8 .Nd authenticate a user and start new session
16 This manual page documents the
18 program distributed with the Heimdal Kerberos 5 implementation, it may
19 differ in important ways from your system version.
23 programs logs users into the system. It is intended to be run by
28 If you are already logged in, but want to change to another user, you
32 A username can be given on the command line, else one will be prompted
35 A password is required to login, unless the
37 option is given (indicating that the calling program has already done
38 proper authentication). With
40 the user will be logged in without further questions.
42 For password authentication Kerberos 5, Kerberos 4 (if compiled in),
43 OTP (if compiled in) and local
44 .No ( Pa /etc/passwd )
45 passwords are supported. OTP will be used if the the user is
46 registered to use it, and
50 When using OTP, a challenge is shown to the user.
55 Which authentication mode to use, the only supported value is
59 Indicates that the user is already authenticated. This happens, for
60 instance, when login is started by telnetd, and the user has proved
61 authentic via Kerberos.
63 Indicates which host the user is logging in from. This is passed from
64 telnetd, and is entered into the login database.
68 to preserve all environment variables. If not given, only the
72 variables are preserved. It could be a security risk to pass random
75 or the user shell, so the calling daemon should make sure it only
81 The process of logging user in proceeds as follows.
83 First a check is made that logins are allowed at all. This usually
86 If it exists, and the user trying to login is not root, the contents
87 is printed, and then login exits.
89 Then various system parameters are set up, like changing the owner of
90 the tty to the user, setting up signals, setting the group list, and
91 user and group id. Also various machine specific tasks are performed.
95 changes to the users home directory, or if that fails, to
97 The environment is setup, by adding some required variables (such as
99 and also authentication related ones (such as
101 If an environment file exists
102 .No ( Pa /etc/environment ) ,
103 variables are set according to
106 If one or more login message files are configured, their contents is
107 printed to the terminal.
109 If a login time command is configured, it is executed. A logout time
110 command can also be configured, which makes
112 fork, and wait for the user shell to exit, and then run the command.
113 This can be used to clean up user credentials.
115 Finally, the user's shell is executed. If the user logging in is root,
116 and root's login shell does not exist, a default shell (usually
118 is also tried before giving up.
120 These environment variables are set by login (not including ones set by
121 .Pa /etc/environment ) :
123 .Bl -tag -compact -width USERXXLOGNAME
125 the default system path
127 the user's home directory (or possibly
129 .It Dv USER , Dv LOGNAME
130 both set to the username
134 set to whatever is passed to
137 if the password is verified via Kerberos 5, this will point to the
138 credentials cache file
140 if the password is verified via Kerberos 4, this will point to the
144 .Bl -tag -compact -width Ds
145 .It Pa /etc/environment
146 Contains a set of environment variables that should be set in addition
147 to the ones above. It should contain sh-style assignments like
149 Note that they are not parsed the way a shell would. No variable
150 expansion is performed, and all strings are literal, and quotation
151 marks should not be used. Everything after a hash mark is considered a
152 comment. The following are all different (the last will set the
157 .Bd -literal -offset indent
159 FOO="this is a string"
160 BAR= FOO='this is a string'
162 .It Pa /etc/login.access
165 .It Pa /etc/login.conf
166 This is a termcap style configuration file, that contains various
171 capability record is used. The possible capability strings include:
173 .Bl -tag -compact -width Ds
175 This is a comma separated list of environment files that are read in
176 the order specified. If this is missing the default
180 This program will be executed just before the user's shell is started.
181 It will be called without arguments.
182 .It Li logout_program
183 This program will be executed just after the user's shell has
184 terminated. It will be called without arguments. This program will be
185 the parent process of the spawned shell.
187 A comma separated list of text files that will be printed to the
188 user's terminal before starting the shell. The string
190 works similarly, but points to a single file.
192 Points to a file containing ulimit settings for various users. Syntax
193 is inspired by what pam_limits uses, and the default is
194 .Pa /etc/security/limits.conf .
197 If it exists, login is denied to all but root. The contents of this
198 file is printed before login exits.
203 programs typically print all sorts of information by default, such as
204 last time you logged in, if you have mail, and system message files.
207 does not, so there is no reason for
209 files or similar. We feel that these tasks are best left to the user's
212 facility allows for a shell independent solution, if that is desired.
216 file could look like:
217 .Bd -literal -offset indent
219 :motd=/etc/motd,/etc/motd.local:\\
220 :limits=/etc/limits.conf:
225 file consists of a table with four whitespace separated fields. First
226 field is a username or a groupname (prefixed with
235 (the last meaning both soft and hard).
236 Third field is a limit name (such as
240 Last field is the limit value (a number or
242 for unlimited). In the case of data sizes, the value is in kilobytes,
243 and cputime is in minutes.
250 This login program was written for the Heimdal Kerberos 5
251 implementation. The login.access code was written by Wietse Venema.
projects / FreeBSD / releng / 10.0.git / blob