
    Monday, September 29, 2014

    How a successful or failed login process works in Linux

    In this article I will try to explain all the events which happen in the background after your Linux machine boots up and you make an attempt to log in at the console.

    In my last article I covered the Step by Step Procedures of Linux Booting Process, and I ended that article at the point where you get the GUI prompt if loaded into level 5 or a CLI terminal if loaded into level 3.

    Let's continue the story of what happens to our hero and heroine after that... :-)

    When the Linux system boots up you get a console similar to below,
    machine_name login:

    This prompt is generated by a program called getty. getty is started by the init process through the fork function, and it is started again every time an incorrect password is provided.

    NOTE: Fork is a function which creates a new process by duplicating the calling process. The new process, referred to as the child, is an exact duplicate of the calling process, referred to as the parent.

    To be brief, the Linux login works as per the steps below:

    1. The getty process presents the login prompt on the user's console.
    2. Once the username is provided, the password is validated and, if successful, the user is allowed to log in to the shell.
    3. If there is a failure, the getty process is re-initiated by the fork function and the password prompt re-appears.
    4. The maximum number of failed attempts allowed is defined in the PAM configuration.
    5. Once the maximum number of failed attempts is reached, the getty process is suspended for a timeout value defined in the PAM configuration, after which the login prompt appears again, starting from Step 1.

    The steps above only describe the processes involved and their functions. A lot of other things happen in the background, so let's get an overview of those as well.

    The login process can be summarized in the steps below:

    Login Prompt

    Getty Process
    As soon as you reach the console you get a login prompt, presented by the getty process as explained above, where you enter the username you will use to log in to your account.

    Files checked
    Once you enter the username, below are a few files which are checked with respect to the name provided, which determines the next course of action.

    If this file exists and the user is not root then the contents of this file will be printed to the screen and the login is terminated.
    If special access restrictions are specified in this file for the user logging in, the restrictions must be met or the login will be denied and the program syslog will log the attempt.
    Next, any content stored inside this file is printed on the screen before the password prompt appears. This is basically a pre-login message and identification file.

    Now if the above conditions are met you will successfully get the password prompt.

    Password Prompt

    Next you get the prompt as shown below where you provide the password for your username (which is hidden as you type).

    But how does the system verify whether the password provided is correct or incorrect?

    If you recall, there are two files which store information about each user's password, i.e. /etc/passwd and /etc/shadow, so the password is verified for the username provided against the password section inside the /etc/passwd and /etc/shadow files.

    From here there are two possibilities, the password provided is either correct or incorrect, so we will look into both scenarios.

    Password Incorrect
    • If the provided password is incorrect, the getty process will be re-initiated, prompting for the password again.
    • This will continue till you reach the maximum allowed failed login attempts as defined under the below mentioned files, and a login failure message will be reported to the syslog facility.
    /etc/pam.d/sshd (if logging in through ssh)

    • Once the maximum number of failed attempts is reached, the login process is suspended for a timeout value, again as defined in the /etc/pam.d/system-auth file.
    • In this period you won't be allowed to make another login attempt. Once the timeout value has elapsed you will again get a login prompt where you will have to give your username.
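
    One way to check which failure limit and timeout a PAM file actually sets, as an added example that is not part of the original article. It assumes the lockout is enforced by pam_faillock or pam_tally2 (the article names only the files, not the module); the sample file content and the function names lockout_policy and audit are constructed for illustration.

```python
import re

# Constructed sample of /etc/pam.d/system-auth (not taken from the article).
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=600
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
"""

# Assumption: one of these two modules enforces the lockout.
LOCKOUT_MODULES = ("pam_faillock.so", "pam_tally2.so")

def lockout_policy(pam_text):
    """Return one dict per lockout line in the auth stack."""
    found = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        # Fields: type, control (word or [bracketed list]), module, arguments
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m or m.group(1).lstrip("-") != "auth":
            continue
        module = m.group(3).rsplit("/", 1)[-1]   # tolerate absolute module paths
        if module not in LOCKOUT_MODULES:
            continue
        opts = dict(a.split("=", 1) for a in m.group(4).split() if "=" in a)
        found.append({
            "module": module,
            "deny": int(opts["deny"]) if "deny" in opts else None,
            "unlock_time": int(opts["unlock_time"]) if "unlock_time" in opts else None,
        })
    return found

def audit(pam_text):
    """Return a list of findings; empty means both values are set explicitly."""
    policy = lockout_policy(pam_text)
    if not policy:
        return ["no lockout module in the auth stack"]
    issues = []
    for p in policy:
        for key in ("deny", "unlock_time"):
            if p[key] is None:
                issues.append(f"{p['module']}: {key}= not set, module default applies")
    return issues
```

    Running audit() over the text of /etc/pam.d/system-auth and /etc/pam.d/sshd shows whether both login paths carry the same limit.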

    Password Correct
    • The password provided is verified against the encrypted password present in /etc/shadow.
    • Other password aging factors are also verified, in case the password is expired or locked, using the same file as well as /etc/passwd.
    • If the provided password and all other required parameters are correct, the getty process will next check all other functions of the user profile as provided under /etc/passwd and /etc/shadow.
    At this point the login program would perform the below tasks:
    • Setting up UID and GID
    • The HOME, PATH, SHELL, TERM, MAIL, and LOGNAME environment variables are set.
    • Setting up environment variables as defined under user's login shell i.e. ~/.bash_profile for /bin/bash shell
    • The user's shell is started. The shell is specified in the file "/etc/passwd".

    NOTE: If the user has /sbin/nologin or any other shell restricting his/her login access then the below steps would not be executed and the user login process would be terminated here itself.

    • If the file "~/.hushlogin" exists in the user's home directory then a "quiet" login is performed which disables checking of mail and the printing of the last login time and the message of the day.
    • Otherwise if the file "/var/log/lastlog" exists the last login time is printed and then the current login is recorded in this file.
    • Next, in case you have added any content to the /etc/motd file, it will be echoed to the screen. After that you will get your login console in your home directory as specified by the user's HOME variable.
    • Another function that login will perform is to update the user accounting login files which are "/var/run/utmp" and "/var/log/wtmp" which hold information about the amount of time users have been on the system along with when they logged on and off.
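
    The checks described under "Password Correct" (locked password, password aging, and the login shell from the NOTE), as an added example that is not part of the original article. It follows the field meanings of shadow(5), assumes the password hash has already matched, and uses constructed account entries; login_decision is a hypothetical name.

```python
# Constructed entries: (passwd line, shadow line). Hash fields are placeholders.
ACCOUNTS = {
    "alice": ("alice:x:1001:1001::/home/alice:/bin/bash",
              "alice:$6$salt$placeholder:16300:0:90:7:::"),
    "bob":   ("bob:x:1002:1002::/home/bob:/bin/bash",
              "bob:!$6$salt$placeholder:16300:0:90:7:::"),
    "carol": ("carol:x:1003:1003::/home/carol:/bin/bash",
              "carol:$6$salt$placeholder:16000:0:90:7:14::"),
    "dave":  ("dave:x:1004:1004::/home/dave:/bin/bash",
              "dave:$6$salt$placeholder:16300:0:99999:7::16340:"),
    "erin":  ("erin:x:1005:1005::/home/erin:/bin/bash",
              "erin:$6$salt$placeholder:16240:0:90:7:::"),
    "svc":   ("svc:x:990:990::/var/lib/svc:/sbin/nologin",
              "svc:$6$salt$placeholder:16300:0:99999:7:::"),
}
TODAY = 16342  # days since 1970-01-01, the unit /etc/shadow uses (2014-09-29)

def login_decision(user, today=TODAY):
    """Outcome of the checks that follow a matching password."""
    passwd_line, shadow_line = ACCOUNTS[user]
    # shadow fields: name, hash, lastchg, min, max, warn, inactive, expire, reserved
    _, pw, lastchg, _, maxage, _, inactive, expire, _ = shadow_line.split(":")
    if pw.startswith(("!", "*")):
        return "locked"                      # no password can match this field
    if expire and today >= int(expire):
        return "account expired"             # whole account is past its end date
    if lastchg == "0":
        return "password change required"    # forced change at next login
    if lastchg and maxage:
        age = today - int(lastchg)
        if age > int(maxage):
            # Past max age: a change is demanded; past max + inactive: refused.
            if inactive and age > int(maxage) + int(inactive):
                return "password expired"
            return "password change required"
    shell = passwd_line.split(":")[6]
    if shell.endswith("/nologin") or shell == "/bin/false":
        return "no login shell"              # the NOTE above: login ends here
    return "shell started: " + shell
```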

    Files used by the login program

    This file is used to prevent users from logging into the system.
    Controls the terminals that the root user can login on
    When this file exists in the user's home directory, it will prevent check for mail, printing of the last login time, and the message of the day when the user logs in.
    Contains information about the last time a login was done on the system.
    Contains information about the user including the ID, name, home directory, and the path to the preferred shell program.

    I would appreciate your feedback in case I missed something; if you would like to update my content, do notify me through the comment box below.
