From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.19-6.2.1 i686)

Description of problem:
pam_securetty.so, used quite successfully to lock out remote root login attempts for telnet and friends, cannot be set for applications that don't set PAM_TTY. Setting it locks out all users, not just root.

How reproducible:
Always

Steps to Reproduce:
1. Choose a PAM app that does not specify PAM_TTY.
2. Add pam_securetty.so to the app's PAM config.
3. Watch ALL logins for this app fail.

Actual Results:
All logins failed, not just root logins.

Expected Results:
Unspecified terminal names should be treated as if they were unlisted in /etc/securettys, and allowed normal user logins. Root should be banned as their terminal (not specified) is not listed in /etc/securettys/

Additional info:
This results from the fact that the pam_securetty module checks that PAM_TTY is set BEFORE it checks if the user is root, hence the tty check fails and all users are locked out.

If these checks were reversed, pam_securetty could be set in /etc/pam.d/system-auth, allowing the admin to know with confidence that network root logins are not possible. Admins wanting samba/OpenSSH root logins could add 'samba'/'sshd' as the terminal name in those specific cases, or just reconfigure PAM for that particular application. (Samba 2.2.0 and above specify 'samba' as their terminal name, OpenSSH does likewise if a define is set.)
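The check ordering described in the report above, as an added example that is not part of the original report and is not the pam_securetty source. It is a simplified C model; the function names, the verdict enum and the sample secure-terminal list are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { ALLOW = 0, DENY = 1 };

/* Constructed stand-in for the secure-terminal list (assumption). */
static const char *const SECURE_TTYS[] = { "tty1", "tty2", "samba", NULL };

static int tty_is_listed(const char *tty)
{
    if (tty == NULL || *tty == '\0')
        return 0;                       /* unset terminal == unlisted */
    for (size_t i = 0; SECURE_TTYS[i] != NULL; i++)
        if (strcmp(tty, SECURE_TTYS[i]) == 0)
            return 1;
    return 0;
}

/* Order the report describes: PAM_TTY presence is tested before the uid,
 * so an application that sets no terminal name fails for every user. */
enum verdict check_tty_first(unsigned uid, const char *tty)
{
    if (tty == NULL || *tty == '\0')
        return DENY;
    if (uid != 0)
        return ALLOW;
    return tty_is_listed(tty) ? ALLOW : DENY;
}

/* Order the report asks for: non-root users pass regardless of terminal,
 * root passes only from a listed terminal (an unset one counts as unlisted). */
enum verdict check_root_first(unsigned uid, const char *tty)
{
    if (uid != 0)
        return ALLOW;
    return tty_is_listed(tty) ? ALLOW : DENY;
}

int main(void)
{
    const char *ttys[] = { NULL, "pts/3", "samba" };
    unsigned uids[] = { 0, 1000 };
    for (size_t u = 0; u < 2; u++)
        for (size_t t = 0; t < 3; t++)
            printf("uid=%-4u tty=%-6s tty-first=%d root-first=%d\n", uids[u],
                   ttys[t] ? ttys[t] : "(none)",
                   check_tty_first(uids[u], ttys[t]),
                   check_root_first(uids[u], ttys[t]));
    return 0;
}
```

In the printed matrix, 0 means allowed and 1 means denied; the two orderings differ only in the row for a non-root user with no terminal name set.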
This should be fixed as of pam-0.75-9. Thanks!