"console" in /etc/securetty

pedro- · 09-18-2012, 12:52 PM

Hi,

I'm trying to lock down the securetty file. So far I've gathered that I'll leave a couple of "tty" devices enabled, and comment out/delete everything else. However, our sysadmin expressed concern about commenting out "console", because then how could one log on as root from the real terminal (KVM)?

I remember reading somewhere that the /etc/securetty file is read by the corresponding PAM module when a user logs on. However, I can't remember if that specific PAM module is invoked when a user logs using a KVM.

What would be the actual result of me commenting out "console" in the securetty file?

Thanks in advance,
Pedro

unSpawn · 09-19-2012, 08:38 AM

There's nothing like empirically testing things so:
- the PAM securetty has a "debug" switch. Maybe using it shows which TTY device is accessed when logging in over KVM, or
- just log in over KVM and then check which TTY device is used, or
- unset console anyway, try logging in over KVM and use a timer to reset 10 minutes afterwards:

Code:

sed -i 's|^console|#\0|' /etc/securetty
/sbin/service atd restart && echo "sed -i 's|^#console$|console|' /etc/securetty"|/usr/bin/at now + 10 minutes

pedro- · 09-20-2012, 09:46 AM

I went ahead and tested, and was able to comment out "console" and log in as root. So now my securetty file only has tty0-6. I still wonder what commenting out "console" does to the system - like, what process actually looks for "console" to be present in that file. I just hope I didn't break anything with the change!

Thanks,
Pedro

Reuti · 09-21-2012, 03:39 AM

In openSUSE there are just 6 tty entries in this file. man 4 console shows some explanations.