Securing the console

Hi Guys.

This is another one of those subjects that Google can't quite handle. There are so many similar but still off-the-mark responses that finding the useful one(s) would require days of reading.
Obviously having the USB console open - not requiring any authentication to gain root access - is great for development, but less so for deployment. I'm sure there's a simple way to require a login on the console connection, but I haven't been able to find it.
Anyone?
Thanks,

-Nick

Hi Nick,

We actually didn't "enable" this feature until 16.04 (after days of reading, configuring, etc.), so the new image we have posted has this, but not the previous one. Sounds like you're on 14.04 from your other post; Bush may have some suggestions you can try, but we probably won't be messing around with the 14.04 build anytime soon.

-Ryan

On Tuesday, September 12, 2017 at 10:18:14 AM UTC-7, Nick Burkitt wrote:
Hi Guys.

This is another one of those subjects that Google can't quite handle. There are so many similar but still off-the-mark responses that finding the useful one(s) would require days of reading.
Obviously having the USB console open - not requiring any authentication to gain root access - is great for development, but less so for deployment. I'm sure there's a simple way to require a login on the console connection, but I haven't been able to find it.
Anyone?
Thanks,

-Nick

The automatic root login was replaced on the new 16.04 Ubuntu image. I'm not sure exactly what user/group configuration but you will at least need a user with root-level permissions before you can remove the root login. If you don't already have a user account you want to use, you will need to create one and give it sudo permissions:

# useradd <username>
# usermod -aG sudo <username>


You can then delete the root password to disable direct login as root:

# passwd -d root

Depending on the security configuration for the console, the automatic login can be configured based on a combination of the settings found at:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s2-wstation-privileges-noroot.html

Can you take a look at that guide and let me know if/where your configuration/system doesn't seem compatible (i.e. no pam or securetty configuration available)? You may need to update.

Maybe there's some confusion about what I'm asking. I don't want to disable root login, I want to require root login in order to establish a session as root when using the USB console.

But, I spent the morning answering my own question, and the answer is, edit /etc/default/autogetty and comment out the line

AUTOGETTY_ARGS="-n -l /bin/auto-root-login"

-Nick

On Wednesday, September 13, 2017 at 4:11:31 PM UTC-7, Bush wrote:
The automatic root login was replaced on the new 16.04 Ubuntu image. I'm not sure exactly what user/group configuration but you will at least need a user with root-level permissions before you can remove the root login. If you don't already have a user account you want to use, you will need to create one and give it sudo permissions:

# useradd <username>
# usermod -aG sudo <username>


You can then delete the root password to disable direct login as root:

# passwd -d root

Depending on the security configuration for the console, the automatic login can be configured based on a combination of the settings found at:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s2-wstation-privileges-noroot.html

Can you take a look at that guide and let me know if/where your configuration/system doesn't seem compatible (i.e. no pam or securetty configuration available)? You may need to update.

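
The fix from Nick's post as a repeatable check, added here as an example and not code from the thread or the image maintainers: it reports whether the auto-login line in /etc/default/autogetty is still active and comments it out, keeping a backup. The function names, the .bak suffix and the --apply switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit and disable the console auto-login described above.
# The file path and the AUTOGETTY_ARGS line come from the thread; the function
# names, the .bak backup and the --apply switch are choices of this example.

AUTOGETTY_DEFAULTS="${AUTOGETTY_DEFAULTS:-/etc/default/autogetty}"

# Matches an uncommented AUTOGETTY_ARGS assignment that starts auto-root-login.
AUTOLOGIN_RE='^[[:space:]]*AUTOGETTY_ARGS=.*auto-root-login'

# Exit status 0 if the auto-login line is still active in file $1.
autologin_active() {
    grep -q "$AUTOLOGIN_RE" "$1"
}

# Comment out the active auto-login line(s) in file $1.
# Idempotent: a second run leaves the file unchanged.
# Returns 0 when no active auto-login line remains, 2 if the file is missing.
disable_autologin() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if ! autologin_active "$file"; then
        echo "auto-login already disabled in $file"
        return 0
    fi
    # Keep the original so the development setting can be restored.
    cp -p "$file" "$file.bak" || return 1
    tmp="$file.tmp.$$"
    sed "/$AUTOLOGIN_RE/s/^/#/" "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
    # Verify the result instead of trusting the edit.
    ! autologin_active "$file"
}

# Only touch the real file when asked to: sh secure-console.sh --apply (as root)
if [ "${1:-}" = "--apply" ]; then
    disable_autologin "$AUTOGETTY_DEFAULTS"
fi
```

Before the change takes effect, confirm that the account you intend to log in with on the console has a password set, since the console will then prompt for credentials.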