What login does

The login  program takes care of authenticating the user (making sure that the username and password match), and of setting up an initial environment for the user by setting permissions for the serial line and starting the shell.

Part of the initial setup is outputting the contents of the file /etc/motd  (short for message of the day) and checking for electronic mail. These can be disabled by creating a file called .hushlogin  in the user's home directory.

If the file /etc/nologin  exists, logins are disabled. That file is typically created by shutdown  and relatives. login  checks for this file, and will refuse to accept a login if it exists. If it does exist, login  outputs its contents to the terminal before it quits.

login  logs all failed login attempts in a system log file (via syslog ). It also logs all logins by root. Both of these can be useful when tracking down intruders.

Currently logged in people are listed in /var/run/utmp . This file is valid only until the system is next rebooted or shut down; it is cleared when the system is booted. It lists each user and the terminal (or network connection) he is using, along with some other useful information. The who , w , and other similar commands look in utmp  to see who are logged in.

All successful logins are recorded into /var/log/wtmp . This file will grow without limit, so it must be cleaned regularly, for example by having a weekly cron  job to clear it. The last  command browses wtmp .

Both utmp  and wtmp  are in a binary format (see the utmp  manual page); it is unfortunately not convenient to examine them without special programs.