CentOS RHEL Authentication – Allow Passwordless Root Login on Serial Console

authenticationcentosrhelserial-console

I do a lot of local development work with (CentOS/RHEL) virtual machines. Rather than configuring everything with a default root password — which, if exposed to the network, can be problematic — I'd like to configure them to allow passwordless root login only on the serial console.

My first attempt was to simply replace the default ExecStart command for serial-getty@.service with a command line using the --autologin option:

ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,38400,9600 --noclear --autologin root ttyS0 $TERM

While this skips the login: prompt, it still prompts for a root password. This appears to be a limitation of the login program under Linux.

I also tried replacing the default login program with a shell, like this:

ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,38400,9600 --noclear -n -l /bin/bash ttyS0 $TERM

But this runs afoul of selinux: while I get a bash shell, it has no access to anything:

bash: /root/.bashrc: Permission denied
# ls /etc/systemd
ls: cannot open directory '/etc/systemd': Permission denied

Elsewhere on the net, people have suggested just removing the password hash from /etc/{password,shadow}, but of course that results in a different set of problems: now any user can su - without a password.

Any thoughts on how to make this work properly?

Best Answer

After some experimenting, I've got something that works:

Run systemctl edit serial-getty@ttyS0.service, and add the following:
```
[Service]
ExecStart=
ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,38400,9600 --noclear --autologin root ttyS0 $TERM
```
This will cause agetty to auto-login the root user, but with only this change the system will still prompt you for the root password.
We can configure /etc/pam.d/login to authenticate root logins on the console without a password. Add the following to the top of /etc/pam.d/login:
```
auth sufficient pam_listfile.so item=tty sense=allow file=/etc/securetty onerr=fail apply=root
```
This will cause the PAM stack to check for the login tty in /etc/securetty, and to skip other authentication mechanisms if it finds it.
Add the serial port to /etc/securetty:
```
# echo ttyS0 > /etc/securetty
```

With these changes in place, you'll see the following on the serial console when you boot:

CentOS Linux 8 (Core)
Kernel 4.18.0-80.11.2.el8_0.x86_64 on an x86_64

localhost login: root (automatic login)

Last login: Sun Nov 17 00:29:36 on ttyS0
[root@localhost ~]#

...and if you log out, you'll end up right back at the shell prompt.

Note that I've used the filename /etc/securetty here, which in days of yore actually did something else (it controlled terminals on which root was allowed to log in). So if that bothers you, use a different file :).

Related Solutions

Resizable serial console window

Like the commentators before me mentioned there is no alternative to calling resize after every command, if you don't have this command and you don't want to install a package where it's in (xterm), here are two POSIX shell script that do the same using ANSI terminal escape codes:

res() {

  old=$(stty -g)
  stty raw -echo min 0 time 5

  printf '\0337\033[r\033[999;999H\033[6n\0338' > /dev/tty
  IFS='[;R' read -r _ rows cols _ < /dev/tty

  stty "$old"

  # echo "cols:$cols"
  # echo "rows:$rows"
  stty cols "$cols" rows "$rows"
}

res2() {

  old=$(stty -g)
  stty raw -echo min 0 time 5

  printf '\033[18t' > /dev/tty
  IFS=';t' read -r _ rows cols _ < /dev/tty

  stty "$old"

  # echo "cols:$cols"
  # echo "rows:$rows"
  stty cols "$cols" rows "$rows"
}

res is based on the solution presented at https://wiki.archlinux.org/index.php/working_with_the_serial_console#Resizing_a_terminal. It works as follows:
1. The cursor position is saved (\0337, DECSC).
2. The cursors is moved to the most bottom-right point possible (\033[r\033[999;999H, DECSTBM? + CUP).
3. The cursor position is reported (\033[6n, DSR).
4. The cursor is moved back to the previously saved position (\0338, DECRC).
res2 is influenced by resize.sh from xterm (see https://github.com/ThomasDickey/xterm-snapshots/blob/master/vttests/resize.sh). It uses a specific xterm code for getting the information we want (implemented in many terminal emulators), see: http://invisible-island.net/xterm/ctlseqs/ctlseqs.html#h2-Functions-using-CSI-_-ordered-by-the-final-character_s_ ("Report the size of the text area in characters.").

BTW, in my .profile file you will find the following: [ $(tty) = /dev/ttyS0 ] && res so that the the terminal size is determined on every login over the serial line (the one I use for management), e.g. after you reboot the device.
See also the idea by rsaw in the comments to have the line [ $(tty) = /dev/ttyS0 ] && trap res2 DEBUG there instead so the resizing runs after every command (note that AFAIK it's not or not always possible on busybox though).

Arch Linux – No Login Prompt on Serial Console

After reading more on the internets I found out that a newer version of systemd requires a kernel with configuration option CONFIG_FHANDLE=y - however, this option is not present on the kernel version included in the official banana-pi ArchLinux image (3.4.90).

I recompiled the kernel with the option included and now the login prompt appears as expected -> everything is great.

For those interested in compiling the newer kernel (3.4.103+ at the time of this writing) I followed the instructions provided here on a virtual Ubuntu Server 14.04. Did not encounter any problems. I only followed to a point where I had kernel compiled - I did not create a new SD image.

Update

The official Banana Pi Arch Linux image now contains the new kernel version 3.4.103 so there is no need to recompile.

Best Answer

Related Solutions

Resizable serial console window

Arch Linux – No Login Prompt on Serial Console

Update

Related Question