From: Doug Hardie
Date: Fri, 12 Nov 2004 23:27:12 -0800
To: "Ted Mittelstaedt"
cc: f-questions List
Subject: Re: Root login at console

On Nov 12, 2004, at 23:18, Ted Mittelstaedt wrote:

>> -----Original Message-----
>> From: owner-freebsd-questions@freebsd.org
>> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Doug Hardie
>> Sent: Friday, November 12, 2004 10:52 PM
>> To: f-questions List
>> Subject: Root login at console
>>
>> I am setting up some 5.3 systems and have encountered a situation I
>> can't figure out. I have had the following (and only) active line in
>> 4.6 systems /etc/login.allow:
>>
>> -:ALL EXCEPT user1 user2 user3: ALL
>>
>> That only permitted logins from those 3 users and not root. The users
>> had to su to get to root - even on the console. However that same line
>> in 5.3 doesn't let anyone su to root (terminal or console). I have to
>> add root to the list:
>>
>> -:ALL EXCEPT root user1 user2 user3: ALL
>>
>> Then the users can su to root. However root can login on the console
>> directly which I don't want. I have tried a few different approaches to
>> make this work but none have succeeded. What am I missing? Thanks.
>>
>
> I don't think that the /etc/login.allow should have blocked root login at
> the console. If it did in 4.x that is a bug and 5.3 corrected it.
>
> If you want to block root login at the console then edit /etc/ttys and
> change the keyword from "secure" to "insecure" for the console.
>
> Ted

Thanks. I just checked ttys in my 4.6 system and they all say secure. I
see the instructions in ttys now and that makes sense. A quick check
also shows it works. I guess there was a bug in 4.6. The instructions
seem to indicate that removing the secure keyword is all that is
required. That's what I checked and it worked. I presume that's the same
as using the insecure key which I really didn't see mentioned.
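
An added example, not part of the original messages: a small sh/awk check that lists every line in a ttys(5)-format file that still carries the "secure" flag discussed above, together with its on/off status, so it can be reviewed after editing /etc/ttys. The function name secure_ttys and the sample entries are constructed for illustration; a "#" inside a quoted getty command is assumed not to occur.

```shell
#!/bin/sh
# secure_ttys FILE
# Print "<line-name> <on|off>" for every entry whose flags leave it marked
# "secure". A missing flag or a later "insecure" both count as insecure.
secure_ttys() {
    awk '
    {
        sub(/#.*/, "")                # drop trailing comments
        gsub(/"[^"]*"/, "QUOTED")     # collapse the quoted getty command to one field
        if (NF < 3) next              # blank or incomplete entry
        secure = 0
        state = "off"
        for (i = 4; i <= NF; i++) {   # fields 1-3 are name, command, type
            if ($i == "on")       state = "on"
            if ($i == "off")      state = "off"
            if ($i == "secure")   secure = 1
            if ($i == "insecure") secure = 0
        }
        if (secure) print $1, state
    }' "$1"
}

# Constructed sample in ttys(5) layout (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name  getty                           type    status
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv1   "/usr/libexec/getty Pc"         cons25  on  insecure
ttyv2   "/usr/libexec/getty Pc"         cons25  on
ttyd0   "/usr/libexec/getty std.9600"   dialup  off secure   # serial
EOF

secure_ttys "$sample"
rm -f "$sample"
```

On a live system the call would be `secure_ttys /etc/ttys`; an empty result means no line is flagged secure.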