That is not the correct code path. First the stat() fails and returns success, and that is intentional according to the code documentation: https://github.com/linux-pam/linux-pam/blob/9e5bea9e146dee574796259ca464ad2435be3590/modules/pam_securetty/pam_securetty.c#L110 No special config needed. I wouldn't have hinted that without looking at the code first. Anyways, the whole point of this report was concerns about the upgrade case that just removes pam_securetty, i.e. disabling a security feature without notice. Customers who actually modified /etc/securetty probably never noticed that change. Now, three years of ignoring the report later, that's a bit moot anyways.
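The two situations raised in the comment above can be checked for on a host or a mounted image. The following is an added example, not part of the original comment or of Linux-PAM; the function names and result labels are hypothetical, and it assumes PAM services are configured under `/etc/pam.d` (it does not follow include directives or read `/etc/pam.conf`).

```shell
#!/bin/sh
# Added example: classify how pam_securetty is wired up under a root directory.
# Function names and result labels are hypothetical, chosen for this example.

# Succeeds if any service file under ROOT/etc/pam.d has an active
# (not commented out) line that references pam_securetty.so.
pam_references_securetty() {
    root=$1
    [ -d "$root/etc/pam.d" ] || return 1
    grep -rEqs '^[[:space:]]*[^#[:space:]].*pam_securetty\.so' "$root/etc/pam.d"
}

# Prints exactly one label for the tree rooted at $1 (default: the live system).
audit_securetty() {
    root=${1:-}
    has_file=no
    has_module=no
    [ -e "$root/etc/securetty" ] && has_file=yes
    pam_references_securetty "$root" && has_module=yes
    case "$has_file/$has_module" in
        # A tty list is still present but no service consults it: the
        # upgrade case from the comment, where the restriction is gone.
        yes/no)  echo "silently-disabled" ;;
        # The module is configured but the file is missing: per the comment,
        # stat() fails and the module returns success, so nothing is restricted.
        no/yes)  echo "fail-open" ;;
        yes/yes) echo "enforced" ;;
        *)       echo "not-configured" ;;
    esac
}

# Stand-alone use: pass the root of the tree to inspect, e.g. "/" or a mount point.
if [ $# -gt 0 ]; then
    audit_securetty "${1%/}"
fi
```

A `silently-disabled` result on a host where `/etc/securetty` was edited by an administrator is the case worth reviewing first, since the edited list no longer has any effect.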