| blob | 9936fc6cb0cce3680f5703b6a243c9b02fd5d734 |
1 .\" $Heimdal: login.1 14891 2005-04-22 15:49:25Z joda $
2 .\" $NetBSD$
3 .\"
4 .Dd April 22, 2005
5 .Dt LOGIN 1
6 .Os
7 .Sh NAME
8 .Nm login
9 .Nd
10 authenticate a user and start new session
11 .Sh SYNOPSIS
12 .Nm
13 .Op Fl fp
14 .Op Fl a Ar level
15 .Op Fl h Ar hostname
16 .Ar [username]
17 .Sh DESCRIPTION
18 This manual page documents the
19 .Nm login
20 program distributed with the Heimdal Kerberos 5 implementation, it may
21 differ in important ways from your system version.
22 .Pp
23 The
24 .Nm login
25 programs logs users into the system. It is intended to be run by
26 system daemons like
27 .Xr getty 8
28 or
29 .Xr telnetd 8 .
30 If you are already logged in, but want to change to another user, you
31 should use
32 .Xr su 1 .
33 .Pp
34 A username can be given on the command line, else one will be prompted
35 for.
36 .Pp
37 A password is required to login, unless the
38 .Fl f
39 option is given (indicating that the calling program has already done
40 proper authentication). With
41 .Fl f
42 the user will be logged in without further questions.
43 .Pp
44 For password authentication Kerberos 5, Kerberos 4 (if compiled in),
45 OTP (if compiled in) and local
46 .No ( Pa /etc/passwd )
47 passwords are supported. OTP will be used if the the user is
48 registered to use it, and
49 .Nm login
50 is given the option
51 .Fl a Li otp .
52 When using OTP, a challenge is shown to the user.
53 .Pp
54 Further options are:
55 .Bl -tag -width Ds
56 .It Fl a Ar string
57 Which authentication mode to use, the only supported value is
58 currently
59 .Dq otp .
60 .It Fl f
61 Indicates that the user is already authenticated. This happens, for
62 instance, when login is started by telnetd, and the user has proved
63 authentic via Kerberos.
64 .It Fl h Ar hostname
65 Indicates which host the user is logging in from. This is passed from
66 telnetd, and is entered into the login database.
67 .It Fl p
68 This tells
69 .Nm login
70 to preserve all environment variables. If not given, only the
71 .Dv TERM
72 and
73 .Dv TZ
74 variables are preserved. It could be a security risk to pass random
75 variables to
76 .Nm login
77 or the user shell, so the calling daemon should make sure it only
78 passes
79 .Dq safe
80 variables.
81 .El
82 .Pp
83 The process of logging user in proceeds as follows.
84 .Pp
85 First a check is made that logins are allowed at all. This usually
86 means checking
87 .Pa /etc/nologin .
88 If it exists, and the user trying to login is not root, the contents
89 is printed, and then login exits.
90 .Pp
91 Then various system parameters are set up, like changing the owner of
92 the tty to the user, setting up signals, setting the group list, and
93 user and group id. Also various machine specific tasks are performed.
94 .Pp
95 Next
96 .Nm login
97 changes to the users home directory, or if that fails, to
98 .Pa / .
99 The environment is setup, by adding some required variables (such as
100 .Dv PATH ) ,
101 and also authentication related ones (such as
102 .Dv KRB5CCNAME ) .
103 If an environment file exists
104 .No ( Pa /etc/environment ) ,
105 variables are set according to
106 it.
107 .Pp
108 If one or more login message files are configured, their contents is
109 printed to the terminal.
110 .Pp
111 If a login time command is configured, it is executed. A logout time
112 command can also be configured, which makes
113 .Nm login
114 fork, and wait for the user shell to exit, and then run the command.
115 This can be used to clean up user credentials.
116 .Pp
117 Finally, the user's shell is executed. If the user logging in is root,
118 and root's login shell does not exist, a default shell (usually
119 .Pa /bin/sh )
120 is also tried before giving up.
121 .Sh ENVIRONMENT
122 These environment variables are set by login (not including ones set by
123 .Pa /etc/environment ) :
124 .Pp
125 .Bl -tag -compact -width USERXXLOGNAME
126 .It Dv PATH
127 the default system path
128 .It Dv HOME
129 the user's home directory (or possibly
130 .Pa / )
131 .It Dv USER , Dv LOGNAME
132 both set to the username
133 .It Dv SHELL
134 the user's shell
135 .It Dv TERM , Dv TZ
136 set to whatever is passed to
137 .Nm login
138 .It Dv KRB5CCNAME
139 if the password is verified via Kerberos 5, this will point to the
140 credentials cache file
141 .It Dv KRBTKFILE
142 if the password is verified via Kerberos 4, this will point to the
143 ticket file
144 .El
145 .Sh FILES
146 .Bl -tag -compact -width Ds
147 .It Pa /etc/environment
148 Contains a set of environment variables that should be set in addition
149 to the ones above. It should contain sh-style assignments like
150 .Dq VARIABLE=value .
151 Note that they are not parsed the way a shell would. No variable
152 expansion is performed, and all strings are literal, and quotation
153 marks should not be used. Everything after a hash mark is considered a
154 comment. The following are all different (the last will set the
155 variable
156 .Dv BAR ,
157 not
158 .Dv FOO ) .
159 .Bd -literal -offset indent
160 FOO=this is a string
161 FOO="this is a string"
162 BAR= FOO='this is a string'
163 .Ed
164 .It Pa /etc/login.access
165 See
166 .Xr login.access 5 .
167 .It Pa /etc/login.conf
168 This is a termcap style configuration file, that contains various
169 settings used by
170 .Nm login .
171 Currently only the
172 .Dq default
173 capability record is used. The possible capability strings include:
174 .Pp
175 .Bl -tag -compact -width Ds
176 .It Li environment
177 This is a comma separated list of environment files that are read in
178 the order specified. If this is missing the default
179 .Pa /etc/environment
180 is used.
181 .It Li login_program
182 This program will be executed just before the user's shell is started.
183 It will be called without arguments.
184 .It Li logout_program
185 This program will be executed just after the user's shell has
186 terminated. It will be called without arguments. This program will be
187 the parent process of the spawned shell.
188 .It Li motd
189 A comma separated list of text files that will be printed to the
190 user's terminal before starting the shell. The string
191 .Li welcome
192 works similarly, but points to a single file.
193 .It Li limits
194 Points to a file containing ulimit settings for various users. Syntax
195 is inspired by what pam_limits uses, and the default is
196 .Pa /etc/security/limits.conf .
197 .El
198 .It Pa /etc/nologin
199 If it exists, login is denied to all but root. The contents of this
200 file is printed before login exits.
201 .El
202 .Pp
203 Other
204 .Nm login
205 programs typically print all sorts of information by default, such as
206 last time you logged in, if you have mail, and system message files.
207 This version of
208 .Nm login
209 does not, so there is no reason for
210 .Pa .hushlogin
211 files or similar. We feel that these tasks are best left to the user's
212 shell, but the
213 .Li login_program
214 facility allows for a shell independent solution, if that is desired.
215 .Sh EXAMPLES
216 A
217 .Pa login.conf
218 file could look like:
219 .Bd -literal -offset indent
220 default:\\
221 :motd=/etc/motd,/etc/motd.local:\\
222 :limits=/etc/limits.conf:
223 .Ed
224 .Pp
225 The
226 .Pa limits.conf
227 file consists of a table with four whitespace separated fields. First
228 field is a username or a groupname (prefixed with
229 .Sq @ ) ,
230 or
231 .Sq * .
232 Second field is
233 .Sq soft ,
234 .Sq hard ,
235 or
236 .Sq -
237 (the last meaning both soft and hard).
238 Third field is a limit name (such as
239 .Sq cpu
240 or
241 .Sq core ) .
242 Last field is the limit value (a number or
243 .Sq -
244 for unlimited). In the case of data sizes, the value is in kilobytes,
245 and cputime is in minutes.
246 .Sh SEE ALSO
247 .Xr su 1 ,
248 .Xr login.access 5 ,
249 .Xr getty 8 ,
250 .Xr telnetd 8
251 .Sh AUTHORS
252 This login program was written for the Heimdal Kerberos 5
253 implementation. The login.access code was written by Wietse Venema.
254 .\".Sh BUGS