1
00:00:06,600 --> 00:00:07,433
- And here we go.

2
00:00:07,433 --> 00:00:08,880
Last assignment.

3
00:00:08,880 --> 00:00:11,610
Let's set up your system such that direct login

4
00:00:11,610 --> 00:00:14,700
by the user root is only allowed on tty3.

5
00:00:14,700 --> 00:00:17,790
And ensure this requires your root user to be able

6
00:00:17,790 --> 00:00:19,383
to log in with a password.

7
00:00:20,910 --> 00:00:23,640
So this last part is for Ubuntu users.

8
00:00:23,640 --> 00:00:25,620
On Ubuntu, the root user cannot log in

9
00:00:25,620 --> 00:00:28,290
because the user doesn't have a password.

10
00:00:28,290 --> 00:00:31,770
So sudo passwd root, just like we would do

11
00:00:31,770 --> 00:00:33,243
first on Ubuntu.

12
00:00:34,440 --> 00:00:36,633
Then it's PAM configuration.

13
00:00:37,470 --> 00:00:39,810
So in

14
00:00:39,810 --> 00:00:44,610
/usr/lib/security...

15
00:00:44,610 --> 00:00:48,060
Oops, it is /usr/lib64/security.

16
00:00:48,060 --> 00:00:51,090
We have these PAMs and the PAM module

17
00:00:51,090 --> 00:00:54,950
that we are looking for is securetty.so,

18
00:00:54,950 --> 00:00:57,030
so pam_securetty.so.

19
00:00:57,030 --> 00:00:59,910
And I wanna make sure that pam_securetty.so

20
00:00:59,910 --> 00:01:02,880
is included in the PAM login.

21
00:01:02,880 --> 00:01:07,050
So I'm going to /etc/pam.d,

22
00:01:07,050 --> 00:01:09,480
and there I'm editing the login file

23
00:01:09,480 --> 00:01:11,613
to include pam_securetty.so in auth.

24
00:01:14,725 --> 00:01:16,590
So that will be auth,

25
00:01:18,270 --> 00:01:22,243
required, pam_securetty.so.

26
00:01:25,950 --> 00:01:28,140
Now that we have that included, we need to create

27
00:01:28,140 --> 00:01:29,840
a file with the name /etc/securetty

28
00:01:31,735 --> 00:01:32,990
and in /etc/securetty, I'm listing tty3.

29
00:01:36,360 --> 00:01:38,160
Really, it's nothing more than that.

30
00:01:39,330 --> 00:01:41,340
And now we are going to test.
31
00:01:41,340 --> 00:01:45,180
So first I'm using chvt for change virtual terminal.

32
00:01:45,180 --> 00:01:47,583
I'm going to virtual terminal number 4.

33
00:01:48,630 --> 00:01:50,613
To log in as the root user,

34
00:01:54,150 --> 00:01:56,043
and that doesn't seem to be working.

35
00:01:57,150 --> 00:02:00,330
So let me get in as user student, that still works,

36
00:02:00,330 --> 00:02:03,660
and sudo -i

37
00:02:03,660 --> 00:02:05,283
to open a root shell.

38
00:02:06,120 --> 00:02:08,700
That still works because /etc/securetty

39
00:02:08,700 --> 00:02:11,223
just denies direct root user login.

40
00:02:12,180 --> 00:02:14,613
Back to tty3,

41
00:02:16,710 --> 00:02:17,830
logging in as root

42
00:02:19,140 --> 00:02:21,660
with a password, and that is working.

43
00:02:21,660 --> 00:02:24,570
So from here, chvt 2.

44
00:02:24,570 --> 00:02:28,110
And let's not forget to clean up the sessions.

45
00:02:28,110 --> 00:02:31,799
loginctl is how you can best do that.

46
00:02:31,799 --> 00:02:35,140
So loginctl has this option, list-sessions,

47
00:02:36,630 --> 00:02:40,950
where we can see the sessions on tty4 and on tty3.

48
00:02:40,950 --> 00:02:43,590
And that is what I want to terminate.

49
00:02:43,590 --> 00:02:46,293
So loginctl terminate-session.

50
00:02:50,910 --> 00:02:54,240
And in order to terminate we need the session numbers,

51
00:02:54,240 --> 00:02:56,190
which are session four and five.

52
00:02:56,190 --> 00:02:57,023
So there we go.

53
00:02:57,023 --> 00:02:59,190
Number four and number five.

54
00:02:59,190 --> 00:03:01,620
And now if I use w,

55
00:03:01,620 --> 00:03:03,360
which is also showing

56
00:03:03,360 --> 00:03:04,590
currently logged in users,

57
00:03:04,590 --> 00:03:06,990
we don't see these sessions anymore.

58
00:03:06,990 --> 00:03:11,280
And let's also observe this from loginctl list-sessions.
59
00:03:11,280 --> 00:03:12,840
We only have the student user now

60
00:03:12,840 --> 00:03:15,480
on tty2, and that's what I wanted.

61
00:03:15,480 --> 00:03:18,597
And this is how you integrate /etc/securetty

62
00:03:18,597 --> 00:03:22,083
to protect root logins from secure terminals only.
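The following is an added audit helper, not part of the course video, for the setup the transcript walks through: an enforcing pam_securetty.so line in the auth section of /etc/pam.d/login plus a securetty file listing tty3. It reads the two files and reports whether direct root login on a given terminal is allowed, denied, or not restricted at all. The file paths are parameters so it can be run against constructed sample files (the defaults are the real system paths); the sample contents below are constructed for the demo. One caveat the transcript does not mention and that the helper checks for: pam_securetty treats a missing securetty file as "allow everywhere" for compatibility, and a line marked optional rather than required or requisite does not enforce anything.

```shell
#!/bin/sh
# Added example (not the course's own material): audit the pam_securetty
# configuration described in the transcript.

# 0 if PAMFILE has an enforcing pam_securetty.so line in the auth section.
pam_enforces_securetty() {
    pamfile="${1:-/etc/pam.d/login}"
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_securetty\.so' "$pamfile"
}

# 0 if TTY (e.g. tty3) is listed in FILE; blank lines and # comments ignored.
tty_listed() {
    tty="$1"; file="${2:-/etc/securetty}"
    [ -f "$file" ] || return 1
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" | grep -qx "$tty"
}

# Print a verdict for TTY and return 0 when root may log in there directly.
# "unrestricted" means pam_securetty is not actually enforced: either the
# module line is missing/optional, or the securetty file does not exist
# (pam_securetty returns success in that case for compatibility).
root_login_status() {
    tty="$1"; pamfile="${2:-/etc/pam.d/login}"; secfile="${3:-/etc/securetty}"
    if ! pam_enforces_securetty "$pamfile"; then
        echo "unrestricted"; return 0
    fi
    if [ ! -f "$secfile" ]; then
        echo "unrestricted (securetty file missing)"; return 0
    fi
    if tty_listed "$tty" "$secfile"; then
        echo "allowed"; return 0
    fi
    echo "denied"; return 1
}

# Constructed sample files mirroring the transcript: pam_securetty required
# in auth, and a securetty file that lists only tty3.
demo_dir=$(mktemp -d)
cat > "$demo_dir/login" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       substack     system-auth
account    required     pam_nologin.so
EOF
printf '# constructed sample securetty\ntty3\n' > "$demo_dir/securetty"

root_login_status tty3 "$demo_dir/login" "$demo_dir/securetty"          # allowed
root_login_status tty4 "$demo_dir/login" "$demo_dir/securetty" || true  # denied
root_login_status tty4 "$demo_dir/login" "$demo_dir/does-not-exist"     # unrestricted (securetty file missing)

rm -rf "$demo_dir"
```

Run it without arguments against a real host by calling `root_login_status tty3` after sourcing the file; a "denied" on every tty except the one you intended, and never "unrestricted", is the result the assignment asks for.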