I was looking through my sshd_config file and I found this:
#Uselogin no
I know it's commented but there is no explanation above it and when I google it, I get this:
Don't use the traditional login(1) service to log in users. Because we are using privilege separation, as soon as the user logs in the login(1) service is disabled.
OR
Specifies whether login(1) is used for interactive login sessions. The default is "no". Note that login(1) is never used for remote command execution. Note also, that if this is enabled, X11Forwarding will be disabled because login(1) does not know how to handle xauth(1) cookies. If UsePrivilegeSeparation is specified, it will be disabled after authentication.
As far as I understand, "no" prevents ssh from using "traditional login", but I can't find anything about "traditional" login.
Could someone explain what it does?
Best Answer
OK, we need some history here. Back in the days when the primary way to access a UNIX box was a terminal and a serial line, there were four programs involved in logging in. They were init, getty, login, and a shell. init started getty and kept it running. getty opened a serial port (and maybe did modem-specific stuff), and then displayed the login prompt and waited for a user name to be entered. When a user name was entered, getty ran login with the username, and login would then prompt for the password, do account stuff, then run the shell, at which point you were able to use the system. This is still used in data centers, virtual machines and many other places.
Next came telnet. Telnet did not use a serial port, so things changed a little. init would, in addition to getty, also start telnetd (or inetd, which would start telnetd). telnetd would get the username and then run login, and everything would run pretty much the same from there.
Now along comes secure shell. Secure shell allows you to log in without a password (using a key or maybe, depending on version, GSS), so there were a couple of ways to do things: you could do things exactly like telnet and not use the nice features, or you can let sshd handle the login and start the shell, which allows you to do all sorts of cool things. Unless you have a custom version of login, I recommend that you let sshd handle the logins. (And if you have PAM, there are not many reasons to make a custom login anymore.)
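To check what a given sshd_config actually does with this directive, the following added example (not part of the original answer and not OpenSSH code) reads the global section of a config and reports whether sshd or login(1) starts interactive sessions, and whether X11Forwarding survives. The function names and both sample configs are constructed for illustration; it assumes the sshd_config(5) rules that keywords are case-insensitive and the first obtained value wins, and it only looks at lines before the first Match block.

```python
DEFAULTS = {"uselogin": "no", "x11forwarding": "no"}  # built-in defaults per sshd_config(5)

# Constructed sample 1: the commented-out line from the question.
SAMPLE_COMMENTED = """\
Port 22
#Uselogin no
X11Forwarding yes
"""

# Constructed sample 2: directive active; the later duplicate must be ignored.
SAMPLE_ENABLED = """\
uselogin yes
X11Forwarding yes
UseLogin no
Match User alice
    X11Forwarding no
"""

def global_settings(text):
    """Return {keyword_lowercase: value} for active lines before any Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented line sets nothing, so the default applies
        fields = line.split(None, 1)
        keyword = fields[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # Match blocks are conditional; only the global part is audited
        value = fields[1].strip() if len(fields) > 1 else ""
        settings.setdefault(keyword, value)  # first obtained value wins
    return settings

def audit_uselogin(text):
    """Summarise who starts interactive sessions and whether X11 forwarding survives."""
    explicit = global_settings(text)
    uselogin = explicit.get("uselogin", DEFAULTS["uselogin"]).lower()
    x11 = explicit.get("x11forwarding", DEFAULTS["x11forwarding"]).lower()
    return {
        "uselogin": uselogin,
        "explicit": "uselogin" in explicit,
        "session_started_by": "login(1)" if uselogin == "yes" else "sshd",
        # Per the manual text quoted in the question: UseLogin disables X11Forwarding.
        "x11forwarding_effective": "yes" if x11 == "yes" and uselogin != "yes" else "no",
    }

if __name__ == "__main__":
    print(audit_uselogin(SAMPLE_COMMENTED), audit_uselogin(SAMPLE_ENABLED), sep="\n")
```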