Alan Coopersmith wrote:
> Darren J Moffat wrote:
>> This check is currently implemented in login(1) rather than in a
> ...and in xdm, gdm, and dtlogin too...
>> PAM module where it really belongs.
> Yes! Please!
>> This case proposes the introduction of a pam_securetty(5) module
>> and the removal of the explicity check for CONSOLE= from login(1).
>> The OpenSolaris pam_securetty will perform the CONSOLE= check, so
>> that that interface is preserved.
> Will we be able to remove this check from the gui logins too?
> What will they need to do? (For some reason, the community xdm
> & gdm sources passes the X display as the PAM_TTY value, so we'd
> either need to change them or add :0 to /etc/securetty. From
> looking at the dtlogin code, it appears to pass /dev/console as
It would definitely be great from both a configuration and
assessment point of view to have this type of policy set in
just one place ;-)