On 2016-11-17 12:01 +0100, Olliver Schinagl wrote:
> Hey all,
>
> raising this one from the crypt
>
>>
>>> So the security benefit isn't in preventing users from logging in as root
>>> over certain serial lines, it's in preventing users from logging in as root
>>> over *pseudo*ttys.
>>
>> It is unix museumware from time when people didn't use ssh and su/sudo
>> all time.
>
> I just did a clean install of debian jessie (via debootstrap into a
> systemd-nspawn container) and noticed that I could not login using
> machinectl login <container>
>
> securetty bites us.
>
> The reason it bites is that by default, the container comes up with a
> console on pts/0.
>
> I see in securetty there are workarounds for LXC already and adding
> pts/0 as a workaround for systemd-nspawn then makes me wonder, is
> this not a pseudo tty? And thus, the only argument made in 2012, with
> systemd containers will make that last argument fall? As you always
> need a pseudo-tty here.
>
> So I also suggest, opt-in vs opt-out on the pam_securetty module so
> that 'museums' can still enable them if needed.
FWIW, the latest login upload to unstable (1:4.7-1) dropped support for
/etc/securetty and removed that file on upgrades, due to the numerous
complaints it caused:

,----
| shadow (1:4.7-1) unstable; urgency=medium
|
|   [ Balint Reczey ]
|   * Stop shipping and honoring /etc/securetty
|     (Closes: #731656, #830255, #879903, #920764, #771675, #917893, #607073)
`----

This led to complaints by pam_unix in the system logs on every login, see
#931899.

I think it's time to disable pam_securetty by default, it was useful twenty
years ago but it no longer is.

Cheers,
Sven
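To make the failure Olliver describes concrete, here is a small model of the rule pam_securetty enforces. This is an added example written for this thread, not code from Linux-PAM, Debian's shadow package or either poster: it reproduces only the core check (root may log in only on a tty whose name, with any leading "/dev/" stripped, is listed line by line in /etc/securetty; other users are never restricted). The sample file contents, the function names and the login cases are constructed for illustration; the module's handling of a missing file, the special "console" entry and its noconsole/noroot options are deliberately not modelled.

```python
"""Simplified model of the pam_securetty decision (added example, not Linux-PAM code)."""

# Constructed sample of a Debian-style /etc/securetty, including the LXC
# workaround entries the first message refers to. Not a copy of the real file.
SECURETTY_SAMPLE = """\
# /etc/securetty: list of terminals on which root is allowed to login.
console
tty1
tty2
ttyS0

# LXC (Linux Containers)
lxc/console
lxc/tty1
lxc/tty2
"""


def parse_securetty(text):
    """Return the set of tty names listed in a securetty file body.

    One entry per line. Blank lines and '#' comment lines can never equal a
    tty name, so skipping them does not change the decision.
    """
    ttys = set()
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        ttys.add(entry[5:] if entry.startswith("/dev/") else entry)
    return ttys


def root_login_allowed(user, pam_tty, securetty_text):
    """Model the module's verdict for one login attempt.

    True means the attempt passes pam_securetty, False means it is rejected.
    Only root is checked; the tty name is taken as PAM hands it to the
    module (PAM_TTY), which may or may not carry a "/dev/" prefix.
    """
    if user != "root":
        return True                      # the module only restricts root
    tty = pam_tty[5:] if pam_tty.startswith("/dev/") else pam_tty
    return tty in parse_securetty(securetty_text)


def explain(user, pam_tty, securetty_text=SECURETTY_SAMPLE):
    """Human-readable one-line verdict, for the demo below."""
    verdict = "allowed" if root_login_allowed(user, pam_tty, securetty_text) else "DENIED"
    return f"{user:6} on {pam_tty:12} -> {verdict}"


if __name__ == "__main__":
    # Constructed cases: a getty on tty1, the same tty with a /dev/ prefix,
    # the LXC workaround entry, the nspawn case from the thread (console on
    # pts/0, a pseudo-tty that is not listed), and a non-root user on pts/0.
    for user, tty in [("root", "tty1"), ("root", "/dev/tty1"),
                      ("root", "lxc/console"), ("root", "pts/0"),
                      ("alice", "pts/0")]:
        print(explain(user, tty))

    # The workaround Olliver mentions: list the pseudo-tty explicitly, which
    # is exactly what makes the "only pseudo-ttys" argument collapse.
    patched = SECURETTY_SAMPLE + "\n# systemd-nspawn workaround\npts/0\n"
    print(explain("root", "pts/0", patched))
```

The point the model makes visible is that the check keys purely on the tty name: a root login from machinectl (pts/0) and a root login from any other pseudo-terminal look identical to the module, so listing pts/0 for containers grants the same thing to every other pty of that name. Removing the pam_securetty line from the PAM stack, or deleting /etc/securetty as shadow 1:4.7-1 does, makes this whole table irrelevant.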