Date: Fri, 12 Nov 2004 23:27:12 -0800 From: Doug Hardie <bc979@lafn.org> To: "Ted Mittelstaedt" <tedm@toybox.placo.com> Cc: f-questions List <freebsd-questions@freebsd.org> Subject: Re: Root login at console Message-ID: <6FCD9DAC-3545-11D9-900C-000393681B06@lafn.org> In-Reply-To: <LOBBIFDAGNMAMLGJJCKNEEKHEPAA.tedm@toybox.placo.com> References: <LOBBIFDAGNMAMLGJJCKNEEKHEPAA.tedm@toybox.placo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Nov 12, 2004, at 23:18, Ted Mittelstaedt wrote: > > >> -----Original Message----- >> From: owner-freebsd-questions@freebsd.org >> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Doug Hardie >> Sent: Friday, November 12, 2004 10:52 PM >> To: f-questions List >> Subject: Root login at console >> >> >> I am setting up some 5.3 systems and have encountered a situation I >> can't figure out. I have had the following (and only) active line in >> 4.6 systems /etc/login.allow: >> >> -:ALL EXCEPT user1 user2 user3: ALL >> >> That only permitted logins from those 3 users and not root. The users >> had to su to get to root - even on the console. However that same >> line >> in 5.3 doesn't let anyone su to root (terminal or console). I have to >> add root to the list: >> >> -:ALL EXCEPT root user1 user2 user3: ALL >> >> Then the users can su to root. However root can login on the console >> directly which I don't want. I have tried a few diferent approaches >> to >> make this work but none have succeeded. What am I missing? Thanks. >> > > I don't think that the /etc/login.allow should have blocked root login > at > the console. If it did in 4.x that is a bug and 5.3 corrected it. > > If you want to block root login at the console then edit /etc/ttys and > change the keyword from "secure" to "insecure" for the console. > > Ted Thanks. I just checked ttys in my 4.6 system and they all say secure. I see the instructions in ttys now and that makes sense. A quick check also shows it works. I guess there was a bug in 4.6. The instructions seem to indicate that removing the secure keyword is all that is required. Thats what I checked and it worked. I presume thats the same as using the insecure key which I really didn't see mentioned.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6FCD9DAC-3545-11D9-900C-000393681B06>