1*ae771770SStanislav Sedov.\" $Id$ 2bbd80c28SJacques Vidrine.\" 3c19800e8SDoug Rabson.Dd April 22, 2005 4bbd80c28SJacques Vidrine.Dt LOGIN 1 5bbd80c28SJacques Vidrine.Os HEIMDAL 6bbd80c28SJacques Vidrine.Sh NAME 7bbd80c28SJacques Vidrine.Nm login 8*ae771770SStanislav Sedov.Nd authenticate a user and start new session 9bbd80c28SJacques Vidrine.Sh SYNOPSIS 10bbd80c28SJacques Vidrine.Nm 11bbd80c28SJacques Vidrine.Op Fl fp 12bbd80c28SJacques Vidrine.Op Fl a Ar level 13bbd80c28SJacques Vidrine.Op Fl h Ar hostname 14bbd80c28SJacques Vidrine.Ar [username] 15bbd80c28SJacques Vidrine.Sh DESCRIPTION 16bbd80c28SJacques VidrineThis manual page documents the 17bbd80c28SJacques Vidrine.Nm login 18bbd80c28SJacques Vidrineprogram distributed with the Heimdal Kerberos 5 implementation, it may 19bbd80c28SJacques Vidrinediffer in important ways from your system version. 20bbd80c28SJacques Vidrine.Pp 21bbd80c28SJacques VidrineThe 22bbd80c28SJacques Vidrine.Nm login 23bbd80c28SJacques Vidrineprograms logs users into the system. It is intended to be run by 24bbd80c28SJacques Vidrinesystem daemons like 25bbd80c28SJacques Vidrine.Xr getty 8 26bbd80c28SJacques Vidrineor 27bbd80c28SJacques Vidrine.Xr telnetd 8 . 28bbd80c28SJacques VidrineIf you are already logged in, but want to change to another user, you 29bbd80c28SJacques Vidrineshould use 30bbd80c28SJacques Vidrine.Xr su 1 . 31bbd80c28SJacques Vidrine.Pp 32bbd80c28SJacques VidrineA username can be given on the command line, else one will be prompted 33bbd80c28SJacques Vidrinefor. 34bbd80c28SJacques Vidrine.Pp 35bbd80c28SJacques VidrineA password is required to login, unless the 36bbd80c28SJacques Vidrine.Fl f 37bbd80c28SJacques Vidrineoption is given (indicating that the calling program has already done 38bbd80c28SJacques Vidrineproper authentication). With 39bbd80c28SJacques Vidrine.Fl f 40bbd80c28SJacques Vidrinethe user will be logged in without further questions. 
41bbd80c28SJacques Vidrine.Pp 42bbd80c28SJacques VidrineFor password authentication Kerberos 5, Kerberos 4 (if compiled in), 43bbd80c28SJacques VidrineOTP (if compiled in) and local 44bbd80c28SJacques Vidrine.No ( Pa /etc/passwd ) 45bbd80c28SJacques Vidrinepasswords are supported. OTP will be used if the the user is 46bbd80c28SJacques Vidrineregistered to use it, and 47bbd80c28SJacques Vidrine.Nm login 48bbd80c28SJacques Vidrineis given the option 49bbd80c28SJacques Vidrine.Fl a Li otp . 50bbd80c28SJacques VidrineWhen using OTP, a challenge is shown to the user. 51bbd80c28SJacques Vidrine.Pp 52bbd80c28SJacques VidrineFurther options are: 53bbd80c28SJacques Vidrine.Bl -tag -width Ds 54bbd80c28SJacques Vidrine.It Fl a Ar string 55bbd80c28SJacques VidrineWhich authentication mode to use, the only supported value is 56bbd80c28SJacques Vidrinecurrently 57bbd80c28SJacques Vidrine.Dq otp . 58bbd80c28SJacques Vidrine.It Fl f 59bbd80c28SJacques VidrineIndicates that the user is already authenticated. This happens, for 60bbd80c28SJacques Vidrineinstance, when login is started by telnetd, and the user has proved 61bbd80c28SJacques Vidrineauthentic via Kerberos. 62bbd80c28SJacques Vidrine.It Fl h Ar hostname 63bbd80c28SJacques VidrineIndicates which host the user is logging in from. This is passed from 64bbd80c28SJacques Vidrinetelnetd, and is entered into the login database. 65bbd80c28SJacques Vidrine.It Fl p 66bbd80c28SJacques VidrineThis tells 67bbd80c28SJacques Vidrine.Nm login 68bbd80c28SJacques Vidrineto preserve all environment variables. If not given, only the 69bbd80c28SJacques Vidrine.Dv TERM 70bbd80c28SJacques Vidrineand 71bbd80c28SJacques Vidrine.Dv TZ 72bbd80c28SJacques Vidrinevariables are preserved. 
It could be a security risk to pass random 73bbd80c28SJacques Vidrinevariables to 74bbd80c28SJacques Vidrine.Nm login 75bbd80c28SJacques Vidrineor the user shell, so the calling daemon should make sure it only 76bbd80c28SJacques Vidrinepasses 77bbd80c28SJacques Vidrine.Dq safe 78bbd80c28SJacques Vidrinevariables. 79bbd80c28SJacques Vidrine.El 80bbd80c28SJacques Vidrine.Pp 81bbd80c28SJacques VidrineThe process of logging user in proceeds as follows. 82bbd80c28SJacques Vidrine.Pp 83bbd80c28SJacques VidrineFirst a check is made that logins are allowed at all. This usually 84bbd80c28SJacques Vidrinemeans checking 85bbd80c28SJacques Vidrine.Pa /etc/nologin . 86bbd80c28SJacques VidrineIf it exists, and the user trying to login is not root, the contents 87bbd80c28SJacques Vidrineis printed, and then login exits. 88bbd80c28SJacques Vidrine.Pp 89bbd80c28SJacques VidrineThen various system parameters are set up, like changing the owner of 90bbd80c28SJacques Vidrinethe tty to the user, setting up signals, setting the group list, and 91bbd80c28SJacques Vidrineuser and group id. Also various machine specific tasks are performed. 92bbd80c28SJacques Vidrine.Pp 93bbd80c28SJacques VidrineNext 94bbd80c28SJacques Vidrine.Nm login 95bbd80c28SJacques Vidrinechanges to the users home directory, or if that fails, to 96bbd80c28SJacques Vidrine.Pa / . 97bbd80c28SJacques VidrineThe environment is setup, by adding some required variables (such as 98bbd80c28SJacques Vidrine.Dv PATH ) , 99bbd80c28SJacques Vidrineand also authentication related ones (such as 100bbd80c28SJacques Vidrine.Dv KRB5CCNAME ) . 101bbd80c28SJacques VidrineIf an environment file exists 102bbd80c28SJacques Vidrine.No ( Pa /etc/environment ) , 103bbd80c28SJacques Vidrinevariables are set according to 104bbd80c28SJacques Vidrineit. 105bbd80c28SJacques Vidrine.Pp 106bbd80c28SJacques VidrineIf one or more login message files are configured, their contents is 107bbd80c28SJacques Vidrineprinted to the terminal. 
108bbd80c28SJacques Vidrine.Pp 109bbd80c28SJacques VidrineIf a login time command is configured, it is executed. A logout time 110bbd80c28SJacques Vidrinecommand can also be configured, which makes 111bbd80c28SJacques Vidrine.Nm login 112bbd80c28SJacques Vidrinefork, and wait for the user shell to exit, and then run the command. 113bbd80c28SJacques VidrineThis can be used to clean up user credentials. 114bbd80c28SJacques Vidrine.Pp 115bbd80c28SJacques VidrineFinally, the user's shell is executed. If the user logging in is root, 116bbd80c28SJacques Vidrineand root's login shell does not exist, a default shell (usually 117bbd80c28SJacques Vidrine.Pa /bin/sh ) 118bbd80c28SJacques Vidrineis also tried before giving up. 119bbd80c28SJacques Vidrine.Sh ENVIRONMENT 120bbd80c28SJacques VidrineThese environment variables are set by login (not including ones set by 121bbd80c28SJacques Vidrine.Pa /etc/environment ) : 122bbd80c28SJacques Vidrine.Pp 123bbd80c28SJacques Vidrine.Bl -tag -compact -width USERXXLOGNAME 124bbd80c28SJacques Vidrine.It Dv PATH 125bbd80c28SJacques Vidrinethe default system path 126bbd80c28SJacques Vidrine.It Dv HOME 127bbd80c28SJacques Vidrinethe user's home directory (or possibly 128bbd80c28SJacques Vidrine.Pa / ) 129bbd80c28SJacques Vidrine.It Dv USER , Dv LOGNAME 130bbd80c28SJacques Vidrineboth set to the username 131bbd80c28SJacques Vidrine.It Dv SHELL 132bbd80c28SJacques Vidrinethe user's shell 133bbd80c28SJacques Vidrine.It Dv TERM , Dv TZ 134bbd80c28SJacques Vidrineset to whatever is passed to 135bbd80c28SJacques Vidrine.Nm login 136bbd80c28SJacques Vidrine.It Dv KRB5CCNAME 137bbd80c28SJacques Vidrineif the password is verified via Kerberos 5, this will point to the 138bbd80c28SJacques Vidrinecredentials cache file 139bbd80c28SJacques Vidrine.It Dv KRBTKFILE 140bbd80c28SJacques Vidrineif the password is verified via Kerberos 4, this will point to the 141bbd80c28SJacques Vidrineticket file 142bbd80c28SJacques Vidrine.El 143bbd80c28SJacques 
.Sh FILES
.Bl -tag -compact -width Ds
.It Pa /etc/environment
Contains a set of environment variables that should be set in addition
to the ones above. It should contain sh-style assignments like
.Dq VARIABLE=value .
Note that they are not parsed the way a shell would. No variable
expansion is performed, all strings are literal, and quotation
marks should not be used. Everything after a hash mark is considered a
comment. The following are all different (the last will set the
variable
.Dv BAR ,
not
.Dv FOO ) .
.Bd -literal -offset indent
FOO=this is a string
FOO="this is a string"
BAR= FOO='this is a string'
.Ed
.It Pa /etc/login.access
See
.Xr login.access 5 .
.It Pa /etc/login.conf
This is a termcap-style configuration file that contains various
settings used by
.Nm login .
Currently only the
.Dq default
capability record is used. The possible capability strings include:
.Pp
.Bl -tag -compact -width Ds
.It Li environment
This is a comma separated list of environment files that are read in
the order specified.
If this is missing the default
.Pa /etc/environment
is used.
.It Li login_program
This program will be executed just before the user's shell is started.
It will be called without arguments.
.It Li logout_program
This program will be executed just after the user's shell has
terminated. It will be called without arguments. This program will be
the parent process of the spawned shell.
.It Li motd
A comma separated list of text files that will be printed to the
user's terminal before starting the shell. The string
.Li welcome
works similarly, but points to a single file.
.It Li limits
Points to a file containing ulimit settings for various users. Syntax
is inspired by what pam_limits uses, and the default is
.Pa /etc/security/limits.conf .
.El
.It Pa /etc/nologin
If it exists, login is denied to all but root. The contents of this
file are printed before login exits.
.El
.Pp
Other
.Nm login
programs typically print all sorts of information by default, such as
the last time you logged in, whether you have mail, and system message
files.
This version of
.Nm login
does not, so there is no reason for
.Pa .hushlogin
files or similar. We feel that these tasks are best left to the user's
shell, but the
.Li login_program
facility allows for a shell independent solution, if that is desired.
.Sh EXAMPLES
A
.Pa login.conf
file could look like:
.Bd -literal -offset indent
default:\\
	:motd=/etc/motd,/etc/motd.local:\\
	:limits=/etc/limits.conf:
.Ed
.Pp
The
.Pa limits.conf
file consists of a table with four whitespace separated fields. The first
field is a username or a groupname (prefixed with
.Sq @ ) ,
or
.Sq * .
The second field is
.Sq soft ,
.Sq hard ,
or
.Sq -
(the last meaning both soft and hard).
The third field is a limit name (such as
.Sq cpu
or
.Sq core ) .
The last field is the limit value (a number or
.Sq -
for unlimited). In the case of data sizes, the value is in kilobytes,
and cputime is in minutes.
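.Pp
The /etc/environment rules given under FILES (everything after a hash mark is a comment, no expansion, quotes are literal, so the third sample line sets BAR and not FOO), as an added C example that is not Heimdal's own code; skipping leading blanks on a line is an assumption the page does not state.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Heimdal's code: parse one /etc/environment line as the
 * page describes the file. Text after '#' is a comment, the text before the
 * first '=' is the variable name, and everything after it is the literal value
 * (no expansion, quotes are ordinary characters). Returns 1 on success. */
static int
parse_env_line(const char *line, char *name, size_t nlen, char *value, size_t vlen)
{
    char buf[1024], *p, *eq;

    if (strlen(line) >= sizeof buf)
        return 0;                           /* refuse absurdly long lines */
    strcpy(buf, line);
    buf[strcspn(buf, "#\n")] = '\0';        /* cut comment and newline */
    for (p = buf; isspace((unsigned char)*p); p++)
        ;                                   /* assumption: leading blanks ignored */
    eq = strchr(p, '=');
    if (*p == '\0' || eq == NULL || eq == p)
        return 0;                           /* blank, comment, no '=' or no name */
    if ((size_t)(eq - p) >= nlen || strlen(eq + 1) >= vlen)
        return 0;                           /* does not fit the caller's buffers */
    memcpy(name, p, eq - p);
    name[eq - p] = '\0';
    strcpy(value, eq + 1);                  /* kept literally, spaces and quotes too */
    return 1;
}

/* Run the three lines the page uses as its illustration (constructed input). */
int
main(void)
{
    static const char *const sample[] = {
        "FOO=this is a string",
        "FOO=\"this is a string\"",
        "BAR= FOO='this is a string'",
        "TZ=UTC   # trailing comment is dropped, trailing blanks are not",
    };
    char name[64], value[256];
    size_t i;
    for (i = 0; i < sizeof sample / sizeof sample[0]; i++)
        if (parse_env_line(sample[i], name, sizeof name, value, sizeof value))
            printf("%s=[%s]\n", name, value);
        else
            printf("ignored: %s\n", sample[i]);
    return 0;
}
```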
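.Pp
The limits.conf table described above, parsed into setrlimit(2) terms with the stated units (kilobytes for data sizes, minutes for cpu time), as an added example that is not Heimdal's code; the page only names the limits cpu and core, so the rest of the name table is assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Added example, not Heimdal's code: parse one limits.conf line of the form
 * "<user|@group|*> <soft|hard|-> <name> <value|->" into a setrlimit(2) value,
 * applying the page's units: data sizes in kilobytes, cpu time in minutes. */
struct limit_entry {
    char subject[64];           /* "alice", "@wheel" or "*" */
    int soft, hard, resource;   /* limit(s) the line sets; RLIMIT_* constant */
    rlim_t value;               /* bytes or seconds; RLIM_INFINITY for "-" */
};
/* Assumed name table; the page itself only names "cpu" and "core". */
static const struct { const char *name; int res, kilobytes; } names[] = {
    { "cpu", RLIMIT_CPU, 0 }, { "core", RLIMIT_CORE, 1 }, { "data", RLIMIT_DATA, 1 },
};

static int
parse_limit_line(const char *line, struct limit_entry *e)
{
    char kind[8], name[16], val[32], *end;
    unsigned long long n;
    size_t i;

    if (sscanf(line, "%63s %7s %15s %31s", e->subject, kind, name, val) != 4
        || e->subject[0] == '#')
        return 0;                       /* blank, comment or short line */
    e->soft = !strcmp(kind, "soft") || !strcmp(kind, "-");
    e->hard = !strcmp(kind, "hard") || !strcmp(kind, "-");
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strcmp(names[i].name, name) == 0)
            break;
    if ((!e->soft && !e->hard) || i == sizeof names / sizeof names[0])
        return 0;                       /* bad second field or limit name */
    e->resource = names[i].res;
    if (strcmp(val, "-") == 0) {        /* "-" means unlimited */
        e->value = RLIM_INFINITY;
        return 1;
    }
    n = strtoull(val, &end, 10);
    if (end == val || *end != '\0')
        return 0;                       /* value is not a number */
    if (names[i].kilobytes)
        n *= 1024;                      /* kilobytes -> bytes */
    else if (names[i].res == RLIMIT_CPU)
        n *= 60;                        /* minutes -> seconds */
    e->value = (rlim_t)n;
    return 1;
}
```

A caller applies an entry with setrlimit(2) when the subject is "*", matches the username, or names a group the user belongs to.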
.Sh SEE ALSO
.Xr su 1 ,
.Xr login.access 5 ,
.Xr getty 8 ,
.Xr telnetd 8
.Sh AUTHORS
This login program was written for the Heimdal Kerberos 5
implementation. The login.access code was written by Wietse Venema.
.\".Sh BUGS