{ "content": [ { "type": "text", "text": "# pam_securetty (man)\n\n## NAME\n\npamsecuretty - Limit root login to special devices\n\n## SYNOPSIS\n\npamsecuretty.so [debug]\n\n## DESCRIPTION\n\npamsecuretty is a PAM module that allows root logins only if the user is logging in on a\n\"secure\" tty, as defined by the listing in the securetty file. pamsecuretty checks at first,\nif /etc/securetty exists. If not and it was built with vendordir support, it will use\n/securetty. pamsecuretty also checks that the securetty files are plain files and\nnot world writable. It will also allow root logins on the tty specified with console= switch\non the kernel command line and on ttys from the /sys/class/tty/console/active.\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION**\n- **OPTIONS** (2 subsections)\n- **MODULE TYPES PROVIDED**\n- **RETURN VALUES**\n- **EXAMPLES**\n- **SEE ALSO**\n- **AUTHOR**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n" } ], "structuredContent": { "command": "pam_securetty", "section": "", "mode": "man", "summary": "pamsecuretty - Limit root login to special devices", "synopsis": "pamsecuretty.so [debug]", "tldr_summary": null, "tldr_examples": [], "tldr_source": null, "flags": [], "examples": [ "auth required pamsecuretty.so", "auth required pamunix.so" ], "see_also": [ { "name": "securetty", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/securetty/5/json" }, { "name": "pam.conf", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/pam.conf/5/json" }, { "name": "pam.d", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/pam.d/5/json" }, { "name": "pam", "section": "7", "url": "https://www.chedong.com/phpMan.php/man/pam/7/json" } ], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "SYNOPSIS", "lines": 2, "subsections": [] }, { "name": "DESCRIPTION", "lines": 13, "subsections": [] }, { "name": "OPTIONS", "lines": 1, "subsections": [ { "name": "debug", "lines": 2 }, { "name": "noconsole", "lines": 4 } ] }, { "name": "MODULE TYPES PROVIDED", "lines": 2, "subsections": [] }, { "name": "RETURN VALUES", "lines": 25, "subsections": [] }, { "name": "EXAMPLES", "lines": 5, "subsections": [] }, { "name": "SEE ALSO", "lines": 2, "subsections": [] }, { "name": "AUTHOR", "lines": 5, "subsections": [] } ], "sections": { "NAME": { "content": "pamsecuretty - Limit root login to special devices\n", "subsections": [] }, "SYNOPSIS": { "content": "pamsecuretty.so [debug]\n", "subsections": [] }, "DESCRIPTION": { "content": "pamsecuretty is a PAM module that allows root logins only if the user is logging in on a\n\"secure\" tty, as defined by the listing in the securetty file. pamsecuretty checks at first,\nif /etc/securetty exists. If not and it was built with vendordir support, it will use\n/securetty. pamsecuretty also checks that the securetty files are plain files and\nnot world writable. It will also allow root logins on the tty specified with console= switch\non the kernel command line and on ttys from the /sys/class/tty/console/active.\n\nThis module has no effect on non-root users and requires that the application fills in the\nPAMTTY item correctly.\n\nFor canonical usage, should be listed as a required authentication method before any\nsufficient authentication methods.\n", "subsections": [] }, "OPTIONS": { "content": "", "subsections": [ { "name": "debug", "content": "Print debug information.\n" }, { "name": "noconsole", "content": "Do not automatically allow root logins on the kernel console device, as specified on the\nkernel command line or by the sys file, if it is not also specified in the securetty\nfile.\n" } ] }, "MODULE TYPES PROVIDED": { "content": "Only the auth module type is provided.\n", "subsections": [] }, "RETURN VALUES": { "content": "PAMSUCCESS\nThe user is allowed to continue authentication. Either the user is not root, or the root\nuser is trying to log in on an acceptable device.\n\nPAMAUTHERR\nAuthentication is rejected. Either root is attempting to log in via an unacceptable\ndevice, or the securetty file is world writable or not a normal file.\n\nPAMBUFERR\nMemory buffer error.\n\nPAMCONVERR\nThe conversation method supplied by the application failed to obtain the username.\n\nPAMINCOMPLETE\nThe conversation method supplied by the application returned PAMCONVAGAIN.\n\nPAMSERVICEERR\nAn error occurred while the module was determining the user's name or tty, or the module\ncould not open the securetty file.\n\nPAMUSERUNKNOWN\nThe module could not find the user name in the /etc/passwd file to verify whether the\nuser had a UID of 0. Therefore, the results of running this module are ignored.\n", "subsections": [] }, "EXAMPLES": { "content": "auth required pamsecuretty.so\nauth required pamunix.so\n\n\n", "subsections": [] }, "SEE ALSO": { "content": "securetty(5), pam.conf(5), pam.d(5), pam(7)\n", "subsections": [] }, "AUTHOR": { "content": "pamsecuretty was written by Elliot Lee .\n\n\n\nLinux-PAM Manual 06/08/2020 PAMSECURETTY(8)", "subsections": [] } } } }