blob: 95747fea691c8c3689ef299b7897989be9ebdf76 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
'\" t
.\" Title: pam_securetty
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
.TH "PAM_SECURETTY" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_securetty \- Limit root login to special devices
.SH "SYNOPSIS"
.HP \w'\fBpam_securetty\&.so\fR\ 'u
\fBpam_securetty\&.so\fR [debug]
.SH "DESCRIPTION"
.PP
pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in
/etc/securetty\&. pam_securetty also checks to make sure that
/etc/securetty
is a plain file and not world writable\&. It will also allow root logins on the tty specified with
\fBconsole=\fR
switch on the kernel command line and on ttys from the
/sys/class/tty/console/active\&.
.PP
This module has no effect on non\-root users and requires that the application fills in the
\fBPAM_TTY\fR
item correctly\&.
.PP
For canonical usage, should be listed as a
\fBrequired\fR
authentication method before any
\fBsufficient\fR
authentication methods\&.
.SH "OPTIONS"
.PP
\fBdebug\fR
.RS 4
Print debug information\&.
.RE
.PP
\fBnoconsole\fR
.RS 4
Do not automatically allow root logins on the kernel console device, as specified on the kernel command line or by the sys file, if it is not also specified in the
/etc/securetty
file\&.
.RE
.SH "MODULE TYPES PROVIDED"
.PP
Only the
\fBauth\fR
module type is provided\&.
.SH "RETURN VALUES"
.PP
PAM_SUCCESS
.RS 4
The user is allowed to continue authentication\&. Either the user is not root, or the root user is trying to log in on an acceptable device\&.
.RE
.PP
PAM_AUTH_ERR
.RS 4
Authentication is rejected\&. Either root is attempting to log in via an unacceptable device, or the
/etc/securetty
file is world writable or not a normal file\&.
.RE
.PP
PAM_INCOMPLETE
.RS 4
An application error occurred\&. pam_securetty was not able to get information it required from the application that called it\&.
.RE
.PP
PAM_SERVICE_ERR
.RS 4
An error occurred while the module was determining the user\*(Aqs name or tty, or the module could not open
/etc/securetty\&.
.RE
.PP
PAM_USER_UNKNOWN
.RS 4
The module could not find the user name in the
/etc/passwd
file to verify whether the user had a UID of 0\&. Therefore, the results of running this module are ignored\&.
.RE
.SH "EXAMPLES"
.PP
.if n \{\
.RS 4
.\}
.nf
auth required pam_securetty\&.so
auth required pam_unix\&.so
.fi
.if n \{\
.RE
.\}
.sp
.SH "SEE ALSO"
.PP
\fBsecuretty\fR(5),
\fBpam.conf\fR(5),
\fBpam.d\fR(5),
\fBpam\fR(8)
.SH "AUTHOR"
.PP
pam_securetty was written by Elliot Lee <sopwith@cuc\&.edu>\&.
|
