Most Unix versions provide some mechanism for limiting direct root logins to certain terminal lines. Note that these mechanisms have no effect on the ability of a user to gain root access via the su command, and that they apply only to logins that pass through the facility in question: a daemon that authenticates users itself, such as sshd, must be restricted with its own settings (for OpenSSH, the PermitRootLogin directive). We'll consider the ones offered by each operating system in turn.
As we've seen earlier in this chapter, FreeBSD allows you to state explicitly whether direct root logins may take place on a line-by-line basis via the secure keyword in /etc/ttys . For example, these entries allow root logins on the terminal connected to the first serial line, but not on the terminal connected to the second serial line:
# name  getty                         type   flags
ttyd0   "/usr/libexec/getty std.9600" vt100  on secure
ttyd1   "/usr/libexec/getty std.9600" vt100  on
FreeBSD also provides general user class-based terminal restrictions via the ttys.allow and ttys.deny attributes in /etc/login.conf. See Section 6.2 for details.
Under Solaris, if the file /etc/default/login contains a CONSOLE entry, direct root logins are limited to that device. For example, this entry limits root logins to the system console:

CONSOLE=/dev/console

If the CONSOLE line is absent or commented out, root may log in directly on any terminal line.
On HP-UX systems, the file /etc/securetty lists devices where root is allowed to log in. Here are some sample entries:
console
tty00
tty01
Note that the /dev/ prefix is omitted from the line designation. On HP-UX the restriction covers privileged (superuser) accounts in general, not only the account named root.
Tru64 uses the file /etc/securettys in a similar manner:
/dev/console    # console
:0              # X display
local:0
Note that the full special filename is included in the Tru64 (formerly Digital Unix) file. The second and third entries are typically present as well; they refer to X-based sessions on the local display.
Linux systems can restrict terminal access via the PAM facility. The pam_securetty module provides support for an HP-UX style /etc/securetty file, and the pam_time module allows you to specify terminal access by user, group, PAM service and/or day and time. Both take effect only for the PAM services whose configuration stack includes them: the login service's stack normally does, while sshd's normally does not, so pam_securetty by itself does not block root logins over ssh. See Section 6.5 for details.
Under AIX, the lsuser command can be used to determine the terminals on which root is allowed to log in directly:
# lsuser -fa ttys rlogin root
root:
        ttys=ALL
        rlogin=true
This command also indicates whether direct root logins can come in over the network. The following command will disable network-based root logins and limit root logins to the console device and the terminal on the first serial port:
# chuser ttys="/dev/lft,/dev/tty0" rlogin=false root
The ttys attribute takes a comma-separated list of TTY special files, indicating the terminals upon which the specified user may log in. Note that this mechanism is available for all users, not just root. The keyword ALL applies to all terminal lines (including network connections), and prefacing any special filename with an exclamation point excludes that terminal. For example, this command prevents direct root logins on serial lines 0 and 1 while leaving the other lines available:
# chuser ttys="!/dev/tty0,!/dev/tty1" rlogin=false root
This mechanism is an interface to the ttys attribute in root's stanza in /etc/security/user. It may be used to set up restrictions for any user, as well as a default terminal list via the default stanza. The file may also be edited directly.
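The following script is an added example, not code from the book, and evaluates the three kinds of terminal-restriction data covered in this section (the FreeBSD /etc/ttys secure flag, the HP-UX and Tru64 securetty files, and the AIX ttys attribute) against constructed sample data, so that a proposed setting can be checked before it is pushed to a system. The function names are this example's own. It assumes the rules as described above; in particular, it treats an AIX ttys list that contains only exclusions as allowing every other device (as the "!/dev/tty0,!/dev/tty1" example implies) and treats anything after # in a securetty-style line as a comment.

```shell
#!/bin/sh
# Added example, not from the original text: check terminal-restriction
# data (FreeBSD /etc/ttys, HP-UX /etc/securetty, Tru64 /etc/securettys,
# the AIX ttys attribute) against constructed samples.  Function names
# are this example's own; the rules follow the text's descriptions.
set -f    # no pathname expansion while word-splitting lines

# --- constructed sample data (not copied from any live system) -----------
FREEBSD_TTYS='# name  getty                         type   flags
ttyd0   "/usr/libexec/getty std.9600" vt100  on secure
ttyd1   "/usr/libexec/getty std.9600" vt100  on'

HPUX_SECURETTY='console
tty00
tty01'

TRU64_SECURETTYS='/dev/console    # console
:0              # X display
local:0'

# freebsd_root_ok TTYS_CONTENT TTY: true when TTY's line is "on" and
# carries the secure flag, i.e. root may log in directly on that line.
freebsd_root_ok() {
    content=$1; want=$2; rc=1
    while IFS= read -r line; do
        case $line in '#'*|'') continue ;; esac
        set -- $line                      # field 1 is the terminal name
        [ "$1" = "$want" ] || continue
        is_on=1; is_secure=1
        for w in "$@"; do
            [ "$w" = on ] && is_on=0
            [ "$w" = secure ] && is_secure=0
        done
        [ $is_on -eq 0 ] && [ $is_secure -eq 0 ] && rc=0
        break
    done <<EOF
$content
EOF
    return $rc
}

# securetty_root_ok FILE_CONTENT TTY: true when TTY is listed.  HP-UX lists
# names without /dev/ and Tru64 with it; both are normalised here, and text
# after '#' is treated as a comment (an assumption of this example).
securetty_root_ok() {
    content=$1; want=${2#/dev/}
    while IFS= read -r entry; do
        entry=${entry%%#*}
        set -- $entry                     # drops surrounding whitespace
        [ $# -gt 0 ] || continue
        [ "${1#/dev/}" = "$want" ] && return 0
    done <<EOF
$content
EOF
    return 1
}

# aix_ttys_ok TTYS_VALUE DEVICE: evaluate the AIX ttys attribute for DEVICE.
# "!dev" excludes dev and always wins; ALL or an explicit dev allows it; a
# list holding only exclusions allows every other device (assumed from the
# text's "!/dev/tty0,!/dev/tty1" example).
aix_ttys_ok() {
    dev=$2; match=1; positive=1
    for t in $(printf '%s' "$1" | tr ',' ' '); do
        case $t in
            "!$dev")    return 1 ;;           # explicit exclusion
            '!'*)       ;;                    # exclusion of another device
            ALL|"$dev") match=0; positive=0 ;;
            *)          positive=0 ;;         # some other allowed device
        esac
    done
    if [ $match -eq 0 ] || [ $positive -ne 0 ]; then return 0; fi
    return 1
}

# --- stand-alone report --------------------------------------------------
verdict() { if "$@"; then echo allowed; else echo denied; fi; }
echo "FreeBSD ttyd0:                $(verdict freebsd_root_ok "$FREEBSD_TTYS" ttyd0)"
echo "FreeBSD ttyd1:                $(verdict freebsd_root_ok "$FREEBSD_TTYS" ttyd1)"
echo "HP-UX tty02:                  $(verdict securetty_root_ok "$HPUX_SECURETTY" tty02)"
echo "Tru64 /dev/console:           $(verdict securetty_root_ok "$TRU64_SECURETTYS" /dev/console)"
echo "AIX tty0, ttys=!tty0,!tty1:   $(verdict aix_ttys_ok '!/dev/tty0,!/dev/tty1' /dev/tty0)"
echo "AIX lft,  ttys=!tty0,!tty1:   $(verdict aix_ttys_ok '!/dev/tty0,!/dev/tty1' /dev/lft)"
```

To check a real system, replace the sample strings with the output of `cat /etc/ttys`, `cat /etc/securetty` or `lsuser -a ttys root` as appropriate; the functions themselves do not touch the live files.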