
Restrict Login of Root on TTY1-6

 
Francis Ancheta
Frequent Advisor

Restrict Login of Root on TTY1-6

How do I restrict login of root on tty1-6? I would like all users to log in using an identified ID, then use su as necessary. How do I also disable single-user login to my system? I am using RH 9. Thanks in advance.
5 REPLIES
Stuart Browne
Honored Contributor
Solution

Re: Restrict Login of Root on TTY1-6

By default, 'root' won't be able to log in directly from anywhere but the physical TTY.

All other root access is via su. Now, limiting the users that can 'su' is a job for the Pluggable Authentication Modules (PAM). In particular, the pam_access module (see /usr/share/doc/pam-*/txts/README.pam_access for more details).

This module allows you to specify a list of users which are allowed access. To enable this access list, you just need to insert a line similar to 'auth required /lib/security/pam_access.so accessfile=/path/to/list/of/names' in '/etc/pam.d/su' (after 'pam_rootok.so').
One long-haired git at your service...
Mark Grant
Honored Contributor

Re: Restrict Login of Root on TTY1-6

The file /etc/securetty tells "login" which ttys root can log in on, so I guess if you have an /etc/securetty without /dev/tty1 etc. in it, then root will not be able to log in on them.

However, I do not think this is a particularly good idea, though I'm struggling to think of a good reason why not, except I feel you will find yourself in a position where you cannot log in at all someday! Certainly do not do this if you use NIS.
Never precede any demonstration with anything more predictive than "watch this"
Francis Ancheta
Frequent Advisor

Re: Restrict Login of Root on TTY1-6

Thanks. Securetty did the job. With regard to PAM, I am looking at this option, but for the meantime I am using /bin/false as the login shell of those users that I do not want to log in to the system.
Huc_1
Honored Contributor

Re: Restrict Login of Root on TTY1-6

I think the answer is really to protect your console/system behind a closed door with a badge reader recording presence and a video recording camera pointed at the system console, if security is really a requirement.

I agree taking out the console tty could leave you in a bad spot someday!

You should also protect your grub or lilo with a password, as well as the BIOS setting.

A key/lock for accessing the mb, device, RAM, battery could also be part of a really secure scheme.

I know the above is not all about the software protection of your system and sounds paternalistic (it is not), but your question implied that security is an issue.
Keeping track of system changes is also a must in a DR (disaster recovery) plan. I always try to keep the configuration/setup of BIOS, disk, tape, label, partitions, particular tailoring, etc., as well as the backup, in another location also under safeguard.

You (the system admin and management) are the only judge of the level you need and can afford.

So please look at the above just as a checklist that your question triggered for me.

J-P





Smile I will feel the difference
Francis Ancheta
Frequent Advisor

Re: Restrict Login of Root on TTY1-6

Thanks. I'll keep that in mind. I have left one tty open for root login just in case something goes wrong.

Thanks for the input guys.
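
An added example, not part of any post in this thread: a small shell audit for the /etc/securetty approach discussed above, reporting which of tty1-6 still accept root and whether the file would leave root with no terminal at all. It assumes the securetty(5) format (one terminal name per line, no /dev/ prefix); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a securetty-style file.
# Assumed format, per securetty(5): one terminal name per line, without
# the /dev/ prefix. Blank lines and '#' comments are ignored here.

# Print the terminal names listed in file $1, one per line.
root_ttys() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Print the virtual consoles tty1..tty6 on which file $1 still allows
# root, space-separated on one line (empty line if none).
open_consoles() {
    out=""
    for n in 1 2 3 4 5 6; do
        if root_ttys "$1" | grep -qxF "tty$n"; then
            out="$out tty$n"
        fi
    done
    echo "${out# }"
}

# Classify file $1:
#   unrestricted  file missing: root may log in on any terminal
#   locked-out    file exists but lists nothing: root cannot log in on
#                 any terminal that consults the file
#   restricted    file lists at least one terminal
securetty_status() {
    if [ ! -e "$1" ]; then
        echo unrestricted
    elif [ -z "$(root_ttys "$1")" ]; then
        echo locked-out
    else
        echo restricted
    fi
}

# Constructed sample: one console left open for root, the rest removed.
sample=$(mktemp)
printf '%s\n' '# root console access' 'tty1' '#tty2' '' > "$sample"
echo "status: $(securetty_status "$sample")"
echo "root allowed on: $(open_consoles "$sample")"
rm -f "$sample"
```

Point the functions at a copy of the real file before and after editing it; a "locked-out" result means the change should not be deployed without another recovery path.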