manpage for login

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11904 ec53bebd-3082-4978-b11e-865c3cabbd6b

appl/login/login.1

@@ -0,0 +1,226 @@
+.\" $Id$
+.\" 
+.Dd March 24, 2003
+.Dt LOGIN 1
+.Os HEIMDAL
+.Sh NAME
+.Nm login
+.Nd
+authenticate a user and start new session
+.Sh SYNOPSIS
+.Nm
+.Op Fl fp
+.Op Fl a Ar level
+.Op Fl h Ar hostname
+.Ar [username]
+.Sh DESCRIPTION
+This manual page documents  the 
+.Nm login 
+program distributed with the Heimdal Kerberos 5 implementation, it may
+differ in important ways from your system version.
+.Pp
+The
+.Nm login
+programs logs users into the system. It is intended to be run by
+system daemons like
+.Xr getty 8 
+or
+.Xr telnetd 8 .
+If you are already logged in, but want to change to another user, you
+should use
+.Xr su 1 .
+.Pp
+A username can be given on the command line, else one will be prompted
+for.
+.Pp
+A password is required to login, unless the 
+.Fl f
+option is given (indicating that the calling program has already done
+proper authentication). With
+.Fl f
+the user will be logged in without further questions. 
+.Pp
+For password authentication Kerberos 5, Kerberos 4 (if compiled in),
+OTP (if compiled in) and local
+.No ( Pa /etc/passwd ) 
+passwords are supported. OTP will be used if the the user is
+registered to use it, and
+.Nm login
+is given the option
+.Fl a Li otp .
+When using OTP, a challenge is shown to the user.
+.Pp
+Further options are:
+.Bl -tag -width Ds
+.It Fl a Ar string
+Which authentication mode to use, the only supported value is
+currently
+.Dq otp .
+.It Fl f
+Indicates that the user is already authenticated. This happens, for
+instance, when login is started by telnetd, and the user has proved
+authentic via Kerberos.
+.It Fl h Ar hostname
+Indicates which host the user is logging in from. This is passed from
+telnetd, and is entered into the login database.
+.It Fl p
+This tells
+.Nm login
+to preserve all environment variables. If not given, only the
+.Dv TERM
+and
+.Dv TZ
+variables are preserved. It could be a security risk to pass random
+variables to 
+.Nm login
+or the user shell, so the calling daemon should make sure it only
+passes
+.Dq safe
+variables.
+.El
+.Pp
+The process of logging user in proceeds as follows.
+.Pp
+First a check is made that logins are allowed at all. This usually
+means checking
+.Pa /etc/nologin .
+If it exists, and the user trying to login is not root, the contents
+is printed, and then login exits.
+.Pp
+Then various system parameters are set up, like changing the owner of
+the tty to the user, setting up signals, setting the group list, and
+user and group id. Also various machine specific tasks are performed.
+.Pp
+Next 
+.Nm login
+changes to the users home directory, or if that fails, to 
+.Pa / .
+The environment is setup, by adding some required variables (such as
+.Dv PATH ) , 
+and also authentication related ones (such as
+.Dv KRB5CCNAME ) .
+If an environment file exists
+.No ( Pa /etc/environment ) ,
+variables are set according to
+it.
+.Pp
+If one or more login message files are configured, their contents is
+printed to the terminal.
+.Pp
+If a login time command is configured, it is executed. A logout time
+command can also be configured, which makes 
+.Nm login
+fork, and wait for the user shell to exit, and then run the command.
+This can be used to clean up user credentials.
+.Pp
+Finally, the user's shell is executed. If the user logging in is root,
+and root's login shell does not exist, a default shell (usually 
+.Pa /bin/sh )
+is also tried before giving up.
+.Sh ENVIRONMENT
+These environment variables are set by login (not including ones set by 
+.Pa /etc/environment ) :
+.Pp
+.Bl -tag -compact -width USERXXLOGNAME
+.It Dv PATH
+the default system path
+.It Dv HOME
+the user's home directory (or possibly 
+.Pa / )
+.It Dv USER , Dv LOGNAME
+both set to the username
+.It Dv SHELL
+the user's shell
+.It Dv TERM , Dv TZ
+set to whatever is passed to 
+.Nm login
+.It Dv KRB5CCNAME
+if the password is verified via Kerberos 5, this will point to the
+credentials cache file
+.It Dv KRBTKFILE
+if the password is verified via Kerberos 4, this will point to the
+ticket file
+.El
+.Sh FILES
+.Bl -tag -compact -width Ds
+.It Pa /etc/environment
+Contains a set of environment variables that should be set in addition
+to the ones above. It should contain sh-style assignments like 
+.Dq VARIABLE=value .
+Note that they are not parsed the way a shell would. No variable
+expansion is performed, and all strings are literal, and quotation
+marks should not be used. Everything after a hash mark is considered a
+comment. The following are all different (the last will set the
+variable
+.Dv BAR ,
+not
+.Dv FOO ) .
+.Bd -literal -offset indent
+FOO=this is a string
+FOO="this is a string"
+BAR= FOO='this is a string'
+.Ed
+.It Pa /etc/login.access
+See 
+.Xr login.access 5 .
+.It Pa /etc/login.conf
+This is a termcap style configuration file, that contains various
+settings used by
+.Nm login .
+Currently only the
+.Dq default
+capability record is used. The possible capability strings include:
+.Pp
+.Bl -tag -compact -width Ds
+.It Li environment
+This is a comma separated list of environment files that are read in
+the order specified. If this is missing the default
+.Pa /etc/environment
+is used.
+.It Li login_program
+This program will be executed just before the user's shell is started.
+It will be called without arguments.
+.It Li logout_program
+This program will be executed just after the user's shell has
+terminated. It will be called without arguments. This program will be
+the parent process of the spawned shell.
+.It Li motd
+A comma separated list of text files that will be printed to the
+user's terminal before starting the shell. The string
+.Li welcome
+works similarly, but points to a single file.
+.El
+.It Pa /etc/nologin
+If it exists, login is denied to all but root. The contents of this
+file is printed before login exits.
+.El
+.Pp
+Other
+.Nm login
+programs typically print all sorts of information by default, such as
+last time you logged in, if you have mail, and system message files.
+This version of
+.Nm login
+does not, so there is no reason for 
+.Pa .hushlogin
+files or similar. We feel that these tasks are best left to the user's
+shell, but the 
+.Li login_program
+facility allows for a shell independent solution, if that is desired.
+.Sh EXAMPLES
+A 
+.Pa login.conf
+file could look like:
+.Bd -literal -offset indent
+default:\\
+	:motd=/etc/motd,/etc/motd.local:
+.Ed
+.Sh SEE ALSO
+.Xr su 1 ,
+.Xr login.access 5 ,
+.Xr getty 8 ,
+.Xr telnetd 8
+.Sh AUTHORS
+This login program was written for the Heimdal Kerberos 5
+implementation. The login.access code was written by Wietse Venema.
+.\".Sh BUGS