F21 System Wide Change: The securetty file is empty by default
Jaroslav Reznik
jreznik at redhat.com
Fri Apr 11 14:30:00 UTC 2014
= Proposed System Wide Change: The securetty file is empty by default =
https://fedoraproject.org/wiki/Changes/securetty_file_is_empty_by_default
Change owner(s): quickbooks <quickbooks.office at gmail.com>
The securetty file is empty by default
There's on-going discussion for this Change on the devel list.
https://lists.fedoraproject.org/pipermail/devel/2014-April/197344.html
== Detailed Description ==
Per [1]:
=== Method ===
Disabling root access via any console device (tty).
=== Description ===
An empty /etc/securetty file prevents root login on any devices attached to
the computer.
=== Effects ===
Prevents access to the root account via the console or the network. The
following programs are '''prevented''' from accessing the root account: login,
gdm, kdm, xdm, and other network services that open a tty.
=== Does Not Affect ===
Programs that do not log in as root, but perform administrative tasks through
setuid or other mechanisms.
The following programs are not prevented from accessing the root account: su,
sudo, ssh, scp, sftp.
=== More Details ===
To further limit access to the root account, administrators can disable root
logins at the console by editing the /etc/securetty file. This file lists all
devices the root user is allowed to log into. If the file does not exist at
all, the root user can log in through any communication device on the system,
whether via the console or a raw network interface. This is dangerous, because
a user can log in to his machine as root via Telnet, which transmits the
password in plain text over the network. By default, Fedora's /etc/securetty
file only allows the root user to log in at the console physically attached to
the machine. To prevent root from logging in, remove the contents of this file
by typing the following command:
 echo > /etc/securetty
Warning: A blank /etc/securetty file does not prevent the root user from
logging in remotely using the OpenSSH suite of tools because the console is
not opened until after authentication.
== Scope ==
* Proposal owners: implement the change
* Other developers: None
* Release engineering: None
* Policies and guidelines: The Security Document mentioned above will need to
be updated.
[1] https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account
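An audit check for the three securetty states described in the announcement above (file missing, file empty, file listing devices), added here as an example and not part of the original message or of Fedora's tooling. The function name `securetty_state` is hypothetical, and treating blank lines and `#` lines as non-entries is an assumption of this example.

```shell
#!/bin/sh
# Added example: classify a securetty file by the states the text describes.
#   missing  -> no file at all: root may log in on any device
#   empty    -> no device entries: root login on a tty is refused
#   listed:N -> N devices on which root login is permitted
# Path defaults to /etc/securetty; pass another path to audit a copy.
securetty_state() {
    file="${1:-/etc/securetty}"

    if [ ! -e "$file" ]; then
        echo "missing"
        return 0
    fi
    if [ ! -r "$file" ]; then
        # The file is normally readable by root only.
        echo "unreadable"
        return 1
    fi

    # Count lines that name a device. `echo > /etc/securetty` leaves a
    # one-byte file holding a single newline, so a size test such as
    # `[ -s file ]` would misreport it; blank lines are skipped instead.
    # Skipping '#' lines is an assumption made by this example.
    entries=$(awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$file")

    if [ "$entries" -eq 0 ]; then
        echo "empty"
    else
        echo "listed:$entries"
    fi
}

# When run with a path argument, report that file's state.
if [ "$#" -gt 0 ]; then
    securetty_state "$1"
fi
```

As the warning in the message notes, an `empty` result says nothing about root login over OpenSSH, which has to be checked in the sshd configuration separately.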