The user is then prompted for a password, where appropriate. Echoing is disabled to prevent revealing the password. Only a number of password failures are permitted before login exits and the communications link is severed. See LOGIN_RETRIES in CONFIG FILE ITEMS section.
If password aging has been enabled for the account, the user may be prompted for a new password before proceeding. In such case old password must be provided and the new password entered before continuing. Please refer to passwd(1) for more information.
The user and group ID will be set according to their values in the /etc/passwd file. There is one exception if the user ID is zero. In this case, only the primary group ID of the account is set. This should allow the system administrator to login even in case of network problems. The environment variable values for $HOME, $USER, $SHELL, $PATH, $LOGNAME, and $MAIL are set according to the appropriate fields in the password entry. $PATH defaults to /usr/local/bin:/bin:/usr/bin for normal users, and to /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin for root, if not otherwise configured.
The environment variable $TERM will be preserved, if it exists, else it will be initialized to the terminal type on your tty. Other environment variables are preserved if the -p option is given.
Then the user’s shell is started. If no shell is specified for the user in /etc/passwd, then /bin/sh is used. If there is no home directory specified in /etc/passwd, then / is used, followed by .hushlogin check as described below.
If the file .hushlogin exists, then a "quiet" login is performed. This disables the checking of mail and the printing of the last login time and message of the day. Otherwise, if /var/log/lastlog exists, the last login time is printed, and the current login is recorded.
Note that the -h option has an impact on the PAM service name. The standard service name is login, but with the -h option, the name is remote. It is necessary to create proper PAM config files (for example, /etc/pam.d/login and /etc/pam.d/remote).
The default value is /usr/share/misc/motd:/run/motd:/etc/motd. If the MOTD_FILE item is empty or a quiet login is enabled, then the message of the day is not displayed. Note that the same functionality is also provided by the pam_motd(8) PAM module.
The directories in the MOTD_FILE are supported since version 2.36.
Note that login does not implement any filenames overriding behavior like pam_motd (see also MOTD_FIRSTONLY), but all content from all files is displayed. It is recommended to keep extra logic in content generators and use /run/motd.d rather than rely on overriding behavior hardcoded in system tools.
The TTYGROUP can be either the name of a group or a numeric group identifier.
If a full pathname is not specified, then hushed mode will be enabled if the file exists in the user’s home directory.
The default is to check /etc/hushlogins and if it does not exist then ~/.hushlogin.
If the HUSHLOGIN_FILE item is empty, then all the checks are disabled.
LASTLOG_UID_MAX (unsigned number)
Note that logging unknown usernames may be a security issue if a user enters their password instead of their login name.
ENV_ROOTPATH (string), ENV_SUPATH (string)
A recursive login, as used to be possible in the good old days, no longer works; for most purposes su(1) is a satisfactory substitute. Indeed, for security reasons, login does a vhangup(2) system call to remove any possible listening processes on the tty. This is to avoid password sniffing. If one uses the command login, then the surrounding shell gets killed by vhangup(2) because it’s no longer the true owner of the tty. This can be avoided by using exec login in a top-level shell or xterm.