[CHANGE PROPOSAL] The securetty file is empty by default
mitr at volny.cz
Thu Apr 3 16:53:13 UTC 2014
2014-04-02 20:12 GMT+02:00 Simo Sorce <simo at redhat.com>:
> On Wed, 2014-04-02 at 09:12 -0700, quickbooks office wrote:
> > [CHANGE PROPOSAL] The securetty file is empty by default
> > All the info has been sitting here @
> I often install machines with root only as my users are all in my
> FreeIPA/LDAP server and I expect to be able to login as root on the
> console for maintenance purposes.
> This change makes it very hard to do necessary maintenance. I can
> understand blocking SSH login as root with password by default, but I do
> not understand what is the point of blocking console login as root.
In larger organizations there is a legitimate need to be able to attribute
every action as "root" to a specific individual, which is easiest to do by
requiring a login from a non-root account to establish the session, and
then tracking actions done by that session. OTOH this all works reliably
enough only with a non-default auditing setup, so restricting root logins
by default is alone not at all sufficient.
> Please explain the logic of blocking console logins but allowing SSH
> logins, it is completely backwards.
Of the various problems with the proposal, this one seems the easiest to
 I'm not listing them here; I'd much rather have the Change officially
announced and have the official comment period, instead of starting a
tradition of pre-announcements.