[CHANGE PROPOSAL] The securetty file is empty by default

Paul Wouters paul at nohats.ca
Wed Apr 9 21:06:03 UTC 2014

On Wed, 9 Apr 2014, Chris Adams wrote:

> Once upon a time, Matthew Miller <mattdm at fedoraproject.org> said:
>> On Wed, Apr 09, 2014 at 10:20:36PM +0200, Lennart Poettering wrote:
>> [technical reasoning snipped]
>>> Hence: please let's just remove securetty entirely from the default PAM
>>> stacks. It's annoying, it creates a false sense of security, it's a
>>> relict of a different time and not compatible with modern device
>>> management, hotplug, containers, and so on!
>> That makes sense to me. And unlike tcpwrappers, it's just a runtime config
>> file change to put back for cases where it's wanted.
> Yeah, I think that's a decent way forward.  AFAIK the securetty thing
> right now only affects console terminals

As long as it does not lock out root from kvm/uml console/serial logins.


More information about the devel mailing list