LinuxCommandLibrary

pam_securetty

Restrict root login to secure terminals

SYNOPSIS

This module is configured within PAM service files (e.g., /etc/pam.d/login) and is not executed directly from the command line.

Syntax in PAM configuration:
module_type control_flag pam_securetty.so [module_options]

Example:
auth required pam_securetty.so

PARAMETERS

debug
    Log extra information about each decision (the user, the TTY that was checked and the outcome) via syslog.

noconsole
    Do not automatically accept a TTY that is currently a kernel console (as listed in /proc/consoles). Without this option the Linux-PAM module treats the kernel console device as secure even when it is not named in /etc/securetty. Note that this is a different thing from the entry "console" in the file.

These two options are the ones the Linux-PAM module recognises; unknown options are ignored with a syslog warning rather than changing the decision.

DESCRIPTION

pam_securetty is a Pluggable Authentication Module (PAM) that controls where the superuser may log in directly. It only acts on accounts whose UID is 0 (looked up in the password database, so any uid-0 account is covered, not just the name root); for every other user it returns success without looking at the terminal. For a uid-0 login it takes the terminal name from the PAM TTY item (falling back to the terminal on standard input), strips a leading /dev/, and compares the result against the names listed one per line in /etc/securetty. If the name is listed the module returns PAM_SUCCESS; otherwise it returns PAM_AUTH_ERR and the login fails, regardless of whether the password was correct. The file therefore defines the set of terminals from which direct root logins are acceptable, typically physical virtual consoles (tty1 ... tty6) and a serial console, while excluding the pseudo-terminals (pts/N) behind network sessions. The module is used in the auth stack of services such as /etc/pam.d/login; placing it in /etc/pam.d/sshd is possible but rarely what is wanted, because OpenSSH sets the PAM TTY item to the literal string "ssh" rather than a device name.

CAVEATS

pam_securetty only constrains the service whose PAM stack includes it. It does nothing about a user who logs in as themselves from an unlisted terminal and then becomes root with su or sudo, unless the su or sudo PAM stacks also include the module (and in the su case the session's pseudo-terminal would then have to be listed, which defeats the purpose). Treat it as a control on direct root logins at the console, not as a substitute for disabling root's password or restricting su and sudo.

The effectiveness of this module depends entirely on the contents and permissions of /etc/securetty. The failure modes are not symmetric: if the file does not exist, the Linux-PAM module logs a notice and returns success, so root may log in from any terminal; if the file is world-writable or not a regular file, the module refuses to trust it and denies the login; if the file exists but is empty, root is denied everywhere except on a current kernel console (and even there when noconsole is given). Check the file's existence, mode (0600 or 0644, owned by root) and contents after any change, and remember that several distributions no longer ship /etc/securetty at all.

For SSH access, the PermitRootLogin option in sshd_config (no, or prohibit-password to allow only key-based root logins; without-password is the deprecated spelling of the latter) is the right control, because it is enforced by sshd itself for every authentication method, whereas pam_securetty only sees the PAM-based ones.

SECURETTY FILE

The /etc/securetty file is a plain text file with one terminal device name per line, written without the /dev/ prefix (tty1, ttyS0, console, hvc0). Only terminals named in this file are treated as secure by pam_securetty for uid-0 authentication. Listing pseudo-terminals such as pts/0 makes root logins through any network session that happens to get that pseudo-terminal acceptable, which removes most of the protection the module provides; if an entry like that is present, it usually deserves to be removed rather than documented.
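The decision logic from DESCRIPTION and the failure modes from CAVEATS, modelled as a shell script. This is an added example, not code from Linux-PAM or from this page: securetty_decide reproduces the documented rules (non-root passes; missing file passes with a notice; a listed name passes; otherwise deny), securetty_audit flags a securetty file that is missing, world-writable or that lists pseudo-terminals. The kernel-console fallback is represented by an optional fourth argument instead of reading /proc/consoles, the root check compares the user name rather than the UID, and the sample file is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not Linux-PAM code): model of the pam_securetty decision
# and a small audit of a securetty file. Assumptions: rules as documented
# on this page; kernel console given as an argument, not read from /proc;
# "root" stands in for the real module's uid-0 check.

# securetty_decide USER TTY FILE [CONSOLE]
# Prints "allow" or "deny"; exit status 0 for allow, 1 for deny.
securetty_decide() {
    user=$1; tty=$2; file=$3; console=${4:-}
    # The module only restricts the superuser; everyone else passes through.
    if [ "$user" != root ]; then
        echo allow; return 0
    fi
    # Missing file: the Linux-PAM module logs a notice and returns success.
    if [ ! -e "$file" ]; then
        echo "notice: $file missing, root allowed from $tty" >&2
        echo allow; return 0
    fi
    # World-writable or not a regular file: the module refuses to trust it.
    if [ ! -f "$file" ] || [ -n "$(find "$file" -perm -002 -print 2>/dev/null)" ]; then
        echo "error: $file is not a trusted regular file" >&2
        echo deny; return 1
    fi
    # A leading /dev/ is stripped before the comparison.
    tty=${tty#/dev/}
    # Whole-line, fixed-string match, one name per line.
    if grep -qxF -- "$tty" "$file"; then
        echo allow; return 0
    fi
    # Kernel-console fallback; the real module skips this with "noconsole".
    if [ -n "$console" ] && [ "$console" = "$tty" ]; then
        echo allow; return 0
    fi
    echo deny; return 1
}

# securetty_audit FILE
# Prints one finding per line; exit status 0 when nothing risky was found.
securetty_audit() {
    file=$1; rc=0
    if [ ! -e "$file" ]; then
        echo "MISSING: $file (root will be allowed from any terminal)"
        return 1
    fi
    if [ -n "$(find "$file" -perm -002 -print 2>/dev/null)" ]; then
        echo "PERMS: $file is world-writable (module will deny all root logins)"
        rc=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;                      # blank or comment-like line
            /dev/*) echo "FORMAT: $line (names are written without /dev/)"; rc=1 ;;
            pts|pts/*|ptmx) echo "WEAK: $line (pseudo-terminal: network sessions become 'secure')"; rc=1 ;;
            ttyS*|ttyUSB*) echo "REVIEW: $line (serial line, confirm it is physically secured)" ;;
        esac
    done < "$file"
    return $rc
}

# Stand-alone demo on a constructed file.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf 'console\ntty1\ntty2\npts/0\n' > "$d/securetty"
    securetty_decide root tty1 "$d/securetty"
    securetty_decide root pts/5 "$d/securetty"
    securetty_audit "$d/securetty" || echo "audit: findings above"
    rm -rf "$d"
fi
```

Run it with `sh script.sh demo` to see one allowed and one denied decision followed by the audit finding for the pts/0 entry. The audit deliberately treats a world-writable file as a finding even though the module fails closed on it: a locked-out console during an incident is its own availability problem.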

MODULE TYPE

pam_securetty implements the auth management group only; it has no account, password or session function. In the stack it returns PAM_SUCCESS when the terminal is acceptable (or the user is not uid 0) and PAM_AUTH_ERR otherwise, so it is normally placed early, as "auth required" or "auth requisite", ahead of the password-checking module. With requisite the stack stops immediately on an unlisted terminal, which avoids even prompting root for a password there; with required the remaining modules still run and the failure is reported at the end.

HISTORY

The concept of restricting root logins to specific terminals (TTYs) existed in UNIX-like systems long before PAM. With the advent of Pluggable Authentication Modules (PAM) developed by Sun Microsystems and later adopted by Linux, this functionality was modularized into pam_securetty. This allowed administrators to flexibly integrate this security check into various authentication services without modifying the core programs, maintaining a critical layer of defense against unauthorized root access from untrusted terminals.

SEE ALSO

pam(8), pam.conf(5), pam.d(5), securetty(5), login(1), sshd(8), su(1)
