
Re: Permitting login on AWS serial console
Thanks Noah & Ted for your replies.

Theodore Ts'o wrote:
> On Tue, Oct 05, 2021 at 06:55:19PM +0100, Phil Endecott wrote:
>
> > What is the recommended way to permit login on the AWS serial
> > console? I hesitate to try to work it out by trial and error,
> > since a mistake could either leave me unable to log in at all
> > or leave the instance insecure.
>
> It looks like you need to configure access to the AWS serial console,
> so you can use Amazon's IAM policies to control which users have access to
> the serial console, which is off by default:

Right, I've done that.

> If you are willing to rely solely on the cloud provider's serial
> console access policies, you can eliminate the need to type the root
> password via something like this:
>
> sed -i -e '/ExecStart/s/agetty/agetty -a root/' \
>     -e '/ExecStart/s/-p/-p -f/' \
>     /lib/systemd/system/serial-getty@.service

So I think that is intended to replace this:

ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,38400,9600 %I $TERM

with

ExecStart=-/sbin/agetty -a root -o '-p -f -- \\u' --keep-baud 115200,38400,9600 %I $TERM

man agetty tells me that -a root means "autologin" and man login tells
me that -f means "do not perform authentication".

Is there something I should do to make this apply only to ttyS0?
(Is that a good idea? Not sure.)

But do I really want to edit /lib/systemd/system/serial-getty@.service ?
Is that a "conf-file", or whatever the right terminology is? Isn't there
a file in /etc or /usr/local that I should edit in preference to this one?

> Since this is independent of how you can login to the instance via
> ssh, you can experiment with this without worrying too much about
> screwing anything up.

Right.


Thanks, Phil.
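The drop-in approach Phil asks about, as an added example that is not part of the thread and not code from Ted or from any distribution (the function names `make_stock_unit`, `apply_thread_sed` and `write_autologin_dropin`, the scratch-directory prefix and the file name `autologin.conf` are assumptions chosen for the example). It first runs Ted's sed over a constructed copy of the stock unit so the rewritten ExecStart line can be inspected, then writes the same agetty command as a systemd drop-in for `ttyS0` only under `/etc`, which is the location systemd intends for local changes: it survives package upgrades of the unit under `/lib` and leaves every other `serial-getty@` instance asking for a password.

```shell
#!/bin/sh
# Added example, not code from the thread. Exercises Ted's sed on a constructed
# copy of the stock unit, then shows the drop-in alternative for a single tty.
# All paths are prefixed with a scratch directory so nothing real is modified;
# on a live host the prefix would be "" (that step is left to the reader).

# Constructed copy of the stock serial-getty@.service, carrying the ExecStart
# line quoted in the thread. Prints the path of the written file.
make_stock_unit() {
    mkdir -p "$1/lib/systemd/system"
    cat > "$1/lib/systemd/system/serial-getty@.service" <<'EOF'
[Unit]
Description=Serial Getty on %I

[Service]
ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,38400,9600 %I $TERM
Type=idle
Restart=always
EOF
    printf '%s\n' "$1/lib/systemd/system/serial-getty@.service"
}

# The sed from the thread, applied to the given unit file in place.
# Prints the rewritten ExecStart line so the effect can be inspected.
apply_thread_sed() {
    sed -i -e '/ExecStart/s/agetty/agetty -a root/' \
        -e '/ExecStart/s/-p/-p -f/' "$1"
    grep '^ExecStart=' "$1"
}

# Drop-in for one instance (e.g. ttyS0) under /etc. systemd merges
# serial-getty@ttyS0.service.d/*.conf into that instance only, so other
# serial consoles keep asking for a password, and the package-owned file
# under /lib is left alone and can be upgraded normally.
write_autologin_dropin() {
    root=$1   # scratch prefix; "" on a real host
    tty=$2    # instance name, e.g. ttyS0
    d="$root/etc/systemd/system/serial-getty@$tty.service.d"
    mkdir -p "$d"
    cat > "$d/autologin.conf" <<'EOF'
[Service]
# An empty ExecStart= clears the command inherited from the stock unit;
# without it systemd rejects a second ExecStart= for this service type.
ExecStart=
# Same command the thread's sed produces: -a root auto-logs-in root and
# -f (passed through to login) skips authentication, so only the provider's
# console-access policy stands between the console and a root shell.
ExecStart=-/sbin/agetty -a root -o '-p -f -- \\u' --keep-baud 115200,38400,9600 %I $TERM
EOF
    printf '%s\n' "$d/autologin.conf"
}

# Dry run in a scratch directory. On a real host the drop-in takes effect after
#   systemctl daemon-reload && systemctl restart serial-getty@ttyS0.service
# and `systemctl cat serial-getty@ttyS0.service` shows the merged result.
SCRATCH=$(mktemp -d)
apply_thread_sed "$(make_stock_unit "$SCRATCH")"
write_autologin_dropin "$SCRATCH" ttyS0
```

The empty `ExecStart=` line matters: without it systemd treats the drop-in's command as a second entry and refuses to start the unit. Ted's point about the remaining control still applies to the drop-in form: once `-a root` and `-f` are in place, the IAM policy governing serial-console access is the only thing between the console and a root shell, so that policy deserves the same review as the instance's SSH keys.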