I want to configure securetty to limit direct root access. I understand that if I add:
auth required pam_securetty.so
into /etc/pam.d/system-auth, and keep only "console" in /etc/securetty, ssh login will also be prohibited. And if I add:
auth required pam_securetty.so
into /etc/pam.d/login, and keep only "console" in /etc/securetty, ssh login will not be prohibited.
Now I am not very clear about the difference between /etc/pam.d/login and /etc/pam.d/system-auth. Could anyone give me some references or a guide? Thanks a lot!
P.S. /etc/pam.d/login vs. /etc/pam.d/system-auth also gives a little about it, but I want to learn more to make it clearer to me.

The /etc/pam.d/system-auth file is used by Red-Hat and like systems to group together common security policies. It is often included in other /etc/pam.d policy files where those common policies are required.

When accessing a system via ssh through sshd, the /etc/pam.d/sshd policy file is consulted. This file includes /etc/pam.d/system-auth so your changes to /etc/pam.d/system-auth are valid.

The file /etc/pam.d/login is consulted when you log in via the /bin/login program, therefore any changes to it only affect /bin/login.

OpenSSH uses the /etc/pam.d/sshd module. /etc/pam.d/sshd:

OpenSSH does not use /etc/pam.d/login to authenticate. /etc/pam.d/login and /etc/pam.d/system-auth are different modules for different programs.
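
To see which programs a pam_securetty.so line actually reaches, the include chain described in the answers above can be resolved mechanically. The following is an added example, not part of the original posts: the function names and the simplified sample policy files are constructed for illustration, and only Red Hat style "include" and "substack" lines are followed.

```python
import os
import tempfile

def auth_modules(service, pam_dir="/etc/pam.d", _stack=()):
    """List the modules in a service's auth stack, following include/substack."""
    path = os.path.join(pam_dir, service)
    if service in _stack or not os.path.isfile(path):  # include loop or missing file
        return []
    modules = []
    with open(path) as fh:
        for raw in fh:
            f = raw.split("#", 1)[0].split()           # drop comments, tokenize
            if len(f) < 3 or f[0].lstrip("-") != "auth":
                continue
            i = 1
            if f[1].startswith("["):  # bracketed control may span several tokens
                while i < len(f) - 1 and not f[i].endswith("]"):
                    i += 1
            if i + 1 >= len(f):
                continue
            if f[1] in ("include", "substack"):
                modules += auth_modules(f[2], pam_dir, _stack + (service,))
            else:
                modules.append(os.path.basename(f[i + 1]))
    return modules

def services_using(module, pam_dir="/etc/pam.d"):
    """Return every policy file whose effective auth stack contains the module."""
    return sorted(s for s in os.listdir(pam_dir) if module in auth_modules(s, pam_dir))

def build_sample(securetty_in):
    """Write a constructed, simplified Red Hat style /etc/pam.d into a temp dir."""
    files = {
        "system-auth": ["auth required pam_env.so",
                        "auth sufficient pam_unix.so",
                        "auth required pam_deny.so"],
        "sshd": ["auth include system-auth"],    # assumed layout, as the answer describes
        "login": ["auth include system-auth"],
    }
    files[securetty_in].insert(0, "auth required pam_securetty.so")
    pam_dir = tempfile.mkdtemp()
    for name, lines in files.items():
        with open(os.path.join(pam_dir, name), "w") as fh:
            fh.write("\n".join(lines) + "\n")
    return pam_dir

if __name__ == "__main__":
    for where in ("system-auth", "login"):
        print(where, "->", services_using("pam_securetty.so", build_sample(where)))
```

Run as-is it reports on the two constructed layouts; calling services_using("pam_securetty.so") with the default directory checks the policy files on the host itself.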