Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 09-18-2012, 12:52 PM   #1
LQ Newbie
Registered: Sep 2012
Posts: 2

Rep: Reputation: Disabled
"console" in /etc/securetty


I'm trying to lock down the securetty file. So far I've gathered that I'll leave a couple of "tty" devices enabled, and comment out/delete everything else. However, our sysadmin expressed concern about commenting out "console", because then how could one log on as root from the real terminal (KVM)?

I remember reading somewhere that the /etc/securetty file is read by the corresponding PAM module when a user logs on. However, I can't remember if that specific PAM module is invoked when a user logs using a KVM.

What would be the actual result of me commenting out "console" in the securetty file?

Thanks in advance,
Old 09-19-2012, 08:38 AM   #2
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
There's nothing like empirically testing things so:
- the PAM securetty has a "debug" switch. Maybe using it shows which TTY device is accessed when logging in over KVM, or
- just log in over KVM and then check which TTY device is used, or
- unset console anyway, try logging in over KVM and use a timer to reset 10 minutes afterwards:
sed -i 's|^console|#\0|' /etc/securetty
/sbin/service atd restart && echo "sed -i 's|^#console$|console|' /etc/securetty"|/usr/bin/at now + 10 minutes
Old 09-20-2012, 09:46 AM   #3
LQ Newbie
Registered: Sep 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
I went ahead and tested, and was able to comment out "console" and log in as root. So now my securetty file only has tty0-6. I still wonder what commenting out "console" does to the system - like, what process actually looks for "console" to be present in that file. I just hope I didn't break anything with the change!

Old 09-21-2012, 03:39 AM   #4
Senior Member
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.0
Posts: 1,336

Rep: Reputation: 255Reputation: 255Reputation: 255
In openSUSE there are just 6 tty entries in this file. man 4 console shows some explanations.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
unpredictable "delete" "move to trash" or "cut" file menu option dorianrenato Linux - General 3 11-28-2011 06:41 PM
No more utf-8 console when using "su", but "su -" works. Linux.tar.gz Linux - Software 3 08-18-2011 07:21 AM
"s" "d" and "f" don't type in console krose Linux - General 11 05-30-2008 11:42 PM
Standard commands give "-bash: open: command not found" even in "su -" and "su root" mibo12 Linux - General 4 11-11-2007 10:18 PM
LXer: Displaying "MyComputer", "Trash", "Network Servers" Icons On A GNOME Desktop LXer Syndicated Linux News 0 04-02-2007 08:31 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:47 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration