On Wed, 24.11.10 14:29, Chris Adams (cmadams@xxxxxxxxxx) wrote:

> Once upon a time, Lennart Poettering <mzerqung@xxxxxxxxxxx> said:
> > We currently still use the old securetty tool to patch those terminals
> > into /etc/securetty on demand. I have submitted a patch to pam_securetty
> > however, to make it look for console= on the kernel cmdline internally,
> > which when merged allows us to get rid of the tool and have this work on
> > r/o root fine as well.
>
> Please don't do that. Not all serial consoles are necessarily secure.

This behaviour has been the default for quite some time. I am not the
one who's going to change that.

As soon as the patch I posted is merged into pam-securetty you can
easily disable this behaviour by passing noconsole on the PAM config
line.

I think pam_securetty is mostly snake oil anyway. An admin should be
smart enough to choose a safe root password instead of relying on this
kind of snake oil.

Note that with that pam_securetty patch in place things become safe
anyway, since booting with console on ttyS0 once won't change
/etc/securetty for all the future, but only for this one boot.

Lennart

--
Lennart Poettering - Red Hat, Inc.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
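An added example, not part of the original message and not pam_securetty's own code: a small audit that lists the consoles named by console= on the kernel command line that are absent from /etc/securetty, and so would be trusted for root login only through the behaviour discussed above unless noconsole is passed. The parsing rules, function names and sample inputs are assumptions of this example.

```python
"""Audit ttys that would be trusted for root login only because of console=.

Models the behaviour described in the message (pam_securetty consulting
console= on the kernel command line unless noconsole is passed). Parsing
rules are assumptions of this example, not taken from the PAM source.
"""

def console_ttys(cmdline):
    """console=ttyS0,115200n8 -> 'ttyS0'; keeps order, drops duplicates."""
    found = []
    for arg in cmdline.split():
        if arg.startswith("console="):
            dev = arg[len("console="):].split(",", 1)[0]
            dev = dev[5:] if dev.startswith("/dev/") else dev
            if dev and dev not in found:
                found.append(dev)
    return found

def securetty_entries(text):
    """Non-blank, non-comment lines of /etc/securetty."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def noconsole_everywhere(pam_conf):
    """True/False: does every pam_securetty line pass noconsole? None if unused."""
    flags = []
    for line in pam_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        for i, field in enumerate(fields):
            if field.endswith("pam_securetty.so"):
                flags.append("noconsole" in fields[i + 1:])
    return all(flags) if flags else None

def implicitly_trusted(cmdline, securetty, pam_conf):
    """Kernel consoles accepted for root although not listed in securetty."""
    if noconsole_everywhere(pam_conf) is not False:
        return []  # module not in use, or noconsole set on every line
    listed = securetty_entries(securetty)
    return [t for t in console_ttys(cmdline) if t not in listed]

# Constructed sample inputs (not from a real host).
CMDLINE = "BOOT_IMAGE=/vmlinuz ro root=/dev/sda1 console=tty0 console=ttyS0,115200n8"
SECURETTY = "# local VTs only\ntty0\ntty1\n"
PAM_DEFAULT = "auth  required  pam_securetty.so\nauth  include  system-auth\n"
PAM_STRICT = "auth  required  pam_securetty.so noconsole\nauth  include  system-auth\n"

if __name__ == "__main__":
    print("implicit:", implicitly_trusted(CMDLINE, SECURETTY, PAM_DEFAULT))
    print("with noconsole:", implicitly_trusted(CMDLINE, SECURETTY, PAM_STRICT))
```

On a real host the three inputs would be the contents of /proc/cmdline, /etc/securetty and the PAM service file that references pam_securetty.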