  1. #1
    Just Joined!
    Join Date
    Sep 2012
    Posts
    2

    "console" in /etc/securetty


    Hi,

    I'm trying to lock down the securetty file. So far I've gathered that I'll leave a couple of "tty" devices enabled, and comment out/delete everything else. However, our sysadmin expressed concern about commenting out "console", because then how could one log on as root from the real terminal (KVM)?

    I remember reading somewhere that the /etc/securetty file is read by the corresponding PAM module when a user logs on. However, I can't remember if that specific PAM module is invoked when a user logs on using a KVM.

    What would be the actual result of me commenting out "console" in the securetty file?

    Thanks in advance,
    Pedro

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,307
    I believe your sysadmin is on the money. Read up on securetty in the login man page.

    Code:
    man login
    If you lock out root, just be sure that there is a local account available for you or your sysadmin to log in with, so that you can then su to root if you need to. Otherwise, you'll be booting with a Linux Live CD...

  3. #3
    Just Joined!
    Join Date
    Sep 2012
    Posts
    2
    Thanks for pointing out the man page -- when I took a look at it, I saw that it referred to "tty" in the securetty config file, not "console". I went ahead and logged in via ssh from my workstation so I could keep a session open (in case I broke something). I then went to the actual machine and logged in as root, commented out "console" and tested whether I could log out and log back in, with success! I even rebooted the machine just in case something needed to restart, and was again able to log in successfully. So, I guess login only cares about the "tty" entries. It still makes me wonder what the "console" entry is really for, and what gets affected by commenting it out.

    Thanks again!
    Pedro

  4. #4
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,307
    Then I'd guess that console refers to an actual console port, a physical port that you would plug a terminal into - from back in the olden days. You probably need to remove the vc/N and/or ttyN entries in /etc/securetty to lock out root.

  5. #5
    Just Joined!
    Join Date
    Sep 2012
    Posts
    5
    /etc/securetty can be used to prohibit root login on a particular console. To prohibit root user login on console 2, comment out tty2 instead of vc/2.
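
An added example, not part of any post in this thread: a small shell audit of a securetty-style file, showing that "console", ttyN and vc/N are separate entries, so commenting out one leaves the others active. The sample file is constructed, the function names are hypothetical, and the assumed format is one terminal name per line (no /dev/ prefix) with a leading '#' commenting the line out.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed file format: one terminal name
# per line, no /dev/ prefix, a leading '#' comments the line out.

# Print the active (uncommented, non-blank) entries of a securetty-style file.
securetty_entries() {
    grep -v -e '^#' -e '^[[:space:]]*$' "$1" || true
}

# Exit 0 if terminal $2 is listed in file $1, 1 if not, 2 if unreadable.
securetty_allows() {
    [ -r "$1" ] || return 2
    name=${2#/dev/}                     # accept /dev/tty2 as well as tty2
    securetty_entries "$1" | grep -Fxq -- "$name"   # whole-line, literal match
}

# Print one verdict line per terminal name given after the file.
securetty_report() {
    file=$1; shift
    for t in "$@"; do
        if securetty_allows "$file" "$t"; then
            echo "$t: root login permitted"
        else
            echo "$t: root login refused"
        fi
    done
}

# Constructed sample: "console" and tty2 commented out, as in the thread.
write_sample() {
    cat > "$1" <<'EOF'
#console
vc/1
vc/2
tty1
#tty2
EOF
}

sample=$(mktemp)
write_sample "$sample"
securetty_report "$sample" console tty1 /dev/tty2 vc/2
rm -f "$sample"
```

Run it against a copy of the real file before and after editing, and keep a second session open while testing, as the original poster did.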
