6057 login(1) "Last login" hostname is too short
Reviewed by: Gary Mills <gary_mills@fastmail.fm>
Reviewed by: Albert Lee <trisk@omniti.com>
Reviewed by: Jason King <jason.brian.king@gmail.com>
Reviewed by: Alex Wilson <alex.wilson@joyent.com>

LOGIN(1)                         User Commands                        LOGIN(1)

NAME
       login - sign on to the system

SYNOPSIS
       login [-p] [-d device] [-R repository] [-s service]
            [-t terminal] [-u identity] [-U ruser]
            [-h hostname [terminal] | -r hostname]
            [name [environ]...]

DESCRIPTION
       The login command is used at the beginning of each terminal session to
       identify oneself to the system. login is invoked by the system when a
       connection is first established, after the previous user has terminated
       the login shell by issuing the exit command.

       If login is invoked as a command, it must replace the initial command
       interpreter. To invoke login in this fashion, type:

         exec login

       from the initial shell. The C shell and Korn shell have their own
       built-ins of login. See ksh(1), ksh93(1), and csh(1) for descriptions
       of login built-ins and usage.

       login asks for your user name, if it is not supplied as an argument,
       and your password, if appropriate. Where possible, echoing is turned
       off while you type your password, so it does not appear on the written
       record of the session.

       If you make any mistake in the login procedure, the message:

         Login incorrect

       is printed and a new login prompt appears. If you make five incorrect
       login attempts, all five can be logged in /var/adm/loginlog, if it
       exists. The TTY line is dropped.

       If password aging is turned on and the password has aged (see passwd(1)
       for more information), the user is forced to change the password. In
       this case the /etc/nsswitch.conf file is consulted to determine
       password repositories (see nsswitch.conf(4)). The password update
       configurations supported are limited to the following five cases.

           o      passwd: files

           o      passwd: files nis

           o      passwd: files nisplus

           o      passwd: compat (==> files nis)

           o      passwd: compat (==> files nisplus)

                  passwd_compat: nisplus

       Failure to comply with the configurations prevents the user from
       logging onto the system because passwd(1) fails. If you do not complete
       the login successfully within a certain period of time, it is likely
       that you are silently disconnected.

       After a successful login, accounting files are updated. Device owner,
       group, and permissions are set according to the contents of the
       /etc/logindevperm file, and the time you last logged in is printed (see
       logindevperm(4)).

       The user-ID, group-ID, supplementary group list, and working directory
       are initialized, and the command interpreter (usually ksh) is started.

       The basic environment is initialized to:

         HOME=your-login-directory
         LOGNAME=your-login-name
         PATH=/usr/bin:
         SHELL=last-field-of-passwd-entry
         MAIL=/var/mail/
         TZ=timezone-specification

       For Bourne shell and Korn shell logins, the shell executes /etc/profile
       and $HOME/.profile, if it exists.

       For the ksh93 Korn shell, an interactive shell then executes
       /etc/ksh.kshrc, followed by the file specified by the ENV environment
       variable. If $ENV is not set, this defaults to $HOME/.kshrc. For the
       ksh and /usr/xpg4/bin/sh Korn Shell, an interactive shell executes the
       file named by $ENV (no default).

       For C shell logins, the shell executes /etc/.login, $HOME/.cshrc, and
       $HOME/.login. The default /etc/profile and /etc/.login files check
       quotas (see quota(1M)), print /etc/motd, and check for mail. None of
       the messages are printed if the file $HOME/.hushlogin exists. The name
       of the command interpreter is set to - (dash), followed by the last
       component of the interpreter's path name, for example, -sh.

       If the login-shell field in the password file (see passwd(4)) is empty,
       then the default command interpreter, /usr/bin/sh, is used. If this
       field is * (asterisk), then the named directory becomes the root
       directory. At that point, login is re-executed at the new level, which
       must have its own root structure.

       The environment can be expanded or modified by supplying additional
       arguments to login, either at execution time or when login requests
       your login name. The arguments can take either the form xxx or xxx=yyy.
       Arguments without an = (equal sign) are placed in the environment as:

         Ln=xxx

       where n is a number starting at 0 and is incremented each time a new
       variable name is required. Variables containing an = (equal sign) are
       placed in the environment without modification. If they already appear
       in the environment, then they replace the older values.

       There are two exceptions: The variables PATH and SHELL cannot be
       changed. This prevents people logged into restricted shell environments
       from spawning secondary shells that are not restricted. login
       understands simple single-character quoting conventions. Typing a \
       (backslash) in front of a character quotes it and allows the inclusion
       of such characters as spaces and tabs.

       Alternatively, you can pass the current environment by supplying the -p
       flag to login. This flag indicates that all currently defined
       environment variables should be passed, if possible, to the new
       environment. This option does not bypass any environment variable
       restrictions mentioned above. Environment variables specified on the
       login line take precedence, if a variable is passed by both methods.

       To enable remote logins by root, edit the /etc/default/login file by
       inserting a # (pound sign) before the CONSOLE=/dev/console entry. See
       FILES.

SECURITY
       For accounts in name services which support automatic account locking,
       the account can be configured to be automatically locked (see
       user_attr(4) and policy.conf(4)) if the number of successive failed
       login attempts equals or exceeds RETRIES. Currently, only the files
       repository (see passwd(4) and shadow(4)) supports automatic account
       locking. See also pam_unix_auth(5).

       The login command uses pam(3PAM) for authentication, account
       management, session management, and password management. The PAM
       configuration policy, listed through /etc/pam.conf, specifies the
       modules to be used for login. Here is a partial pam.conf file with
       entries for the login command using the UNIX authentication, account
       management, and session management modules:

         login   auth      required    pam_authtok_get.so.1
         login   auth      required    pam_dhkeys.so.1
         login   auth      required    pam_unix_auth.so.1
         login   auth      required    pam_dial_auth.so.1

         login   account   requisite   pam_roles.so.1
         login   account   required    pam_unix_account.so.1

         login   session   required    pam_unix_session.so.1

       The Password Management stack looks like the following:

         other   password  required    pam_dhkeys.so.1
         other   password  requisite   pam_authtok_get.so.1
         other   password  requisite   pam_authtok_check.so.1
         other   password  required    pam_authtok_store.so.1

       If there are no entries for the service, then the entries for the other
       service are used. If multiple authentication modules are listed, then
       the user can be prompted for multiple passwords.

       When login is invoked through rlogind or telnetd, the service name used
       by PAM is rlogin or telnet, respectively.

OPTIONS
       The following options are supported:

       -d device
           login accepts a device option, device. device is taken to be the
           path name of the TTY port login is to operate on.
           The use of the device option can be expected to improve login
           performance, since login does not need to call ttyname(3C). The -d
           option is available only to users whose UID and effective UID are
           root. Any other attempt to use -d causes login to quietly exit.

       -h hostname [terminal]
           Used by in.telnetd(1M) to pass information about the remote host
           and terminal type.

           Terminal type as a second argument to the -h option should not
           start with a hyphen (-).

       -p
           Used to pass environment variables to the login shell.

       -r hostname
           Used by in.rlogind(1M) to pass information about the remote host.

       -R repository
           Used to specify the PAM repository that should be used to tell PAM
           about the "identity" (see option -u below). If no "identity"
           information is passed, the repository is not used.

       -s service
           Indicates the PAM service name that should be used. Normally, this
           argument is not necessary and is used only for specifying
           alternative PAM service names. For example: "ktelnet" for the
           Kerberized telnet process.

       -u identity
           Specifies the "identity" string associated with the user who is
           being authenticated. This usually is not the same as that user's
           Unix login name. For Kerberized login sessions, this is the
           Kerberos principal name associated with the user.

       -U ruser
           Indicates the name of the person attempting to login on the remote
           side of the rlogin connection. When in.rlogind(1M) is operating in
           Kerberized mode, that daemon processes the terminal and remote user
           name information prior to invoking login, so the "ruser" data is
           indicated using this command line parameter. Normally (non-Kerberos
           authenticated rlogin), the login daemon reads the remote user
           information from the client.

EXIT STATUS
       The following exit values are returned:

       0
           Successful operation.

       non-zero
           Error.

FILES
       $HOME/.cshrc
           Initial commands for each csh.

       $HOME/.hushlogin
           Suppresses login messages.

       $HOME/.kshrc
           User's commands for interactive ksh93, if $ENV is unset; executes
           after /etc/ksh.kshrc.

       $HOME/.login
           User's login commands for csh.

       $HOME/.profile
           User's login commands for sh, ksh, and ksh93.

       $HOME/.rhosts
           Private list of trusted hostname/username combinations.

       /etc/.login
           System-wide csh login commands.

       /etc/issue
           Issue or project identification.

       /etc/ksh.kshrc
           System-wide commands for interactive ksh93.

       /etc/logindevperm
           Login-based device permissions.

       /etc/motd
           Message-of-the-day.

       /etc/nologin
           Message displayed to users attempting to login during machine
           shutdown.

       /etc/passwd
           Password file.

       /etc/profile
           System-wide sh, ksh, and ksh93 login commands.

       /etc/shadow
           List of users' encrypted passwords.

       /usr/bin/sh
           User's default command interpreter.

       /var/adm/lastlog.v2
           Time of last login.

       /var/adm/loginlog
           Record of failed login attempts.

       /var/adm/utmpx
           Accounting.

       /var/adm/wtmpx
           Accounting.

       /var/mail/your-name
           Mailbox for user your-name.

       /etc/default/login
           Default value can be set for the following flags in
           /etc/default/login. Default values are specified as comments in
           the /etc/default/login file, for example, TIMEZONE=EST5EDT.

           TIMEZONE
               Sets the TZ environment variable of the shell (see
               environ(5)).

           HZ
               Sets the HZ environment variable of the shell.

           ULIMIT
               Sets the file size limit for the login.
               Units are disk blocks. Default is zero (no limit).

           CONSOLE
               If set, root can login on that device only. This does not
               prevent execution of remote commands with rsh(1). Comment out
               this line to allow login by root.

           PASSREQ
               Determines if login requires a non-null password.

           ALTSHELL
               Determines if login should set the SHELL environment variable.

           PATH
               Sets the initial shell PATH variable.

           SUPATH
               Sets the initial shell PATH variable for root.

           TIMEOUT
               Sets the number of seconds (between 0 and 900) to wait before
               abandoning a login session.

           UMASK
               Sets the initial shell file creation mode mask. See umask(1).

           SYSLOG
               Determines whether the syslog(3C) LOG_AUTH facility should be
               used to log all root logins at level LOG_NOTICE and multiple
               failed login attempts at LOG_CRIT.

           DISABLETIME
               If present, and greater than zero, the number of seconds that
               login waits after RETRIES failed attempts or the PAM framework
               returns PAM_ABORT. Default is 20 seconds. Minimum is 0
               seconds. No maximum is imposed.

           SLEEPTIME
               If present, sets the number of seconds to wait before the
               login failure message is printed to the screen. This is for
               any login failure other than PAM_ABORT. Another login attempt
               is allowed, providing RETRIES has not been reached or the PAM
               framework is returned PAM_MAXTRIES. Default is 4 seconds.
               Minimum is 0 seconds. Maximum is 5 seconds.

               Both su(1M) and sulogin(1M) are affected by the value of
               SLEEPTIME.

           RETRIES
               Sets the number of retries for logging in (see pam(3PAM)). The
               default is 5. The maximum number of retries is 15.
               For accounts configured with automatic locking (see SECURITY
               above), the account is locked and login exits. If automatic
               locking has not been configured, login exits without locking
               the account.

           SYSLOG_FAILED_LOGINS
               Used to determine how many failed login attempts are allowed
               by the system before a failed login message is logged, using
               the syslog(3C) LOG_NOTICE facility. For example, if the
               variable is set to 0, login logs all failed login attempts.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +--------------------+-----------------+
       |   ATTRIBUTE TYPE   | ATTRIBUTE VALUE |
       +--------------------+-----------------+
       |Interface Stability | Committed       |
       +--------------------+-----------------+

SEE ALSO
       csh(1), exit(1), ksh(1), ksh93(1), mail(1), mailx(1), newgrp(1),
       passwd(1), rlogin(1), rsh(1), sh(1), shell_builtins(1), telnet(1),
       umask(1), in.rlogind(1M), in.telnetd(1M), logins(1M), quota(1M),
       su(1M), sulogin(1M), syslogd(1M), useradd(1M), userdel(1M), pam(3PAM),
       rcmd(3SOCKET), syslog(3C), ttyname(3C), auth_attr(4), exec_attr(4),
       hosts.equiv(4), issue(4), logindevperm(4), loginlog(4), nologin(4),
       nsswitch.conf(4), pam.conf(4), passwd(4), policy.conf(4), profile(4),
       shadow(4), user_attr(4), utmpx(4), wtmpx(4), attributes(5), environ(5),
       pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
       pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
       pam_dhkeys(5), pam_passwd_auth(5), termio(7I)

DIAGNOSTICS
       Login incorrect
           The user name or the password cannot be matched.

       Not on system console
           Root login denied. Check the CONSOLE setting in /etc/default/login.

       No directory! Logging in with home=/
           The user's home directory named in the passwd(4) database cannot be
           found or has the wrong permissions. Contact your system
           administrator.

       No shell
           Cannot execute the shell named in the passwd(4) database. Contact
           your system administrator.

       NO LOGINS: System going down in N minutes
           The machine is in the process of being shut down and logins have
           been disabled.

WARNINGS
       Users with a UID greater than 76695844 are not subject to password
       aging, and the system does not record their last login time.

       If you use the CONSOLE setting to disable root logins, you should
       arrange that remote command execution by root is also disabled. See
       rsh(1), rcmd(3SOCKET), and hosts.equiv(4) for further details.

NOTES
       The pam_unix(5) module is no longer supported. Similar functionality is
       provided by pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
       pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
       pam_dhkeys(5), and pam_passwd_auth(5).

                               November 9, 2015                       LOGIN(1)
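
The /etc/default/login flags listed under FILES can be checked mechanically. The script below is an added example, not part of the manual page or of the illumos source: it reads only active (uncommented) FLAG=value lines and reports settings that weaken the protections described for CONSOLE, PASSREQ, SYSLOG, SYSLOG_FAILED_LOGINS, RETRIES, TIMEOUT and SLEEPTIME. The function names, the YES value for PASSREQ and SYSLOG, the treatment of an unset flag as not enabled, and the lower bound of 1 for RETRIES are assumptions.

```shell
#!/bin/sh
# Added example, not from the man page: audit a login defaults file against
# the /etc/default/login flags described in login(1).

# Effective value of flag $2 in file $1. Commented-out lines ("#CONSOLE=...")
# are ignored; the last active line wins.
login_flag() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -1 | tr -d '[:space:]'
}

# Report flag $2 in file $1 when it is set but not a number within $3..$4.
check_range() {
    v=$(login_flag "$1" "$2")
    case $v in
        '') return 0 ;;   # unset: login falls back to its default
        *[!0-9]*) echo "$2=$v is not a number"; return 0 ;;
    esac
    if [ "$v" -lt "$3" ] || [ "$v" -gt "$4" ]; then
        echo "$2=$v is outside the range $3-$4"
    fi
}

# Print one finding per line; print nothing when every check passes.
# Assumptions: YES enables PASSREQ and SYSLOG, an unset flag counts as not
# enabled, and 1 is used as the lower bound for RETRIES.
audit_login_defaults() {
    [ -n "$(login_flag "$1" CONSOLE)" ] ||
        echo "CONSOLE unset: root login is not confined to one device"
    case $(login_flag "$1" PASSREQ) in
        [Yy][Ee][Ss]) ;;
        *) echo "PASSREQ is not YES: a non-null password is not required" ;;
    esac
    case $(login_flag "$1" SYSLOG) in
        [Yy][Ee][Ss]) ;;
        *) echo "SYSLOG is not YES: root logins are not logged to LOG_AUTH" ;;
    esac
    [ "$(login_flag "$1" SYSLOG_FAILED_LOGINS)" = 0 ] ||
        echo "SYSLOG_FAILED_LOGINS is not 0: not every failed login is logged"
    check_range "$1" RETRIES 1 15
    check_range "$1" TIMEOUT 0 900
    check_range "$1" SLEEPTIME 0 5
}

# Constructed sample file, not taken from a real system.
sample=$(mktemp)
printf '%s\n' '#CONSOLE=/dev/console' 'PASSREQ=YES' 'SYSLOG=YES' \
    'RETRIES=20' 'TIMEOUT=300' '#SYSLOG_FAILED_LOGINS=5' > "$sample"
audit_login_defaults "$sample"
rm -f "$sample"
```

On a live system, call audit_login_defaults /etc/default/login; because CONSOLE does not affect rsh(1), a clean result says nothing about remote command execution by root.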