7

I do a lot of local development work with (CentOS/RHEL) virtual machines. Rather than configuring everything with a default root password -- which, if exposed to the network, can be problematic -- I'd like to configure them to allow passwordless root login only on the serial console.

My first attempt was to simply replace the default ExecStart command for [email protected] with a command line using the --autologin option:

ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,38400,9600 --noclear --autologin root ttyS0 $TERM

While this skips the login: prompt, it still prompts for a root password. This appears to be a limitation of the login program under Linux.

I also tried replacing the default login program with a shell, like this:

ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,38400,9600 --noclear -n -l /bin/bash ttyS0 $TERM

But this runs afoul of selinux: while I get a bash shell, it has no access to anything:

bash: /root/.bashrc: Permission denied
# ls /etc/systemd
ls: cannot open directory '/etc/systemd': Permission denied

Elsewhere on the net, people have suggested just removing the password hash from /etc/{password,shadow}, but of course that results in a different set of problems: now any user can su - without a password.

Any thoughts on how to make this work properly?

larsks
  • 32,449
  • 5
  • 54
  • 70
  • It should be possible to use PAM for what you want. But is there any reason why you don't want to set up password-less ssh login to root? – roaima Nov 17 '19 at 08:05
  • I already have passwordless ssh login available, but if the network configuration is unknown a priori or fails to come up for some reason, serial console access is tremendously convenient. – larsks Nov 17 '19 at 13:13

1 Answers1

11

After some experimenting, I've got something that works:

  1. Run systemctl edit [email protected], and add the following:

    [Service]
ExecStart=
ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,38400,9600 --noclear --autologin root ttyS0 $TERM

    This will cause agetty to auto-login the root user, but with only this change the system will still prompt you for the root password.

  2. We can configure /etc/pam.d/login to authenticate root logins on the console without a password. Add the following to the top of /etc/pam.d/login:

    auth sufficient pam_listfile.so item=tty sense=allow file=/etc/securetty onerr=fail apply=root

    This will cause the PAM stack to check for the login tty in /etc/securetty, and to skip other authentication mechanisms if it finds it.

  3. Add the serial port to /etc/securetty:

    # echo ttyS0 > /etc/securetty

With these changes in place, you'll see the following on the serial console when you boot:

CentOS Linux 8 (Core)
Kernel 4.18.0-80.11.2.el8_0.x86_64 on an x86_64

localhost login: root (automatic login)

Last login: Sun Nov 17 00:29:36 on ttyS0
[root@localhost ~]#

...and if you log out, you'll end up right back at the shell prompt.

Note that I've used the filename /etc/securetty here, which in days of yore actually did something else (it controlled terminals on which root was allowed to log in). So if that bothers you, use a different file :).

larsks
  • 32,449
  • 5
  • 54
  • 70
  • "This will cause agetty to auto-login the root user, but with only this change the system will still prompt you for the root password." This is a contradictory sentence. – user189395 Apr 23 '22 at 18:18
  • @user189395 in fact is is not! But I can see why you might read it that way at first glance. I'm open to alternative phrasings. – larsks Apr 24 '22 at 18:28
  • Doesn't "auto-login" mean you don't need to enter a password? – user189395 Apr 24 '22 at 19:26
  • 1
    In this case, it means it behaves as if you had typed `root` the `login:` prompt: it automatically initiates a root login, but still prompts you for a password. Maybe that's a better way of putting it? – larsks Apr 25 '22 at 00:05
  • I wonder, would it be also possible to use [`pam_securetty.so`](https://linux.die.net/man/8/pam_securetty)? – Petr Jun 05 '22 at 20:10
  • 2
    This appears to work as well: `auth sufficient pam_securetty.so` But take it with a grain of salt, I'm a beginner when it comes to _pam_. – Petr Jun 06 '22 at 17:11
  • Honestly, I'm not sure why I didn't mention `pam_securetty` when I wrote this :). Thanks for the comments. – larsks Jun 06 '22 at 17:14