Unix‎ > ‎Solaris‎ > ‎Solaris man pages‎ > ‎1‎ > ‎


     login - sign on to the system

     login [-p] [-d device] [-R repository] [-s service] [-t ter-
     minal]  [-u  identity]  [-U ruser] [-h hostname [terminal] |
     -r hostname]  [  name [environ]...]

     The login command is used at the beginning of each  terminal
     session  to identify oneself to the system. login is invoked
     by the system when a connection is first established,  after
     the  previous user has terminated the login shell by issuing
     the exit command.

     If login is invoked as a command, it must replace  the  ini-
     tial  command  interpreter. To invoke login in this fashion,

     exec login

     from the initial shell. The C  shell  and  Korn  shell  have
     their  own  builtins  of  login.  See  ksh(1) and csh(1) for
     descriptions of login builtins and usage.

     login asks for your user name, if it is not supplied  as  an
     argument, and your password, if appropriate. Where possible,
     echoing is turned off while you type your  password,  so  it
     will not appear on the written record of the session.

     If you make any mistake in the login procedure, the message:

     Login incorrect

     is printed and a new login prompt will appear. If  you  make
     five  incorrect  login  attempts,  all five may be logged in
     /var/adm/loginlog, if  it  exists.  The  TTY  line  will  be

     If password aging is turned on and the password  has  "aged"
     (see  passwd(1) for more information), the user is forced to
     changed the password. In this  case  the  /etc/nsswitch.conf
     file  is  consulted  to determine password repositories (see
     nsswitch.conf(4)). The password update  configurations  sup-
     ported are limited to the following five cases.

       o  passwd: files

       o  passwd: files nis

       o  passwd: files nisplus

       o  passwd: compat (==> files nis)

       o  passwd: compat (==> files nisplus)

          passwd_compat: nisplus

     Failure to comply with the configurations will  prevent  the
     user  from  logging  onto  the system because passwd(1) will
     fail. If you do not complete the login successfully within a
     certain  period  of  time,  it  is  likely  that you will be
     silently disconnected.

     After a successful login, accounting files are updated. Dev-
     ice  owner,  group, and permissions are set according to the
     contents of the /etc/logindevperm file,  and  the  time  you
     last logged in is printed (see logindevperm(4)).

     The user-ID, group-ID, supplementary group list, and working
     directory are initialized, and the command interpreter (usu-
     ally ksh) is started.

     The basic environment is initialized to:


     For Bourne shell and Korn shell logins, the  shell  executes
     /etc/profile  and  $HOME/.profile, if it exists. For C shell
     logins, the shell executes  /etc/.login,  $HOME/.cshrc,  and
     $HOME/.login. The default /etc/profile and /etc/.login files
     check quotas (see quota(1M)), print /etc/motd, and check for
     mail.   None  of  the  messages  are  printed  if  the  file
     $HOME/.hushlogin  exists. The name  of  the  command  inter-
     preter is set to - (dash), followed by the last component of
     the interpreter's path name, for example, -sh.

     If  the  login-shell  field  in  the  password   file   (see
     passwd(4))  is  empty, then the default command interpreter,
     /usr/bin/sh, is used. If this field is  *  (asterisk),  then
     the  named  directory  becomes  the  root directory. At that
     point, login is re-executed at the  new  level,  which  must
     have its own root structure.

     The environment may be expanded  or  modified  by  supplying
     additional  arguments  to login, either at execution time or
     when login requests your login name. The arguments may  take
     either  the  form  xxx  or  xxx=yyy.  Arguments without an =
     (equal sign) are placed in the environment as:


     where n is a number starting at 0 and  is  incremented  each
     time  a  new variable name is required. Variables containing
     an = (equal sign) are  placed  in  the  environment  without
     modification.  If  they  already  appear in the environment,
     then they replace the older values.

     There are two exceptions: The variables PATH and SHELL  can-
     not  be changed. This prevents people logged into restricted
     shell environments from spawning secondary shells  that  are
     not  restricted.  login  understands simple single-character
     quoting conventions.  Typing a \ (backslash) in front  of  a
     character quotes it and allows the inclusion of such charac-
     ters as spaces and tabs.

     Alternatively, you can pass the current environment by  sup-
     plying  the  -p  flag to login. This flag indicates that all
     currently defined environment variables should be passed, if
     possible,  to  the  new  environment.  This  option does not
     bypass  any  environment  variable  restrictions   mentioned
     above.  Environment  variables  specified  on the login line
     take precedence, if a variable is passed by both methods.

     To enable remote logins by root, edit the /etc/default/login
     file   by   inserting   a   #   (pound   sign)   before  the
     CONSOLE=/dev/console entry. See FILES.

     For  accounts  in  name  services  which  support  automatic
     account  locking,  the  account  may  be  configured  to  be
     automatically locked (see user_attr(4)  and  policy.conf(4))
     if  successive  failed  login  attempts  equals  or  exceeds
     RETRIES.   Currently,  only  the  "files"  repository   (see
     passwd(4) and shadow(4)) supports automatic account locking.
     See also pam_unix_auth(5).

     The login command uses pam(3PAM) for authentication, account
     management, session management, and password management. The
     PAM  configuration  policy,  listed  through  /etc/pam.conf,
     specifies  the  modules to be used for login. Here is a par-
     tial pam.conf file with entries for the login command  using
     the  UNIX  authentication,  account  management, and session
     management modules:

     login  auth       required  pam_authtok_get.so.1
     login  auth       required  pam_dhkeys.so.1
     login  auth       required  pam_unix_auth.so.1
     login  auth       required  pam_dial_auth.so.1

     login  account    requisite pam_roles.so.1
     login  account    required  pam_projects.so.1
     login  account    required  pam_unix_account.so.1

     login  session    required  pam_unix_session.so.1

     The Password Management stack looks like the following:

     other  password   required   pam_dhkeys.so.1
     other  password   requisite  pam_authtok_get.so.1
     other  password   requisite  pam_authtok_check.so.1
     other  password   required   pam_authtok_store.so.1

     If there are no entries for the service,  then  the  entries
     for  the "other" service will be used. If multiple authenti-
     cation modules are listed, then the user may be prompted for
     multiple passwords.

     When login is invoked through rlogind or telnetd,  the  ser-
     vice name used by PAM is rlogin or telnet, respectively.

     The following options are supported:

     -d device

         login accepts a device option, device. device  is  taken
         to  be the path name of the TTY port login is to operate
         on. The use of the device  option  can  be  expected  to
         improve  login performance, since login will not need to
         call ttyname(3C). The -d option  is  available  only  to
         users  whose  UID  and effective UID are root. Any other
         attempt to use -d will cause login to quietly exit.

     -h hostname [ terminal ]

         Used by in.telnetd(1M) to  pass  information  about  the
         remote host and terminal type.

         Terminal type as a second  argument  to  the  -h  option
         should not start with a hyphen (-).


         Used to pass environment variables to the login shell.

     -r hostname

         Used by in.rlogind(1M) to  pass  information  about  the
         remote host.

     -R repository

         Used to specify the PAM repository that should  be  used
         to  tell PAM about the "identity" (see option -u below).
         If no "identity" information is passed,  the  repository
         is not used.

     -s service

         Indicates the PAM service name that should be used. Nor-
         mally,  this  argument is not necessary and is used only
         for specifying alternative PAM service names. For  exam-
         ple: "ktelnet" for the Kerberized telnet process.

     -u identity

         Specifies the "identity" string associated with the user
         who is being authenticated. This will usually not be the
         same as that user's  Unix  login  name.  For  Kerberized
         login sessions, this will be the Kerberos principal name
         associated with the user.

     -U ruser

         Indicates the name of the person attempting to login  on
         the   remote   side   of  the  rlogin  connection.  When
         in.rlogind(1M) is operating  in  Kerberized  mode,  that
         daemon  will  process  the terminal and remote user name
         information prior to invoking login, so the "ruser" data
         is indicated using this command line parameter. Normally
         (non-Kerberos authenticated rlogin),  the  login  daemon
         will read the remote user information from the client.

     The following exit values are returned:

     0               Successful operation.

     non-zero        Error.

     $HOME/.cshrc            initial commands for each csh

     $HOME/.hushlogin        suppresses login messages

     $HOME/.login            user's login commands for csh

     $HOME/.profile          user's login commands for sh and ksh

     $HOME/.rhosts           private     list     of      trusted
                             hostname/username combinations

     /etc/.login             system-wide csh login commands

     /etc/issue              issue or project identification

     /etc/logindevperm       login-based device permissions

     /etc/motd               message-of-the-day

     /etc/nologin            message displayed to users  attempt-
                             ing to login during machine shutdown

     /etc/passwd             password file

     /etc/profile            system-wide sh and  ksh  login  com-

     /etc/shadow             list of users' encrypted passwords

     /usr/bin/sh             user's default command interpreter

     /var/adm/lastlog        time of last login

     /var/adm/loginlog       record of failed login attempts

     /var/adm/utmpx          accounting

     /var/adm/wtmpx          accounting

     /var/mail/your-name     mailbox for user your-name

     /etc/default/login      Default value can  be  set  for  the
                             following          flags          in
                             /etc/default/login.  Default  values
                             are  specified  as  comments  in the
                             /etc/default/login file,  for  exam-
                             ple, TIMEZONE=EST5EDT.


                                 Sets the TZ environment variable
                                 of the shell (see environ(5)).


                                 Sets the HZ environment variable
                                 of the shell.


                                 Sets the file size limit for the
                                 login.  Units  are  disk blocks.
                                 Default is zero (no limit).


                                 If set, root can login  on  that
                                 device   only.   This  will  not
                                 prevent execution of remote com-
                                 mands  with  rsh(1). Comment out
                                 this  line  to  allow  login  by


                                 Determines if login  requires  a
                                 non-null password.


                                 Determines if login  should  set
                                 the SHELL environment variable.


                                 Sets  the  initial  shell   PATH


                                 Sets  the  initial  shell   PATH
                                 variable for root.


                                 Sets  the  number   of   seconds
                                 (between  0  and  900)  to  wait
                                 before abandoning a  login  ses-


                                 Sets  the  initial  shell   file
                                 creation    mode    mask.    See


                                 Determines      whether      the
                                 syslog(3C)   LOG_AUTH   facility
                                 should be used to log  all  root
                                 logins  at  level LOG_NOTICE and
                                 multiple failed  login  attempts


                                 If  present,  and  greater  than
                                 zero, the number of seconds that
                                 login will  wait  after  RETRIES
                                 failed   attempts   or  the  PAM
                                 framework   returns   PAM_ABORT.
                                 Default  is  20 seconds. Minimum
                                 is  0  seconds.  No  maximum  is


                                 If present, sets the  number  of
                                 seconds to wait before the login
                                 failure message  is  printed  to
                                 the  screen.  This  is  for  any
                                 login   failure    other    than
                                 PAM_ABORT. Another login attempt
                                 is  allowed,  providing  RETRIES
                                 has  not been reached or the PAM
                                 framework      is       returned
                                 PAM_MAXTRIES.   Default   is   4
                                 seconds. Minimum is  0  seconds.
                                 Maximum is 5 seconds.

                                 Both su(1M) and sulogin(1M)  are
                                 affected  by the value of SLEEP-


                                 Sets the number of  retries  for
                                 logging  in (see pam(3PAM)). The
                                 default is 5. The maximum number
                                 of  retries  is 15. For accounts
                                 configured with automatic  lock-
                                 ing  (see  SECURITY  above), the
                                 account  is  locked  and   login
                                 exits.  If automatic locking has
                                 not been configured, login exits
                                 without locking the account.


                                 Used  to  determine   how   many
                                 failed  login  attempts  will be
                                 allowed by the system  before  a
                                 failed  login message is logged,
                                 using the syslog(3C)  LOG_NOTICE
                                 facility.  For  example,  if the
                                 variable is set to 0, login will
                                 log all failed login attempts.

     See attributes(5) for descriptions of the  following  attri-

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWcsu                     |
    | Interface Stability         | Evolving                    |

     csh(1),  exit(1),  ksh(1),  mail(1),  mailx(1),   newgrp(1),
     passwd(1), rlogin(1), rsh(1), sh(1), shell_builtins(1), tel-
     net(1),    umask(1),     in.rlogind(1M),     in.telnetd(1M),
     logins(1M),  quota(1M),  su(1M),  sulogin(1M),  syslogd(1M),
     useradd(1M),    userdel(1M),    pam(3PAM),    rcmd(3SOCKET),
     syslog(3C),    ttyname(3C),    auth_attr(4),   exec_attr(4),
     hosts.equiv(4),  issue(4),   logindevperm(4),   loginlog(4),
     nologin(4),    nsswitch.conf(4),   pam.conf(4),   passwd(4),
     policy.conf(4),   profile(4),    shadow(4),    user_attr(4),
     utmpx(4),      wtmpx(4),      attributes(5),     environ(5),
     pam_unix_account(5), pam_unix_auth(5),  pam_unix_session(5),
     pam_authtok_check(5),                    pam_authtok_get(5),
     pam_authtok_store(5),   pam_dhkeys(5),   pam_passwd_auth(5),

     Login incorrect

         The user name or the password cannot be matched.

     Not on system console

         Root  login  denied.  Check  the  CONSOLE   setting   in

     No directory! Logging in with home=/

         The user's home directory named in the  passwd(4)  data-
         base cannot be found or has the wrong permissions.  Con-
         tact your system administrator.

     No shell

         Cannot execute the shell named in  the  passwd(4)  data-
         base. Contact your system administrator.

     NO LOGINS: System going down in N minutes

         The machine is in the process of  being  shut  down  and
         logins have been disabled.

     Users with a UID greater than 76695844 are  not  subject  to
     password  aging,  and  the system does not record their last
     login time.

     If you use the CONSOLE setting to disable root  logins,  you
     should arrange that remote command execution by root is also
     disabled. See rsh(1), rcmd(3SOCKET), and hosts.equiv(4)  for
     further details.

     The pam_unix(5) module is no longer supported. Similar func-
     tionality     is     provided     by    pam_unix_account(5),
     pam_unix_auth(5), pam_unix_session(5), pam_authtok_check(5),
     pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), and

Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.