'\" t
.\" Title: pam_securetty
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1
.\" Date: 09/19/2013
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
.TH "PAM_SECURETTY" "8" "09/19/2013" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_securetty \- Limit root login to special devices
.SH "SYNOPSIS"
.HP \w'\fBpam_securetty\&.so\fR\ 'u
\fBpam_securetty\&.so\fR [debug]
.SH "DESCRIPTION"
.PP
pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in
/etc/securetty\&. pam_securetty also checks to make sure that
/etc/securetty
is a plain file and not world writable\&. It will also allow root logins on the tty specified with
\fBconsole=\fR
switch on the kernel command line and on ttys from the
/sys/class/tty/console/active\&.
.PP
This module has no effect on non\-root users and requires that the application fills in the
\fBPAM_TTY\fR
item correctly\&.
.PP
For canonical usage, should be listed as a
\fBrequired\fR
authentication method before any
\fBsufficient\fR
authentication methods\&.
.SH "OPTIONS"
.PP
\fBdebug\fR
.RS 4
Print debug information\&.
.RE
.PP
\fBnoconsole\fR
.RS 4
Do not automatically allow root logins on the kernel console device, as specified on the kernel command line or by the sys file, if it is not also specified in the
/etc/securetty
file\&.
.RE
.SH "MODULE TYPES PROVIDED"
.PP
Only the
\fBauth\fR
module type is provided\&.
.SH "RETURN VALUES"
.PP
PAM_SUCCESS
.RS 4
The user is allowed to continue authentication\&. Either the user is not root, or the root user is trying to log in on an acceptable device\&.
.RE
.PP
PAM_AUTH_ERR
.RS 4
Authentication is rejected\&. Either root is attempting to log in via an unacceptable device, or the
/etc/securetty
file is world writable or not a normal file\&.
.RE
.PP
PAM_INCOMPLETE
.RS 4
An application error occurred\&. pam_securetty was not able to get information it required from the application that called it\&.
.RE
.PP
PAM_SERVICE_ERR
.RS 4
An error occurred while the module was determining the user\*(Aqs name or tty, or the module could not open
/etc/securetty\&.
.RE
.PP
PAM_USER_UNKNOWN
.RS 4
The module could not find the user name in the
/etc/passwd
file to verify whether the user had a UID of 0\&. Therefore, the results of running this module are ignored\&.
.RE
.SH "EXAMPLES"
.PP
.if n \{\
.RS 4
.\}
.nf
auth required pam_securetty\&.so
auth required pam_unix\&.so
.fi
.if n \{\
.RE
.\}
.sp
.SH "SEE ALSO"
.PP
\fBsecuretty\fR(5),
\fBpam.conf\fR(5),
\fBpam.d\fR(5),
\fBpam\fR(7)
.SH "AUTHOR"
.PP
pam_securetty was written by Elliot Lee \&.