Package: libpam-modules
Version: 1.1.3-7.1
Severity: wishlist

Hi,
The /etc/securetty file lists every tty known to mankind, but only up to a randomly selected amount. And whenever a new serial driver is added to the kernel, this file needs to be updated.

Thus, in practice, the default setting is "Allow root login on random consoles": for example, serial lines 0-5, but serial lines 6-191 are considered dangerous, as well as any new serial drivers.

Checking against the default securetty is no additional security. To be of any practical advantage, the system administrator has to tailor the file to match their own serial port setup. In its current form, the securetty check is just a nuisance to people with many serial ports or new serial drivers.

I suggest disabling the pam_securetty check by default. The minority of users who actually have consoles with different security levels need to adjust the securetty file anyways, so they might adjust the pam_securetty setting in /etc/pam.d/login as well.

Alternatively, I'd like to hear a realistic scenario where the current default is useful. And someone running a UNIX museum where serial ports 0-6 are in the staff room while the rest are in public access does not count as one!

Riku
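An added example, not part of the original report: a small audit that compares a securetty list with the terminals an administrator actually wants root to log in from, which is the tailoring the report describes. The sample file contents, the host layout and the function names are constructed for illustration.

```python
"""Audit a securetty list against the ttys an admin trusts for root login."""

# Constructed sample in the securetty format: one tty name per line, without
# the /dev/ prefix; lines starting with '#' are comments. Not Debian's file.
SAMPLE_SECURETTY = """\
# virtual consoles
console
tty1
tty2

# serial lines
ttyS0
ttyS1
ttyS2
ttyS3
ttyS4
ttyS5
"""

def parse_securetty(text):
    """Return the listed tty names, skipping comments, blanks and repeats."""
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line not in names:
            names.append(line)
    return names

def audit(securetty_text, trusted_ttys):
    """Compare the file with the ttys where root login should be allowed."""
    listed = parse_securetty(securetty_text)
    # Accept device paths as well as bare names for the trusted list.
    trusted = [t[5:] if t.startswith("/dev/") else t for t in trusted_ttys]
    return {
        # Trusted terminals where the securetty check would refuse root.
        "root_refused": [t for t in trusted if t not in listed],
        # Entries that allow root on terminals nobody asked to trust.
        "unneeded": [t for t in listed if t not in trusted],
        # File contents matching the stated setup exactly.
        "tailored": "".join(t + "\n" for t in trusted),
    }

if __name__ == "__main__":
    # Hypothetical host: one virtual console, serial consoles on ports 0 and 6.
    for key, value in audit(SAMPLE_SECURETTY, ["tty1", "/dev/ttyS0", "ttyS6"]).items():
        print(key, "=", value)
```

On this constructed host the list both blocks root on a port the administrator uses (ttyS6) and permits it on seven terminals that are not part of the setup.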