[CHANGE PROPOSAL] The securetty file is empty by default

Chris Adams linux at cmadams.net
Wed Apr 9 21:03:19 UTC 2014

Once upon a time, Matthew Miller <mattdm at fedoraproject.org> said:
> On Wed, Apr 09, 2014 at 10:20:36PM +0200, Lennart Poettering wrote:
> [technical reasoning snipped]
> > Hence: please let's just remove securetty entirely from the default PAM
> > stacks. It's annoying, it creates a false sense of security, it's a
> > relict of a different time and not compatible with modern device
> > management, hotplug, containers, and so on!
> That makes sense to me. And unlike tcpwrappers, it's just a runtime config
> file change to put back for cases where it's wanted.

Yeah, I think that's a decent way forward.  AFAIK the securetty thing
right now only affects console terminals and telnet logins.  Since
consoles are all in there, and hardly anybody runs a telnet server (I
ran one on a couple of servers at PPOE to handle specific cases, but I
wouldn't have had a problem with adding securetty checks if I needed
it), it really is a meaningless check.

Chris Adams <linux at cmadams.net>

More information about the devel mailing list