We saw how password aging can prevent individual users from logging in. Now we show how to restrict where root can log in by using /etc/securetty, and how every non-root login attempt can be refused with /etc/nologin.
The /etc/securetty file is intended as a method for limiting root logins to a list of tty devices. If /etc/securetty exists, root login is permitted only from those devices. For example:
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
tty12
The tty devices are for the KDE virtual console windows. The vc devices are the virtual console devfs devices.
It is common practice to restrict root login to the console. This forces users to log in normally and then run su - root. This practice makes it easy to track who is behind each root session, because the /var/log/messages file records the su attempts:
Jan 19 13:41:28 sawnee sshd(pam_unix): session opened for user dave by (uid=501)
Jan 19 13:41:36 sawnee su(pam_unix): session opened for user root by dave(uid=501)
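The tracking described above can be automated. The following script is an added example, not part of the original text: it parses pam_unix "session opened" records in the /var/log/messages format shown, reports every root session together with the user and uid that opened it, and flags root sessions that did not arrive through su, which is exactly what a console-only /etc/securetty policy should make rare. The sample log is constructed; the sshd-to-root line is invented for the demonstration.

```python
import re
from typing import List, NamedTuple, Optional

# pam_unix "session opened" record in classic syslog format, e.g.
#   Jan 19 13:41:36 sawnee su(pam_unix): session opened for user root by dave(uid=501)
# The "by" field is empty for direct logins: "by (uid=501)".
PAM_SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\(pam_unix\): session opened for user (?P<target>\S+) "
    r"by (?P<by>\S*)\(uid=(?P<uid>\d+)\)$"
)


class RootSession(NamedTuple):
    timestamp: str
    host: str
    program: str   # su, sshd, login, ...
    by_user: str   # empty when the record reads "by (uid=...)"
    by_uid: int


def parse_session(line: str) -> Optional[dict]:
    """Return the fields of a pam_unix session-opened record, or None."""
    m = PAM_SESSION_RE.match(line.strip())
    return m.groupdict() if m else None


def root_sessions(lines: List[str]) -> List[RootSession]:
    """Every session opened for root, with who opened it."""
    out = []
    for line in lines:
        rec = parse_session(line)
        if rec and rec["target"] == "root":
            out.append(RootSession(rec["ts"], rec["host"], rec["prog"],
                                   rec["by"], int(rec["uid"])))
    return out


def direct_root_logins(lines: List[str]) -> List[RootSession]:
    """Root sessions not opened through su; with root confined to the
    console by /etc/securetty, any such record deserves a look."""
    return [s for s in root_sessions(lines) if s.program != "su"]


# Constructed sample: first two lines mirror the page, the rest are made up.
SAMPLE_LOG = """\
Jan 19 13:41:28 sawnee sshd(pam_unix): session opened for user dave by (uid=501)
Jan 19 13:41:36 sawnee su(pam_unix): session opened for user root by dave(uid=501)
Jan 19 14:02:10 sawnee sshd(pam_unix): session opened for user root by (uid=0)
Jan 19 14:05:00 sawnee su(pam_unix): authentication failure; logname=dave uid=501 euid=0 tty=pts/1 ruser=dave rhost=  user=root
""".splitlines()

if __name__ == "__main__":
    for s in root_sessions(SAMPLE_LOG):
        print(f"{s.timestamp} {s.host}: root via {s.program} "
              f"by {s.by_user or '(direct)'} uid={s.by_uid}")
```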
Please note that whether /etc/securetty is honored depends on the PAM configuration for each login method and whether the login application uses PAM. The PAM configuration file for the login application needs the auth (authentication) pam_securetty.so module. See the PAM configuration section for details.
The /etc/nologin file gives the system administrator a way to keep users off the Linux system during maintenance. If /etc/nologin exists, non-root login attempts fail, and the contents of /etc/nologin are displayed. For example:
# cat /etc/nologin
Sorry. System Maintenance in progress. System unavailable until 15:00 on 1/19.
When someone attempts to log in, he or she sees the following:
Red Hat Linux release 9 (Shrike)
Kernel 2.4.20-8 on an i686
sawnee.somecomp.com login: dave
Password:
Sorry. System Maintenance in progress. System unavailable until 15:00 on 1/19.
Login incorrect
login:
A zero-byte /etc/nologin disables non-root logins but prints no special message. Please note that whether /etc/nologin is honored depends on the PAM configuration for each login method. The PAM configuration file for the login application needs the auth pam_nologin.so module. See the PAM configuration section for details.
SSH does not look at the /etc/nologin file. A login attempt using ssh succeeds when /etc/nologin exists.