
#1 2018-10-07 02:12:11

emwe
Member
Registered: 2018-10-07
Posts: 5

[solved] disable remote root login in lightdm

I have lightdm installed as display manager and modified the configuration file /etc/lightdm/lightdm.conf so that I can log in remotely via VNC.

[VNCServer]
#enabled=false
#command=Xvnc
#port=5900
#listen-address=
#width=1024
#height=768
#depth=8
enabled=true
command=/usr/bin/Xvnc -once securitytypes=TLSNone
port=5900
#listen-address=
width=1600
height=900
depth=24 

This is only the VNCserver section, because this is the only one I modified, everything else in this file is left untouched.
Unfortunately, I can log in not only as a normal user but also as root. I want to disable this.
From what I have learned, the login behaviour of lightdm is PAM driven. But there are so many PAM modules controlling this, like pam_nologin, pam_access, pam_listfile etc.
By googling I found: http://forums.debian.net/viewtopic.php? … 81#p502795 but this will disable root logins from lightdm generally; I want to disable only remote root logins.
I also found https://access.redhat.com/documentation … oroot.html. If I understand it right, it will disable root logins from everywhere for all PAM-driven services, although it might be a good start.
Finally I found https://www.centos.org/docs/5/html/5.1/ … oroot.html, very similar to the above link. Of course I found a lot more, but the above links seem to be the most promising ones.
Especially the chapter dealing with pam_securetty looks very interesting for me.
From the documentation of pam_securetty I learned

pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in /etc/securetty. pam_securetty also checks to make sure that /etc/securetty is a plain file and not world writable

Ok, an empty /etc/securetty will disable root login from every terminal, this is not wanted by me. What terminals are considered as local terminals? For tty1-6 I'm sure, console maybe, anything else I don't know. So please help me to understand what to put into /etc/securetty.
Next, in /etc/pam.d I have 3 lightdm related files: lightdm, lightdm-autologin and lightdm-greeter. Which of them would I have to change to disable remote root logins?
The line "auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so" from the Redhat guide looks very complicated to me and I do not understand what it will do. Can someone please explain the meaning of it?
And finally is this complicated line really necessary or can I use something simpler?
Thanks for your help.

Last edited by emwe (2018-10-13 03:35:56)
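
As an added illustration (not part of the original post, and not code from lightdm or the Red Hat guide), this Python sketch models the pam_securetty behaviour quoted above and resolves the bracketed control line against the shorthand expansions documented in pam.conf(5). The tty list and the `remote-session` name are constructed assumptions, not what lightdm actually passes to PAM.

```python
import os
import stat

# Bracket equivalents of the shorthand control keywords, per pam.conf(5).
SHORTHAND = {
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional": "success=ok new_authtok_reqd=ok default=ignore",
}
REDHAT = "[user_unknown=ignore success=ok ignore=ignore default=bad]"
# Constructed sample list; the real one lives in /etc/securetty.
SECURE_TTYS = {"console", "tty1", "tty2", "tty3", "tty4", "tty5", "tty6"}

def action_for(control, return_code):
    """Action PAM takes for a module return code such as 'auth_err'."""
    body = SHORTHAND.get(control, control.strip("[]"))
    table = dict(pair.split("=", 1) for pair in body.split())
    return table[return_code] if return_code in table else table["default"]

def securetty_file_ok(path):
    """The quoted hygiene check: a plain file that is not world writable."""
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and not mode & stat.S_IWOTH

def securetty_result(user_known, uid, tty, file_ok=True):
    """Model of pam_securetty's documented outcomes, not its source code."""
    if not user_known:
        return "user_unknown"
    if uid != 0:
        return "success"  # only root is restricted to listed ttys
    if tty.startswith("/dev/"):
        tty = tty[len("/dev/"):]
    return "success" if file_ok and tty in SECURE_TTYS else "auth_err"

def decide(control, user_known, uid, tty, file_ok=True):
    rc = securetty_result(user_known, uid, tty, file_ok)
    return rc, action_for(control, rc)

if __name__ == "__main__":
    # Constructed cases; "remote-session" is a placeholder tty name.
    cases = [(True, 0, "/dev/tty1"), (True, 0, "remote-session"),
             (True, 1000, "remote-session"), (False, None, "remote-session")]
    for control in (REDHAT, "required"):
        for case in cases:
            print(control, case, decide(control, *case))
```

For the outcomes modelled here, the two control values differ only when the user name cannot be resolved: the bracketed line ignores that result, while `required` counts it as a failure.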


#2 2018-10-13 03:36:47

emwe
Member
Registered: 2018-10-07
Posts: 5

Re: [solved] disable remote root login in lightdm

I finally found a solution. Thanks for the many answers saving me a lot of time.

