14

I want to configure securetty to limit direct root access. Now I am clear that if I add:

auth        required      pam_securetty.so 

into /etc/pam.d/system-auth, and keep only "console" in /etc/securetty, ssh login will also be prohibited. And if I add:

auth        required      pam_securetty.so  

into /etc/pam.d/login, and keep only "console" in /etc/securetty, ssh login will not be prohibited.

Now I am not very clear about the difference between /etc/pam.d/login and /etc/pam.d/system-auth. Could anyone give me some reference or some guide? Thanks a lot!

P.S. /etc/pam.d/login vs. /etc/pam.d/system-auth also says a little about it, but I want to get more to make it clearer to me.

zhaojing
  • Could you be more exact? What are you missing from the link? It explains the differences between both files. – Christian Oct 15 '10 at 06:26
  • Christian, yes, in fact, the link makes the problem clear to me. But I want to know if there are more differences, because I am not sure if the answer "login is just for local console (NOT remote login)" in the link is right. – zhaojing Oct 15 '10 at 08:47

3 Answers

11

The /etc/pam.d/system-auth file is used by Red Hat and similar systems to group together common security policies. It is often included in other /etc/pam.d policy files where those common policies are required.

When accessing a system via ssh through sshd, the /etc/pam.d/sshd policy file is consulted. This file includes /etc/pam.d/system-auth so your changes to /etc/pam.d/system-auth are valid.

The file /etc/pam.d/login is consulted when you log in via the /bin/login program; therefore any changes to it only affect /bin/login.

hb20007
user9517
5
  • login - rules for local (console) login
  • system-auth - common rules for many services
  • password-auth - common rules for many remote services
  • sshd - rules for the SSHD daemon only
Benny
3

Now I am not very clear about the difference between /etc/pam.d/login and /etc/pam.d/system-auth. Could anyone give me some reference or some guide?

OpenSSH uses the /etc/pam.d/sshd module. /etc/pam.d/sshd:

auth       include      system-auth

OpenSSH does not use /etc/pam.d/login to auth. /etc/pam.d/login and /etc/pam.d/system-auth are different modules for different programs.

bindbn
  • bindbn, thanks for your explanations and suggestions. I got your meaning: "/etc/pam.d/login and /etc/pam.d/system-auth are different modules for different programs". – zhaojing Oct 15 '10 at 08:51
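To make the include relationship described in the answers above concrete, here is an added example (not code from the question or any answer) that resolves the effective auth stack of a service by following include and substack directives, the way pam does, over a constructed sample /etc/pam.d tree in a temp directory; the pam_stack and uses_securetty helpers are mine, not part of any distribution:

```shell
#!/bin/sh
# Constructed sample /etc/pam.d tree (not the real files): login lists
# pam_securetty directly, sshd only pulls in system-auth, as in the question.
PAMD=$(mktemp -d)
trap 'rm -rf "$PAMD"' EXIT
cat > "$PAMD/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
EOF
cat > "$PAMD/login" <<'EOF'
auth        required      pam_securetty.so
auth        include       system-auth
EOF
cat > "$PAMD/sshd" <<'EOF'
auth        include       system-auth
account     include       system-auth
EOF

# pam_stack SERVICE GROUP: print the module named on each line of GROUP's
# stack (auth/account/password/session) for SERVICE under $PAMD, following
# "include" and "substack" directives recursively, as pam itself does.
pam_stack() {
  awk -v grp="$2" -v dir="$PAMD" -v top="$1" '
    function walk(svc,   f, line) {
      f = dir "/" svc
      while ((getline line < f) > 0) {
        $0 = line; sub(/#.*/, "")          # drop comments, re-split fields
        if (NF < 3 || $1 != grp) continue
        if ($2 == "include" || $2 == "substack") walk($3)
        else print $3
      }
      close(f)
    }
    BEGIN { walk(top) }'
}

# uses_securetty SERVICE: succeed (exit 0) when pam_securetty.so sits on the
# effective auth stack, i.e. /etc/securetty will be enforced for SERVICE.
uses_securetty() {
  pam_stack "$1" auth | grep -qx 'pam_securetty.so'
}

# Stand-alone demonstration: with pam_securetty only in login, securetty
# restricts console login but not ssh; moving it into system-auth hits both.
for svc in login sshd; do
  if uses_securetty "$svc"; then echo "$svc: securetty enforced"
  else echo "$svc: securetty NOT enforced"; fi
done
```

Run it against a copy of a real /etc/pam.d by pointing PAMD at that directory instead of the constructed one.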