Recipe 3.19 Prohibiting root Logins on Terminal Devices

3.19.1 Problem

You want to prevent the superuser, root, from logging in directly over a terminal or pseudo-terminal.

3.19.2 Solution

Edit /etc/securetty. This file contains device names, one per line, that permit root logins. Make sure there are no pseudo-ttys (pty) devices listed, so root cannot log in via the network, and remove any others of concern to you. Lines do not contain the leading "/dev/" path, and lines beginning with a hash mark (#) are comments. For example:

# serial lines
# devfs devices

3.19.3 Discussion

If possible, don't permit root to log in directly. If you do, you're providing a route for breaking into your system: an outsider can launch (say) a dictionary attack against the terminal in question. Instead, users should log in as themselves and gain root privileges in an appropriate manner, as we discuss in Chapter 5.

3.19.4 See Also

securetty(5). Documentation on devfs is at

    Chapter 9. Testing and Monitoring