Controlling Access to Serial Lines

Most Unix versions provide some mechanism for limiting direct root logins to certain terminal lines. Note that these mechanisms have no effect on the ability of a user to gain root access via the su command. We’ll consider the ones offered by each operating system in turn.

As we’ve seen earlier in this chapter, FreeBSD allows you to state explicitly, on a line-by-line basis, whether direct root logins may take place, via the secure keyword in /etc/ttys. For example, these entries allow root logins on the terminal connected to the first serial line but not on the terminal connected to the second serial line:

# name  getty                           type    flags
ttyd0   "/usr/libexec/getty std.9600"   vt100   on secure
ttyd1   "/usr/libexec/getty std.9600"   vt100   on

FreeBSD also provides general user class-based terminal restrictions via the ttys.allow and ttys.deny attributes in /etc/login.conf. See Section 6.2 for details.

Under Solaris, if the file /etc/default/login contains an uncommented CONSOLE entry, direct root logins are limited to the device it names; if the entry is absent or commented out, root may log in directly on any line. For example, this entry limits root logins to the system console:

CONSOLE=/dev/console

On HP-UX systems, the file /etc/securetty lists devices where root is allowed to log in. Here are some sample entries:

console
tty00
tty01

Note that /dev/ is not included in the line designation. The HP-UX restriction applies to any privileged (UID 0) account, not only to the account named root.
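The following script is an added example, not code from the book: it answers the question a practitioner actually asks of these three files, namely "on which lines can root log in directly?", by parsing each format the way login and getty read it. The three input files are constructed samples written to temporary files; the variable names TTYS_FILE, LOGIN_FILE and SECURETTY_FILE are this example's own, and on a real system they would point at /etc/ttys, /etc/default/login and /etc/securetty.

```shell
#!/bin/sh
# Added example (not from the book): report which terminal lines accept a
# direct root login under each of the three mechanisms described above.
# The three input files are constructed samples written to temporary files;
# to audit a live system, point TTYS_FILE, LOGIN_FILE and SECURETTY_FILE at
# the real /etc/ttys, /etc/default/login and /etc/securetty instead.

TTYS_FILE=$(mktemp)       # FreeBSD /etc/ttys format
LOGIN_FILE=$(mktemp)      # Solaris /etc/default/login format
SECURETTY_FILE=$(mktemp)  # HP-UX /etc/securetty format
trap 'rm -f "$TTYS_FILE" "$LOGIN_FILE" "$SECURETTY_FILE"' EXIT

cat >"$TTYS_FILE" <<'EOF'
# name  getty                           type    flags
console none                            unknown off secure
ttyd0   "/usr/libexec/getty std.9600"   vt100   on secure
ttyd1   "/usr/libexec/getty std.9600"   vt100   on
ttyd2   "/usr/libexec/getty std.9600"   vt100   off secure
EOF

cat >"$LOGIN_FILE" <<'EOF'
# constructed /etc/default/login fragment
#CONSOLE=/dev/console
CONSOLE=/dev/console
PASSREQ=YES
EOF

cat >"$SECURETTY_FILE" <<'EOF'
console
tty00
tty01
EOF

# FreeBSD: print the names of /etc/ttys lines that carry both "on" (a getty
# is started, so the line is a login target) and "secure" (root may log in).
# Field 2, the getty command, is usually a quoted string containing spaces;
# it is replaced by a placeholder so the fields stay aligned as
# name getty type flags...
ttys_root_lines() {
    sed -e 's/#.*$//' -e 's/"[^"]*"/GETTY/' "$1" | awk '
        NF >= 4 {
            on = 0; secure = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "on")     on = 1
                if ($i == "secure") secure = 1
            }
            if (on && secure) print $1
        }'
}

# Solaris: report the device named by an uncommented CONSOLE= entry. No
# entry means root may log in on any line. An entry with an empty value
# (CONSOLE=) names no device at all, so direct root logins are refused
# everywhere and root is reachable only through su.
solaris_root_console() {
    if grep -q '^CONSOLE=' "$1"; then
        v=$(sed -n 's/^CONSOLE=//p' "$1" | tail -n 1)
        if [ -n "$v" ]; then
            echo "$v"
        else
            echo "(none: CONSOLE= is empty, root only via su)"
        fi
    else
        echo "(unrestricted: no CONSOLE entry)"
    fi
}

# HP-UX: succeed (exit 0) if the device may accept a root login, i.e. its
# name appears in /etc/securetty. Entries there omit /dev/, so the prefix is
# stripped from the device argument before the exact-line match.
securetty_allows() {
    dev=${2#/dev/}
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -qx -- "$dev"
}

echo "FreeBSD: lines allowing direct root login (on + secure):"
ttys_root_lines "$TTYS_FILE" | sed 's/^/  /'
echo "Solaris: root logins limited to $(solaris_root_console "$LOGIN_FILE")"
for d in console tty00 tty02; do
    if securetty_allows "$SECURETTY_FILE" "$d"; then s=allowed; else s=denied; fi
    echo "HP-UX: root login on /dev/$d $s"
done
```

On the sample input only ttyd0 is reported for FreeBSD: console and ttyd2 are flagged secure but have no getty running ("off"), and ttyd1 runs a getty but lacks secure. The Solaris check distinguishes a commented-out CONSOLE line from an active one, and the HP-UX check accepts either console or /dev/console as the device name, since the file itself never carries the /dev/ prefix.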

Tru64 uses the file /etc/securettys in a similar manner:
