<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_securetty">

  <refmeta>
    <refentrytitle>pam_securetty</refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo class="source">Linux-PAM</refmiscinfo>
    <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
  </refmeta>

  <refnamediv xml:id="pam_securetty-name">
    <refname>pam_securetty</refname>
    <refpurpose>Limit root login to special devices</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis xml:id="pam_securetty-cmdsynopsis" sepchar=" ">
      <command>pam_securetty.so</command>
      <arg choice="opt" rep="norepeat">
        debug
      </arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1 xml:id="pam_securetty-description">

    <title>DESCRIPTION</title>

    <para>
      pam_securetty is a PAM module that allows root logins only if the
      user is logging in on a "secure" tty, as defined by the listing
      in the <filename>securetty</filename> file. pam_securetty checks at
      first, if <filename>/etc/securetty</filename> exists. If not and
      it was built with vendordir support, it will use
      <filename>%vendordir%/securetty</filename>. pam_securetty also
      checks that the <filename>securetty</filename> files are plain
      files and not world writable. It will also allow root logins on
      the tty specified with <option>console=</option> switch on the
      kernel command line and on ttys from the
      <filename>/sys/class/tty/console/active</filename>.
    </para>
    <para>
      This module has no effect on non-root users and requires that the
      application fills in the <emphasis remap="B">PAM_TTY</emphasis>
      item correctly.
    </para>
    <para>
      For canonical usage, should be listed as a
      <emphasis remap="B">required</emphasis> authentication method
      before any <emphasis remap="B">sufficient</emphasis>
      authentication methods.
    </para>
  </refsect1>

  <refsect1 xml:id="pam_securetty-options">
    <title>OPTIONS</title>
        <variablelist>
      <varlistentry>
        <term>
          debug
        </term>
        <listitem>
          <para>
            Print debug information.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          noconsole
        </term>
        <listitem>
          <para>
            Do not automatically allow root logins on the kernel console
            device, as specified on the kernel command line or by the sys file,
            if it is not also specified in the
            <filename>securetty</filename> file.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1 xml:id="pam_securetty-types">
    <title>MODULE TYPES PROVIDED</title>
    <para>
      Only the <option>auth</option> module type is provided.
    </para>
  </refsect1>

  <refsect1 xml:id="pam_securetty-return_values">
    <title>RETURN VALUES</title>
    <variablelist>
      <varlistentry>
        <term>PAM_SUCCESS</term>
        <listitem>
          <para>
            The user is allowed to continue authentication.
            Either the user is not root, or the root user is
            trying to log in on an acceptable device.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PAM_AUTH_ERR</term>
        <listitem>
          <para>
            Authentication is rejected. Either root is attempting to
            log in via an unacceptable device, or the
            <filename>securetty</filename> file is world writable or
            not a normal file.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PAM_BUF_ERR</term>
        <listitem>
          <para>
            Memory buffer error.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PAM_CONV_ERR</term>
        <listitem>
          <para>
            The conversation method supplied by the application
            failed to obtain the username.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PAM_INCOMPLETE</term>
        <listitem>
          <para>
            The conversation method supplied by the application
            returned PAM_CONV_AGAIN.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PAM_SERVICE_ERR</term>
        <listitem>
          <para>
            An error occurred while the module was determining the
            user's name or tty, or the module could not open
            the <filename>securetty</filename> file.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PAM_USER_UNKNOWN</term>
        <listitem>
          <para>
            The module could not find the user name in the
            <filename>/etc/passwd</filename> file to verify whether
            the user had a UID of 0. Therefore, the results of running
            this module are ignored.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1 xml:id="pam_securetty-examples">
    <title>EXAMPLES</title>
    <para>
      <programlisting>
auth  required  pam_securetty.so
auth  required  pam_unix.so
      </programlisting>
    </para>
  </refsect1>

  <refsect1 xml:id="pam_securetty-see_also">
    <title>SEE ALSO</title>
    <para>
      <citerefentry>
        <refentrytitle>securetty</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>
    </para>
  </refsect1>

  <refsect1 xml:id="pam_securetty-author">
    <title>AUTHOR</title>
      <para>
        pam_securetty was written by Elliot Lee &lt;sopwith@cuc.edu&gt;.
      </para>
  </refsect1>

</refentry>