Title: Limiting root logins

KBTAG: kben10000149
URL: http://www.securityportal.com/lskb/10000100/kben10000149.html
Date created: 10/08/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Limiting root logins
Keywords: Console

Summary:

Restricting root logins to the console is a very good idea (in fact I also usually disable the root account).

More information:

You can restrict root logins in a number of ways; the details vary between services, but there are a few common ones:

/etc/securetty

This file lists the ttys from which root can log in; the console ones are tty1, tty2, tty3, tty4, tty5, tty6, tty7 and tty8. If you want to leave root enabled (so you can do maintenance or whatever), you can safely remove all but tty1; you generally shouldn't be logging in as root at the console (use sudo).

login shell

Setting root's login shell to something that doesn't exist and is not listed in /etc/shells, such as /bin/nologin, will generally disable any remote access for root, since most daemons check for a valid shell, among other things.

PAM

You can use the listfile module (pam_listfile) in PAM to restrict users' access to services, and pam_console can be removed from the config files, which generally disables most console access (good for servers). You could also limit root to 0 logins, but then you would need to be very careful, as this will probably break things.
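The three controls above (securetty entries, root's shell versus /etc/shells, and pam_listfile rules) can be audited with a small script like this one; it is an added example, not from the original article, and the sample files and the /etc/login.deny path in it are constructed.

```shell
#!/bin/sh
# Added audit helper (not part of the original article). Each check takes the
# file(s) to inspect as arguments, so it can be pointed at the live system
# (/etc/securetty, /etc/passwd, /etc/shells, /etc/pam.d/<service>) or at copies.
# The sample files created below are constructed for demonstration.

# Print securetty entries other than the console ttys tty1..tty8, skipping
# comments and blank lines. Anything printed lets root log in directly
# from somewhere other than the physical console (e.g. a serial line).
securetty_extra() {
    awk '!/^[[:space:]]*#/ && NF > 0 && $0 !~ /^tty[1-8]$/' "$1"
}

# Print root's login shell from a passwd-format file.
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "$1"
}

# Succeed (exit 0) only if root's shell is listed in the shells file, i.e.
# daemons that insist on a valid shell would still accept root.
root_shell_listed() {
    grep -qxF -- "$(root_shell "$1")" "$2"
}

# Print the pam_listfile rules in a PAM service file, comments stripped.
# Prints nothing (and still exits 0) when the service has no such rule.
pam_listfile_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'pam_listfile\.so' || true
}

# Constructed sample files standing in for a partly hardened host:
# tty1 kept, a serial port left in securetty, root's shell set to /bin/nologin.
SAMPLE_DIR=$(mktemp -d)
printf 'tty1\n# tty2 through tty8 removed\nttyS0\n' > "$SAMPLE_DIR/securetty"
printf 'root:x:0:0:root:/root:/bin/nologin\n' > "$SAMPLE_DIR/passwd"
printf '/bin/sh\n/bin/bash\n' > "$SAMPLE_DIR/shells"
printf '# constructed /etc/pam.d/login fragment; /etc/login.deny is a placeholder path\n' > "$SAMPLE_DIR/pam-login"
printf 'auth required pam_listfile.so item=user sense=deny file=/etc/login.deny onerr=fail\n' >> "$SAMPLE_DIR/pam-login"

echo "securetty entries beyond the console:"
securetty_extra "$SAMPLE_DIR/securetty"
if root_shell_listed "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shells"; then
    echo "root shell is in shells: the shell check alone does not block remote root"
else
    echo "root shell $(root_shell "$SAMPLE_DIR/passwd") is not in shells: remote root blocked"
fi
echo "pam_listfile rules for login:"
pam_listfile_rules "$SAMPLE_DIR/pam-login"
```

On the constructed files the script flags ttyS0 as a non-console entry, reports that /bin/nologin is not in the shells list, and shows the deny rule for the login service.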

Limiting user access to network services with PAM

Limiting user access to resources with PAM

Notes:

These are alternatives to using the root account:

Secure administrative access tools for Linux - overview