On Tue, 16 Apr 2013 01:43, Cristian Rodríguez <crrodriguez@...> wrote:
Hi:
While testing kmscon, I noticed that, by default, it is impossible to log in as root. kmscon simply invokes the login(1) binary, which interfaces with the PAM module pam_securetty, which checks for "secure ttys" in /etc/securetty, which lists the permitted devices as a whitelist, but kmscon does not use tty(4) but pts(4), and /dev/pts/* devices are not in the list.
While I think this "whitelist" is a pretty arcane and ugly way to control access, I'm looking for feedback on how to make this stuff work without having to manually extend the whitelist (and therefore perpetuating the false sense of security it provides) AND not breaking the old way.
Does anyone have any feedback on how to "bypass" this list programmatically?
AFAIK the /bin/login that is in use by OSS 12.3 does not link to pam_securetty directly. Thus the usual suspects for the needed changes are:
- pam_securetty.so to allow pts/? in /etc/securetty
or
- pam-config files /etc/pam.d/{login,login.old,remote}
For a 'try' system the removal of the pam_securetty.so calls in the pam-config files is OK, but on a productive system out there, I think we want to have a replacement / extension for pam_securetty.so
ATM kmscon is a very fresh child in terms of programming, and subject to change, so IMHO it would be best to raise this issue with the programmers of kmscon directly and ask for ideas.
OTOH kick this issue to the RedHat sec-team and watch the firework.
- Yamaban, who is feeling vindictive on the issue.
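Added example, not part of either message and not code from kmscon, login or Linux-PAM: a simplified Python model of the root-login decision the thread describes, useful for auditing which terminals a given /etc/securetty and /etc/pam.d service file would accept for root. The sample file contents are constructed, the function names are hypothetical, and the comment handling in the securetty parser is an assumption of this model.

```python
# Constructed sample inputs, not taken from any real system.
SAMPLE_SECURETTY = """\
# constructed example of /etc/securetty
tty1
tty2
ttyS0
"""

SAMPLE_PAM_LOGIN = """\
#%PAM-1.0
auth     requisite  pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth     include    common-auth
account  include    common-account
"""


def securetty_entries(text):
    """Device names listed in securetty text (blank and '#' lines skipped: model assumption)."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def uses_pam_securetty(pam_conf):
    """True if an active 'auth' line of a /etc/pam.d/<service> file calls pam_securetty.so."""
    for line in pam_conf.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) >= 3 and tokens[0].lstrip("-") == "auth":
            # The control field may be a bracketed, space-separated list,
            # so look for the module name in every later token.
            if any(tok.endswith("pam_securetty.so") for tok in tokens[2:]):
                return True
    return False


def root_login_allowed(tty, pam_conf, securetty_text):
    """Would this model let uid 0 log in on the given terminal?"""
    if not uses_pam_securetty(pam_conf):
        return True  # module not in the stack: no terminal restriction applies
    # The terminal name is compared without its "/dev/" prefix.
    name = tty[len("/dev/"):] if tty.startswith("/dev/") else tty
    return name in securetty_entries(securetty_text)
```

With the constructed samples, /dev/tty1 is accepted and /dev/pts/0 is refused, which is the kmscon behaviour reported above; the result changes only if pts/0 is listed or the pam_securetty.so line is absent from the service file.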