Hey all,
raising this one from the crypt
So the security benefit isn't in preventing users from logging in as root
over certain serial lines, it's in preventing users from logging in as root
over *pseudo*ttys.
It is unix museumware from a time when people didn't use ssh and su/sudo
all the time.
I just did a clean install of debian jessie (via debootstrap into a
systemd-nspawn container) and noticed that I could not log in using

    machinectl login <container>

securetty bites us.
The reason it bites is that by default, the container comes up with a
console on pts/0.
I see in securetty there are workarounds for LXC already and adding
pts/0 as a workaround for systemd-nspawn then makes me wonder, is this
not a pseudo tty? And thus, the only argument made in 2012, with systemd
containers will make that last argument fall? As you always need a
pseudo-tty here.
So I also suggest, opt-in vs opt-out on the pam_securetty module so that
'museums' can still enable them if needed.
Olliver
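
The check discussed in the message above, as an added example that is not part of the original mail or of Debian's own tooling: a small shell diagnostic that reports whether pam_securetty would refuse root on a given tty. It models only the securetty listing check, and the file contents and the names tty_listed, securetty_active and root_verdict are constructed for illustration.

```shell
#!/bin/sh
# Added example: would pam_securetty refuse root on a given tty?
# Models only the securetty listing check; all sample files are constructed.

# tty_listed TTY FILE: exit 0 if TTY is an entry in the securetty-style FILE.
tty_listed() {
    # Entries are device names without the /dev/ prefix, one per line.
    awk -v t="${1#/dev/}" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # drop comments, trim
        $0 == t { found = 1 }
        END { exit !found }' "$2"
}

# securetty_active PAMFILE: exit 0 if an uncommented line loads pam_securetty.
securetty_active() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_securetty\.so' "$1"
}

# root_verdict TTY SECURETTY PAMFILE: print "allowed" or "blocked".
root_verdict() {
    if securetty_active "$3" && ! tty_listed "$1" "$2"; then
        echo blocked
    else
        echo allowed
    fi
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

# Constructed securetty: console, a VT, a serial line, LXC entries, no pts/0.
printf '%s\n' '# constructed sample' 'console' 'tty1' 'ttyS0' \
    '# LXC' 'lxc/console' 'lxc/tty1' > "$demo/securetty"
# The workaround from the message: the same list plus pts/0.
{ cat "$demo/securetty"; echo 'pts/0  # systemd-nspawn console'; } \
    > "$demo/securetty.fixed"
# Constructed PAM stacks: module loaded (opt-out) and commented out (opt-in).
echo 'auth requisite pam_securetty.so' > "$demo/login.enabled"
echo '# auth requisite pam_securetty.so' > "$demo/login.disabled"

s="$demo/securetty"; on="$demo/login.enabled"; off="$demo/login.disabled"
echo "pts/0, stock list, module on:  $(root_verdict /dev/pts/0 "$s" "$on")"
echo "pts/0, pts/0 added, module on: $(root_verdict /dev/pts/0 "$s.fixed" "$on")"
echo "pts/0, stock list, module off: $(root_verdict /dev/pts/0 "$s" "$off")"
echo "pts/1, pts/0 added, module on: $(root_verdict /dev/pts/1 "$s.fixed" "$on")"
```

The last line shows why listing pts/0 is only a partial workaround: a root login that lands on any other pseudo-tty is still refused while the module stays in the stack.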