I have to configure the system to limit direct root access to system consoles only. That is, telnet, ftp, and SSH logins are all prohibited; root can only log in through the console. I understand that this will require me to configure the file /etc/securetty: I have to comment out all the tty entries and keep just "console" in /etc/securetty.
But from Google, I found that many people said configuring /etc/securetty will not limit SSH login.
From my experiment, I found that this is the case (configuring /etc/securetty won't limit SSH login).
And I added one line in /etc/pam.d/system-auth:
auth required pam_securetty
It seems root SSH login can be prohibited.
But I can't find the reason: what is the difference between configuring pam_securetty and /etc/securetty? Can anyone help me with this? Would configuring only /etc/securetty work? Or do I have to configure pam_securetty at the same time? Thanks a lot!
pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in /etc/securetty. pam_securetty also checks to make sure that /etc/securetty is a plain file and not world writable.
telnet and ftp call login, and you probably already have /etc/pam.d/login including pam_securetty.
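
Added example, not part of the original posts: /etc/securetty only matters to services whose PAM auth stack actually reaches pam_securetty, so this sketch walks each service's auth stack (following include/substack lines) and reports which ones do. The pam.d layout is constructed (it assumes sshd includes system-auth, as the question's result suggests), and the function names are hypothetical.

```python
import os, re, stat, tempfile

# "auth <control> <module-or-file>"; control may be a bracketed [k=v ...] group.
AUTH_LINE = re.compile(r'^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)')

def auth_modules(pam_dir, service, seen=None):
    """Module names in a service's auth stack, following include/substack."""
    seen = set() if seen is None else seen
    path = os.path.join(pam_dir, service)
    if service in seen or not os.path.isfile(path):   # loop guard / missing file
        return []
    seen.add(service)
    mods = []
    with open(path) as fh:
        for raw in fh:
            m = AUTH_LINE.match(raw.split('#', 1)[0].strip())
            if not m:
                continue
            control, target = m.groups()
            if control in ('include', 'substack'):
                mods += auth_modules(pam_dir, target, seen)
            else:
                mods.append(os.path.basename(target))
    return mods

def checks_securetty(pam_dir, service):
    return any(m.startswith('pam_securetty') for m in auth_modules(pam_dir, service))

def securetty_file_ok(path):
    """Plain file and not world-writable, the two properties the answer mentions."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and not (st.st_mode & stat.S_IWOTH)

def demo(patch_system_auth):
    """Build a constructed pam.d tree and report which services reach pam_securetty."""
    d = tempfile.mkdtemp()
    files = {
        'login': 'auth required pam_securetty.so\nauth include system-auth\n',
        'sshd': 'auth include system-auth\n',
        'system-auth': 'auth required pam_unix.so\n',
    }
    if patch_system_auth:   # the line the question adds
        files['system-auth'] = 'auth required pam_securetty\n' + files['system-auth']
    for name, body in files.items():
        with open(os.path.join(d, name), 'w') as fh:
            fh.write(body)
    return {s: checks_securetty(d, s) for s in ('login', 'sshd')}

if __name__ == '__main__':
    print('before:', demo(False))
    print('after: ', demo(True))
```

To audit a real host, call `checks_securetty` with the path of a copy of its /etc/pam.d directory and each service name; every service that includes the patched file picks up the tty check, not only sshd.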