Provided by: heimdal-servers_1.7~git20150920+dfsg-4ubuntu1.16.04.1_amd64

NAME

       login — authenticate a user and start new session

SYNOPSIS

       login [-fp] [-a level] [-h hostname] [username]

DESCRIPTION

       This manual page documents the login program distributed with the Heimdal Kerberos 5 implementation; it
       may differ in important ways from your system version.

       The login program logs users into the system. It is intended to be run by system daemons  like  getty(8)
       or telnetd(8).  If you are already logged in, but want to change to another user, you should use su(1).

       A username can be given on the command line, else one will be prompted for.

       A password is required to log in, unless the -f option is given (indicating that the calling program has
       already done proper authentication). With -f the user will be logged in without further questions.

       For password authentication, Kerberos 5, OTP (if compiled in) and local (/etc/passwd) passwords are
       supported. OTP will be used if the user is registered to use it, and login is given the option -a
       otp.  When using OTP, a challenge is shown to the user.

       Further options are:

       -a string
               Which authentication mode to use; the only supported value is currently “otp”.

       -f      Indicates that the user is already authenticated. This  happens,  for  instance,  when  login  is
               started by telnetd, and the user has proved authentic via Kerberos.

       -h hostname
               Indicates  which  host  the  user is logging in from. This is passed from telnetd, and is entered
               into the login database.

       -p      This tells login to preserve all environment variables. If  not  given,  only  the  TERM  and  TZ
               variables  are  preserved.  It  could be a security risk to pass random variables to login or the
               user shell, so the calling daemon should make sure it only passes “safe” variables.

       The process of logging a user in proceeds as follows.

       First a check is made that logins are allowed at all. This usually means checking /etc/nologin.  If it
       exists, and the user trying to log in is not root, its contents are printed, and then login exits.

       Then  various  system  parameters  are set up, like changing the owner of the tty to the user, setting up
       signals, setting the group list, and  user  and  group  id.  Also  various  machine  specific  tasks  are
       performed.

       Next login changes to the user's home directory, or if that fails, to /.  The environment is set up by
       adding some required variables (such as PATH), and also authentication related ones (such as KRB5CCNAME).
       If an environment file exists (/etc/environment), variables are set according to it.

       If one or more login message files are configured, their contents are printed to the terminal.

       If a login time command is configured, it is executed. A logout time  command  can  also  be  configured,
       which  makes login fork, and wait for the user shell to exit, and then run the command.  This can be used
       to clean up user credentials.

       Finally, the user's shell is executed. If the user logging in is root, and root's login  shell  does  not
       exist, a default shell (usually /bin/sh) is also tried before giving up.

ENVIRONMENT

       These environment variables are set by login (not including ones set by /etc/environment):

       PATH           the default system path
       HOME           the user's home directory (or possibly /)
       USER, LOGNAME  both set to the username
       SHELL          the user's shell
       TERM, TZ       set to whatever is passed to login
       KRB5CCNAME     if the password is verified via Kerberos 5, this will point to the credentials cache file

FILES

       /etc/environment
               Contains  a  set  of  environment  variables that should be set in addition to the ones above. It
               should contain sh-style assignments like “VARIABLE=value”.  Note that they are not parsed the way
               a shell would. No variable expansion is performed, and all strings  are  literal,  and  quotation
               marks should not be used. Everything after a hash mark is considered a comment. The following are
               all different (the last will set the variable BAR, not FOO).

                     FOO=this is a string
                     FOO="this is a string"
                     BAR= FOO='this is a string'
       /etc/login.access
               See login.access(5).
       /etc/login.conf
               This  is  a  termcap  style  configuration  file,  that  contains various settings used by login.
               Currently only the “default” capability record is used. The possible capability strings include:

               environment
                       This is a comma separated list of environment files that are read in the order specified.
                       If this is missing the default /etc/environment is used.
               login_program
                       This program will be executed just before the user's shell is started.  It will be called
                       without arguments.
               logout_program
                       This program will be executed just after the user's shell  has  terminated.  It  will  be
                       called without arguments. This program will be the parent process of the spawned shell.
               motd    A  comma  separated list of text files that will be printed to the user's terminal before
                       starting the shell. The string welcome works similarly, but points to a single file.
               limits  Points to a file containing ulimit settings for various users. Syntax is inspired by what
                       pam_limits uses, and the default is /etc/security/limits.conf.
       /etc/nologin
               If it exists, login is denied to all but root. The contents of this file are printed before login
               exits.
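
       The literal /etc/environment rules described above, as an added example that is not part of
       Heimdal's own code: a small checker that reads a file the way the text describes and warns where
       shell habits (quotes, '$', a second assignment) end up as plain text. The function name, the
       identifier pattern for variable names and the trimming of blanks around the value are assumptions.

```python
import re

# Assumption: variable names are identifier-shaped.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
EMBEDDED_RE = re.compile(r"(?:^|\s)[A-Za-z_][A-Za-z0-9_]*=")

# Constructed sample: the three lines from the FILES section plus a '$' case.
SAMPLE = """\
# site defaults
FOO=this is a string
FOO="this is a string"
BAR= FOO='this is a string'
PATH=$HOME/bin:/usr/bin   # not expanded
"""

def parse_environment(text):
    """Parse text with the literal rules from the FILES section.

    Returns (variables, warnings); warnings are (line_number, message) pairs.
    """
    variables, warnings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]             # a hash mark starts a comment
        if not line.strip():
            continue
        name, sep, value = line.partition("=")  # split at the first '=' only
        name = name.strip()
        if not sep or not NAME_RE.fullmatch(name):
            warnings.append((lineno, "not a VARIABLE=value assignment"))
            continue
        value = value.strip()                   # assumption: outer blanks dropped
        if '"' in value or "'" in value:
            warnings.append((lineno, f"quotes become part of {name}"))
        if "$" in value:
            warnings.append((lineno, f"'$' in {name} is literal, no expansion"))
        if EMBEDDED_RE.search(value):
            warnings.append((lineno, f"second assignment is just text in {name}"))
        variables[name] = value
    return variables, warnings

if __name__ == "__main__":
    variables, warnings = parse_environment(SAMPLE)
    for name, value in variables.items():
        print(f"{name} = {value!r}")
    for lineno, message in warnings:
        print(f"line {lineno}: {message}")
```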

       Other  login  programs  typically print all sorts of information by default, such as last time you logged
       in, if you have mail, and system message files.  This version of login does not, so there  is  no  reason
       for  .hushlogin  files  or  similar.  We feel that these tasks are best left to the user's shell, but the
       login_program facility allows for a shell independent solution, if that is desired.

EXAMPLES

       A login.conf file could look like:

             default:\
                     :motd=/etc/motd,/etc/motd.local:\
                     :limits=/etc/limits.conf:

       The limits.conf file consists of a table with four whitespace separated fields. First field is a username
       or a groupname (prefixed with ‘@’), or ‘*’.  Second field is ‘soft’, ‘hard’, or  ‘-’  (the  last  meaning
       both  soft  and  hard).   Third field is a limit name (such as ‘cpu’ or ‘core’).  Last field is the limit
       value (a number or ‘-’ for unlimited). In the case of data sizes, the value is in kilobytes, and  cputime
       is in minutes.
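
       The four-field limits table described above, as an added example that is not Heimdal's own
       parser: it validates each line, converts kilobytes and minutes to bytes and seconds, and lists the
       entries that name a given user. The function names, the skipping of '#' lines and the choice of
       which limit names carry units (only the page's ‘core’ and ‘cpu’) are assumptions; no precedence
       between matching entries is implied.

```python
# Assumption: only the two limit names the page mentions carry a unit.
UNIT_FACTOR = {"core": 1024, "cpu": 60}   # kilobytes -> bytes, minutes -> seconds

# Constructed sample; the last line has an invalid second field.
SAMPLE = """\
*        soft  core  0
@staff   hard  cpu   30
alice    -     core  2048
bob      hard  cpu   -
bob      both  core  10
"""

def parse_limits(text):
    """Return (entries, errors); a value of None means unlimited."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):   # assumption: '#' lines skipped
            continue
        if len(fields) != 4:
            errors.append((lineno, "expected four whitespace separated fields"))
            continue
        who, kind, name, value = fields
        if kind not in ("soft", "hard", "-"):
            errors.append((lineno, f"second field {kind!r} is not soft, hard or -"))
            continue
        if value == "-":
            amount = None                              # '-' means unlimited
        elif value.isascii() and value.isdigit():
            amount = int(value) * UNIT_FACTOR.get(name, 1)
        else:
            errors.append((lineno, f"value {value!r} is not a number or -"))
            continue
        kinds = ("soft", "hard") if kind == "-" else (kind,)
        entries.append({"who": who, "kinds": kinds, "limit": name, "value": amount})
    return entries, errors

def entries_for(entries, user, groups):
    """Entries naming the user, one of the user's groups (@name) or '*', in file order."""
    return [e for e in entries
            if e["who"] in ("*", user)
            or (e["who"].startswith("@") and e["who"][1:] in groups)]

if __name__ == "__main__":
    parsed, problems = parse_limits(SAMPLE)
    for entry in entries_for(parsed, "alice", {"staff"}):
        print(entry)
    print(problems)
```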

SEE ALSO

       su(1), login.access(5), getty(8), telnetd(8)

AUTHORS

       This  login  program  was  written  for  the Heimdal Kerberos 5 implementation. The login.access code was
       written by Wietse Venema.

HEIMDAL                                          April 22, 2005                                         LOGIN(1)