Alan Coopersmith wrote:
> Darren J Moffat wrote:
>> This check is currently implemented in login(1) rather than in a
>
> ...and in xdm, gdm, and dtlogin too...
>
>> PAM module where it really belongs.
>
> Yes! Please!

+1

>> Solution
>> --------
>> This case proposes the introduction of a pam_securetty(5) module
>> and the removal of the explicit check for CONSOLE= from login(1).
>> The OpenSolaris pam_securetty will perform the CONSOLE= check, so
>> that that interface is preserved.
>
> Will we be able to remove this check from the gui logins too?
> What will they need to do? (For some reason, the community xdm
> & gdm sources pass the X display as the PAM_TTY value, so we'd
> either need to change them or add :0 to /etc/securetty. From
> looking at the dtlogin code, it appears to pass /dev/console as
> PAM_TTY.)

It would definitely be great from both a configuration and assessment
point of view to have this type of policy set in just one place ;-)

g
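
The PAM_TTY mismatch raised in the quoted question, as an added example that is not part of the thread and is not the proposed module's code: a securetty-style lookup accepts the `/dev/console` value dtlogin passes but not the `:0` display name xdm and gdm pass, unless `:0` is listed. The helper `tty_is_secure`, the sample file contents and the matching rules (one entry per line, `#` comment lines, leading `/dev/` ignored) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample contents of a securetty-style file (not from the thread). */
static const char SAMPLE_SECURETTY[] =
    "# terminals on which root may log in\n"
    "console\n"
    "\n"
    "tty1\n";

/* Hypothetical helper: return 1 if pam_tty is listed in securetty, else 0.
 * Assumed rules: one entry per line, lines starting with '#' are comments,
 * and a leading "/dev/" on the PAM_TTY value is ignored before comparing. */
int tty_is_secure(const char *pam_tty, const char *securetty)
{
    if (pam_tty == NULL)
        return 0;                          /* no tty recorded: fail closed */
    if (strncmp(pam_tty, "/dev/", 5) == 0)
        pam_tty += 5;
    size_t want = strlen(pam_tty);
    if (want == 0)
        return 0;                          /* empty name never matches */

    const char *line = securetty;
    while (*line != '\0') {
        size_t len = strcspn(line, "\n");
        /* Whole-line comparison, so "tty1" does not match "tty10". */
        if (len == want && line[0] != '#' && memcmp(line, pam_tty, len) == 0)
            return 1;
        line += len;
        if (*line == '\n')
            line++;
    }
    return 0;
}

int main(void)
{
    /* Values a login program might hand over as PAM_TTY (constructed). */
    const char *cases[] = { "/dev/console", ":0", "/dev/pts/3", "" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("PAM_TTY=%-14s -> %s\n", cases[i],
               tty_is_secure(cases[i], SAMPLE_SECURETTY) ? "listed" : "not listed");
    return 0;
}
```
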