As mentioned, securetty is documented in the login man page. However, the man page is not too clear about the tty names. What is missing is the caution: do not use full pathnames, as in: /dev/console.
The reason is that login prefaces each line in /etc/securetty with /dev/ which means a full pathname would look like: /dev//dev/console and this would fail since the name of the console is /dev/console.
What if there are no valid tty names in the file, or perhaps there is nothing in the file? Again, the man page is not clear, but the behavior is: no root logins from *any* device on the system. That includes the console (pretty darn secure, eh?)
Actually, there is a real good reason for this. With a null /etc/securetty file, all root access requires 2 logins and 2 passwords, one set for a normal user and a second set for su. NOTE: always use su -, never su by itself and this goes for all users (ie, su - lp).
Finally, for 11.0 and 11.11, there is an additional level of security rules available which are controlled by (oddly enough) the /etc/default/security file. Read the details in the man page called security (11i) or see the man page at
http://docs.hp.com, search for: /etc/default/security.
Bill Hassell, sysadmin
