login Command

Purpose

Initiates a user session.

Syntax

login [ -h HostName ] [ -p ] [ -f User | -k ] [-e Label ] [ -t Label ] [ User [ Environment ] ]

Description

The login command (part of the tsm command) initiates sessions on the system for the user specified by the User parameter. You can also specify environment variables to be added to the user's environment. These are strings of the form Variable=Value. The login command is not normally entered on the command line.

You can configure the login command to create your home directory at your login if you do not have a home directory already. The login command calls the mkuser.sys command to create the home directory and customize the account. To enable this capability, set the mkhomeatlogin attribute of the usw stanza in the /etc/security/login.cfg file to true.

Notes:
  1. The PATH, IFS, HOME, and SHELL environment variables may not be initialized from the command line.
  2. The login command supports multibyte user names. It is recommended that the system administrator restrict the user names to characters within the portable character set to remove any ambiguity.
  3. If the /etc/nologin file exists, the system prevents the user from logging in and displays the contents of the /etc/nologin file. The system does allow the root user to log in if this file exists. The /etc/nologin file is removed when you reboot the system.

The login command can handle Distributed Computing Environment (DCE) user names of up to 1024 characters. DCE user names are stored in the LOGIN environment variable. Because DCE user names do not conform to standard operating system requirements, the first 8 characters of the DCE user name are stored in all standard operating system files and environments.

The login command performs the following functions:

Item Description
Checks accounts The login command validates the user's account, ensuring authentication, logins enabled properly, and correct capacity for the port used for the login.
Authenticates users The login command verifies the user's identity by using the system defined authentication methods for each user. If a password has expired, the user must supply a new password. If secondary authentication methods are defined, these methods are invoked but need not be successful in order to log in to the system.
Establishes credentials The login command establishes the initial credentials for the user from the user database. These credentials define the user's access rights and accountability on the system.
Initiates a session The login command initializes the user environment from the user database, from the command line, and from the /etc/environment configuration file; changes the current directory to the user's home directory (normally); and runs the user's initial program.

These functions are performed in the order given; if one fails, the functions that follow are not performed.

When a user logs in successfully, the login command makes entries in the /etc/utmp file that tracks current user logins and the /var/adm/wtmp file that is used for accounting purposes. The login command also sets the LOGIN and LOGNAME environment variables.

Information pertaining to each unsuccessful login is recorded in the /etc/security/failedlogin file. The information stored is the same as that in the /etc/utmp file, except that unrecognizable user names are logged as UNKNOWN_USER. This ensures that a password accidentally entered as a user name, for example, is not allowed into the system unencrypted.

After a successful login, the login command displays the message of the day, the date and time of the last successful and unsuccessful login attempts for this account, and the total number of unsuccessful login attempts for this account since the last successful login. These messages are suppressed if there is a .hushlogin file in your home directory.

The login command also changes the ownership of the login port to the user. This includes any ports noted as synonyms in the /etc/security/login.cfg file.

In order to preserve the integrity of the system, only one session at a time is allowed to be logged in to a port. This means that the login command entered from the shell prompt cannot succeed, as both the original session and the new login session would be on the same port. However, the exec login command succeeds because a new shell replaces the current one. The login command is typically a built-in shell command, causing the shell to replace itself.

On a Trusted AIX® system, you can specify an effective sensitivity label (SL) at login time by specifying the label with the -e flag along with the user name. To specify an effective integrity label (TL) during login, specify the label using the -t flag.

If the label has spaces, specify it within quotation marks. The default login SL and TL are defined in the /etc/security/user file as user attributes. If no label attribute is specified in the file, the label attributes that are defined in the default stanza are used.

The labels that you supply must be dominated by your clearance and contained in the system accreditation range. You can specify the SL with the -e flag and the TL with the -t flag at login time. In a labeled network, unless the login is done using the console, the network’s label is assigned to you, regardless of the labels that you specified with the -e or -t flag.

Your SL clearance must be within the range that is defined for the TTY device in the /etc/security/login.cfg file. The effective TL of the user must be the same as the TL of the TTY. After successfully logging in, the clearance is assigned to the login port.

Tip: Unless your terminal displays only uppercase letters, do not use only uppercase characters for your user name.

To log in with multibyte user names, you must first open a Japanese window (aixterm) and initiate a new login from the Japanese window.

Flags

Item Description
-e Label Specifies the effective sensitivity label to be used to log into a Trusted AIX system.
Restriction: The -e flag applies only to systems running Trusted AIX.
-f User Identifies a user who has already been authenticated. If the real ID of the login process is root (0), then the user is not authenticated.
-h HostName Identifies the login as a remote login and specifies with the HostName variable the name of the machine requesting the login. This form of the login is used only by the telnetd and rlogind daemons.
-k Identifies the login as using Kerberos authentication and causes login to pass control to /usr/bin/k5dcelogin to handle authentication. This form of login is only used by the krshd daemon.
-p Preserves the current terminal type by setting it the value of the $TERM environment variable instead of the type contained in the CuAt/PdAt object classes database.
-t Label Specifies the effective integrity label to be used to log into a Trusted AIX system.
Restriction: The -t flag applies only to systems running Trusted AIX.

Security

The login command is a PAM-enabled application with a service name of login. System-wide configuration to use PAM for authentication is set by modifying the value of the auth_type attribute, in the usw stanza of /etc/security/login.cfg, to PAM_AUTH as the root user.

The authentication mechanisms used when PAM is enabled depend on the configuration for the login service in /etc/pam.conf. The login command requires /etc/pam.conf entries for the auth, account, password, and session module types. Listed below is a recommended configuration in /etc/pam.conf for the login service:
#
# AIX login configuration
#
login auth required /usr/lib/security/pam_aix

login account required /usr/lib/security/pam_aix

login session required /usr/lib/security/pam_aix

login password required /usr/lib/security/pam_aix

Examples

  1. To log in to the system as user jamesd, enter the following at the login prompt:
    login: jamesd
    If a password is defined, the password prompt appears. Enter your password at this prompt.
  2. On a Trusted AIX system, to log in to the system as user james, with the effective SL of TOP SECRET, enter the following command:
    login: james –e “TOP SECRET”
  3. To log in with the effective SL of SECRET, and the effective TL of TOP SECRET, enter the following command:
    login: james –e “TOP SECRET” –t “TOP SECRET”
  4. On the command line the following can be used:
    $ login –e “TOP SECRET” james

Files

Item Description
/usr/sbin/login Contains the login command.
/etc/utmp Contains accounting information.
/var/adm/wtmp Contains accounting information.
/etc/motd Contains the message of the day.
/etc/passwd Contains passwords.
$HOME/.hushlogin Suppresses login messages.
/etc/environment Contains user environment configuration information.
/etc/security/login.cfg Contains port synonyms.
/etc/security/lastlog Contains information pertaining to the most recent successful and unsuccessful login attempts.
/etc/security/failedlogin Contains information pertaining to each unsuccessful login.
/etc/security/enc/LabelEncodings Contains label definitions for the Trusted AIX system.