1

how does one restrict logging into the TTY consoles as 'root' in Debian 11 (bullseye)? In past versions I would empty the contents of /etc/securetty and that would prevent a direct login as 'root' from a TTY. It seems that bullseye doesn't have securetty any more, and creating the same empty file has no effect. the Securing Debian Manual has not yet been updated, and I can't find any alternative methods. Thanks!

EDIT: hoping to find an alternative to access.conf that doesn't expose the success or failure of the root credentials, even if it doesn't grant access to the shell.

Improve this question

2 Answers 2

Reset to default
2

Add the following line to /etc/security/access.conf

-:root:tty1 tty2 tty3 tty4 tty5 tty6

Uncomment this line in /etc/pam.d/login:

account  required       pam_access.so

see man access.conf

Improve this answer
4
  • 1
    thanks this is definitely a workable solution. One thing to note for anyone else finding this, you also need to uncomment "account required pam_access.so" in /etc/pam.d/login Commented Sep 22, 2021 at 13:38
  • @BenMcMahon Right! Commented Sep 22, 2021 at 13:40
  • I'm going to leave this open for a little while to see if there are any other workable solutions. One thing I don't like about this approach is it can be used to confirm root credentials. even without the ability to get a shell, the TTY behavior is different for login attempts with good or bad (even root) credentials. Someone can use this to confirm if they have good credentials. Commented Sep 22, 2021 at 13:46
  • if the credentials are bad, you get the ~2second delay and you're dropped back to the 'login' prompt. If the credentials are good you are immediately returned to a 'getty' prompt indicating that your credentials were good, but you're still not allowed in. it's a small hole, but a hole. hoping there's another method similar to how securetty behaved in that using good root credentials would behave just like any other failed login attempt. Commented Sep 22, 2021 at 13:46
1

After some digging in the manual I was able to restore the securetty function.

In /etc/pam.d/login:

auth       requisite  pam_nologin.so
auth       requisite  pam_securetty.so

This properly restores the function of the /etc/securetty file, attempting to log in as root never even gets to the password prompt.

See man pam_securetty

Improve this answer
1
  • Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. Commented Feb 7, 2023 at 13:41

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.