man-pages/man8/pam_securetty.8.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of PAM_SECURETTY</TITLE>
</HEAD><BODY>
<H1>PAM_SECURETTY</H1>
Section: Linux-PAM Manual (8)<BR>Updated: 05/18/2017<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>





















<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

pam_securetty - Limit root login to special devices
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<DL COMPACT>
<DT id="1">
<B>pam_securetty.so</B> [debug]
</DL>
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

<P>

<DD>pam_securetty is a PAM module that allows root logins only if the user is logging in on a &quot;secure&quot; tty, as defined by the listing in
/etc/securetty. pam_securetty also checks to make sure that
/etc/securetty
is a plain file and not world writable. It will also allow root logins on the tty specified with
<B>console=</B>
switch on the kernel command line and on ttys from the
/sys/class/tty/console/active.
<P>

This module has no effect on non-root users and requires that the application fills in the
<B>PAM_TTY</B>
item correctly.
<P>

For canonical usage, should be listed as a
<B>required</B>
authentication method before any
<B>sufficient</B>
authentication methods.
<A NAME="lbAE">&nbsp;</A>
<H2>OPTIONS</H2>

<P>

<B>debug</B>
<DL COMPACT><DT id="2"><DD>
Print debug information.
</DL>

<P>

<B>noconsole</B>
<DL COMPACT><DT id="3"><DD>
Do not automatically allow root logins on the kernel console device, as specified on the kernel command line or by the sys file, if it is not also specified in the
/etc/securetty
file.
</DL>

<A NAME="lbAF">&nbsp;</A>
<H2>MODULE TYPES PROVIDED</H2>

<P>

Only the
<B>auth</B>
module type is provided.
<A NAME="lbAG">&nbsp;</A>
<H2>RETURN VALUES</H2>

<P>

PAM_SUCCESS
<DL COMPACT><DT id="4"><DD>
The user is allowed to continue authentication. Either the user is not root, or the root user is trying to log in on an acceptable device.
</DL>

<P>

PAM_AUTH_ERR
<DL COMPACT><DT id="5"><DD>
Authentication is rejected. Either root is attempting to log in via an unacceptable device, or the
/etc/securetty
file is world writable or not a normal file.
</DL>

<P>

PAM_INCOMPLETE
<DL COMPACT><DT id="6"><DD>
An application error occurred. pam_securetty was not able to get information it required from the application that called it.
</DL>

<P>

PAM_SERVICE_ERR
<DL COMPACT><DT id="7"><DD>
An error occurred while the module was determining the user's name or tty, or the module could not open
/etc/securetty.
</DL>

<P>

PAM_USER_UNKNOWN
<DL COMPACT><DT id="8"><DD>
The module could not find the user name in the
/etc/passwd
file to verify whether the user had a UID of 0. Therefore, the results of running this module are ignored.
</DL>

<A NAME="lbAH">&nbsp;</A>
<H2>EXAMPLES</H2>

<P>

<DL COMPACT><DT id="9"><DD>



<PRE>
auth  required  pam_securetty.so
auth  required  pam_unix.so
      
</PRE>

</DL>




<P>
<A NAME="lbAI">&nbsp;</A>
<H2>SEE ALSO</H2>

<P>

<B><A HREF="/cgi-bin/man/man2html?5+securetty">securetty</A></B>(5),
<B><A HREF="/cgi-bin/man/man2html?5+pam.conf">pam.conf</A></B>(5),
<B><A HREF="/cgi-bin/man/man2html?5+pam.d">pam.d</A></B>(5),
<B><A HREF="/cgi-bin/man/man2html?7+pam">pam</A></B>(7)
<A NAME="lbAJ">&nbsp;</A>
<H2>AUTHOR</H2>

<P>

pam_securetty was written by Elliot Lee &lt;<A HREF="mailto:sopwith@cuc.edu">sopwith@cuc.edu</A>&gt;.
<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="10"><A HREF="#lbAB">NAME</A><DD>
<DT id="11"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="12"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT id="13"><A HREF="#lbAE">OPTIONS</A><DD>
<DT id="14"><A HREF="#lbAF">MODULE TYPES PROVIDED</A><DD>
<DT id="15"><A HREF="#lbAG">RETURN VALUES</A><DD>
<DT id="16"><A HREF="#lbAH">EXAMPLES</A><DD>
<DT id="17"><A HREF="#lbAI">SEE ALSO</A><DD>
<DT id="18"><A HREF="#lbAJ">AUTHOR</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:14 GMT, March 31, 2021
</BODY>
</HTML>