KBTAG: kben10000149
URL: http://www.securityportal.com/lskb/10000100/kben10000149.html
Date created: 10/08/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Limiting root logins
Keywords: Console
Restricting root logins to the console is a very good idea (in fact I also usually disable the root account).
You can restrict root logins in a number of ways; the details vary by service, but there are a few common ones:
/etc/securetty
A file listing the ttys from which root can log in; the console ones are basically tty1, tty2, tty3, tty4, tty5, tty6, tty7 and tty8. If you want to leave root enabled (so you can do maintenance or whatever) you can safely remove all but tty1; generally you shouldn't be logging in as root at the console anyway (use sudo).
login shell
By setting root's login shell to something that doesn't exist and is not listed in /etc/shells, such as /bin/nologin, you will generally disable any remote access for root, since most daemons check for a valid shell (and similar things) before allowing a login.
PAM
You can use the listfile module (pam_listfile) in PAM to restrict which users may access which services, and pam_console can be removed from the config files, which disables most console access (good for servers). You could also limit root to 0 logins, but then you would need to be very careful, as this will probably break things.
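The following POSIX sh audit helpers are an added example, not part of the original KB entry: they check the first two controls above, whether /etc/securetty lists anything beyond tty1 and whether root's shell is still a valid one in /etc/shells (which is what lets remote daemons accept a root login). File paths are parameters, so the functions can be pointed at the real files or at the constructed sample files built at the bottom of the block.

```shell
#!/bin/sh
# Audit helpers for the securetty and login-shell controls (added example).
# Arguments are file paths: /etc/securetty, /etc/passwd, /etc/shells on a
# real system, or the constructed samples created below.

# Print the ttys listed in a securetty file other than tty1, i.e. the
# entries that can be trimmed if root is to be allowed on one console only.
# Comment lines and blank lines are ignored.
securetty_extra_ttys() {
    grep -v '^#' "$1" | grep -v '^[[:space:]]*$' | grep -vx 'tty1'
}

# Print root's login shell (field 7) from a passwd-format file.
root_shell() {
    awk -F: '$1 == "root" { print $7 }' "$1"
}

# Return 0 if root's shell in passwd file $1 is listed in shells file $2
# (remote root logins are still possible), 1 if it is not listed
# (daemons that require a valid shell will refuse root).
root_shell_is_valid() {
    shell=$(root_shell "$1")
    [ -n "$shell" ] && grep -qxF "$shell" "$2"
}

# --- constructed sample files (not real system files) ---
tmp=$(mktemp -d)
printf 'tty1\ntty2\ntty3\n' > "$tmp/securetty"
printf 'root:x:0:0:root:/root:/bin/nologin\n' > "$tmp/passwd"
printf 'kurt:x:1000:1000::/home/kurt:/bin/sh\n' >> "$tmp/passwd"
printf '/bin/sh\n/bin/bash\n' > "$tmp/shells"

echo "ttys beyond tty1 in securetty:"
securetty_extra_ttys "$tmp/securetty"
if root_shell_is_valid "$tmp/passwd" "$tmp/shells"; then
    echo "root has a valid shell; remote root logins are still possible"
else
    echo "root shell $(root_shell "$tmp/passwd") is not in shells; remote root login disabled"
fi
rm -rf "$tmp"
```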
Limiting user access to network services with PAM
Limiting user access to resources with PAM
Notes:
These are alternatives to using the root account: