/etc/securetty is a file listing the names of consoles where root is allowed to log in. On my Red Hat machine, it consists of:

vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11

These are the hardware consoles and X sessions. Root is allowed only to log in on these because they're (hopefully) secure ttys, thus giving the name of the file. The reason they're marked secure is because you must be at the machine to have one of these default ttys.

Note that these entries are all under /dev, and you don't have to specify that.

If you want root to log in via telnet sessions, you must add pts/0 through a reasonable amount to this file, or use SSH, which controls root-login ability by itself.

Checking securetty at login is controlled by PAM, in the file /etc/pam.d/login:

auth       required     /lib/security/pam_securetty.so
If you want root to be able to log in from anything, anywhere a getty can be run, you can remove that line from the PAM configuration. This is not recommended.

Log in or register to write something here or to contact authors.