The manual says:
pam_securetty is a PAM module that allows root logins only if the
user is logging in on a "secure" tty, as defined by the listing
in /etc/securetty. pam_securetty also checks to make sure that
/etc/securetty is a plain file and not world writable. It will
also allow root logins on the tty specified with console= switch
on the kernel command line and on ttys from the
/sys/class/tty/console/active.
Build from source:
git clone https://github.com/linux-pam/linux-pam
The versions are all very old, and some of the am and config files are incorrectly formatted; in the end only checking out v1.5.2 built OK.
flex is required.
The documentation also has problems, so it has to be disabled.
./autogen.sh
./configure --help | less
./configure --enable-static=yes --enable-debug --disable-doc
make
securetty_perform_check
#define SECURETTY_FILE "/etc/securetty"
if (stat(SECURETTY_FILE, &ttyfileinfo) ..
#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
The last check exempts the ttys written in /sys/class/tty/console/active.
So any tty listed in /sys/class/tty/console/active will never be blocked by pam_securetty.
The source code also has a noconsole option, which bypasses the later console/active check, so that only the contents of /etc/securetty are followed.
cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so debug noconsole
..
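The decision order described above (sanity check on /etc/securetty, the listing itself, then the console= and console/active fallbacks unless noconsole is set), as an added C model that is not pam_securetty's own code. The names root_tty_allowed, listed and cmdline_console are hypothetical, and the file contents are passed in as constructed strings so the model runs without touching the system.

```c
#include <stdio.h>
#include <string.h>

/* 1 if tty is a whole entry of list; entries are separated by chars in seps. */
static int listed(const char *list, const char *tty, const char *seps)
{
    size_t n = strlen(tty);
    while (n && *list) {
        size_t len = strcspn(list, seps);
        if (len == n && strncmp(list, tty, n) == 0)
            return 1;
        list += len + strspn(list + len, seps);
    }
    return 0;
}

/* 1 if the kernel command line carries console=<tty>, e.g. console=ttyS0,115200. */
static int cmdline_console(const char *cmdline, const char *tty)
{
    size_t n = strlen(tty);
    const char *p = cmdline;
    while (n && (p = strstr(p, "console=")) != NULL) {
        int own_word = (p == cmdline || p[-1] == ' ');
        p += strlen("console=");
        if (own_word && strncmp(p, tty, n) == 0 && strchr(", \n", p[n]))
            return 1;
    }
    return 0;
}

/* 1 if a root login on tty passes, 0 if refused. regular and world_writable
 * stand for what stat() reports about /etc/securetty (assumed inputs). */
int root_tty_allowed(const char *tty, int regular, int world_writable, const char *securetty,
                     const char *cmdline, const char *active, int noconsole)
{
    if (strncmp(tty, "/dev/", 5) == 0) tty += 5;   /* compare names without /dev/ */
    if (!regular || world_writable) return 0;      /* untrusted list: refuse */
    if (listed(securetty, tty, "\n")) return 1;    /* listed in /etc/securetty */
    if (noconsole) return 0;                       /* console fallbacks switched off */
    return cmdline_console(cmdline, tty) || listed(active, tty, " \n");
}

int main(void)
{
    /* Constructed sample: ttyS0 is the active console but is not in securetty. */
    const char *st = "tty1\ntty2\n", *cl = "ro quiet console=ttyS0,115200\n";
    printf("default:   %d\n", root_tty_allowed("/dev/ttyS0", 1, 0, st, cl, "ttyS0\n", 0));
    printf("noconsole: %d\n", root_tty_allowed("/dev/ttyS0", 1, 0, st, cl, "ttyS0\n", 1));
    return 0;
}
```

With the constructed sample, the console tty is accepted by default and refused once noconsole is set, which is the difference the pam.d/login line above relies on.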