login(1) General Commands Manual login(1)
NAME
login - sign on, start terminal session
SYNOPSIS
[name [env-var]...]
DESCRIPTION
The command is used at the beginning of each terminal session to properly identify a prospective user. can be invoked as a user command or
by the system as an incoming connection is established. can also be invoked by the system when a previous user shell terminates but the
terminal does not disconnect.
If is invoked as a command, it must replace the initial command interpreter (the user's login shell). This is accomplished with the shell
command
The user's login name is requested, if it is not specified on the command line, and the corresponding password is obtained, if required,
with the following prompts:
Terminal echo is turned off (where possible) during password entry to prevent written records of the password. If the account does not
have a password, and the authentication profile for the account requires one, invokes to establish one for the account.
On a trusted system, displays the last successful and unsuccessful login times and terminal devices. On a standard system, optionally dis-
plays the last successful and unsuccessful login times. See the attribute in security(4).
As a security precaution, some installations use an option that requires a second "dialup" password. This occurs only for dialup connec-
tions, and is requested with the prompt:
Both passwords must be correct for a successful login (see dialups(4) for details on dialup security).
If password aging is activated, the user's password may have expired. is invoked to change the password. On a standard system, the user
is required to re-login after a successful password change (see passwd(1)).
After three unsuccessful login attempts, a signal is issued. If a login is not successfully completed within a certain period of time (for
example, one minute), the terminal is silently disconnected.
After a successful login, the accounting files are updated, user and group IDs, group access list, and working directory are initialized,
and the user's command interpreter (shell) is determined from corresponding user entries in the files and (see passwd(4) and group(4)). If
does not specify a shell for the user name, is used by default. then forks the appropriate shell by using the last component of the shell
path name preceded by a (for example, or When the command interpreter is invoked with its name preceded by a minus in this manner, the
shell performs its own initialization, including execution of profile, login, or other initialization scripts.
For example, if the user login shell is the Korn or POSIX shell (see ksh(1) or sh-posix(1), respectively), the shell executes the profile
files and if they exist (and possibly others as well). Depending on what these profile files contain, messages regarding mail in the
user's mail file or any messages the user may have received since the user's last login may be displayed.
If the command name field is a to the directory named in the directory field of the entry is performed. At that point, is re-executed at
the new level, which must have its own root structure, including a command and an file.
For the normal user, the basic environment variables (see environ(5)) are initialized to:
login_directory, login_name, and login_shell are taken from the corresponding fields of the file entry (see passwd(4)).
For superuser, is set to:
In the case of a remote login, the environment variable is also set to the remote user's terminal type.
The environment can be expanded or modified by supplying additional arguments to either at execution time or when requests the user's login
name. The arguments can take either the form value or where varname is a new or existing environment variable name and value is a value to
be assigned to the variable.
An argument in the first form (without an equals sign) is placed in the environment as if it were entered in the form
where n is a number starting at 0 that is incremented each time a new variable name is required.
An argument in the second form (with an equals sign) is placed into the environment without modification.
If the variable name or varname) already appears in the environment, the new value replaces the older one.
There are two exceptions. The variables and cannot be changed. This prevents users logged in with restricted shell environments from
spawning secondary shells that are not restricted.
Both and understand simple single-character quoting conventions. Typing a backslash in front of a character quotes it and allows the
inclusion of such things as spaces and tabs.
The user accounting database, is updated by the daemon (see utmpd(1M)). This is the database of currently logged-in users.
If exists, all unsuccessful login attempts are logged to that file. The command, (see last(1)), displays a summary of bad login attempts
for users with read access to
If the file is present, login security is in effect, i.e., is allowed to log in successfully only on the ttys listed in this file.
Restricted ttys are listed by device name, one per line. Valid tty names are dependent on the installation. An example is
etc.
Note that this feature does not inhibit a normal user from using the command (see su(1)).
HP-UX Smart Card Login
If the user account is configured to use a Smart Card, the user password is stored in the card. This password has characteristics identi-
cal to a normal password stored on the system.
In order to login using a Smart Card account, the card must be inserted into the Smart Card reader. The user is prompted for a PIN (per-
sonal identification number) instead of a password during authentication. The prompts are:
The password is retrieved automatically from the Smart Card when a valid PIN is entered. Therefore, it is not necessary to know the pass-
word, only the PIN.
The card is locked if an incorrect PIN is entered three consecutive times. It may be unlocked only by the card issuer.
SECURITY FEATURES
On a standard system, prohibits a user from logging in if any of the following is true:
o The password for the account has expired and the user cannot successfully change the password.
o The password for the account has expired and the password was not changed within the specified number of days after the expiration
(see shadow(4)).
o The account lifetime has passed (see shadow(4)).
On a trusted system, prohibits a user from logging in if any of the following is true:
o The password for the account has expired and the user cannot successfully change the password.
o The password lifetime for the account has passed.
o The time between the last login and the current time exceeds the time allowed for login intervals.
o The administrative lock on the account has been set.
o The maximum number of unsuccessful login attempts for the account has been exceeded.
o The maximum number of unsuccessful login attempts for the terminal has been exceeded.
o The administrative lock on the terminal has been set.
o The terminal has an authorized user list and the user is not on it.
o The terminal has time of day restrictions and the current time is not within the allowable period.
On a trusted system, allows superuser to log in on the console unless exists and does not contain
Refer to the file in the security(4) manpage for detailed information on configurable attributes that affect the behavior of this command.
Currently supported attributes are:
EXTERNAL INFLUENCES
Environment Variables
User's home directory.
Where to look for mail.
Path to be searched for commands.
Which command interpreter is being used.
User's terminal type.
varname User-specified named variables.
User-specified unnamed variables.
DIAGNOSTICS
The following diagnostics appear if the associated condition occurs:
The personal equivalence file is a symbolic link.
The personal equivalence file is not owned by the local user or by a user with appropriate privileges.
failed (see setuid(2)).
failed (see setuid(2)).
Consult the system administrator.
The indicated string was too long for internal buffer.
User name and password cannot be matched.
Attempted to log in to a subdirectory root that does not have a subroot login command. That is, the file entry had shell path but
the system cannot find a command under the given home directory.
Consult system administrator.
Attempted to log in to a subdirectory root that does not exist. That is, the file entry had shell path but the system cannot to the
given home directory.
The user shell if shell name is null in could not be started with the command. Consult system administrator.
Attempted to execute as a command without using the shell's internal command or from other than the initial shell. The current
shell is terminated.
The indicated string was too long for internal buffer.
The indicated string was too long for internal buffer.
Cannot to the user's home directory.
Password aging is enabled and the user's password has expired.
WARNINGS
If is linked to and group membership for the user trying to log in is managed by the Network Information Service (NIS), and no NIS server
is able to respond, waits until a server does respond.
HP-UX 11i Version 3 is the last release to support trusted systems functionality.
DEPENDENCIES
Pluggable Authentication Modules (PAM)
PAM is an Open Group standard for user authentication, password modification, and validation of accounts. In particular, is invoked to
perform all functions related to This includes retrieving the password, validating the account, and displaying error messages. is invoked
during password expiration or establishment.
HP Process Resource Manager
If the optional HP Process Resource Manager (PRM) software is installed and configured, the login shell is launched in the user's initial
process resource group. If the user's initial group is not defined, the shell runs in the user default group See prmconfig(1) for a
description of how to configure HP PRM, and prmconf(4) for a description of how the user's initial process resource group is determined.
AUTHOR
was developed by AT&T and HP.
FILES
Personal profile (individual user initialization)
Personal equivalence file for the remote login server.
Dialup security encrypted passwords.
Security defaults configuration file.
Lines which require dialup security.
System list of equivalent hosts allowing logins without passwords.
Group file -- defines group access lists.
Message-of-the-day.
Password file -- defines users, passwords, and primary groups.
System profile (initialization for all users).
List of valid ttys for root login.
Shadow Password file.
The user accounting database, (see
utmpd(1M)).
The trusted system password database.
History of bad login attempts.
History of logins, logouts, and date changes.
Mailbox for user, login_name.
SEE ALSO
csh(1), groups(1), ksh(1), last(1), mail(1), newgrp(1), passwd(1), sh(1), sh-posix(1), su(1), getty(1M), userstat(1M), initgroups(3C),
btmps(4), dialups(4), group(4), passwd(4), profile(4), security(4), shadow(4), utmpd(1M), wtmps(4), environ(5).
HP Process Resource Manager
prmconfig(1), prmconf(4) in
Pluggable Authentication Modules (PAM)
pam_acct_mgmt(3), pam_authenticate(3), pam_chauthtok(3).
HP-UX Smart Card Login
scpin(1), scsync(1).
login(1)