forbid root login to lish?

Maybe remove tty0 from /etc/securetty?

I think this should prevent root logins, but if they have already managed to login to lish you are probably completely pwned anyway.

removing tty0 means every user except root can log in, but every user can do a su - and become root, right? i have vc/0 - 11 and tty0 - 11 in the file, whats that? i thought vc is an alias for tty?

i want to do it because this way one has to break two passwords to gain root access.

@cattani:

removing tty0 means every user except root can log in, but every user can do a su - and become root, right? this way one has to break two passwords to gain root access.
Yes, anyone but root could login through the console, and then they could su from there if they are normally allowed to. Really this would require three passwords - lish, regular user, root.

However if they can login to lish, that means they can access your account and do pretty much anything they want, for example installing and booting into a new disk image, or canceling your account. Probably no limit to the BadThings they could do with that one password.

hmm, so i need to disable lish, any idea how to? thanks!

@cattani:

hmm, so i need to disable lish, any idea how to? thanks!
If you do this, how would you plan on gaining access to your linode if, say, networking wasn't working for some reason, or if sshd broke?

Your best solution is to do as suggested, edit /etc/securetty and use very strong passwords.

If they know your lish password, they can log into the members section of linode, and say reboot into finnix and change ur passwords/security options reboot, and then have full access to your stuff there. so.. Its probably not worth thinking about disabling lish. Just make sure ur password for linode.com is strong