login(1)
NAME
login - sign on, start terminal session
SYNOPSIS
login [name [env-var]...]
DESCRIPTION
The login command is used at the beginning of each terminal session to
properly identify a prospective user. login can be invoked as a user
command or by the system as an incoming connection is established.
login can also be invoked by the system when a previous user shell
terminates but the terminal does not disconnect.
If login is invoked as a command, it must replace the initial command
interpreter (the user's login shell). This is accomplished with the shell
command
The user's login name is requested, if it is not specified on the com‐
mand line, and the corresponding password is obtained, if required,
with the following prompts:
Terminal echo is turned off (where possible) during password entry to
prevent written records of the password. If the account does not have
a password, and the authentication profile for the account requires
one, invokes to establish one for the account.
On a trusted system, login displays the last successful and unsuccessful
login times and terminal devices. On a standard system, login optionally
displays the last successful and unsuccessful login times. See the
attribute in security(4).
As a security precaution, some installations use an option that
requires a second "dialup" password. This occurs only for dialup con‐
nections, and is requested with the prompt:
Both passwords must be correct for a successful login (see dialups(4)
for details on dialup security).
If password aging is activated, the user's password may have expired.
is invoked to change the password. On a standard system, the user is
required to re-login after a successful password change (see
passwd(1)).
After three unsuccessful login attempts, a signal is issued. If a
login is not successfully completed within a certain period of time
(for example, one minute), the terminal is silently disconnected.
After a successful login, the accounting files are updated, user and
group IDs, group access list, and working directory are initialized,
and the user's command interpreter (shell) is determined from corre‐
sponding user entries in the files and (see passwd(4) and group(4)).
If does not specify a shell for the user name, is used by default.
then forks the appropriate shell by using the last component of the
shell path name preceded by a (for example, or When the command inter‐
preter is invoked with its name preceded by a minus in this manner, the
shell performs its own initialization, including execution of profile,
login, or other initialization scripts.
For example, if the user login shell is the Korn or POSIX shell (see
ksh(1) or sh-posix(1), respectively), the shell executes the profile
files and if they exist (and possibly others as well). Depending on
what these profile files contain, messages regarding mail in the user's
mail file or any messages the user may have received since the user's
last login may be displayed.
If the command name field is a to the directory named in the directory
field of the entry is performed. At that point, is re-executed at the
new level, which must have its own root structure, including a command
and an file.
For the normal user, the basic environment variables (see environ(5))
are initialized to:
login_directory, login_name, and login_shell are taken from the corre‐
sponding fields of the file entry (see passwd(4)).
For superuser, is set to:
In the case of a remote login, the environment variable is also set to
the remote user's terminal type.
The environment can be expanded or modified by supplying additional
arguments to login, either at execution time or when login requests the
user's login name. The arguments can take either the form value or
varname=value, where varname is a new or existing environment variable
name and value is a value to be assigned to the variable.
An argument in the first form (without an equals sign) is placed in the
environment as if it were entered in the form
where n is a number starting at 0 that is incremented each time a new
variable name is required.
An argument in the second form (with an equals sign) is placed into the
environment without modification.
If the variable name or varname) already appears in the environment,
the new value replaces the older one.
There are two exceptions. The variables and cannot be changed. This
prevents users logged in with restricted shell environments from spawn‐
ing secondary shells that are not restricted.
Both and understand simple single-character quoting conventions. Typ‐
ing a backslash in front of a character quotes it and allows the inclu‐
sion of such things as spaces and tabs.
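The argument handling described above, modelled as an added example (it is
not HP-UX code). The L prefix for unnamed variables and the protected names
PATH and SHELL are assumptions taken from the System V login convention; the
sample line is constructed.

```python
# Added example: models the login argument rules; not HP-UX source code.
PROTECTED = frozenset({"PATH", "SHELL"})  # assumption: System V login convention
UNNAMED_PREFIX = "L"                      # assumption: unnamed args become L0, L1, ...
# Constructed input: a restricted-shell user trying to swap in an unrestricted shell.
SAMPLE_LINE = r"alice TERM=xterm SHELL=/usr/bin/sh my\ note second"

def split_words(line):
    """Split on unquoted spaces/tabs; a backslash quotes the next character."""
    words, cur, in_word = [], [], False
    chars = iter(line)
    for ch in chars:
        if ch == "\\":
            nxt = next(chars, None)      # a trailing backslash quotes nothing
            if nxt is not None:
                cur.append(nxt)
                in_word = True
        elif ch in " \t":
            if in_word:
                words.append("".join(cur))
                cur, in_word = [], False
        else:
            cur.append(ch)
            in_word = True
    if in_word:
        words.append("".join(cur))
    return words

def apply_login_args(env, args, protected=PROTECTED):
    """Return (new_env, rejected) after applying login-style arguments to env."""
    new_env, rejected, n = dict(env), [], 0
    for arg in args:
        name, sep, value = arg.partition("=")
        if not sep:
            # First form (no equals sign): stored under the next unnamed slot.
            name, value = f"{UNNAMED_PREFIX}{n}", arg
            n += 1
        if not name or name in protected:
            rejected.append(arg)         # protected variables keep their value
            continue
        new_env[name] = value            # second form: an older value is replaced
    return new_env, rejected

def parse_login_line(line, env):
    """Split a line typed at the login prompt into (name, new_env, rejected)."""
    words = split_words(line)
    if not words:
        return None, dict(env), []
    new_env, rejected = apply_login_args(env, words[1:])
    return words[0], new_env, rejected
```

The rejected list is the part worth logging: an attempt to set a protected
variable from the login prompt is a sign of someone probing a restricted
account.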
The user accounting database, is updated by the daemon (see utmpd(1M)).
This is the database of currently logged-in users.
If exists, all unsuccessful login attempts are logged to that file.
The command, (see last(1)), displays a summary of bad login attempts
for users with read access to
If the file is present, login security is in effect, i.e., is allowed
to log in successfully only on the ttys listed in this file.
Restricted ttys are listed by device name, one per line. Valid tty
names are dependent on the installation. An example is
etc.
Note that this feature does not inhibit a normal user from using the
command (see su(1)).
HP-UX Smart Card Login
If the user account is configured to use a Smart Card, the user pass‐
word is stored in the card. This password has characteristics identi‐
cal to a normal password stored on the system.
In order to login using a Smart Card account, the card must be inserted
into the Smart Card reader. The user is prompted for a PIN (personal
identification number) instead of a password during authentication.
The prompts are:
The password is retrieved automatically from the Smart Card when a
valid PIN is entered. Therefore, it is not necessary to know the pass‐
word, only the PIN.
The card is locked if an incorrect PIN is entered three consecutive
times. It may be unlocked only by the card issuer.
SECURITY FEATURES
On a standard system, login prohibits a user from logging in if any of the
following is true:
· The password for the account has expired and the user cannot suc‐
cessfully change the password.
· The password for the account has expired and the password was not
changed within the specified number of days after the expiration
(see shadow(4)).
· The account lifetime has passed (see shadow(4)).
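An audit of the standard-system conditions above, as an added example (not
HP-UX code). It assumes the System V style entry layout
name:password:lastchg:min:max:warn:inactive:expire:flag with values in days
since 1970-01-01, and that boundary days are inclusive; the sample entries are
constructed.

```python
# Added example, not HP-UX code. Assumed field order (System V style entry):
# name:password:lastchg:min:max:warn:inactive:expire:flag, all in days.

def _num(field):
    """Empty, non-numeric or negative fields mean 'no limit'."""
    try:
        value = int(field)
    except ValueError:
        return None
    return value if value >= 0 else None

def login_aging_status(entry, today):
    """Return the condition login would hit for this entry on day `today`, or None."""
    f = (entry.strip().split(":") + [""] * 9)[:9]
    lastchg, maxdays, inactive, expire = (_num(f[i]) for i in (2, 4, 6, 7))
    if expire is not None and today > expire:
        return "account lifetime has passed"
    if lastchg is None or maxdays is None:
        return None                      # no password aging configured
    expired_on = lastchg + maxdays
    if today <= expired_on:
        return None
    if inactive is not None and today > expired_on + inactive:
        return "password expired and not changed within the allowed days"
    return "password expired: must be changed at login"

def audit(lines, today):
    """Map account name -> condition for every entry login would challenge or refuse."""
    report = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        status = login_aging_status(line, today)
        if status:
            report[line.split(":", 1)[0]] = status
    return report

# Constructed sample entries; HASH stands in for the password field.
SAMPLE = [
    "alice:HASH:19000:0:90:7:14::",     # 90-day maximum, 14 days to change after expiry
    "bob:HASH:19000:0:90:7:14:19050:",  # account lifetime ends on day 19050
    "carol:HASH:19000:0:::::",          # no aging configured
]
```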
On a trusted system, login prohibits a user from logging in if any of the
following is true:
· The password for the account has expired and the user cannot suc‐
cessfully change the password.
· The password lifetime for the account has passed.
· The time between the last login and the current time exceeds the
time allowed for login intervals.
· The administrative lock on the account has been set.
· The maximum number of unsuccessful login attempts for the account
has been exceeded.
· The maximum number of unsuccessful login attempts for the terminal
has been exceeded.
· The administrative lock on the terminal has been set.
· The terminal has an authorized user list and the user is not on
it.
· The terminal has time of day restrictions and the current time is
not within the allowable period.
On a trusted system, allows superuser to log in on the console unless
exists and does not contain
Refer to the file in the security(4) manpage for detailed information
on configurable attributes that affect the behavior of this command.
Currently supported attributes are:
EXTERNAL INFLUENCES
Environment Variables
User's home directory.
Where to look for mail.
Path to be searched for commands.
Which command interpreter is being used.
User's terminal type.
varname User-specified named variables.
User-specified unnamed variables.
DIAGNOSTICS
The following diagnostics appear if the associated condition occurs:
The personal equivalence file is a symbolic link.
The personal equivalence file is not owned by the local user or
by a user with appropriate privileges.
failed (see setuid(2)).
failed (see setuid(2)).
Consult the system administrator.
The indicated string was too long for internal buffer.
User name and password cannot be matched.
Attempted to log in to a subdirectory root that does not have a
subroot login command. That is, the file entry had shell path
but the system cannot find a command under the given home direc‐
tory.
Consult system administrator.
Attempted to log in to a subdirectory root that does not exist.
That is, the file entry had shell path but the system cannot to
the given home directory.
The user shell if shell name is null in could not be started
with the command. Consult system administrator.
Attempted to execute as a command without using the shell's
internal command or from other than the initial shell. The cur‐
rent shell is terminated.
The indicated string was too long for internal buffer.
The indicated string was too long for internal buffer.
Cannot to the user's home directory.
Password aging is enabled and the user's password has expired.
WARNINGS
If is linked to and group membership for the user trying to log in is
managed by the Network Information Service (NIS), and no NIS server is
able to respond, waits until a server does respond.
HP-UX 11i Version 3 is the last release to support trusted systems
functionality.
DEPENDENCIES
Pluggable Authentication Modules (PAM)
PAM is an Open Group standard for user authentication, password modifi‐
cation, and validation of accounts. In particular, is invoked to per‐
form all functions related to This includes retrieving the password,
validating the account, and displaying error messages. is invoked dur‐
ing password expiration or establishment.
HP Process Resource Manager
If the optional HP Process Resource Manager (PRM) software is installed
and configured, the login shell is launched in the user's initial
process resource group. If the user's initial group is not defined,
the shell runs in the user default group See prmconfig(1) for a
description of how to configure HP PRM, and prmconf(4) for a descrip‐
tion of how the user's initial process resource group is determined.
AUTHOR
login was developed by AT&T and HP.
FILES
Personal profile (individual user initialization)
Personal equivalence file for the remote login server.
Dialup security encrypted passwords.
Security defaults configuration file.
Lines which require dialup security.
System list of equivalent hosts allowing logins without passwords.
Group file — defines group access lists.
Message-of-the-day.
Password file — defines users, passwords, and primary groups.
System profile (initialization for all users).
List of valid ttys for root login.
Shadow Password file.
The user accounting database, (see
utmpd(1M)).
The trusted system password database.
History of bad login attempts.
History of logins, logouts, and date changes.
Mailbox for user, login_name.
SEE ALSO
csh(1), groups(1), ksh(1), last(1), mail(1), newgrp(1), passwd(1),
sh(1), sh-posix(1), su(1), getty(1M), userstat(1M), initgroups(3C),
btmps(4), dialups(4), group(4), passwd(4), profile(4), security(4),
shadow(4), utmpd(1M), wtmps(4), environ(5).
HP Process Resource Manager
prmconfig(1), prmconf(4) in
Pluggable Authentication Modules (PAM)
pam_acct_mgmt(3), pam_authenticate(3), pam_chauthtok(3).
HP-UX Smart Card Login
scpin(1), scsync(1).