1

How can I block a normal user on an Ubuntu/Redhat system from logging in via the serial console (ttyS0) without blocking root?

Only root needs console access, no other users.

I have cleared /etc/securetty. Can anyone suggest the right method?

Garo
Namith
    This is the opposite of decades of recommended general good security practice, note, which is to restrict or outright eliminate direct superuser login in favour of logging in as distinct unprivileged users and then each elevating to superuser. Make sure that you have done a sound analysis and considered your threat model properly before going with a superuser-everywhere strategy. – JdeBP Jul 25 '20 at 13:59

2 Answers

1

I suggest using PAM to set these restrictions. Most likely, you’ve got a file called /etc/pam.d/login, which is used by the login process spawned by getty running on ttyS0.

It probably includes one of the generic authentication files, so you could just block anything with a uid > 0 in that.

You could also use pam_access access.conf to limit just root for ttyS0.

jsbillings
  • 24,406
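
A sketch of the pam_access approach suggested in the answer above, added as an example and not part of the original post. The file paths are the usual defaults and are assumptions about your system; check where your distribution's /etc/pam.d/login places its account lines before editing.

```conf
# --- /etc/pam.d/login (assumed path) ---
# Add pam_access to the account stack used by the login program
# that getty starts on the serial line.
account    required    pam_access.so

# --- /etc/security/access.conf (assumed path) ---
# Format is  permission:users:origins ; rules are read top to bottom
# and the first rule that matches the (user, tty) pair decides.
#
# Allow root on the first serial port.
+:root:ttyS0
# Refuse every other account on that same tty.
-:ALL:ttyS0
# These two rules name only ttyS0, so logins on other terminals
# are not matched by them.
```

Keep a root session open on another terminal while testing, and confirm that an unprivileged login on ttyS0 is refused before relying on the change.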
-1

Something to clear up first so that we can arrive at the correct solution and not what you are trying to do:

  • On a modern Linux distro you no longer have root passwords.
    Although it might sound secure, it isn't. Instead you either run a command as root with sudo command or become root with sudo -i. This implies that logging in as root on the serial console is impossible and should stay that way.
  • You mentioned regular users should not have access to ttyS0. If this is the case then it's better not to use ttyS0 at all. (This is neither good nor bad, it's just a choice)

If you want root login without sudo just in case your /home is broken then you probably have a couple of other problems also. In that case I would suggest booting from a live-medium, that way you can also give yourself all necessary permissions to fix the problem(s).

Garo