F21 System Wide Change: The securetty file is empty by default

Reindl Harald h.reindl at thelounge.net
Fri Apr 11 15:05:45 UTC 2014


On 11.04.2014 16:30, Jaroslav Reznik wrote:
> === Description ===
> An empty /etc/securetty file prevents root login on any devices attached to 
> the computer.
> 
> === Effects ===
> Prevents access to the root account via the console or the network. The 
> following programs are '''prevented''' from accessing the root account: login

interesting how someone manages a stripped down machine only having
a root account and nothing else or how do you imagine that on machines
with all users except the local root are on network services in case
of troubleshooting the network setup

i also can't remember that the RHEL7-Beta1 i installed in 2013/12
had any other account than root for the final setup

especially in case your network card is not supported until a kernel update
you are unable to setup the OS at all because you need to download the new
kernel somewhere else, put it on a USB media, login as local root and update
the machine - happened 2011 with Fedora 14 on real hardware for me

on servers running virtual machines that is also the last resort if
ssh breaks which happens easily in case only key-auth is allowed and
you are at switching all ssh-keys on an infrastructure

changes in ~/.ssh/authorized_keys get active instantaneously

frankly it happened twice to me last december due to changing all ssh-host-keys
and private keys to 3072 bit keylength that i needed a local root login
to allow temporary password-login over SSH and get the new public key
on the machine - without the local root account and in case of encrypted
disks you are mostly done with that machine with the new defaults

hence this is why you should re-consider locking out the local root in a default
setup which needs physical access while the door for SSH login with the
password over the network is opened - the other way around would make sense
