0

This official Red Hat page offers some vague hints.

Since /etc/securetty listed many possible devices so that the practical effect in most cases was to allow by default, this change has only a minor impact. However, if you use a more restrictive configuration, you need to add a line enabling the pam_securetty.so module to the appropriate files in the /etc/pam.d directory, and create a new /etc/securetty file.

It seems odd there is no cleaner way of allowing passwordless serial console access.

This page provides a solution that works well enough but I can't help wondering if there is a simpler way.

user189395

2 Answers

1

With the current state of CentOS 8, I don't think so.

The problem is that a traditional Unix login from a serial port involves two components: a getty process to initialize the port settings and prompt for the username, and a login process to prompt for a password, check it and initiate the user's session. The RHEL/CentOS SELinux rules have been written with this in mind.

You could make it simpler to configure automatic logins by replacing the combination of agetty and login by something else that does both jobs, and adjusting the PAM and SELinux configurations to match, but you'll find that to be far more complex than the three simple steps listed in the link you provided.

Configuring an automatic login is a pretty significant action in terms of security, so it generally should be a multi-step procedure so it'll be unlikely to be done by accident. And if you find yourself doing it often, there's nothing to stop you from automating it using a tool of your choice (e.g. just a script, or perhaps something like Ansible).

telcoM
0

I had a similar concern about the lack of a cleaner approach, so I had to come up with a different solution than the one provided in the linked question.

  1. You need to configure the console for the kernel. It depends on the platform, but typically it's console=ttyS0 or console=hvc0. Then you don't need to append the serial console to /etc/securetty, as mentioned in pam_securetty(8):

         pam_securetty [...] will also allow root logins on the tty specified
         with console= switch on the kernel command line and on ttys from the
         /sys/class/tty/console/active.

  2. Root login should be explicitly allowed on the serial console, i.e. /etc/pam.d/login should have the pam_securetty module:

         #%PAM-1.0
         auth        required    pam_securetty.so
         ...

  3. Then you need to configure autologin in the systemd getty: run systemctl edit [email protected] and replace the parameters passed to login, -o '-p -- \\u', with autologin:

         ExecStart=-/sbin/agetty --autologin root --noclear --keep-baud 115200,38400,9600 %I $TERM

roolebo
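
A read-only check for the three settings listed in the answer above, added here as an example and not taken from either answer. File paths are passed as arguments so it can run against copies; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the answers): read-only audit of the three settings
# described above. Paths are arguments so it can run on copies of the files.

# Print the tty named by each console= kernel argument (baud options dropped).
console_ttys() {
    tr ' ' '\n' < "$1" | sed -n 's/^console=\([^,]*\).*/\1/p'
}

# Succeed if an uncommented auth line loads pam_securetty.so.
pam_has_securetty() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_securetty\.so' "$1"
}

# Print the account given to agetty --autologin (or -a); the last ExecStart wins.
autologin_user() {
    sed -nE 's/^ExecStart=.*agetty.* (--autologin|-a)[ =]([^ ]+).*/\2/p' "$1" | tail -n 1
}

# audit CMDLINE_FILE PAM_FILE UNIT_FILE -> one summary line
audit() {
    ttys=$(console_ttys "$1" | paste -sd, -)
    if pam_has_securetty "$2"; then pam=present; else pam=absent; fi
    user=$(autologin_user "$3")
    echo "consoles=${ttys:-none} pam_securetty=$pam autologin=${user:-none}"
}

# Constructed sample files standing in for /proc/cmdline, /etc/pam.d/login and
# the getty unit override (hypothetical contents, modelled on the answer).
sample=$(mktemp -d)
echo 'BOOT_IMAGE=/vmlinuz ro console=tty0 console=ttyS0,115200n8' > "$sample/cmdline"
printf '%s\n' '#%PAM-1.0' 'auth        required    pam_securetty.so' > "$sample/login"
cat > "$sample/override.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin root --noclear --keep-baud 115200,38400,9600 %I $TERM
EOF

audit "$sample/cmdline" "$sample/login" "$sample/override.conf"
```

The sample override clears ExecStart= before setting it, which a systemd drop-in needs for a service that allows only one ExecStart. An autologin value other than none means anyone who can reach that console gets a session for that account without a password.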