ShareWiz Ultra Secure Server Setup

Device Security

Specify TTY Devices that Root is allowed to access

Issue the following command:

sudo vi /etc/securetty

Keep only the two entries:

  • tty1  
  • tty2  

and comment out or delete every other device.

TTY devices are the virtual terminals connected to the Ubuntu Server. The /etc/securetty file lists the TTY device names on which the root user is allowed to log in.

The file is read by the login program (usually /bin/login) through the pam_securetty module configured in /etc/pam.d/login.

Disable any tty you do not need by commenting it out: place a hash (#) at the beginning of its line. Root login is refused on any device whose entry is commented out or missing from the file.

Warning: Changes to /etc/securetty will affect anything using PAM with a configuration file that uses pam_securetty.so.

A more detailed technical explanation follows:

/etc/securetty is consulted by the pam_securetty module to decide which terminal devices (ttys) root is allowed to log in from. In the past, programs like login read /etc/securetty directly; now PAM handles this.

NOTE: Only the login program is affected by default. /etc/pam.d/login is used for local logins and /etc/pam.d/remote for remote logins (such as telnet).

The primary entry types and their effects are as follows:

  • If /etc/securetty doesn't exist, root is allowed to log in from any tty.
  • If /etc/securetty exists and is empty, root access is restricted to single-user mode and to programs that are not restricted by pam_securetty (i.e. su, sudo, ssh, scp, sftp).
  • If you are using devfs (a deprecated filesystem for handling /dev), entries of the form vc/[0-9]* permit root login from the given virtual console number.
  • If you are using udev (dynamic device management, the replacement for devfs), entries of the form tty[0-9]* permit root login from the given virtual console number.
  • Listing console in securetty normally has no effect, since /dev/console points to the current console and is normally only used as the tty filename in single-user mode, which is unaffected by /etc/securetty.
  • Entries like pts/[0-9]* allow programs that use pseudo-terminals (pty) together with pam_securetty to log in as root, provided the allocated pty is one of those listed. It is normally a good idea not to include these entries, because they are a security risk: they would allow, for instance, someone to log in as root via telnet, which sends passwords in plaintext. (Note that pts/[0-9]* is the format for udev, used on systems such as RHEL 5.5; it will differ under devfs or other forms of device management.)

In single-user mode, /etc/securetty is not consulted because sulogin is used instead of login; see the sulogin man page for details. You can also change the login program used for each runlevel in /etc/inittab.

Note that you should not use /etc/securetty to control root logins via ssh. To do that, change the value of PermitRootLogin in /etc/ssh/sshd_config. By default /etc/pam.d/sshd is not configured to consult pam_securetty (and therefore /etc/securetty). You could add a line to do so, but ssh does not set the actual tty until some time after the auth stage, so it does not work as expected: during the auth and account stages, at least for OpenSSH, the tty (PAM_TTY) is hard-coded to "ssh".

Also check the contents of /etc/login.defs, which covers securetty's functionality as well and is recommended by the securetty(5) manpage, and /etc/pam.d/login, where you can control the behaviour of this feature.
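The following script is an added example, not part of the original page: it applies the securetty rules listed above (missing file, empty file, commented-out entries, pts/ entries) to constructed sample files, so you can verify the hardening step before touching the real /etc/securetty. It assumes a POSIX shell with sed, grep and mktemp; the file path is a parameter, so the live file is never modified.

```shell
# Added example (not from the original page): evaluate /etc/securetty rules
# against constructed sample files. Assumes POSIX sh, sed, grep, mktemp.

# Print the active entries of a securetty file: comments and blank lines removed.
active_entries() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$' || true
}

# root_allowed_on FILE TTY -> prints "allow" or "deny", mirroring pam_securetty:
#   file missing -> root may log in on any tty
#   file empty   -> root denied on every tty (only sulogin, su, sudo, ssh remain)
#   otherwise    -> allowed only if the tty name appears as an active entry
root_allowed_on() {
    file=$1
    tty=${2#/dev/}                    # pam_securetty compares names without /dev/
    if [ ! -e "$file" ]; then
        echo allow
    elif active_entries "$file" | grep -qxF "$tty"; then
        echo allow
    else
        echo deny
    fi
}

# risky_entries FILE -> active pts/* entries, which would permit root login over
# pseudo-terminals (e.g. telnet) and which the text above advises against.
risky_entries() {
    active_entries "$1" | grep '^pts/' || true
}

# Constructed sample files (not real system files); removed on exit.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
printf 'tty1\ntty2\ntty3\npts/0\nconsole\n' > "$TMPD/weak"        # before hardening
printf 'tty1\ntty2\n#tty3\n#pts/0\n#console\n' > "$TMPD/hardened" # after the steps above
: > "$TMPD/empty"                                                 # exists but empty

for f in weak hardened empty; do
    echo "== $f"
    for t in tty1 tty3 /dev/pts/0; do
        echo "   $t: $(root_allowed_on "$TMPD/$f" "$t")"
    done
    r=$(risky_entries "$TMPD/$f")
    if [ -n "$r" ]; then echo "   risky entries: $r"; fi
done
```

Run it against a copy of your own file with `root_allowed_on /path/to/copy tty1` to confirm that only tty1 and tty2 report "allow" after editing.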
