On Sat, Dec 7, 2013 at 9:00 PM, Kay Sievers <k...@vrfy.org> wrote:
> On Sat, Dec 7, 2013 at 7:25 PM, Colin Guthrie <gm...@colin.guthr.ie> wrote:
>> So playing around a bit it seems our default pam config for pam.d/login
>> uses a pam_securetty to only allow root logins via "secure" seats.
>>
>> The file /etc/securetty are tty0-6 and vc/1-6
>>
>> When "booting" with nspawn, the tty is "console" and thus I cannot login
>> as root.
>>
>> Can I ask people here a few questions:
>>
>> 1. Is pam_securetty worth it?
>> 2. If so, is adding "console" to the default /etc/securetty safe?
>> 3. And finally, if we should not add "console", could nspawn do
>> something clever with a temporary file + bind mount to temporarily allow
>> console logins in the /etc/securetty without actually modifying it.
>
> I never really understood what securetty was good for, it is usually
> nothing but annoying. I don't think it makes much sense in a default
> setup.

Agreed – on modern systems, the only place it's useful is to forbid root logins through the old telnetd or rlogind daemons, since they just spawn /sbin/login. (Not that anyone still uses telnetd anymore...) But the tty check also affects kmscon or systemd-consoled, as they also use pts/* terminals, so pam_securetty is going to really become more harmful than useful. (And even for old crap like telnetd, ensuring empty rhost with pam_succeed_if.so would work just as well, if not better.)

-- 
Mantas Mikulėnas <graw...@gmail.com>
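
Added example, not part of the original messages and not Linux-PAM code: a simplified Python model of the /etc/securetty lookup discussed in this thread, showing why root is refused on "console" and on pts/* terminals when the file lists only tty0-6 and vc/1-6. The function names and the sample file content are constructed for illustration, and only the file lookup is modelled, not the module's other checks.

```python
# Simplified model of the pam_securetty file lookup (assumption: only the
# /etc/securetty match is modelled; this is not the module's real code).

# Constructed sample: the list described in the thread (tty0-6 and vc/1-6).
SAMPLE_SECURETTY = "\n".join(
    ["# constructed sample /etc/securetty"]
    + [f"tty{n}" for n in range(0, 7)]
    + [f"vc/{n}" for n in range(1, 7)]
) + "\n"


def parse_securetty(text):
    """Return the set of tty names listed, ignoring blanks and # comments."""
    ttys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ttys.add(line)
    return ttys


def login_permitted(uid, tty, securetty_text):
    """Decide whether the securetty check lets this login proceed.

    uid            -- numeric uid of the account being logged into
    tty            -- terminal name as reported by the login program
    securetty_text -- file content, or None if the file does not exist
    """
    if uid != 0:
        return True            # the check only restricts root
    if securetty_text is None:
        return True            # missing file: root is not restricted
    name = tty[len("/dev/"):] if tty.startswith("/dev/") else tty
    return name in parse_securetty(securetty_text)


def with_entry(securetty_text, tty_name):
    """Return file content with one extra tty appended (question 2 above)."""
    return securetty_text + tty_name + "\n"


if __name__ == "__main__":
    for tty in ("/dev/tty1", "console", "pts/0"):
        print(tty, "root allowed:", login_permitted(0, tty, SAMPLE_SECURETTY))
    patched = with_entry(SAMPLE_SECURETTY, "console")
    print("console after adding entry:", login_permitted(0, "console", patched))
```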