Museum

Home

Lab Overview

Retrotechnology Articles

⇒ Online Manual

Media Vault

Software Library

Restoration Projects

Artifacts Sought

Related Articles

getty(1M)

mail(1)

newgrp(1)

sh(1)

su(1)

passwd(4)

profile(4)

environ(5)

shutdown(1M)

login(1)

NAME

login − sign on

SYNOPSIS

login [ name [ env-var ... ]]
login [−p] [−v|−d] [−b label|−l level|−a priv] [−g grp] name [ env-var ... ]

DESCRIPTION

The login command is used at the beginning of each terminal session and allows you to identify yourself to the system.  It may be invoked as a command or by the system when a connection is first established.  It is invoked by the system when a previous user has terminated the initial shell by typing a cntrl-d to indicate an end-of-file. 

If login is invoked as a command it must replace the initial command interpreter.  This is accomplished by typing:

exec login

from the initial shell. 

login asks for your user name (if not supplied as an argument), and, if appropriate, your password.  Echoing is turned off (where possible) during the typing of your password, so it will not appear on the written record of the session. 

At some installations, an option may be invoked that will require you to enter a second dialup password.  This will occur only for dial-up connections, and will be prompted by the message “Dialup Password:”.  Both passwords are required for a successful login. 

If you make any mistake in the login procedure, the message

Login incorrect

is printed and a new login prompt will appear.  If you make several incorrect login attempts, you will be disconnected. 

If you do not complete the login successfully within a certain period of time (e.g., one minute), you are likely to be silently disconnected. 

If the file /etc/nologin exists, login prints its contents on the user’s terminal and exits.  This is used by shutdown(1M) to stop users logging in when the system is about to go down. 

After a successful login, accounting files are updated, the /etc/profile script is executed, the message-of-the-day, if any, is printed, the user-ID, the group-ID, supplementary group list, the working directory, and the command interpreter (usually sh(1)) are initialized, and the file .profile in the working directory is executed, if it exists.  These specifications are found in the /etc/passwd file entry for the user.  The name of the command interpreter is − followed by the last component of the interpreter’s pathname (i.e., −sh).  If this field in the password file is empty, then the default command interpreter, /usr/bin/sh is used.  If this field is “∗”, then the named directory becomes the root directory, the starting point for path searches for path names beginning with a /.  At that point login is re-executed at the new level which must have its own root structure, including /usr/bin/login and /etc/passwd. 

The basic environment (see environ(5)) is initialized to:

HOME=your-login-directory
LOGNAME=your-login-name
PATH=/usr/bin
SHELL=last-field-of-passwd-entry
MAIL=/usr/mail/your-login-name
TZ=timezone-specification

The environment may be expanded or modified by supplying additional arguments to login, either at execution time or when login requests your login name.  The arguments may take either the form xxx or xxx=yyy .  Arguments without an equal sign are placed in the environment as

Ln=xxx

where n is a number starting at 0 and is incremented each time a new variable name is required.  Variables containing an = are placed into the environment without modification.  If they already appear in the environment, then they replace the older value.  There are two exceptions.  The variables PATH and SHELL cannot be changed.  This prevents people, logging into restricted shell environments, from spawning secondary shells which are not restricted.  login understands simple single-character quoting conventions.  Typing a backslash in front of a character quotes it and allows the inclusion of such things as spaces and tabs. 

SECURITY FEATURES

Except for the provision for customized login options, the following security features are available only with CX/SX. 

login will accept various flags before the user name if the system is configured to B1 security.  These flags include:

−l −b
requests that the session start with an initial classification level of level, or an initial classification label of label.  The classification can be specified in human readable or canonical form as defined in labels(1SX) and libmls(3SX). 

−g requests that the session start with the user operating in group grp at the user’s default classification level. 

−a requests that the session start with an initial privilege (level + group) of priv.  The privilege name is essentially an alias for a given level within a given group.  For example:

login −l secret,nato,crypto −g demo cwf

may be equivalent to:

login −a demox cwf

if the owner of group demo chooses. 

−d −v
when used in conjunction with −l, −h, −a, or −g, reset the default login privilege (level and group) to the privilege selected for this session.  The default privilege is the default level and group selected by login if no arguments are provided requesting a level or group change.  The default is stored as the login GID in the password file (passwd(4)). 

−p invokes passwd(1) via a trusted path.  This guarantees that the user is talking to the trusted password command, not some Trojan Horse pretending to be passwd.  A trusted path to passwd is as critical as a trusted path to login since a user must reveal his/her password to both.

additional access checks

In order to login successfully, a user must be a member of the group selected (groups(1)).  If the system is configured to B1 security, the user must also be cleared to the level requested (clearances(1SX)).  login enforces these restrictions.

login port device labels

If the system is configured to B1 security, each login port is assigned a minimum and maximum allowable security label.  login guarantees that the user is prevented from operating at a level that dominates the maximum or is dominated by the minimum level assigned to the port being used. (See mkdevclr(1SX) and getdevclr(3SX).) 

login trusted path

Once a user has logged into the system, login forks a shell for the user and remains as the process group leader for the session.  As a result (and since CX/SX control terminal ports cannot be set clocal), login is sure to recognize a SIGHUP sent via a disconnect key sequence, network disconnect, or by turning the terminal off.  When operating in conjunction with getty(1M) (see also sessions(3SX)) this provides protection against “Login Trojan Horse” attacks. 

Remember: ALWAYS disconnect before trusting a login prompt!

anonymous logins disallowed

Login by root is prohibited from any port.  Administrative functions requiring superuser privilege are available from authorized ports via su(1) only.  The use of su allows the audit mechanisms to maintain an accurate record of which users were granted superuser privilege. 

protected passwords

This login command uses the CX/SX versions of functions getpwent(3C) and getgrent(3C) to access the true (unsanitized) versions of the /etc/passwd and /etc/group files.  This eliminates the possibility of an ordinary user writing a program to guess passwords without going through privileged (audited) commands such as login itself.  This possibility is further reduced as follows. 

login failures reported/logged

If the user fails to get his name/password correct within 2 tries, login reports the failed login attempt to the console terminal, listing the name of the port on which the failed attempt occured.  If the user name attempted is a valid user name on the system, the name is reported as well. 

If the user fails to get his name/password correct within 3 tries, login exits with a unique exit code (33).  An execution of login exiting with an exit code of 33 will be flagged in the audit trail (and also in /etc/wtmp and /usr/adm/acct) to indicate a possible attempt at guessing a password.  The audit trail includes the UID of the user whose password was being guessed.  The security officer should also check for excessive HUP interrupt terminations, also logged, that may be an attempt to mask guessing attempts. 

Note: by setting HUPCL in the 2nd and 3rd fields of the /etc/gettydefs entries corresponding to the login port in question, the administrator can cause the line to hang up after this exit.  Hanging up forces the outsider to make another call which will cause further delay, make the attempt more noticeable, and will help flag the perpetrator’s phone bill.  Alternately, holding the line up and letting him repeatedly go through the init-login-exit33 sequence may allow the call to be traced once the exit33 has alerted the security officer.  The appropriate action depends on your local security action plan. 

customized login options

Certain features of login can be controlled by the system administrator using the file /etc/default/login.  This file is most effective in CX/UX systems; it should probably not be used (i.e., it may be removed) in CX/SX systems because it would tend only to weaken the secure environment.  The administrator may set the following options:

CONSOLE the name of the terminal to which to restrict root logins, usually /dev/console. 

TIMEOUT The number of seconds during which to allow a login attempt before disconnecting (between 30 seconds and 15 minutes). 

ALTSHELL “YES” to to allow a non-standard shell name to be the value of the SHELL environment variable. 

PASSREQ “YES” to require all users to have passwords. 

ULIMIT A limit on the user’s file sizes. 

UMASK An initial umask(2) value. 

PATH An initial value for the PATH environment variable. 

SUPATH An initial value for the PATH environment variable if the user is the superuser. 

TIMEZONE An initial timezone specification for the TZ environment variable. 

FILES

/etc/utmp accounting

/etc/wtmp accounting

/usr/mail/your-name mailbox for user your-name

/etc/motd message-of-the-day

/etc/nologin stops logins

/etc/passwd password file

/etc/default/login login options

/etc/profile system profile

.profile user’s login profile

/mls/passwd CX/SX password file

/mls/group CX/SX group file

SEE ALSO

getty(1M), mail(1), newgrp(1), sh(1), su(1). 
passwd(4), profile(4), environ(5) in the CX/UX Programmer’s Reference Manual. 
shutdown(1M) in the CX/UX Administrator’s Reference Manual. 

DIAGNOSTICS

Login incorrect if the user name or the password cannot be matched. 
No shell, Cannot open /etc/passwd, or Unable to change directory: consult a CX/UX system programming counselor. 
No utmp entry. You must exec "login" from the lowest level "sh". if you attempted to execute login as a command without using the shell’s exec internal command or from other than the initial shell. 
Login as root not allowed.  Login as yourself and su to root. if you attempted to login as root on a CX/SX system. 

BUGS

An undocumented option, −r is used by the remote login server, rlogind(1M) to force login to enter into an initial connection protocol. 

Another undocumented option, −h is used by the telnetd(1M) server to force login to enter into an initial connection protocol. 

An automatic procedure should be developed to quickly alert the security officer of excessive failed login attempts. 

CX/UX User’s Reference Manual

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026