topic Restrict Login of Root on TTY1-6 in Operating System - Linux

Restrict Login of Root on TTY1-6

Francis Ancheta — Tue, 30 Sep 2003 23:57:41 GMT

How dow I restrict loggin of Root to tty1-6? I would like all users to login using an identified ID then use SU as necessary. How do I also disable single user login to my system. I am using RH 9. Thanks in Advance.

Re: Restrict Login of Root on TTY1-6

Stuart Browne — Wed, 01 Oct 2003 00:16:15 GMT

By default, 'root' won't be able to log in directly fron anywhere but the physical TTY.

All other root access is via SU. Now, limiting the users that can 'su' is a job for the Pluggable Authentican Modules (PAM). In particular, the pam_access (see /usr/share/doc/pam-*/txts/README.pam_access for more details).

This module allows you to specifiy a list of users which are allowed access. To enable this access list, you just need to insert a line similar to 'auth require /lib/security/pam_access.so accessfile=/path/to/list/of/names' in '/etc/pam.d/su' (after 'pam_rootok.so')

Re: Restrict Login of Root on TTY1-6

Mark Grant — Wed, 01 Oct 2003 00:16:26 GMT

the file /etc/securetty tells "login" which tty's root can log in on so I guess if you have a /etc/securetty without /dev/tty1 etc in it, then root will not be able to log in on them.

However, I do not think is a particularly good idea though I'm stuggling to think of a good reason why not except I feel you will find yourself in a position that you can not log in at all someday!. Certainly do not do this if you use NIS.

Re: Restrict Login of Root on TTY1-6

Francis Ancheta — Wed, 01 Oct 2003 00:43:07 GMT

Thanks. Securetty did the job. With regards to PAM, I am looking at this option but for the meantime I am using /bin/false as the login shell of those users that I do not want to loggin to the system.

Re: Restrict Login of Root on TTY1-6

Huc_1 — Wed, 01 Oct 2003 05:09:39 GMT

I thing the answer is realy to protect your console/system behind a closed door with a badge reader recording presence and a video recording camera pointed on/to the system console if security is realy a requirement.

I agree taking out the console tty could leave you in a bad spot someday !

You should also protect your grub or lilo with a password as well as the bio setting.

a key/lock to make accessing mb,device,ram,battery could also be part of a realy secure scheme.

I know the above is not all about the sofware protection of your system and sounds paternalistic (it is not), but Your question implide that security is an issue.
keeping track of system change is also a must in a DR (disater recovery) plan I always try to keep the configuration/setup of bios,disk,tape,label,partions,particulare tailoring,etc,etc as well as the backup in an other location also under safe guard.

You (the system admin and management) are the only juge of the level you need and can afford.

So pls look at the above just as a check list that your question triggerd for me.

J-P

Re: Restrict Login of Root on TTY1-6

Francis Ancheta — Wed, 01 Oct 2003 21:37:04 GMT

Thanks. I'll keep that in mind. I have left one tty open for root loggin just incase something goes wrong.

Thanks for the input guys.