherwise, if
|
|
.I /var/log/lastlog
|
|
exists, the last login time is printed (and the current login is
|
|
recorded).
|
|
|
|
Random administrative things, such as setting the UID and GID of the
|
|
tty are performed. The TERM environment variable is preserved, if it
|
|
exists (other environment variables are preserved if the
|
|
.B \-p
|
|
option is used). Then the HOME, PATH, SHELL, TERM, MAIL, and LOGNAME
|
|
environment variables are set. PATH defaults to
|
|
.I /usr/local/bin:/bin:/usr/bin:.
|
|
for normal users, and to
|
|
.I /sbin:/bin:/usr/sbin:/usr/bin
|
|
for root. Last, if this is not a "quiet" login, the message of the
|
|
day is printed and the file with the user's name in
|
|
.I /usr/spool/mail
|
|
will be checked, and a message printed if it has non-zero length.
|
|
|
|
The user's shell is then started. If no shell is specified for the
|
|
user in
|
|
.BR /etc/passwd ,
|
|
then
|
|
.B /bin/sh
|
|
is used. If there is no directory specified in
|
|
.IR /etc/passwd ,
|
|
then
|
|
.I /
|
|
is used (the home directory is checked for the
|
|
.I .hushlogin
|
|
file described above).
|
|
.SH OPTIONS
|
|
.TP
|
|
.B \-p
|
|
Used by
|
|
.BR getty (8)
|
|
to tell
|
|
.B login
|
|
not to destroy the environment
|
|
.TP
|
|
.B \-f
|
|
Used to skip a second login authentication. This specifically does
|
|
.B not
|
|
work for root, and does not appear to work well under Linux.
|
|
.TP
|
|
.B \-h
|
|
Used by other servers (i.e.,
|
|
.BR telnetd (8))
|
|
to pass the name of the remote host to
|
|
.B login
|
|
so that it may be placed in utmp and wtmp. Only the superuser may use
|
|
this option.
|
|
|
|
.SH "SPECIAL ACCESS RESTRICTIONS"
|
|
The file
|
|
.I /etc/securetty
|
|
lists the names of the ttys where root is allowed to log in. One name
|
|
of a tty device without the /dev/ prefix must be specified on each
|
|
line. If the file does not exist, root is allowed to log in on any
|
|
tty.
|
|
.PP
|
|
On most modern Linux systems PAM (Pluggable Authentication Modules)
|
|
is used. On systems that do not use PAM, the file
|
|
.I /etc/usertty
|
|
specifies additional access restrictions for specific users.
|
|
If this file does not exist, no additional access restrictions are
|
|
imposed. The file consists of a sequence of sections. There are three
|
|
possible section types: CLASSES, GROUPS and USERS. A CLASSES section
|
|
defines classes of ttys and hostname patterns, A GROUPS section
|
|
defines allowed ttys and hosts on a per group basis, and a USERS
|
|
section defines allowed ttys and hosts on a per user basis.
|
|
.PP
|
|
Each line in this file in may be no longer than 255
|
|
characters. Comments start with # character and extend to the end of
|
|
the line.
|
|
.PP
|
|
.SS "The CLASSES Section"
|
|
A CLASSES section begins with the word CLASSES at the start of a line
|
|
in all upper case. Each following line until the start of a new
|
|
section or the end of the file consists of a sequence of words
|
|
separated by tabs or spaces. Each line defines a class of ttys and
|
|
host patterns.
|
|
.PP
|
|
The word at the beginning of a line becomes defined as a collective
|
|
name for the ttys and host patterns specified at the rest of the
|
|
line. This collective name can be used in any subsequent GROUPS or
|
|
USERS section. No such class name must occur as part of the definition
|
|
of a class in order to avoid problems with recursive classes.
|
|
.PP
|
|
An example CLASSES section:
|
|
.PP
|
|
.nf
|
|
.in +.5
|
|
CLASSES
|
|
myclass1 tty1 tty2
|
|
myclass2 tty3 @.foo.com
|
|
.in -.5
|
|
.fi
|
|
.PP
|
|
This defines the classes
|
|
.I myclass1
|
|
and
|
|
.I myclass2
|
|
as the corresponding right hand sides.
|
|
.PP
|
|
|
|
.SS "The GROUPS Section"
|
|
A GROUPS section defines allowed ttys and hosts on a per Unix group basis. If
|
|
a user is a member of a Unix group according to
|
|
.I /etc/passwd
|
|
and
|
|
.I /etc/group
|
|
and such a group is mentioned in a GROUPS section in
|
|
.I /etc/usertty
|
|
then the user is granted access if the group is.
|
|
.PP
|
|
A GROUPS section starts with the word GROUPS in all upper case at the start of
|
|
a line, and each following line is a sequence of words separated by spaces
|
|
or tabs. The first word on a line is the name of the group and the rest
|
|
of the words on the line specifies the ttys and hosts where members of that
|
|
group are allowed access. These specifications may involve the use of
|
|
classes defined in previous CLASSES sections.
|
|
.PP
|
|
An example GROUPS section.
|
|
.PP
|
|
.nf
|
|
.in +0.5
|
|
GROUPS
|
|
sys tty1 @.bar.edu
|
|
stud myclass1 tty4
|
|
.in -0.5
|
|
.fi
|
|
.PP
|
|
This example specifies that members of group
|
|
.I sys
|
|
may log in on tty1 and from hosts in the bar.edu domain. Users in
|
|
group
|
|
.I stud
|
|
may log in from hosts/ttys specified in the class myclass1 or from
|
|
tty4.
|
|
.PP
|
|
|
|
.SS "The USERS Section"
|
|
A USERS section starts with the word USERS in all upper case at the
|
|
start of a line, and each following line is a sequence of words
|
|
separated by spaces or tabs. The first word on a line is a username
|
|
and that user is allowed to log in on the ttys and from the hosts
|
|
mentioned on the rest of the line. These specifications may involve
|
|
classes defined in previous CLASSES sections. If no section header is
|
|
specified at the top of the file, the first section defaults to be a
|
|
USERS section.
|
|
.PP
|
|
An example USERS section:
|
|
.PP
|
|
.nf
|
|
.in +0.5
|
|
USERS
|
|
zacho tty1 @130.225.16.0/255.255.255.0
|
|
blue tty3 myclass2
|
|
.in -0.5
|
|
.fi
|
|
.PP
|
|
This lets the user zacho login only on tty1 and from hosts with IP
|
|
addreses in the range 130.225.16.0 \- 130.225.16.255, and user blue is
|
|
allowed to log in from tty3 and whatever is specified in the class
|
|
myclass2.
|
|
.PP
|
|
There may be a line in a USERS section starting with a username of
|
|
*. This is a default rule and it will be applied to any user not
|
|
matching any other line.
|
|
.PP
|
|
If both a USERS line and GROUPS line match a user then the user is
|
|
allowed access from the union of all the ttys/hosts mentioned in these
|
|
specifications.
|
|
|
|
.SS Origins
|
|
The tty and host pattern specifications used in the specification of
|
|
classes, group and user access are called origins. An origin string
|
|
may have one of these formats:
|
|
.IP o
|
|
The name of a tty device without the /dev/ prefix, for example tty1 or
|
|
ttyS0.
|
|
.PP
|
|
.IP o
|
|
The string @localhost, meaning that the user is allowed to
|
|
telnet/rlogin from the local host to the same host. This also allows
|
|
the user to for example run the command: xterm -e /bin/login.
|
|
.PP
|
|
.IP o
|
|
A domain name suffix such as @.some.dom, meaning that the user may
|
|
rlogin/telnet from any host whose domain name has the suffix
|
|
\&.some.dom.
|
|
.PP
|
|
.IP o
|
|
A range of IPv4 addresses, written @x.x.x.x/y.y.y.y where x.x.x.x is
|
|
the IP address in the usual dotted quad decimal notation, and y.y.y.y
|
|
is a bitmask in the same notation specifying which bits in the address
|
|
to compare with the IP address of the remote host. For example
|
|
@130.225.16.0/255.255.254.0 means that the user may rlogin/telnet from
|
|
any host whose IP address is in the range 130.225.16.0 \-
|
|
130.225.17.255.
|
|
.PP
|
|
Any of the above origins may be prefixed by a time specification
|
|
according to the syntax:
|
|
.PP
|
|
.nf
|
|
timespec ::= '[' <day-or-hour> [':' <day-or-hour>]* ']'
|
|
day ::= 'mon' | 'tue' | 'wed' | 'thu' | 'fri' | 'sat' | 'sun'
|
|
hour ::= '0' | '1' | ... | '23'
|
|
hourspec ::= <hour> | <hour> '\-' <hour>
|
|
day-or-hour ::= <day> | <hourspec>
|
|
.fi
|
|
.PP
|
|
For example, the origin [mon:tue:wed:thu:fri:8\-17]tty3 means that log
|
|
in is allowed on mondays through fridays between 8:00 and 17:59 (5:59
|
|
pm) on tty3. This also shows that an hour range a\-b includes all
|
|
moments between a:00 and b:59. A single hour specification (such as
|
|
10) means the time span between 10:00 and 10:59.
|
|
.PP
|
|
Not specifying any time prefix for a tty or host means log in from
|
|
that origin is allowed any time. If you give a time prefix be sure to
|
|
specify both a set of days and one or more hours or hour ranges. A
|
|
time specification may not include any white space.
|
|
.PP
|
|
If no default rule is given then users not matching any line
|
|
.I /etc/usertty
|
|
are allowed to log in from anywhere as is standard behavior.
|
|
.PP
|
|
.SH FILES
|
|
.nf
|
|
.I /var/run/utmp
|
|
.I /var/log/wtmp
|
|
.I /var/log/lastlog
|
|
.I /usr/spool/mail/*
|
|
.I /etc/motd
|
|
.I /etc/passwd
|
|
.I /etc/nologin
|
|
.I /etc/usertty
|
|
.I .hushlogin
|
|
.fi
|
|
.SH "SEE ALSO"
|
|
.BR init (8),
|
|
.BR getty (8),
|
|
.BR mail (1),
|
|
.BR passwd (1),
|
|
.BR passwd (5),
|
|
.BR environ (7),
|
|
.BR shutdown (8)
|
|
.SH BUGS
|
|
|
|
The undocumented BSD
|
|
.B \-r
|
|
option is not supported. This may be required by some
|
|
.BR rlogind (8)
|
|
programs.
|
|
|
|
A recursive login, as used to be possible in the good old days,
|
|
no longer works; for most purposes
|
|
.BR su (1)
|
|
is a satisfactory substitute. Indeed, for security reasons,
|
|
login does a vhangup() system call to remove any possible
|
|
listening processes on the tty. This is to avoid password
|
|
sniffing. If one uses the command "login", then the surrounding shell
|
|
gets killed by vhangup() because it's no longer the true owner of the tty.
|
|
This can be avoided by using "exec login" in a top-level shell or xterm.
|
|
.SH AUTHOR
|
|
Derived from BSD login 5.40 (5/9/89) by Michael Glad (glad@daimi.dk)
|
|
for HP-UX
|
|
.br
|
|
Ported to Linux 0.12: Peter Orbaek (poe@daimi.aau.dk)
|