Bug 1650701
Summary: | Empty /etc/securetty does not prevent console login for root | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | bugzilla |
Component: | doc-Release_Notes-8-en-US | Assignee: | Ioanna Gkioka <igkioka> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | Mirek Jahoda <mjahoda> |
Priority: | high | ||
Version: | 8.0 | CC: | dapospis, jwboyer, rhel-docs, tmraz |
Target Milestone: | rc | Keywords: | Documentation |
Target Release: | 8.0 | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Removed functionality | |
Doc Text: |
.`securetty` is now disabled by default
Because of the dynamic nature of `tty` device files on modern Linux systems, the `securetty` PAM module has been disabled by default and the `/etc/securetty` configuration file is no longer included in RHEL. Since `/etc/securetty` listed many possible devices so that the practical effect in most cases was to allow by default, this change has only a minor impact. However, if you use a more restrictive configuration, you need to add a line enabling the `pam_securetty.so` module to the appropriate files in the `/etc/pam.d` directory, and create a new `/etc/securetty` file.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-14 01:23:45 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
bugzilla
2018-11-16 21:49:57 UTC
I believe this was an intentional change that came through Fedora back in 2014 (?!) via bug 1090638. However, I don't know what the replacement is. I do not remember details, but it seems like expected default in PAM setting. And I guess you can still use pam_securetty in .pamd files. Anyway, let's ask PAM guys for more details :-) (needinfo) There is no 1:1 replacement however you can either modify the /еtc/pam.d/login and add pam_securetty.so back or you can try to workaround it by settings in access.conf. However access.conf is applied to everything, not just login so if you need to allow su to root when being logged in on console tty*, it will be a problem. adding the line back into /etc/pam.d/login from rhel 7.6 works - i can't login directly as root but i can su to root: auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so these docs need updating perhaps for rhel8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-controlling_root_access it seems odd to remove the functionality just because of it breaking zlogin or whatever is used to log into containers. surely they should be doing the workaround not baremetal/vm's, or just don't ship an empty /etc/securetty file...? |