On 2016-11-17 12:01 +0100, Olliver Schinagl wrote:

> Hey all,
>
> raising this one from the crypt
>
>>
>>> So the security benefit isn't in preventing users from logging in as root
>>> over certain serial lines, it's in preventing users from logging in as root
>>> over *pseudo*ttys.
>>
>> It is unix museumware from time when people didn't use ssh and su/sudo
>> all time.
>
> I just did a clean install of debian jessie (via debootstrap into a
> systemd-nspawn container) and noticed that I could not login using
> machinectl login <container>
>
> securetty bites us.
>
> The reason it bites is that by default, the container comes up with a
> console on pts/0.
>
> I see in securetty there are workarounds for LXC already and adding
> pts/0 as a work around for systemd-nspawn then makes me wonder, is
> this not a pseudo tty? And thus, the only argument made in 2012, with
> systemd containers will make that last argument fall? As you always
> need a pseudo-tty here.
>
> So I also suggest, opt-in vs opt-out on the pam_securetty module so
> that 'museums' can still enable them if needed.

FWIW, the latest login upload to unstable (1:4.7-1) dropped support for
/etc/securetty and removed that file on upgrades, due to the numerous
complaints it caused:

,----
| shadow (1:4.7-1) unstable; urgency=medium
|
|   [ Balint Reczey ]
|   * Stop shipping and honoring /etc/securetty
|     (Closes: #731656, #830255, #879903, #920764, #771675, #917893, #607073)
`----

This led to complaints by pam_unix in the system logs on every login,
see #931899.  I think it's time to disable pam_securetty by default, it
was useful twenty years ago but it no longer is.

Cheers,
       Sven
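To make the container failure discussed above concrete, here is an added example (my own emulation, not code from the thread, from Linux-PAM or from Debian's shadow package) of the check pam_securetty performs: strip a leading `/dev/` from the PAM tty, and refuse root unless that name appears in /etc/securetty. The sample file contents are constructed; the treatment of a missing file as "allow" mirrors what I understand pam_securetty does, and is an assumption of this example.

```python
"""
Emulation of the root-login decision made by pam_securetty.
Added example; not the module's actual source.
"""

# Constructed sample /etc/securetty: physical consoles plus the kind of
# LXC workaround entry the thread mentions.
SAMPLE_SECURETTY = """\
# /etc/securetty: list of terminals on which root is allowed to log in.
console
tty1
tty2
# LXC workaround: container consoles come up on a pseudo-tty
pts/0
"""


def parse_securetty(text):
    """Return the set of tty names listed in a securetty-style file."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(line)
    return entries


def normalise_tty(tty):
    """PAM_TTY may be '/dev/pts/0' or 'pts/0'; the module compares without '/dev/'."""
    prefix = "/dev/"
    if tty.startswith(prefix):
        return tty[len(prefix):]
    return tty


def root_login_allowed(user, tty, securetty_text):
    """
    Decide whether pam_securetty would let this login proceed.

    - Only root is restricted; every other user passes.
    - securetty_text is None when /etc/securetty does not exist; the
      example assumes that case permits the login (no list, no restriction).
    - Otherwise root passes only if the tty is listed.
    """
    if user != "root":
        return True
    if securetty_text is None:
        return True
    return normalise_tty(tty) in parse_securetty(securetty_text)


def container_login_outcomes(securetty_text):
    """
    Summarise what happens for the container console on pts/0 versus a
    physical console, given a particular securetty file.
    """
    return {
        "root on /dev/pts/0": root_login_allowed("root", "/dev/pts/0", securetty_text),
        "root on /dev/tty1": root_login_allowed("root", "/dev/tty1", securetty_text),
        "root on /dev/pts/3": root_login_allowed("root", "/dev/pts/3", securetty_text),
        "alice on /dev/pts/3": root_login_allowed("alice", "/dev/pts/3", securetty_text),
    }


if __name__ == "__main__":
    # With the workaround entry, pts/0 is accepted; drop that line and the
    # machinectl login described in the thread is refused for root.
    with_workaround = container_login_outcomes(SAMPLE_SECURETTY)
    without_workaround = container_login_outcomes(
        "\n".join(l for l in SAMPLE_SECURETTY.splitlines() if l != "pts/0")
    )
    for label, outcomes in (("with pts/0", with_workaround), ("without pts/0", without_workaround)):
        print(label)
        for k, v in outcomes.items():
            print("  %-22s %s" % (k, "allowed" if v else "denied"))
```

The point the example makes is the one raised in the thread: the list is keyed on tty names, so a container whose console is a pseudo-tty is only as protected as whichever pts/N entries someone remembered to add, which is why removing the mechanism (or making it opt-in) is a cleaner outcome than maintaining workarounds.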
