The Linux Login Process
After the system boots, at serial terminals or virtual terminals, the user will see a login prompt similar to:
This prompt is being generated by a program, usually getty or mingetty, which is regenerated by the init process every time a user ends a session on the console. The getty program will call login, and login, if successful will call the users shell. The steps of the process are:
- The init process spawns the getty process.
- The getty process invokes the login process when the user enters their name and passes the user name to login.
- The login process prompts the user for a password, checks it, then if there is success, the user's shell is started. On failure the program displays an error message, ends and then init will respawn getty.
- The user will run their session and eventually logout. On logout, the shell program exits and we return to step 1.
Note: This process is what happens for runlevel 3, but runlevel 5 uses some different programs to perform similar functions. These X programs are called X clients.
The init process revisited
Recall that in /etc/inittab file there were lines like this:
These lines cause init to spawn the mingetty process on runlevels 2 through 5 for tty1 and other terminals. To do this init will use the "fork" function to make a new copy of itself and use an "exec" function to run the mingetty program. Getty will wait for the user, then read the username. Then mingetty will invoke login with the user's name as an argument. If the password entered does not match for the user, init will load and run mingetty again. If the login is successful, init will use the "exec" function to run the user's shell program. When the shell exits through the "logout" command, init will load and run the mingetty program again (the reason for the "respawn" command in the /etc/inittab file). The file "/etc/passwd" determines the shell to be used for the user who is logging in. This version of Linux uses the mingetty program which is a minimum getty program used for virtual terminals. On some systems and normally Unix systems traditionally the getty program is used which has more capabilities. In this section, the getty program is described, but you should be aware that many of the special features of getty will not apply to mingetty.
Note that network logins are handled differently than console logins since it is impractical to have a getty provided for each potential network login. Network logins are normally handled through the internet super daemon, inetd using either the telnet or rlogin communication protocol. The telnet daemon will invoke the login program when a session starts, then if successful, the login program will invoke the user's shell.
Getty performs the following functions:
- Open tty lines and set their modes
- Print the login prompt and get the user's name
- Begin a login process for the user
A detailed analysis:
- At startup, it parses its command line, then reads it's default file, usually "/etc/conf.getty" to determine runtime values. After setting up the "line" or virtual line, getty outputs the contents of the "/etc/issue" file. Then getty reads the user's name and invokes login with the user's name as an argument. While reading the user's name, getty attempts to adapt the system to the speed of the terminal being used, and also sets certain terminal parameters to conform with the user's login procedure. See the termio man page.
- The tty device used by getty is determined by the argument on the command line. This argument is normally determined by the entry in /etc/inittab. The speed argument is a label to an entry in the "/etc/gettydefs" file. this entry defines the initial speed and tty settings, the login prompt to be used, the final speed and tty settings and a pointer to another entry to try if the user indicates that the speed is not correct. This is done by sending a break character.
- Getty scans the gettydefs file looking for a matching entry to the speed. The first entry is used if no speed was given or no match was found.
- The type argument names the type of terminal attached to the line such as 3101. The type should be a valid name listed in the termcap database. Getty uses this value to determine how to clear the video display and sets the environment variable "TERM" to the contents of this value. On most Linux systems, this value will be "linux".
- The lined argument describes the line discipline to use on the line. The default is "LDISC0".
During its startup, getty looks for the file "/etc/conf.getty.line" or "/etc/conf.getty". It reads the contents for lines with the form "NAME=value". The name strings are listed below:
- SYSTEM=name - Sets the nodename value. The default is the value returned by uname(3) which returns your system information, usually "Linux".
- VERSION=string - Sets the @V parameter to the value of the string or the contents of the file (if the string begins with "/") pointed to by the string.
- LOGIN=name - The name of the login program to be run when the user enters their name. The default is /bin/login.
- INIT=string - A string used to initialize the line before being used by getty
- ISSUE=string - This string is typed rather than the contents of the /etc/issue file.
- SCHED=range1 range2 range3
These commands are explained better in the getty(1m) man page.
The login program will prompt for the user name if no argument is given on the command line.
If the file "/etc/nologin" exists and the user is not root, the contents of the "/etc/nologin" file are printed to the screen and the login is terminated. If special access restrictions are specified for the user logging in in the file "etc/usertty", the restrictions must be met or the log in will be denied and the program syslog will log the attempt. If the user is root the login must be on a terminal listed in the file "etc/securetty".
If the above conditions are met, the user password will be requested and then it will be checked (If a password is required for this username). After three unsuccessful attempts to login the response gets very slow, and after 10 attempts, login dies. As usual all login failures will be reported by the syslog facility. If the file ".hushlogin" exists in the user's home directory then a "quiet" login is performed which disables checking of mail and the printing of the last login time and the message of the day. Otherwise if the file "var/log/lastlog" exists the last login time is printed and then the current login is recorded in this file. Is the current login recorded in this file if it does not already exist or if the file ".hushlogin" exists? I think it does but have found no documentation that says.
At this point the login program will perform standard administrative tasks. These include:
- Setting the UID and GID of the tty
- Preserving the TERM environment variable if it exists.
- Preserving other environment variables if the –p option is used
- The HOME, PATH, SHELL, TERM, MAIL, and LOGNAME environment variables are set.
- The default path is set to "/usr/local/bin:/bin:/usr/bin:." for normal users and "/sbin:/bin:/usr/sbin" for root.
- If this is not a "quiet" login, the message of the day is printed and the file with the user's name in "/usr/spool/mail" will be checked and a message will be printed if it has non-zero length.
- The users shell is started. The shell is specified in the file "/etc/passwd". If it is not specified, login will use "/bin/sh" as a default shell. This shell will be run with the user's privileges rather than root privileges as login was run.
- If there is no directory specified for the user in "/etc/passwd", login will use "/" by default for the user's home directory.
Another function that login will perform is to update the user accounting login files which are "/var/run/utmp" and "var/log/wtmp" which hold information about the amount of time users have been on the system along with when they logged on and off. Also the init program and getty may write to these files.
How login uses the /etc/passwd file:
Once the user has successfully logged in, the login program will invoke the user's shell. The login program will look in the /etc/passwd file to determine which shell program to run. The /etc/passwd file contains entries containing the complete path of the shell. A sample /etc/passwd file is listed below:
xfs:x:100:101:X Font Server:/etc/X11/fs:/bin/false
the syntax is:
where the fields are defined as:
- account - The user's name.
- password - The users encrypted passwrod or a place holding character if the system is using shadow passwords and storing the password in the /etc/shadow file which is readable only by root.
- UID - The users numerical identification.
- GID - The number of the primary group for the user.
- GECOS - Usually has the full user name. This field is only for information purposes and is optional. This information is sometimes called the user's finger information.
- directory - The full path of the user's home directory.
- shell - The full path and filename of the user's shell. If no value is here /bin/sh is assumed. This value can be changed with the chsh command.
The login program will use the account field to find the username and therefore get the UID of the user. Login will also use the password (or the /etc/shadow file) to be sure the entered password is a match. Login will look up the user's home directory and use that to set the $HOME environment variable. Login will use the shell field to determine what shell program (such as bash, sh, tsh, etc) to run for that user. then login will pass program control to the shell program. There is an important difference in the control passed at this point, however! The shell program will run with the user's privileges and not with root privileges. The programs to this point (init, getty, login) have all run with root privileges.
Files used by the login program:
- /etc/nologin - This file is used to prevent users who are not root from logging into the system.
- /etc/usertty - This file is used to impose special access restrictions on users.
- /etc/securetty - Controls the terminals that the root user can login on.
- .hushlogin - When this file exists in the user's home directory, it will prevent check for mail, printing of the last login time, and the message of the day when the user logs in.
- /var/log/lastlog - Contains information about the last time a login was done on the system.
- /etc/passwd - Contains information about the user including the ID, name, home directory, and the path to the preferred shell program. If not using shadow passwords, this file may also contain user passwords.