LOGIN(1)                   Linux Programmer's Manual                  LOGIN(1)

       login - sign on

       login [ name ]
       login -p
       login -h hostname
       login -f name

       login is used when signing onto a system. It can also be used to
       switch from one user to another at any time (most modern shells have
       support for this feature built into them, however).

       If an argument is not given, login prompts for the username.

       If the user is not root, and if /etc/nologin exists, the contents of
       this file are printed to the screen, and the login is terminated. This
       is typically used to prevent logins when the system is being taken

       If special access restrictions are specified for the user in
       /etc/usertty, these must be met, or the log in attempt will be denied
       and a syslog message will be generated. See the section on "Special
       Access Restrictions".

       If the user is root, then the login must be occurring on a tty listed
       in /etc/securetty. Failures will be logged with the syslog facility.

       After these conditions have been checked, the password will be
       requested and checked (if a password is required for this username).
       Ten attempts are allowed before login dies, but after the first three,
       the response starts to get very slow. Login failures are reported via
       the syslog facility. This facility is also used to report any
       successful root logins.

       If the file .hushlogin exists, then a "quiet" login is performed (this
       disables the checking of mail and the printing of the last login time
       and message of the day). Otherwise, if /var/log/lastlog exists, the
       last login time is printed (and the current login is recorded).

       Random administrative things, such as setting the UID and GID of the
       tty are performed. The TERM environment variable is preserved, if it
       exists (other environment variables are preserved if the -p option is
       used). Then the HOME, PATH, SHELL, TERM, MAIL, and LOGNAME environment
       variables are set. PATH defaults to /usr/local/bin:/bin:/usr/bin for
       normal users, and to
       /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin for root.
       Last, if this is not a "quiet" login, the message of the day is printed
       and the file with the user's name in /usr/spool/mail will be checked,
       and a message printed if it has non-zero length.

       The user's shell is then started. If no shell is specified for the
       user in /etc/passwd, then /bin/sh is used. If there is no directory
       specified in /etc/passwd, then / is used (the home directory is checked
       for the .hushlogin file described above).

       -p     Used by getty(8) to tell login not to destroy the environment

       -f     Used to skip a second login authentication. This specifically
              does not work for root, and does not appear to work well under

       -h     Used by other servers (i.e., telnetd(8)) to pass the name of the
              remote host to login so that it may be placed in utmp and wtmp.
              Only the superuser may use this option.

       The file /etc/securetty lists the names of the ttys where root is
       allowed to log in. One name of a tty device without the /dev/ prefix
       must be specified on each line. If the file does not exist, root is
       allowed to log in on any tty.

       On most modern Linux systems PAM (Pluggable Authentication Modules) is
       used. On systems that do not use PAM, the file /etc/usertty specifies
       additional access restrictions for specific users. If this file does
       not exist, no additional access restrictions are imposed. The file
       consists of a sequence of sections. There are three possible section
       types: CLASSES, GROUPS and USERS. A CLASSES section defines classes of
       ttys and hostname patterns, a GROUPS section defines allowed ttys and
       hosts on a per group basis, and a USERS section defines allowed ttys
       and hosts on a per user basis.

       Each line in this file may be no longer than 255 characters. Comments
       start with the # character and extend to the end of the line.

   The CLASSES Section
       A CLASSES section begins with the word CLASSES at the start of a line
       in all upper case. Each following line until the start of a new section
       or the end of the file consists of a sequence of words separated by
       tabs or spaces. Each line defines a class of ttys and host patterns.

       The word at the beginning of a line becomes defined as a collective
       name for the ttys and host patterns specified on the rest of the line.
       This collective name can be used in any subsequent GROUPS or USERS
       section. A class name must not occur as part of the definition of a
       class, in order to avoid problems with recursive classes.

       An example CLASSES section:

       myclass1       tty1 tty2
       myclass2       tty3

       This  defines  the  classes  myclass1 and myclass2 as the corresponding
       right hand sides.

   The GROUPS Section
       A GROUPS section defines allowed ttys and hosts on a per Unix group
       basis. If a user is a member of a Unix group according to /etc/passwd
       and /etc/group and such a group is mentioned in a GROUPS section in
       /etc/usertty then the user is granted access if the group is.

       A GROUPS section starts with the word GROUPS in all upper case at the
       start of a line, and each following line is a sequence of words
       separated by spaces or tabs. The first word on a line is the name of the
       group and the rest of the words on the line specifies the ttys and
       hosts where members of that group are allowed access. These
       specifications may involve the use of classes defined in previous CLASSES sec-

       An example GROUPS section.

       sys       tty1
       stud      myclass1 tty4

       This example specifies that members of group sys may log in on tty1 and
       from hosts in the domain. Users in group stud may log in from
       hosts/ttys specified in the class myclass1 or from tty4.

   The USERS Section
       A USERS section starts with the word USERS in all upper case at the
       start of a line, and each following line is a sequence of words
       separated by spaces or tabs. The first word on a line is a username and
       that user is allowed to log in on the ttys and from the hosts mentioned
       on the rest of the line. These specifications may involve classes
       defined in previous CLASSES sections. If no section header is
       specified at the top of the file, the first section defaults to be a USERS

       An example USERS section:

       zacho          tty1 @
       blue      tty3 myclass2

       This lets the user zacho login only on tty1 and from hosts with IP
       addresses in the range -, and user blue is
       allowed to log in from tty3 and whatever is specified in the class

       There may be a line in a USERS section starting with a username of *.
       This is a default rule and it will be applied to any user not matching
       any other line.

       If both a USERS line and GROUPS line match a user then the user is
       allowed access from the union of all the ttys/hosts mentioned in these
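
       The section rules above, as an added example that is not part of the
       manual or of login itself: a small parser that expands classes and
       returns the union of origins granted to one user. The sample file is
       constructed from this page's examples, the function names are
       hypothetical, and applying the * rule only when no USERS or GROUPS
       line matched is this example's reading of "any other line".

```python
SAMPLE = """\
# constructed sample built from the examples on this page
CLASSES
myclass1 tty1 tty2
myclass2 tty3
GROUPS
sys tty1
stud myclass1 tty4
USERS
blue tty3 myclass2
* tty9
"""
SECTIONS = ("CLASSES", "GROUPS", "USERS")

def parse_usertty(text):
    """Return (groups, users): name -> set of origins, classes expanded."""
    classes, groups, users = {}, {}, {}
    section = "USERS"  # no header at the top: first section is USERS
    for raw in text.splitlines():
        if len(raw) > 255:
            raise ValueError("line longer than 255 characters")
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if len(words) == 1 and words[0] in SECTIONS and raw.startswith(words[0]):
            section = words[0]
            continue
        name, rest = words[0], words[1:]
        if section == "CLASSES":
            if any(w == name or w in classes for w in rest):
                raise ValueError(f"class {name!r} is defined using a class name")
            classes[name] = set(rest)
            continue
        origins = set()
        for w in rest:
            origins |= classes.get(w, {w})  # class name -> its members
        table = groups if section == "GROUPS" else users
        table.setdefault(name, set()).update(origins)
    return groups, users

def allowed_origins(user, user_groups, groups, users):
    """Union of matching USERS and GROUPS lines; None means unrestricted."""
    hits = [users[user]] if user in users else []
    hits += [groups[g] for g in user_groups if g in groups]
    if not hits and "*" in users:  # default rule (assumed: only if nothing matched)
        hits = [users["*"]]
    return set().union(*hits) if hits else None
```

       A result of None corresponds to a file with no default rule and no
       matching line, which the manual treats as no restriction at all.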

       The tty and host pattern specifications used in the specification of
       classes, group and user access are called origins. An origin string may
       have one of these formats:

       o      The name of a tty device without the /dev/ prefix, for example
              tty1 or ttyS0.

       o      The string @localhost, meaning that the user is allowed to
              telnet/rlogin from the local host to the same host. This also
              allows the user to for example run the command: xterm -e

       o      A domain name suffix such as @.some.dom, meaning that the user
              may rlogin/telnet from any host whose domain name has the suffix

       o      A range of IPv4 addresses, written @x.x.x.x/y.y.y.y where
              x.x.x.x is the IP address in the usual dotted quad decimal
              notation, and y.y.y.y is a bitmask in the same notation specifying
              which bits in the address to compare with the IP address of the
              remote host. For example @ means that
              the user may rlogin/telnet from any host whose IP address is in
              the range -

       Any of the above origins may be prefixed by a time specification
       according to the syntax:

       timespec    ::= '[' <day-or-hour> [':' <day-or-hour>]* ']'
       day         ::= 'mon' | 'tue' | 'wed' | 'thu' | 'fri' | 'sat' | 'sun'
       hour        ::= '0' | '1' | ... | '23'
       hourspec    ::= <hour> | <hour> '-' <hour>
       day-or-hour ::= <day> | <hourspec>

       For example, the origin [mon:tue:wed:thu:fri:8-17]tty3 means that log
       in is allowed on Mondays through Fridays between 8:00 and 17:59 (5:59
       pm) on tty3. This also shows that an hour range a-b includes all
       moments between a:00 and b:59. A single hour specification (such as 10)
       means the time span between 10:00 and 10:59.

       Not specifying any time prefix for a tty or host means log in from that
       origin is allowed any time. If you give a time prefix be sure to
       specify both a set of days and one or more hours or hour ranges. A time
       specification may not include any white space.
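
       The origin formats and time prefix described above, as an added
       example that is not part of the manual or of login's source: a matcher
       for a single origin string. Function names are hypothetical, the
       addresses used with it are constructed, and treating @localhost as a
       literal host name and comparing domain suffixes case-sensitively are
       assumptions of this example.

```python
import ipaddress
import re
from datetime import datetime

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]

def time_allows(spec, when):
    """spec is the text inside [...]: days and hours separated by ':'."""
    days, hours = set(), set()
    for part in spec.split(":"):
        if part in DAYS:
            days.add(DAYS.index(part))
        else:
            lo, _, hi = part.partition("-")
            hours.update(range(int(lo), int(hi or lo) + 1))  # a-b covers b:59
    if not days or not hours:
        raise ValueError("time prefix needs both days and hours")
    return when.weekday() in days and when.hour in hours

def origin_matches(origin, when, tty=None, host=None, ip=None):
    """Check one origin against a login attempt from a tty or a remote host."""
    m = re.fullmatch(r"\[([^\]\s]+)\](.+)", origin)
    if m:
        if not time_allows(m.group(1), when):
            return False
        origin = m.group(2)
    if not origin.startswith("@"):
        return tty == origin  # tty name without the /dev/ prefix
    pat = origin[1:]
    if pat == "localhost":
        return host == "localhost"  # assumption: literal host name
    if pat.startswith("."):
        return host is not None and host.endswith(pat)  # domain suffix
    addr, _, mask = pat.partition("/")  # @x.x.x.x/y.y.y.y
    if ip is None or not mask:
        return False
    a, k, r = (int(ipaddress.IPv4Address(v)) for v in (addr, mask, ip))
    return a & k == r & k  # compare only the bits selected by the mask
```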

       If no default rule is given then users not matching any line
       /etc/usertty are allowed to log in from anywhere as is standard behav-


       init(8), getty(8), mail(1), passwd(1), passwd(5), environ(7), shut-

       The undocumented BSD -r option is not supported. This may be required
       by some rlogind(8) programs.

       A recursive login, as used to be possible in the good old days, no
       longer works; for most purposes su(1) is a satisfactory substitute.
       Indeed, for security reasons, login does a vhangup() system call to
       remove any possible listening processes on the tty. This is to avoid
       password sniffing. If one uses the command "login", then the
       surrounding shell gets killed by vhangup() because it's no longer the true
       owner of the tty. This can be avoided by using "exec login" in a
       top-level shell or xterm.

       Derived from BSD login 5.40 (5/9/89) by Michael Glad (
       for HP-UX
       Ported to Linux 0.12: Peter Orbaek (

Util-linux 1.6                  4 November 1996                       LOGIN(1)
