I do a lot of local development work with (CentOS/RHEL) virtual machines. Rather than configuring everything with a default root password — which, if exposed to the network, can be problematic — I'd like to configure them to allow passwordless root login only on the serial console.
My first attempt was to simply replace the default ExecStart command for serial-getty@.service with a command line using the --autologin option:
ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,38400,9600 --noclear --autologin root ttyS0 $TERM
While this skips the login: prompt, it still prompts for a root password. This appears to be a limitation of the login program under Linux.
I also tried replacing the default login program with a shell, like this:
ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,38400,9600 --noclear -n -l /bin/bash ttyS0 $TERM
But this runs afoul of selinux: while I get a bash shell, it has no access to anything:
bash: /root/.bashrc: Permission denied
# ls /etc/systemd
ls: cannot open directory '/etc/systemd': Permission denied
Elsewhere on the net, people have suggested just removing the password hash from /etc/{password,shadow}, but of course that results in a different set of problems: now any user can su - without a password.
Any thoughts on how to make this work properly?
Best Answer
After some experimenting, I've got something that works:
Run systemctl edit serial-getty@ttyS0.service, and add the following:
This will cause agetty to auto-login the root user, but with only this change the system will still prompt you for the root password.
We can configure /etc/pam.d/login to authenticate root logins on the console without a password. Add the following to the top of /etc/pam.d/login:
This will cause the PAM stack to check for the login tty in /etc/securetty, and to skip other authentication mechanisms if it finds it.
Add the serial port to /etc/securetty:
With these changes in place, you'll see the following on the serial console when you boot:
...and if you log out, you'll end up right back at the shell prompt.
Note that I've used the filename /etc/securetty here, which in days of yore actually did something else (it controlled terminals on which root was allowed to log in). So if that bothers you, use a different file :).
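
The three steps of the answer as one script; this is an added example, not the answer's own configuration. It assumes pam_listfile is the PAM module doing the tty check (the page does not name one), reuses the agetty line from the question, and uses hypothetical function names and a prefix argument so the result can be inspected on a scratch copy of /etc.

```shell
#!/bin/bash
# Added example, not the answer's own files. Function names and the prefix
# argument are hypothetical; run against a scratch copy of /etc first.
# ASSUMPTION: pam_listfile is the module doing the tty check (the page names none).
PAM_LINE='auth sufficient pam_listfile.so item=tty sense=allow file=/etc/securetty onerr=fail apply=root'

# Step 1: the drop-in that "systemctl edit serial-getty@<tty>.service" creates.
write_getty_dropin() {  # $1 = prefix, $2 = tty
    dir="$1/etc/systemd/system/serial-getty@$2.service.d"
    mkdir -p "$dir"
    # The empty ExecStart= clears the packaged command before the new one is set.
    # The agetty line is the one from the question.
    printf '%s\n' '[Service]' 'ExecStart=' \
        "ExecStart=-/sbin/agetty -o '-p -- \\\\u' --keep-baud 115200,38400,9600 --noclear --autologin root $2 \$TERM" \
        > "$dir/override.conf"
}

# Step 2: put the rule at the top of pam.d/login, once. "sufficient" ends the
# auth stack with success when root logs in on a listed tty; otherwise the
# stack continues to the normal password check.
prepend_pam_rule() {  # $1 = path to pam.d/login
    if grep -qxF "$PAM_LINE" "$1" 2>/dev/null; then return 0; fi
    tmp=$(mktemp)
    { printf '%s\n' "$PAM_LINE"; if [ -f "$1" ]; then cat "$1"; fi; } > "$tmp"
    cat "$tmp" > "$1"   # overwrite in place: keeps owner, mode and SELinux label
    rm -f "$tmp"
}

# Step 3: list the serial port, once. pam_listfile compares the tty name
# without the /dev/ prefix.
allow_tty() {  # $1 = path to securetty, $2 = tty
    grep -qxF "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

configure_serial_autologin() {  # $1 = prefix ("" for the live system), $2 = tty
    mkdir -p "$1/etc/pam.d"
    write_getty_dropin "$1" "$2"
    prepend_pam_rule "$1/etc/pam.d/login"
    allow_tty "$1/etc/securetty" "$2"
}

# Usage: ./serial-autologin.sh --apply /tmp/scratch-root ttyS0
if [ "${1:-}" = "--apply" ]; then
    configure_serial_autologin "${2:-}" "${3:-ttyS0}"
fi
```

When the drop-in is written directly instead of through systemctl edit, run systemctl daemon-reload and restart serial-getty@ttyS0.service for it to take effect.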