login
Initiate a user session on the system
TLDR
Log in as a user
Log in as user without authentication if user is preauthenticated
Log in as user and preserve environment
Log in as a user on a remote host
SYNOPSIS
login [options] [username]
PARAMETERS
-p
Preserves the environment of the calling process, rather than resetting it completely. Useful when invoked by programs like su.
-f
Force login, bypassing the password prompt. This option is typically used by programs that have already authenticated the user (e.g., su), and it requires root privileges.
-h host
Specifies the hostname of the remote host from which the user is logging in. Primarily used for remote login protocols like rlogin.
-r service
Specifies the PAM service name to use for authentication and session management. This allows custom PAM configurations for different login scenarios.
-L
Log failed login attempts to the lastlog file. This is often the default behavior to track security incidents.
DESCRIPTION
The login command is a fundamental utility on Linux and Unix-like systems, primarily responsible for authenticating a user and establishing a new interactive session. It is typically invoked by getty (for local console logins) or sshd (for remote SSH logins) after a connection has been established.
Upon execution, login prompts the user for their username and then their password. It verifies these credentials against the system's authentication database. If successful, login sets up the user's environment, including variables like HOME, SHELL, PATH, TERM, USER, and LOGNAME. It then changes the current directory to the user's home directory and executes the user's default shell as specified in /etc/passwd.
login plays a crucial security role by enforcing authentication policies, managing failed login attempts, and logging successful and unsuccessful access attempts to system logs like lastlog and faillog. Its behavior is highly configurable via Pluggable Authentication Modules (PAM).
CAVEATS
The login command is rarely executed directly by end-users; it is usually invoked by system daemons like getty for local console access or sshd for remote access. Its behavior is heavily dependent on the system's Pluggable Authentication Modules (PAM) configuration, which determines authentication methods, session setup, and account restrictions. Misconfiguration of PAM can lead to users being unable to log in.
PAM INTEGRATION
Modern implementations of login heavily rely on Pluggable Authentication Modules (PAM). PAM provides a modular framework for authentication, account management, session management, and password management. When login runs, it consults the PAM configuration files (e.g., /etc/pam.d/login) to determine the exact steps for authenticating the user, setting up their session environment, and enforcing security policies. This modularity makes login highly adaptable to various authentication backends and security requirements.
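A small audit of a PAM service file such as /etc/pam.d/login, added here as an example (it is not part of the original page or of any project's code). The sample file is constructed, parse and audit are hypothetical helper names, and the checks cover only three conditions without following include targets.

```python
import re

# Constructed sample in /etc/pam.d/login syntax: "type control module [args]".
SAMPLE = """\
# constructed example, not taken from a real system
auth       sufficient   pam_permit.so
auth       required     /lib/security/pam_unix.so nullok \\
                        try_first_pass
-session   optional     pam_systemd.so
session    [success=ok default=bad] pam_selinux.so close
@include common-password
"""

RULE = re.compile(
    r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Yield (type, control, module, args) for each rule line."""
    joined = text.replace("\\\n", " ")  # PAM allows backslash continuation
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        m = RULE.match(line)
        if m:  # blanks, comments and Debian-style "@include" lines are skipped
            _, kind, control, module, args = m.groups()
            yield kind, control, module.rsplit("/", 1)[-1], args.split()

def audit(text):
    """Return a list of findings for one service file."""
    rules = list(parse(text))
    findings = []
    for kind, control, module, args in rules:
        if kind == "auth" and module == "pam_permit.so":
            findings.append(f"auth uses pam_permit.so ({control}): "
                            "succeeds without checking credentials")
        if kind == "auth" and module == "pam_unix.so" and "nullok" in args:
            findings.append("pam_unix.so nullok: empty passwords are accepted")
    present = {rule[0] for rule in rules}
    for kind in ("auth", "account", "session"):
        if kind not in present:
            findings.append(f"no {kind} rule in this file: PAM falls back to "
                            "the 'other' service unless an @include supplies it")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

The third check relates to the lock-out risk noted under CAVEATS: when the 'other' service denies by default, a missing stack in the login file can leave users unable to log in.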
ENVIRONMENT SETUP
After successful authentication, login is responsible for setting up the user's initial environment. This includes setting critical environment variables such as HOME (user's home directory), SHELL (user's default shell), PATH (directories for executable commands), TERM (terminal type), USER, and LOGNAME. It also typically changes the current working directory to the user's home directory. Furthermore, it executes initialization scripts like /etc/profile and the user's shell-specific startup files (e.g., ~/.profile, ~/.bashrc, ~/.zshrc) to fully configure the session before handing control to the user's shell.
HISTORY
The login command is one of the oldest and most fundamental utilities in Unix-like operating systems, existing since the early versions of Unix. Its core function of authenticating users and establishing sessions has remained consistent. Over time, its capabilities expanded to integrate with various authentication mechanisms, notably with the introduction of Pluggable Authentication Modules (PAM) in the mid-1990s. PAM externalized the authentication logic, allowing login to use different authentication methods (e.g., local passwords, Kerberos, LDAP) without requiring code changes, significantly enhancing its flexibility and security.