"console" in /etc/securetty
I'm trying to lock down the securetty file. So far I've gathered that I'll leave a couple of "tty" devices enabled, and comment out/delete everything else. However, our sysadmin expressed concern about commenting out "console", because then how could one log on as root from the real terminal (KVM)?
I remember reading somewhere that the /etc/securetty file is read by the corresponding PAM module when a user logs on. However, I can't remember if that specific PAM module is invoked when a user logs using a KVM.
What would be the actual result of me commenting out "console" in the securetty file?
Thanks in advance,