4.7. Restricting console login access

Some security policies might force administrators to log in to the system through the console with their user/password and then become superuser (with su or sudo). This policy is implemented in Debian by editing the /etc/login.defs file or /etc/securetty when using PAM. In:

- /etc/pam.d/login, which enables the pam_securetty.so module. This module, when properly configured, will not ask for a password when the root user tries to log in on an insecure console, rejecting access as this user. (In older Debian releases you would need to edit login.defs and use the CONSOLE variable, which defines a file or list of terminals on which root logins are allowed.)

- securetty (/etc/securetty is a configuration file that belongs to the login package), by adding/removing the terminals to which root access will be allowed. If you wish to allow only local console access then you need console, ttyX (or ttyvX in GNU/FreeBSD, and ttyE0 in GNU/KNetBSD) and vc/X (if using devfs devices); you might want to add also ttySX (or comX in GNU/Hurd, cuaaX in GNU/FreeBSD, and ttyXX in GNU/KNetBSD) if you are using a serial console for local access (where X is an integer; you might want to have multiple instances). The default configuration for Wheezy includes many tty devices, serial ports, vc consoles as well as the X server and the console device. (The default configuration in woody includes 12 local tty and vc consoles, as well as the console device, but does not allow remote logins. In sarge the default configuration provides 64 consoles for tty and vc consoles.) You can safely adjust this if you are not using that many consoles. You can confirm the virtual consoles and the tty devices you have by reviewing /etc/inittab (look for the getty calls). For more information on terminal devices read the Text-Terminal-HOWTO.

When using PAM, other changes to the login process, which might include restrictions on users and groups at given times, can be configured in /etc/pam.d/login. An interesting feature that can be disabled is the possibility of logging in with null (blank) passwords. This feature can be limited by removing nullok from the line:
auth required pam_unix.so nullok
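The checks this section describes (root allowed only on local terminals in /etc/securetty, pam_securetty.so enabled and nullok removed in /etc/pam.d/login) can be scripted. The following audit is an added example, not part of the Securing Debian Manual; the file contents it inspects are constructed samples, and the set of "local" terminal names it accepts is the one this section lists for Linux.

```shell
#!/bin/sh
# Added audit example (not from the Securing Debian Manual). File contents are
# passed in as strings so it runs offline on the constructed samples below;
# use "$(cat /etc/securetty)" and "$(cat /etc/pam.d/login)" on a real host.

# True when an auth line for pam_unix.so still carries nullok (blank passwords
# accepted). Comment lines start with '#' and never match.
login_allows_null_passwords() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*auth[[:space:]][^#]*pam_unix\.so[^#]*[[:space:]]nullok'
}
# True when pam_securetty.so is enabled on an auth line of pam.d/login.
login_uses_pam_securetty() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*auth[[:space:]]+(requisite|required)[[:space:]]+pam_securetty\.so'
}
# Print securetty entries that are not local consoles (console, ttyX, vc/X,
# serial ttySX); e.g. a pts/N pseudo-terminal would admit root over a remote session.
securetty_nonlocal_entries() {
    printf '%s\n' "$1" \
      | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -v '^$' \
      | grep -Ev '^(console|tty[0-9]+|vc/[0-9]+|ttyS[0-9]+)$' || true
}
# One line per finding; exit status 0 means nothing was flagged.
audit_console_access() {   # $1 = securetty text, $2 = pam.d/login text
    count=0
    if login_allows_null_passwords "$2"; then
        echo "pam.d/login: nullok present, remove it from the pam_unix.so auth line"
        count=$((count + 1))
    fi
    if ! login_uses_pam_securetty "$2"; then
        echo "pam.d/login: pam_securetty.so is not enabled"
        count=$((count + 1))
    fi
    for entry in $(securetty_nonlocal_entries "$1"); do
        echo "securetty: non-local terminal '$entry' allows root login"
        count=$((count + 1))
    done
    [ "$count" -eq 0 ]
}

# Constructed samples (not copied from any real system).
SAMPLE_SECURETTY='# terminals on which root may log in
console
ttyS0
pts/0'
SAMPLE_LOGIN='auth       requisite  pam_securetty.so
auth       required   pam_unix.so nullok'
# The fix the section describes: drop nullok from the pam_unix.so line.
FIXED_LOGIN=$(printf '%s\n' "$SAMPLE_LOGIN" | sed 's/[[:space:]]*nullok[[:space:]]*$//')
audit_console_access "$SAMPLE_SECURETTY" "$SAMPLE_LOGIN" || echo "fix the findings above"
```

On the sample input the audit reports two findings (nullok and the pts/0 entry); with FIXED_LOGIN only the securetty entry remains.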