[systemd-devel] systemd-nspawn and pam_securetty
Mantas Mikulėnas
grawity at gmail.com
Sat Dec 7 11:22:09 PST 2013
On Sat, Dec 7, 2013 at 9:00 PM, Kay Sievers <kay at vrfy.org> wrote:
> On Sat, Dec 7, 2013 at 7:25 PM, Colin Guthrie <gmane at colin.guthr.ie> wrote:
>> So playing around a bit it seems our default pam config for pam.d/login
>> uses a pam_securetty to only allow root logins via "secure" seats.
>>
>> The file /etc/securetty are tty0-6 and vc/1-6
>>
>> When "booting" with nspawn, the tty is "console" and thus I cannot login
>> as root.
>>
>> Can I ask people here a few questions:
>>
>> 1. Is pam_securetty worth it?
>> 2. If so, is adding "console" to the default /etc/securetty safe?
>> 3. And finally, if we should not add "console", could nspawn do
>> something clever with a temporary file + bind mount to temporarily allow
>> console logins in the /etc/securetty without actually modifying it.
>
> I never really understood what securetty was good for, it is usually
> nothing but annoying. I don't think it makes much sense in a default
> setup.
Agreed – on modern systems, the only place it's useful is to forbid
root logins through the old telnetd or rlogind daemons, since they
just spawn /sbin/login. (Not that anyone still uses telnetd
anymore...)
But the tty check also affects kmscon or systemd-consoled, as they
also use pts/* terminals, so pam_securetty is going to really become
more harmful than useful.
(And even for old crap like telnetd, ensuring empty rhost with
pam_succeed_if.so would work just as well, if not better.)
--
Mantas Mikulėnas <grawity at gmail.com>
More information about the systemd-devel
mailing list