4.7. Restricting console login access

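Some security policies might want to force administrators to log in to the system at the console with their own user and password and then become superuser (with su or sudo). In Debian this policy can be implemented by editing the /etc/login.defs file or, when using PAM, /etc/securetty.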
/etc/pam.d/login enables the pam_securetty.so module. This module, when properly configured, will not ask for a password when the root user tries to log in on an insecure console, rejecting access as this user. (In older Debian releases you would need to edit login.defs and use the CONSOLE variable, which defines a file or list of terminals on which root logins are allowed.)
In /etc/securetty, a configuration file that belongs to the login package, you add or remove the terminals to which root access will be allowed. If you wish to allow only local console access then you need console, ttyX (or ttyvX in GNU/FreeBSD, and ttyE0 in GNU/KNetBSD) and vc/X (if using devfs devices). You might also want to add ttySX (or comX in GNU/Hurd, cuaaX in GNU/FreeBSD, and ttyXX in GNU/KNetBSD) if you are using a serial console for local access. Here X is an integer, and you might want to have multiple instances. The default configuration for Wheezy includes many tty devices, serial ports, vc consoles as well as the X server and the console device. (The default configuration in woody includes 12 local tty and vc consoles, as well as the console device, but does not allow remote logins. In sarge the default configuration provides 64 consoles for tty and vc consoles.) You can safely adjust this if you are not using that many consoles. You can confirm the virtual consoles and the tty devices you have by reviewing /etc/inittab (look for the getty calls). For more information on terminal devices read the Text-Terminal-HOWTO.
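When using PAM, changes to the login process, including restrictions on users and groups at given times, can be configured in /etc/pam.d/login. An interesting feature that can be disabled is the ability to log in with null (blank) passwords. This feature can be limited by removing nullok from the following line: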
  auth       required   pam_unix.so nullok
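
An audit of the settings this section describes, as an added example that is not part of the original manual: it checks that pam_securetty.so is enabled, lists securetty entries other than console, ttyX and vc/X, and flags a remaining nullok. The function names and the sample files are constructed for illustration; pass the real PAM login file and securetty paths as the two arguments.

```shell
#!/bin/sh
# Added example: audit the console-login settings described in this section.
# File paths are arguments, so the checks can run on copies of the files.

# Print a config file without comments and blank lines.
active_lines() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# Succeed if an active auth line in the PAM file loads pam_securetty.so.
securetty_enabled() {
    active_lines "$1" | grep -Eq '^[[:space:]]*auth[[:space:]].*pam_securetty\.so'
}

# Print securetty entries other than console, ttyX and vc/X (e.g. serial lines).
nonlocal_ttys() {
    active_lines "$1" | tr -d '[:blank:]' |
        grep -Ev '^(console|tty[0-9]+|vc/[0-9]+)$' || true
}

# Print active pam_unix.so lines that still carry the nullok option.
nullok_lines() {
    active_lines "$1" |
        grep -E 'pam_unix\.so.*[[:space:]]nullok([[:space:]]|$)' || true
}

# Report on one PAM login file and one securetty file; return 1 on any finding.
audit_console_login() {
    rc=0
    securetty_enabled "$1" || { echo "FAIL: pam_securetty.so not enabled in $1"; rc=1; }
    extra=$(nonlocal_ttys "$2")
    [ -z "$extra" ] || { echo "WARN: root allowed on:" $extra; rc=1; }
    [ -z "$(nullok_lines "$1")" ] || { echo "FAIL: nullok present in $1"; rc=1; }
    return $rc
}

# Constructed sample files (not taken from a real system) for a dry run.
write_samples() {
    printf '%s\n' '# constructed sample' 'auth requisite pam_securetty.so' \
        'auth       required   pam_unix.so nullok' > "$1/login"
    printf '%s\n' '# constructed sample' console tty1 tty2 vc/1 ttyS0 > "$1/securetty"
}

if [ "$#" -eq 2 ]; then
    audit_console_login "$1" "$2"
else
    d=$(mktemp -d) && write_samples "$d"
    audit_console_login "$d/login" "$d/securetty" || true
    rm -rf "$d"
fi
```

Run without arguments, it audits the constructed samples and reports the serial line ttyS0 and the nullok option.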