Anyone know how to allow auto root login from the serial console without a password while still requiring a password for ssh? This is really a worst case recovery type thing where someone changes the default password and forgets the new password. Physical security should be adequate in this case.
man getty
Specifically:
-a, --autologin username
Automatically log in the specified user without asking for a
username or password. Using this option causes an -f username
option and argument to be added to the /bin/login command line.
See --login-options, which can be used to modify this option's
behavior.
Note that --autologin may affect the way how agetty initializes
the serial line, because on auto-login agetty does not read from
the line and it has no opportunity optimize the line setting.
and also:
-l, --login-program login_program
Invoke the specified login_program instead of /bin/login. This
allows the use of a non-standard login program. Such a program
could, for example, ask for a dial-up password or use a different
password file. See --login-options.
-o, --login-options "login_options"
Options and arguments that are passed to login(1). Where \u is
replaced by the login name. For example:
--login-options '-h darkstar -- \u'
See --autologin, --login-program and --remote.
Please read the SECURITY NOTICE below before using this option.
-p, --login-pause
Wait for any key before dropping to the login prompt. Can be
combined with --autologin to save memory by lazily spawning
shells.
systemd files of interest:
/etc/systemd/system/getty.target.wants/serial-getty@ttyGS0.service
/lib/systemd/system/serial-getty@.service
The former is a symlink to the second, but you don't want to mess with the
second, but instead copy the second to someplace
(/usr/local/lib/systemd/system/ probably) and modify it (maybe rename it to
/lib/systemd/system/serial-getty-root@.service) and then change the
/etc/systemd/system/getty.target.wants/serial-getty@ttyGS0.service symlink.
Robert Heller -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller@deepsoft.com -- Webhosting Services
Thanks. That makes sense. I was barking up the wrong tree and just totally forgot about getty.
This is a tad more sinister than it appears. In /etc/systemd/system/getty.target.wants/ are 3 files: getty@tty1.service, serial-getty@.service, and serial-getty@ttyGS0.service. I have changed them all, and none have had any impact. A ‘systemctl cat getty@ttyGS0.service’ shows the unchanged unit file /lib/systemd/system/getty@.service. Although I did desire to not alter the original systemd unit file in /lib, I may need to do that and see if it makes a difference.
The fix seems to be here: https://unix.stackexchange.com/questions/401759/automatically-login-on-debian-9-2-1-command-line
Midway through the page someone was working with a serial instead of a virtual terminal. I’m not exactly sure of the impact of the edit in the logind.conf file, but the combination shown there works.
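Added example (not from any poster in this thread or from the linked answer): one way to set --autologin for a single serial getty instance with a systemd drop-in, leaving the packaged unit in /lib untouched, plus a check that no other getty unit logs in automatically. The ROOT staging prefix, the function names, the agetty path and the baud list are assumptions; take the real ExecStart line from `systemctl cat serial-getty@ttyGS0.service`.

```shell
#!/bin/sh
# Added example. ROOT is a staging prefix (assumption) so the functions can be
# tried in a scratch directory; use ROOT="" to act on the live system as root.

# Write a drop-in that replaces ExecStart for one serial-getty instance only.
write_autologin_dropin() {
    root=$1 tty=$2 user=$3
    dir="$root/etc/systemd/system/serial-getty@$tty.service.d"
    mkdir -p "$dir" || return 1
    # The empty ExecStart= clears the packaged command before the new one is set.
    # agetty path and baud list are assumptions; copy them from the stock unit.
    cat > "$dir/autologin.conf" <<EOF
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin $user --keep-baud 115200,38400,9600 %I \$TERM
EOF
}

# Print every unit file or drop-in under ROOT whose agetty ExecStart autologs in.
list_autologin_units() {
    root=$1
    for d in "$root/etc/systemd/system" "$root/lib/systemd/system"; do
        [ -d "$d" ] || continue
        grep -rlE '^ExecStart=.*agetty.*(--autologin|[[:space:]]-a)[[:space:]]' \
            "$d" 2>/dev/null
    done
}

# Succeed only if the single autologin entry is the drop-in for the given tty,
# so virtual consoles and other serial lines still prompt for a password.
autologin_confined_to() {
    root=$1 tty=$2
    allowed="$root/etc/systemd/system/serial-getty@$tty.service.d/autologin.conf"
    found=$(list_autologin_units "$root")
    [ "$found" = "$allowed" ]
}

# Usage on a live system (as root):
#   write_autologin_dropin "" ttyGS0 root
#   systemctl daemon-reload && systemctl restart serial-getty@ttyGS0.service
#   autologin_confined_to "" ttyGS0 && echo "autologin limited to ttyGS0"
```

The drop-in only changes how agetty invokes login on that one line; sshd authenticates separately and keeps requiring a password.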