How a successful or failed login process works in Linux

In this article I will try to explain the events that happen in the background after your Linux machine boots up and you attempt to log in on the console.

 
In my last article, Step by Step Procedures of Linux Booting Process, I stopped at the point where you get the GUI login screen if the system booted into runlevel 5, or a text login prompt if it booted into runlevel 3.
Let's continue the story of what happens to our hero and heroine after that... 🙂
When the Linux system boots up you get a console similar to the one below:
machine_name login:
This prompt is printed by a program called getty (agetty on most current distributions). The init process (systemd today, through getty@.service) forks a getty for every console it has been told to manage. getty reads the username you type and then execs the login program, which asks for the password. When login gives up after too many wrong passwords it exits, and init forks a fresh getty so the prompt appears again.
NOTE: Fork is a function which creates a new process by duplicating the calling process. The new process, referred to as the child, is an exact duplicate of the calling process, referred to as the parent.
 
In brief, a console login works as per the steps below:

  1. init spawns a getty process on each console, and getty presents the login prompt to the user.
  2. Once the username is provided, getty execs login, which asks for the password and hands both to PAM (/etc/pam.d/login) for validation. If the checks pass, the user is dropped into his or her login shell.
  3. If validation fails, login prints "Login incorrect" and starts over from the username prompt. It is login, not getty, that re-prompts; after the number of attempts allowed by LOGIN_RETRIES in /etc/login.defs (3 by default) login exits, and init forks a new getty for that console.
  4. The number of failures a user may accumulate before being locked out, and the pause after each failure, are defined in the PAM configuration (pam_faillock, or pam_tally2 on older releases) and in /etc/login.defs (FAIL_DELAY).
  5. Once the maximum number of failures is reached, PAM refuses that user for the configured unlock_time even if the correct password is typed. The prompt itself keeps coming back, but authentication for that user fails until the timeout expires, after which the cycle starts again from Step 1.

 
The steps above describe only the processes involved and what each of them does. A lot more happens in the background, so let's go through those details as well.
The login process can be summarized in the stages below.
 

Login Prompt

Getty Process
As soon as you reach the console you get the login prompt, which is presented by the getty process as explained above. Here you enter the username of the account you want to log in to.
Files checked
Once you enter the username, getty execs the login program, and a few files are consulted with respect to the name provided; they determine the next course of action. On current distributions these checks are done by the PAM modules listed in /etc/pam.d/login (pam_securetty and pam_nologin, plus pam_access where it is enabled), but the effect is the same.

Filename Description
/etc/nologin If this file exists and the user is not root, its contents are printed to the screen and the login is terminated (pam_nologin on PAM-based systems).
/etc/usertty Legacy file of the old, pre-PAM login program: if it holds access restrictions for the user logging in (allowed terminals, hosts or times), they must be met or the login is denied and the attempt is logged via syslog. Current distributions enforce the same kind of restriction with pam_securetty (root only) and, where enabled, pam_access with /etc/security/access.conf.
/etc/issue Any content stored in this file is printed by getty above the login prompt, before you even type the username. It is the pre-login message and identification file; the password prompt itself carries no banner.

If these checks pass, login asks for the password.
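The checks in the table above, as an added example (not code from the original article or from the login program or PAM). It recreates the pam_nologin and pam_securetty decisions against files in a temporary directory so it can be run without touching /etc; the file contents, the user names, the function name pre_password_check and the directory layout are assumptions made for the demonstration:

```shell
#!/bin/sh
# Added example (not from the original article or from the login program):
# the pre-password checks that pam_nologin and pam_securetty perform,
# run against files in a temporary directory instead of /etc.

CHECK_DIR=$(mktemp -d)
trap 'rm -rf "$CHECK_DIR"' EXIT

# Constructed stand-ins for /etc/nologin and /etc/securetty
printf 'System down for maintenance until 18:00\n' > "$CHECK_DIR/nologin"
printf 'console\ntty1\n' > "$CHECK_DIR/securetty"

# pre_password_check USER TTY DIR: prints "allow" or "deny: <reason>"
pre_password_check() {
    user=$1 tty=$2 dir=$3
    # pam_nologin: when the nologin file exists only root gets a password
    # prompt; everyone else is shown the file's text and dropped
    if [ -f "$dir/nologin" ] && [ "$user" != root ]; then
        echo "deny: $(cat "$dir/nologin")"
        return
    fi
    # pam_securetty: root may only log in on terminals listed in securetty;
    # "-x" matches whole lines, so "tty1" does not also admit "tty10"
    if [ "$user" = root ] && [ -f "$dir/securetty" ] \
       && ! grep -qx "$tty" "$dir/securetty"; then
        echo "deny: root login not permitted on $tty"
        return
    fi
    echo allow
}

# Stand-alone run over a few user/terminal combinations
for pair in root:tty1 root:pts/0 deepak:tty1; do
    printf '%-12s %s\n' "$pair" \
        "$(pre_password_check "${pair%%:*}" "${pair#*:}" "$CHECK_DIR")"
done
# Remove the nologin file and the ordinary user gets through again
rm -f "$CHECK_DIR/nologin"
printf '%-12s %s\n' deepak:tty1 "$(pre_password_check deepak tty1 "$CHECK_DIR")"
```

Note the order: the nologin check runs first, so during maintenance a non-root user never even reaches the securetty question, while root on a terminal not in securetty is refused regardless of the password it would have typed.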
 

Password Prompt

Next you get the prompt shown below, where you type the password for your username (the input is hidden as you type).
Password:
But how does the system verify whether the password provided is correct?
If you recall, two files store information about each user: /etc/passwd holds the account details and nowadays only an "x" in its password field, while /etc/shadow (readable by root only) holds the salted password hash together with the password aging fields. The login program, via PAM's pam_unix module, looks up the username in both files, runs the typed password through the same hashing function (crypt) with the salt stored in /etc/shadow, and compares the result with the stored hash. The plaintext password is never stored anywhere.
From here there are two possibilities, the password being correct or incorrect, so we will look at both scenarios.
Password Incorrect

  • If the password provided is incorrect, login prints "Login incorrect" and prompts again, starting with the username. It is login, not getty, that re-prompts; getty is only respawned by init after login exits.
  • This continues until you reach the maximum number of failed attempts allowed by the PAM configuration in the files below (pam_faillock, or pam_tally2 on older releases). Every failure is reported by pam_unix to the syslog auth facility (/var/log/secure or /var/log/auth.log, or the journal) as an "authentication failure" line.

/etc/pam.d/login
/etc/pam.d/system-auth
/etc/pam.d/sshd (if logging in through ssh)

  • Once the maximum number of failed attempts is reached, the account is locked for the timeout value (unlock_time) defined on the same pam_faillock or pam_tally2 line in /etc/pam.d/system-auth. Independently of that, /etc/login.defs adds a FAIL_DELAY pause after each failure and a LOGIN_RETRIES limit after which login itself exits.
  • During this period no attempt for that user succeeds, even with the right password. Once the timeout has passed you get the login prompt again and have to give your username.
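The lockout accounting described above, as an added example (not code from the original article or from pam_faillock): it reads deny= and unlock_time= from a constructed pam_faillock line, counts the "authentication failure" lines that pam_unix writes to syslog for each user, and reports which users have hit the limit. The PAM line, the log lines, the user names and the function names are all constructed for this demonstration; on a real host pam_faillock keeps its counters under /var/run/faillock and faillock --user shows them.

```shell
#!/bin/sh
# Added example (not from the original article or from pam_faillock):
# reproduce the per-user failure accounting behind a lockout, using a
# constructed PAM line and constructed syslog lines.

# Constructed line as it would appear in /etc/pam.d/system-auth
PAM_LINE='auth        required      pam_faillock.so preauth silent deny=3 unlock_time=600'

# Constructed lines in the format pam_unix logs on a wrong password
# (tty1/tty2 are console logins, "tty=ssh" is an ssh login)
LOG='Mar  3 10:00:01 host login[1201]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=deepak
Mar  3 10:00:09 host login[1201]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=deepak
Mar  3 10:00:20 host login[1201]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=deepak
Mar  3 10:01:02 host login[1230]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty2 ruser= rhost=  user=alice
Mar  3 10:02:15 host sshd[1300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=bob'

# pam_opt NAME PAM_LINE: print the value of a key=value module option
pam_opt() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p"
}

# fail_count USER LOG: number of authentication failures logged for USER
fail_count() {
    # "|| true" keeps a zero count from aborting under set -e
    # (grep -c prints 0 but exits 1 when nothing matches)
    printf '%s\n' "$2" | grep -c "authentication failure.* user=$1\$" || true
}

# lock_state USER LOG PAM_LINE: "locked" once failures reach deny=, else "ok"
lock_state() {
    deny=$(pam_opt deny "$3")
    n=$(fail_count "$1" "$2")
    if [ "$n" -ge "$deny" ]; then echo locked; else echo ok; fi
}

# Stand-alone run: one summary line per user seen in the log
for u in $(printf '%s\n' "$LOG" | sed -n 's/.* user=\([^ ]*\)$/\1/p' | sort -u); do
    printf '%-8s failures=%s state=%s (unlock_time=%ss)\n' "$u" \
        "$(fail_count "$u" "$LOG")" "$(lock_state "$u" "$LOG" "$PAM_LINE")" \
        "$(pam_opt unlock_time "$PAM_LINE")"
done
```

Two things the example makes visible that the prose does not: the counter is per user, not per terminal, so console and ssh failures for the same account add up; and the anchored " user=NAME$" match matters, because a loose grep for "user=bob" would also count "user=bobby".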

Password Correct

  • The password provided is verified against the salted hash stored in /etc/shadow; the hash is never decrypted, the typed password is hashed and the two results are compared.
  • The password aging fields of the same /etc/shadow entry are then checked in PAM's "account" phase (pam_unix): whether the account has expired, whether the password has expired or must be changed at this login, and whether it has been locked by putting a "!" in front of the hash (what passwd -l does), which simply makes the hash comparison fail. /etc/passwd holds no aging information.
  • If the password and all the other required parameters are correct, the login program reads the remaining details of the user's profile from /etc/passwd (UID, GID, home directory and login shell) and sets up the session.
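The aging and lock checks from the second bullet, as an added example (not code from the original article or from pam_unix). The function shadow_state follows the order in which pam_unix's account check evaluates the /etc/shadow fields (account expiry first, then a forced change, then the inactivity grace period, then password expiry) and is a reference model, not the module's code; the lock marker is handled up front because on a real system it just makes the hash comparison fail. The sample entries, the user names and the "today" value of 19800 days since the epoch are constructed for the demonstration, and the hash comparison itself is not reproduced.

```shell
#!/bin/sh
# Added example (not from the original article or from pam_unix): decide
# what the account phase would say about a user from the /etc/shadow
# fields.  Sample entries and "today" are constructed for the demo.

# Constructed /etc/shadow entries.  Fields:
#   name:hash:lastchg:min:max:warn:inact:expire:reserved
# Day counts are days since 1970-01-01, as in the real file.
SHADOW='deepak:$6$saltsalt$hashhash:19700:0:99999:7:::
alice:!$6$saltsalt$hashhash:19700:0:99999:7:::
bob:$6$saltsalt$hashhash:19000:0:90:7:::
carol:$6$saltsalt$hashhash:19000:0:90:7:30::
dave:$6$saltsalt$hashhash:19700:0:99999:7::19500:
eve:$6$saltsalt$hashhash:0:0:99999:7:::'

# On a live system "today" is $(( $(date +%s) / 86400 )); fixed here so
# the result is reproducible.  19800 is roughly March 2024.
TODAY=19800

# shadow_state USER TODAY SHADOW_TEXT
# prints one of: unknown locked expired must-change inactive ok
shadow_state() {
    line=$(printf '%s\n' "$3" | grep "^$1:") || { echo unknown; return; }
    # IFS=: keeps empty fields as empty strings
    IFS=: read -r name hash lastchg min max warn inact expire reserved <<EOF
$line
EOF
    # "!" (passwd -l) or "*" in front of the hash: crypt() can never
    # produce it, so authentication fails before aging is even looked at
    case $hash in
        '!'*|'*'*) echo locked; return ;;
    esac
    # account expiry date (chage -E) has passed
    if [ -n "$expire" ] && [ "$2" -ge "$expire" ]; then echo expired; return; fi
    # lastchg 0 (chage -d 0) forces a password change at this login
    if [ -n "$lastchg" ] && [ "$lastchg" -eq 0 ]; then echo must-change; return; fi
    # password expired AND the inactivity grace period is over: disabled
    if [ -n "$lastchg" ] && [ -n "$max" ] && [ -n "$inact" ] \
       && [ "$2" -ge $((lastchg + max + inact)) ]; then echo inactive; return; fi
    # password older than max days: must be changed now
    if [ -n "$lastchg" ] && [ -n "$max" ] \
       && [ "$2" -ge $((lastchg + max)) ]; then echo must-change; return; fi
    echo ok
}

# Stand-alone run: report every constructed user
for u in deepak alice bob carol dave eve; do
    printf '%-8s %s\n' "$u" "$(shadow_state "$u" "$TODAY" "$SHADOW")"
done
```

The distinction between must-change and inactive is the one worth remembering: a user whose password merely expired is still let in and forced to pick a new one, while a user whose inactivity period has also run out is refused outright and needs an administrator.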

At this point the login program performs the tasks below:

  • Switching to the user's UID and GID (and supplementary groups), so that from here on nothing runs as root any more.
  • Setting the HOME, PATH, SHELL, TERM, MAIL, LOGNAME and USER environment variables.
  • Starting the user's shell, which is the program named in the last field of the user's /etc/passwd entry. The user's own environment, e.g. ~/.bash_profile for /bin/bash, is read by that shell once it starts, not by login.

 
NOTE: If the user's shell in /etc/passwd is /sbin/nologin or another program that refuses interactive use, login still goes through the steps below and records the session in lastlog, utmp and wtmp, but the "shell" only prints its refusal message and exits, so the user never gets a prompt. To block the account before the password is even checked, lock it with passwd -l or usermod -L instead.

  • If the file ~/.hushlogin exists in the user's home directory, a "quiet" login is performed: the mail check, the printing of the last login time and the message of the day are skipped.
  • Otherwise, if /var/log/lastlog exists, the time and terminal of the user's previous login are printed and the current login is recorded in that file. That line is worth a glance every time: a last login from a host or at a time you do not recognise is the cheapest intrusion indicator you will ever get.
  • Next, any content you have added to /etc/motd is echoed to the screen, after which the shell is started in the directory named by the user's HOME variable.
  • Another function that login performs is updating the user accounting files /var/run/utmp and /var/log/wtmp. utmp lists who is logged in right now (it is what who and w read), while wtmp keeps the history of logins and logouts (what last reads); failed attempts go to /var/log/btmp when that file exists (lastb).

 
Files used by the login program

Filename Description
/etc/nologin When this file exists it prevents everyone except root from logging into the system; its text is shown to the user instead of a password prompt.
/etc/securetty Lists the terminals (one per line, e.g. console, tty1) from which root is allowed to log in; enforced by pam_securetty, root is refused everywhere else.
~/.hushlogin When this file exists in the user's home directory, the mail check, the last login time and the message of the day are skipped when the user logs in.
/var/log/lastlog Contains the time, terminal and host of each user's most recent login; read it with the lastlog command.
/etc/passwd Contains the account information: user name, UID, GID, home directory and the path to the login shell. The password hashes and aging fields live in /etc/shadow.

I would appreciate your feedback in case I missed something, or if you would like to update my content; do notify me through the comment box below.
 
Related Articles:
How to prevent a command from getting stored in history in Linux
How to check the lock status of any user account in Linux
How to track all the successful and failed login attempts by users in Linux
How to check last login time for users in Linux