LinuxQuestions.org - /etc/securetty --> I commented out all lines and I can still log in as root

- Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)

- - /etc/securetty --> I commented out all lines and I can still log in as root (https://www.linuxquestions.org/questions/linux-security-4/etc-securetty-i-commented-out-all-lines-and-i-can-still-log-in-as-root-10316/)

/etc/securetty --> I commented out all lines and I can still log in as root

I dont want root to be able to login. He can su in but not directly login. I commented out all entries in /etc/securetty and i can still directly ssh into my server

Any ideas why?

Adam

If you mean you can ssh into your box as root, then add the directive
"PermitRootLogin no" to /etc/ssh/sshd_conf
If this doesnt work, check your syslogs for errormessages and post some.

Which distribution do you have. Linux uses Pluggable Authentication Modules to control that sort of thing. Its possible that if the policy is set to allow root login that the securetty file isn't referenced. But I'm just guessing.

Here are the first two lines of my /etc/pam.d/login file:

Code:

#%PAM-1.0

auth      required    pam_securetty.so

Your distribution probably has a place to change the root login policy, which will save you from having to setup the /etc/pam.d/ entries yourself. In Mandrake Linux you go to MCC -> Security -> Levels and Checks -> System Options Tab. There you can disallow remote root login, or even direct root login.

I'm sure your distro has a similar tool.

Not allowing root log-in is a good idea if there is more then one person with root access. Then when ever something is done as root, you can tell from the logs which root-user made the change by checking who su-ed to root , and you know who to ask if you have any questions.