[Pkg-shadow-devel] Bug#731656: Please disable securetty by default

Alan Jenkins alan.christopher.jenkins at gmail.com
Mon Jan 15 11:51:07 UTC 2018


On Thu, 19 Jan 2017 18:20:17 +0100 Balint Reczey 
<balint at balintreczey.hu> wrote:
 > Control: tags -1 confirmed
 >
 > Hi Josh,
 >
 > On Sat, 07 Dec 2013 15:13:28 -0800 Josh Triplett <josh at joshtriplett.org>
 > wrote:
 > > Package: login
 > > Version: 1:4.1.5.1-1
 > > Severity: wishlist
 > >
 > > securetty dates back to the days when people still logged into systems
 > > via telnet and rlogin. These days, remote access occurs via SSH, which
 > > has its own configuration mechanism to determine whether to allow root
 > > logins (including more flexible approaches such as disallowing root
 > > logins by password but allowing them by key). And any local TTY should
 > > be considered a securetty by definition. Thus, I don't think securetty
 > > has any value anymore as part of the default configuration of login. I
 > > would suggest removing it by default.
 >
 > I will look into that in the Buster cycle, this change would be too
 > intrusive now.
 >
 > Cheers,
 > Balint

Hi

I recently ran a stretch->unstable upgrade, and noticed some 
modification to securetty (conffile conflict v.s. my deletion of 
/etc/securetty).

Can I ask if we've missed the boat for Buster, or is it still a 
possibility to get securetty removed from the pam config?

I understand making any change to PAM configs can be pretty 
nerve-wracking :).

Thanks
Alan



More information about the Pkg-shadow-devel mailing list