"console" in /etc/securetty
Hi,
I'm trying to lock down the securetty file. So far I've gathered that I'll leave a couple of "tty" devices enabled, and comment out/delete everything else. However, our sysadmin expressed concern about commenting out "console", because then how could one log on as root from the real terminal (KVM)?

I remember reading somewhere that the /etc/securetty file is read by the corresponding PAM module when a user logs on. However, I can't remember if that specific PAM module is invoked when a user logs on using a KVM. What would be the actual result of me commenting out "console" in the securetty file?

Thanks in advance,
Pedro
There's nothing like empirically testing things so:
- the PAM securetty has a "debug" switch. Maybe using it shows which TTY device is accessed when logging in over KVM, or
- just log in over KVM and then check which TTY device is used, or
- unset console anyway, try logging in over KVM and use a timer to reset 10 minutes afterwards:

Code:
sed -i 's|^console|#\0|' /etc/securetty
I went ahead and tested, and was able to comment out "console" and log in as root. So now my securetty file only has tty0-6. I still wonder what commenting out "console" does to the system - like, what process actually looks for "console" to be present in that file. I just hope I didn't break anything with the change!
Thanks,
Pedro
In openSUSE there are just 6 tty entries in this file. man 4 console shows some explanations.
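An added example, not part of any post in this thread: a way to rehearse the edit discussed above on a scratch copy and confirm which entries are still active before touching the real /etc/securetty. The function names and the sample file contents are constructed for illustration; it assumes the usual securetty format of one device name per line without the /dev/ prefix, with # starting a comment.

```shell
# Constructed sample: a scratch file standing in for /etc/securetty.
make_sample() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# sample securetty' console tty1 tty2 '#ttyS0' > "$tmp"
    printf '%s\n' "$tmp"
}

# securetty_lists FILE TTY
# Exit 0 if TTY is an active (uncommented) entry in FILE.
# Accepts the output of `tty` (/dev/tty1) as well as the bare name (tty1).
securetty_lists() {
    file=$1
    tty=${2#/dev/}
    [ -n "$tty" ] || return 1   # an empty name must never match a blank line
    # Strip comments and surrounding whitespace, then require an exact match
    # so that "tty1" does not match "tty10".
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" |
        grep -Fxq -- "$tty"
}

# comment_out_entry FILE ENTRY
# Same idea as the sed one-liner in the thread, but anchored to the whole
# line and keeping FILE.bak so the change can be rolled back.
# ENTRY is assumed to be a plain device name (no regex or '|' characters).
comment_out_entry() {
    cp -p -- "$1" "$1.bak" || return 1
    sed "s|^$2\$|#&|" "$1.bak" > "$1"
}
```

Running `securetty_lists /etc/securetty "$(tty)"` from a root session on the KVM shows whether the device that session is actually on is listed.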