Solved ttys commenting out question

sidetone

In /etc/ttys, is it secure to comment out terminals I don't use, rather than to turn them off and mark them "insecure"?
This is what I have, and the argument lines commented out also work without the #.
Code:
# name   getty                          type    status       comments
...
console   none                          unknown off secure
#
ttyv0   "/usr/libexec/getty Pc"         xterm   on  secure
# Virtual terminals
ttyv1   "/usr/libexec/getty Pc"         xterm   on  secure
ttyv2   "/usr/libexec/getty Pc"         xterm   on  secure
ttyv3   "/usr/local/bin/xdm -nodaemon"  xterm   on  secure
#ttyv4  "/usr/libexec/getty Pc"         xterm   off insecure
#ttyv5  "/usr/libexec/getty Pc"         xterm   off insecure
#ttyv6  "/usr/libexec/getty Pc"         xterm   off insecure
#ttyv7  "/usr/libexec/getty Pc"         xterm   off insecure
#ttyv8  "/usr/libexec/getty Pc"         xterm   off insecure
# Serial terminals
# The 'dialup' keyword identifies dialin lines to login, fingerd etc.
ttyu0   "/usr/libexec/getty 3wire"      vt100   off insecure
#ttyu1  "/usr/libexec/getty 3wire"      vt100   off insecure
#ttyu2  "/usr/libexec/getty 3wire"      vt100   off insecure
#ttyu3  "/usr/libexec/getty 3wire"      vt100   off insecure
# Dumb console
dcons   "/usr/libexec/getty std.9600"   vt100   off secure
For the dialup section, ttyu0 cannot be commented out, or it won't work.
 

SirDice

From ttys(5):
Code:
     As flag values, the strings ``on'' and ``off'' specify that init(8)
     should (should not) execute the command given in the second field.
So setting it to "off" or remarking/removing the whole line would essentially be the same. Both will prevent getty(8) from running on that TTY.

(Thread moved to General, this has nothing to do with X11)
 
sidetone

So I take it that turning it off and commenting it out are equally secure.
In
Code:
ttyu0   "/usr/libexec/getty 3wire"      vt100   off insecure
This appears to be slightly different. If I comment this line out, the terminal and xdm won't start, but it works when set to "off" and "insecure". Perhaps this line just needs to be present, so the processes can see it. It looks like the "dialup" section is not all for network logins, as login(1) is needed for logging in locally. I don't expect to use fingerd(8), and network services like that, so perhaps only the first ttyu or perhaps two are required here.
Code:
# Dumb console
dcons   "/usr/libexec/getty std.9600"   vt100   off secure
In this section, if "dcons" is marked as insecure, or commented out, I believe it won't work when you need the dcons(4) device.
 

SirDice

> If I comment this line out, the terminal and xdm won't start, but it works when set to "off" and "insecure". Perhaps this line just needs to be present, so the processes can see it.

To be honest I'm not sure how init(8) handles it. It's possible an 'off' line causes the TTY device to be created but prevents spawning a getty(8) process on it. Removing/remarking the whole line may also prevent the creation of that TTY device. Which might be causing the errors on XDM, when it tries to get a TTY device that doesn't exist.

You might want to have a look if there's a difference in existence of the devices themselves between "off" and a remarked/removed line.

> It looks like the "dialup" section is not all for network logins, as login(1) is needed for logging in locally. I don't expect to use fingerd(8), and network services like that, so perhaps only the first ttyu or perhaps two are required here.

The dialup section is for very traditional serial connections. Either directly connected using a dumb terminal or through ppp(8) and a receiving modem. The ttyu0 is primarily used for a serial console (useful for headless machines). It has nothing to do with network based logins like ssh(1).

The ttyv0 to ttyv8 are the 'virtual' terminals on the local console itself. The ones you can select with ALT-F1 to ALT-F8.
 
sidetone

I'll just go with this...
Code:
console none                            unknown off secure
#
ttyv0   "/usr/libexec/getty Pc"         xterm   on  secure
# Virtual terminals
ttyv1   "/usr/libexec/getty Pc"         xterm   on  secure
ttyv2   "/usr/libexec/getty Pc"         xterm   on  secure
ttyv3   "/usr/libexec/getty Pc"         xterm   off secure
ttyv4   "/usr/local/bin/xdm -nodaemon"  xterm   on  secure
ttyv5   "/usr/libexec/getty Pc"         xterm   off insecure
ttyv6   "/usr/libexec/getty Pc"         xterm   off insecure
ttyv7   "/usr/libexec/getty Pc"         xterm   off insecure
ttyv8   "/usr/libexec/getty Pc"         xterm   off insecure
# Serial terminals
# The 'dialup' keyword identifies dialin lines to login, fingerd etc.
ttyu0   "/usr/libexec/getty 3wire"      vt100   off insecure
ttyu1   "/usr/libexec/getty 3wire"      vt100   off insecure
ttyu2   "/usr/libexec/getty 3wire"      vt100   off insecure
ttyu3   "/usr/libexec/getty 3wire"      vt100   off insecure
# Dumb console
dcons   "/usr/libexec/getty std.9600"   vt100   off secure
> To be honest I'm not sure how init(8) handles it. It's possible an 'off' line causes the TTY device to be created but prevents spawning a getty(8) process on it. Removing/remarking the whole line may also prevent the creation of that TTY device. Which might be causing the errors on XDM, when it tries to get a TTY device that doesn't exist.
>
> You might want to have a look if there's a difference in existence of the devices themselves between "off" and a remarked/removed line.

> The dialup section is for very traditional serial connections. Either directly connected using a dumb terminal or through ppp(8) and a receiving modem. The ttyu0 is primarily used for a serial console (useful for headless machines). It has nothing to do with network based logins like ssh(1).

If ttyu0 is commented out, it doesn't work.

...
I've thought about it, it's better to both turn completely unused settings off and have them marked as insecure. If there is a default elsewhere, those settings should be overruled in /etc/ttys. Commenting out wouldn't achieve this.

It looks like virtual terminals except 0 don't have a default in another file. ttyu0 must have a default elsewhere, which would explain why turning it off works, while commenting it out doesn't. It should be noted that if something is marked as "off", it still matters if it is labeled as "insecure" or not. For instance, while the line "console" is marked "off", the secure setting affects whether the root password is needed for single user mode.


It seems that for those not using dialup, it should be seen if ttyu should be disabled in ttys from ttyu4 on. I'm uncertain if these lines can be replaced by
Code:
ttyu*   "/usr/libexec/getty 3wire"   vt100   off   insecure
, but it works so far, unlike when the line starting with "ttyu0" is by itself and commented out.
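
As an added example (not part of the thread and not FreeBSD's own code), this Python parser reads ttys(5)-style lines and reports the on/off and secure/insecure flags independently, which is the distinction the thread turns on: a commented-out line produces no entry at all, while an "off" line still carries its secure flag. The sample is constructed from the final configuration posted above with one commented-out line added; the function names are hypothetical and only the `on` and `secure` flags are interpreted.

```python
import shlex

# Constructed sample: the final /etc/ttys from this thread, shortened,
# plus one commented-out line for contrast.
SAMPLE_TTYS = '''\
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         xterm   on  secure
ttyv3   "/usr/libexec/getty Pc"         xterm   off secure
ttyv4   "/usr/local/bin/xdm -nodaemon"  xterm   on  secure
ttyv5   "/usr/libexec/getty Pc"         xterm   off insecure
#ttyv6  "/usr/libexec/getty Pc"         xterm   off insecure
ttyu0   "/usr/libexec/getty 3wire"      vt100   off insecure
dcons   "/usr/libexec/getty std.9600"   vt100   off secure
'''

def parse_ttys(text):
    """Return {name: {"command", "type", "on", "secure"}} for active lines."""
    entries = {}
    for line in text.splitlines():
        # shlex handles the quoted command field and drops '#' comments,
        # so a commented-out line yields no fields and no entry at all.
        fields = shlex.split(line, comments=True)
        if len(fields) < 3:
            continue
        name, command, ttype, *flags = fields
        entries[name] = {
            "command": command,
            "type": ttype,
            "on": "on" in flags,          # init(8) runs the command
            "secure": "secure" in flags,  # root may log in on this line
        }
    return entries

def audit(entries):
    """List lines that carry 'secure', whether they are 'on' or 'off'."""
    findings = []
    for name, e in entries.items():
        if e["secure"] and e["on"]:
            findings.append((name, "on+secure: root login allowed on this line"))
        elif e["secure"]:
            findings.append((name, "off but still marked secure"))
    return findings

if __name__ == "__main__":
    for name, note in audit(parse_ttys(SAMPLE_TTYS)):
        print(f"{name:8} {note}")
```

Run against a copy of a real /etc/ttys, the "off but still marked secure" rows are the ones to review by hand, the console line in particular.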
 