12.5 Controlling Access to Serial Lines


Most Unix versions provide some mechanism for limiting direct root logins to certain terminal lines. Note that these mechanisms have no effect on the ability of a user to gain root access via the su command. We'll consider the ones offered by each operating system in turn.

As we've seen earlier in this chapter, FreeBSD allows you to state explicitly whether direct root logins may take place on a line-by-line basis via the secure keyword in /etc/ttys . For example, these entries allow root logins on the terminal connected to the first serial line, but not on the terminal connected to the second serial line:

# name  getty                           type    flags
ttyd0   "/usr/libexec/getty std.9600"   vt100   on secure
ttyd1   "/usr/libexec/getty std.9600"   vt100   on

FreeBSD also provides general user class-based terminal restrictions via the ttys.allow and ttys.deny attributes in /etc/login.conf. See Section 6.2 for details.

Under Solaris, if the file /etc/default/login contains a CONSOLE entry, direct root logins are limited to that device. For example, this entry limits root logins to the system console:

CONSOLE=/dev/console

On HP-UX systems, the file /etc/securetty lists devices where root is allowed to log in. Here are some sample entries:

console
tty00
tty01

Note that /dev/ is not included in the line designation. The HP-UX file restricts access to the listed terminal lines to privileged users, rather than applying only to root.

Tru64 uses the file /etc/securettys in a similar manner:

/dev/console     # console
:0               # X display
local:0

Note that the full special filename is included in the Tru64 (formerly Digital Unix) file. The second and third entries are also typically found in these files and refer to X-based sessions.

Linux systems can restrict terminal access via the PAM facility. The pam_securetty module provides support for a HP-UX style /etc/securetty file, and the pam_time module allows you to specify terminal access by user, group, PAM service and/or day and time. See Section 6.5 for details.

Under AIX, the lsuser command can be used to determine the terminals on which root is allowed to log in directly:

# lsuser -fa ttys rlogin root
root:
        ttys=ALL
        rlogin=true

This command also indicates whether direct root logins can come in over the network. The following command will disable network-based root logins and limit root logins to the console device and the terminal on the first serial port:

# chuser ttys="/dev/lft,/dev/tty0" rlogin=false root

The ttys attribute takes a comma-separated list of TTY special files, indicating the terminals upon which the specified user may log in; note that this mechanism is available for all users, not just root. The keyword ALL applies to all terminal lines (including network connections), and prefacing any special filename with an exclamation point excludes that terminal. For example, this command prevents direct root logins on serial lines 0 and 1:

# chuser ttys="!/dev/tty0,!/dev/tty1" rlogin=false root

This mechanism is an interface to the ttys attribute in root's stanza in /etc/security/user. It may be used to set up restrictions for any user, as well as a default terminal list via the default stanza. The file may also be edited directly.



Essential System Administration, Third Edition
ISBN: 0596003439
Year: 2002
Pages: 162