Description of problem:
To disable console login, traditionally we have removed the tty/pty entries from /etc/securetty. Doing so in RHEL 8.0 beta 1 has no effect.
Version-Release number of selected component (if applicable):
RHEL 8.0 beta 1
Steps to Reproduce:
1. echo > /etc/securetty
2. login to the console as root
root login is successful.
root login is not allowed.
I believe this was an intentional change that came through Fedora back in 2014 (?!) via bug 1090638. However, I don't know what the replacement is.
I do not remember details, but it seems like expected default in PAM setting. And I guess you can still use pam_securetty in .pamd files.
Anyway, let's ask PAM guys for more details :-) (needinfo)
There is no 1:1 replacement however you can either modify the /еtc/pam.d/login and add pam_securetty.so back or you can try to workaround it by settings in access.conf. However access.conf is applied to everything, not just login so if you need to allow su to root when being logged in on console tty*, it will be a problem.
adding the line back into /etc/pam.d/login from rhel 7.6 works - i can't login directly as root but i can su to root:
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
these docs need updating perhaps for rhel8:
it seems odd to remove the functionality just because of it breaking zlogin or whatever is used to log into containers. surely they should be doing the workaround not baremetal/vm's, or just don't ship an empty /etc/securetty file...?