  1. #1

    "console" in /etc/securetty


    I'm trying to lock down the securetty file. So far I've gathered that I'll leave a couple of "tty" devices enabled, and comment out/delete everything else. However, our sysadmin expressed concern about commenting out "console", because then how could one log on as root from the real terminal (KVM)?

    I remember reading somewhere that the /etc/securetty file is read by the corresponding PAM module when a user logs on. However, I can't remember if that specific PAM module is invoked when a user logs in using a KVM.

    What would be the actual result of me commenting out "console" in the securetty file?

    Thanks in advance,

  2. #2
    I believe your sysadmin is on the money. Read up on securetty in the login man page.

    man login
    If you lock out root, just be sure that there is a local account available for you or your sysadmin to log in with, so that you can then su to root if you need. Otherwise, you'll be booting w/ a Linux Live CD...

  3. #3
    Thanks for pointing out the man page -- when I took a look at it, I saw that it referred to "tty" in the securetty config file, not "console". I went ahead and logged in via ssh from my workstation so I could keep a session open (in case I broke something). I then went to the actual machine and logged in as root, commented out "console" and tested whether I could log out and log back in, with success! I even rebooted the machine just in case something needed to restart, and was again able to log in successfully. So, I guess login only cares about the "tty" entries. It still makes me wonder what the "console" entry is really for, and what gets affected by commenting it out.

    Thanks again!

  5. #4
    Then I'd guess that console refers to an actual console port, a physical port that you would plug a terminal into - from back in the olden days. You probably need to remove the vc/N and/or ttyN entries in /etc/securetty to lock out root.

  6. #5
    /etc/securetty can be used to prohibit the root login in a particular console. To prohibit root user login in console 2, comment out tty2 instead of vc/2.
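
A small audit helper for the question this thread circles around (which entries in /etc/securetty are still active after commenting lines out, and whether a given terminal is among them), added here as an example and not posted by any participant. It assumes an entry matches when it equals the terminal name with a leading `/dev/` removed; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a securetty-style file.
# Assumption: an entry matches when it equals the terminal name with any
# leading "/dev/" removed; "#" comment lines and blank lines never match.

# securetty_lists FILE TTY -> exit 0 if TTY is an active entry in FILE,
# 1 if it is not listed, 2 if FILE cannot be read.
securetty_lists() {
    file=$1
    tty=${2#/dev/}
    [ -r "$file" ] || return 2
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim leading/trailing whitespace (also catches stray CRs).
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            ''|'#'*) continue ;;
        esac
        if [ "$line" = "$tty" ]; then
            return 0
        fi
    done < "$file"
    return 1
}

# active_entries FILE -> print the uncommented entries, one per line.
active_entries() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' -e '/^#/d' "$1"
}

# Constructed sample: "console" and "tty2" commented out, as in the thread.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# console
vc/1
#tty2
tty1
tty3
EOF

for t in console /dev/tty1 tty2 vc/2 tty3; do
    if securetty_lists "$sample" "$t"; then
        echo "$t: listed"
    else
        echo "$t: not listed"
    fi
done
```

To audit a real system, point both functions at /etc/securetty and pass the output of `tty` from the terminal you are sitting at.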
