This official Red Hat page offers some vague hints.
Since /etc/securetty listed many possible devices so that the practical effect in most cases was to allow by default, this change has only a minor impact. However, if you use a more restrictive configuration, you need to add a line enabling the pam_securetty.so module to the appropriate files in the /etc/pam.d directory, and create a new /etc/securetty file.
It seems odd there is no cleaner way of allowing passwordless serial console access.
This page provides a solution that works well enough but I can't help wondering if there is a simpler way.
With the current state of CentOS 8, I don't think so.
The problem is that a traditional Unix login from a serial port involves two components: a getty process to initialize the port settings and prompt for the username, and a login process to prompt for a password, check it and initiate the user's session. The RHEL/CentOS SELinux rules have been written with this in mind.
You could make it simpler to configure automatic logins by replacing the combination of agetty and login by something else that does both jobs, and adjusting the PAM and SELinux configurations to match, but you'll find that to be far more complex than the three simple steps listed in the link you provided.
Configuring an automatic login is a pretty significant action in terms of security, so it generally should be a multi-step procedure so it'll be unlikely to be done by accident. And if you find yourself doing it often, there's nothing to stop you from automating it using a tool of your choice (e.g. just a script, or perhaps something like Ansible).
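A read-only check of the two settings the quoted Red Hat note mentions (a pam_securetty.so line in a PAM service file, and the securetty list), as an added example that is not part of the original question or answer. The function names and sample files are constructed for illustration, and the check looks only at the file contents, not at any other behaviour of the module.

```shell
#!/bin/sh
# Added example: report how a PAM service file and a securetty list treat a tty.
# File paths are arguments so the check can run against copies of the config.

# True if an uncommented "auth" line in PAM file $1 loads pam_securetty.so.
pam_securetty_enabled() {
    grep -Eq '^[[:space:]]*-?auth[[:space:]].*pam_securetty\.so' "$1"
}

# True if tty $2 is an entry in securetty file $1 (one device per line,
# no /dev/ prefix; lines starting with "#" are comments and never match).
tty_listed() {
    sed 's/[[:space:]]*$//' "$1" | grep -Fxq -- "$2"
}

# Prints one of: module-off, no-securetty-file, listed, not-listed.
securetty_verdict() {
    pam_file=$1
    securetty=$2
    tty_name=$3
    if ! pam_securetty_enabled "$pam_file"; then
        echo module-off            # pam_securetty is not in this PAM stack
    elif [ ! -f "$securetty" ]; then
        echo no-securetty-file     # module enabled, but the list was never created
    elif tty_listed "$securetty" "$tty_name"; then
        echo listed
    else
        echo not-listed
    fi
}

# Constructed sample config (not taken from a real host).
demo=$(mktemp -d)
printf 'auth required pam_securetty.so\nauth include system-auth\n' > "$demo/login.on"
printf '#auth required pam_securetty.so\nauth include system-auth\n' > "$demo/login.off"
printf '# constructed list\ntty1\nttyS0 \n' > "$demo/securetty"

for t in tty1 ttyS0 ttyS1; do
    echo "$t: $(securetty_verdict "$demo/login.on" "$demo/securetty" "$t")"
done
echo "module commented out: $(securetty_verdict "$demo/login.off" "$demo/securetty" ttyS0)"
rm -rf "$demo"
```

On a real system the arguments would be a file under /etc/pam.d, /etc/securetty, and the serial device name.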