Effect of entries in /etc/securetty
/etc/securetty is consulted by the pam_securetty module to decide from which virtual terminals (tty*) root is allowed to log in.

In the past, /etc/securetty was consulted by programs like login directly, but now PAM handles that. So changes to /etc/securetty will affect anything using PAM with a configuration file that uses pam_securetty.so. So, only the login program is affected by default.

/etc/pam.d/login is used for local logins and /etc/pam.d/remote is used for remote logins (like telnet).
The primary entry types and their effects are as follows:
- If /etc/securetty doesn't exist, root is allowed to log in from any tty.
- If /etc/securetty exists and is empty, root access will be restricted to single user mode or programs that are not restricted by pam_securetty (i.e. su, sudo, ssh, scp, sftp).
- If you are using devfs (a deprecated filesystem for handling /dev), adding entries of the form vc/[0-9]* will permit root login from the given virtual console number.
- If you are using udev (for dynamic device management and a replacement for devfs), adding entries of the form tty[0-9]* will permit root login from the given virtual console number.
- Listing console in /etc/securetty normally has no effect since /dev/console points to the current console and is normally only used as the tty filename in single user mode, which is unaffected by /etc/securetty.
- Adding entries like pts/[0-9]* will allow programs that use pseudo-terminals (pty) and pam_securetty to log in as root, assuming the allocated pty is one of the ones listed; it's normally a good idea not to include these entries because it's a security risk; it would allow, for instance, someone to log in as root via telnet, which sends passwords in plaintext (note that pts/[0-9]* is the format for udev, which is used in RHEL 5.5; it will be different if using devfs or some other form of device management).
For single user mode, /etc/securetty is not consulted because sulogin is used instead of login (see the sulogin man page for more info). Also, you can change the login program used in /etc/inittab for each runlevel.
Note that you should not use /etc/securetty to control root logins via ssh. To do that, change the value of PermitRootLogin in /etc/ssh/sshd_config. By default /etc/pam.d/sshd is not configured to consult pam_securetty (and therefore /etc/securetty). You could add a line to do so, but ssh doesn't set the actual tty until sometime after the auth stage, so it doesn't work as expected. During the auth and account stages - at least for openssh - the tty (PAM_TTY) is hardcoded to ssh.
The above answer is based on RHEL 5.5. Much of it will pertain to current distributions of other *nix systems, but there are differences, some of which I noted, but not all.
I answered this myself because the other answers were incomplete and/or inaccurate. Many other forums, blogs, etc. online have inaccurate and incomplete information on this topic as well, so I've done extensive research and testing to try to get the correct details. If anything I've said is wrong, please let me know though.
Sources:
- http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-sec-network.html#s1-wstation-privileges
- http://www.mathematik.uni-marburg.de/local-doc/centos5/pam-0.99.6.2/html/sag-pam_securetty.html
- http://linux.die.net/man/1/login
- http://www.tldp.org/HOWTO/html_single/Text-Terminal-HOWTO/
- http://www.kernel.org/doc/Documentation/devices.txt
- http://en.wikipedia.org/wiki/Virtual_console
- http://en.wikipedia.org/wiki/Linux_console
- http://www.kernel.org/doc/man-pages/online/pages/man4/console.4.html
- http://www.unix.com/security/8527-restricting-root-login.html
- http://www.redhat.com/mirrors/LDP/HOWTO/Serial-HOWTO-11.html#ss11.3
- http://www.mathematik.uni-marburg.de/local-doc/centos5/udev-095/udev_vs_devfs
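The following is an added example, not code from the answer above or from the pam_securetty project. It emulates the decision rules the answer lays out (file absent: root allowed on any tty; file present but empty: root denied wherever pam_securetty is consulted; otherwise root allowed only if the tty name, minus any /dev/ prefix, appears as a line in the file) and audits which PAM service files under a pam.d directory actually load pam_securetty.so, which is what determines whether /etc/securetty has any effect at all. It runs against constructed files in a temporary directory so it can be tried without touching the real /etc; the function names and the sample entries are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): emulate pam_securetty's
# allow/deny decision for one tty against a securetty-style file, and list
# which PAM service files reference pam_securetty.so.

# securetty_allows FILE TTY -> prints "allow" or "deny"
#   - FILE absent          -> allow (root may log in from any tty)
#   - FILE present, empty  -> deny  (nothing is listed)
#   - otherwise            -> allow only if TTY is listed as a whole line
securetty_allows() {
    file="$1"
    tty="${2#/dev/}"     # pam_securetty compares names without the /dev/ prefix
    if [ ! -e "$file" ]; then
        echo allow
        return 0
    fi
    # Exact, fixed-string, whole-line match; comment lines are ignored.
    if grep -v '^[[:space:]]*#' "$file" | grep -qxF -- "$tty"; then
        echo allow
    else
        echo deny
    fi
}

# pam_securetty_services DIR -> prints the PAM service names (file basenames)
# under DIR whose non-comment lines load pam_securetty.so
pam_securetty_services() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" | grep -q 'pam_securetty\.so'; then
            basename "$f"
        fi
    done
}

# --- constructed demo data (not a real system's files) ---
demo=$(mktemp -d)
mkdir "$demo/pam.d"
printf '%s\n' 'tty1' 'tty2' '# pts/0 deliberately left commented out' > "$demo/securetty"
: > "$demo/securetty.empty"
printf '%s\n' 'auth required pam_securetty.so' 'auth include system-auth' > "$demo/pam.d/login"
printf '%s\n' 'auth include system-auth' > "$demo/pam.d/sshd"

securetty_allows "$demo/securetty" /dev/tty1        # allow: listed
securetty_allows "$demo/securetty" tty3             # deny: not listed
securetty_allows "$demo/securetty" pts/0            # deny: only present as a comment
securetty_allows "$demo/securetty.empty" tty1       # deny: file exists but is empty
securetty_allows "$demo/nonexistent" tty1           # allow: file absent
pam_securetty_services "$demo/pam.d"                # login (sshd does not load the module)
rm -rf "$demo"
```

Pointing pam_securetty_services at the real /etc/pam.d shows at a glance which services /etc/securetty governs on a given system; a service that does not appear in that list (sshd in the answer's default configuration) ignores the file entirely, which is why root-over-ssh has to be controlled in sshd_config instead.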
vc/X and ttyX are synonyms: different paths to the same devices. The point of the redundancy is to catch various cases so as not to lock you out.
Traditionally, login (and possibly getty, I can't remember for sure) would check /etc/securetty and deny root logins on unlisted terminals. On modern systems, there are other ways to do this and other security measures too. Check out the contents of /etc/login.defs (which also covers securetty's functionality and is recommended by the securetty(5) manpage), and also /etc/pam.d/login, where you can control the behaviour of this feature.
Since securetty is only checked by login, means of logging in that don't use login (e.g. SSH with use_login=no, X display managers, etc.) aren't affected.