Passing ownership of mingetty

Lennart Poettering mzerqung at 0pointer.de
Wed Nov 24 20:52:43 UTC 2010


On Wed, 24.11.10 14:29, Chris Adams (cmadams at hiwaay.net) wrote:

> 
> Once upon a time, Lennart Poettering <mzerqung at 0pointer.de> said:
> > We currently still use the old securetty tool to patch those terminals
> > into /etc/securetty on demand. I have submitted a patch to pam_securetty
> > however, to make it look for console= on the kernel cmdline internally,
> > which when merged allows us to get rid of the tool and have this work on
> > r/o root fine as well.
> 
> Please don't do that.  Not all serial consoles are necessarily secure.

This behaviour has been the default sicne quite some time. I am not the
one who's going to change that. As soon as the patch i posted is merged
into pam-securetty you can easily disable this behaviour by passing
noconsole on the PAM config line.

I think pam_securetty is mostly snake oil anyway. An admin should be
smart enough to choose a safe root password instead of relying on this
kind of snake oil.

Note that with that pam_securetty patch in place thins become safe
anyway, since booting with console on ttyS0 once won't change
/etc/securetty for all the future, but only for this one boot.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.


More information about the devel mailing list