Hi guys,
I am using OpenSUSE 12.3 with XFCE DE.Now I want to disable virtual consoles i.e I don't want the CLI if I press CTRL-ALT-F keys.Is there a possibility to do that.
Any help would be appreciated.Thanks in advance.
In a sysviinit system you would find in /etc/inittab:
# getty-programs for the normal runlevels
# <id>:<runlevels>:<action>:<process>
# The "id" field MUST be the same as the last
# characters of the device (after "tty").
1:2345:respawn:/sbin/mingetty --noclear tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
#
But that is all gone in 12.3. In other words, I assume it is somewhere in systemd configurations. But we have to reinvent the wheel for all thes features now :(.
On Fri, 02 Aug 2013 19:36:02 +0000, hcvv wrote:
> In a sysviinit system you would find in /etc/inittab:
>
> Code:
> --------------------
> # getty-programs for the normal runlevels
> # <id>:<runlevels>:<action>:<process>
> # The “id” field MUST be the same as the last # characters of the
> device (after “tty”). 1:2345:respawn:/sbin/mingetty --noclear tty1
> 2:2345:respawn:/sbin/mingetty tty2 3:2345:respawn:/sbin/mingetty tty3
> 4:2345:respawn:/sbin/mingetty tty4 5:2345:respawn:/sbin/mingetty tty5
> 6:2345:respawn:/sbin/mingetty tty6 #
>
> --------------------
>
> But that is all gone in 12.3. In other words, I assume it is somewhere
> in systemd configurations. But we have to reinvent the wheel for all
> thes features now :(.
I found this:
http://unix.stackexchange.com/questions/56531/how-to-get-fewer-ttys-with-
systemd
Seems like it might do the trick.
Jim
–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
That looks like it would do it but I don’t know about 0 ttys. A tty has pulled my bacon out of the fire many time when the GUI would not start for some reason. So I’d really think about killing all of them. It is really good to have a safety net
That didn’t work completely.I have modified logind.conf with NAutoVFs=0 and ReserveVT=0.Now I am still unable to disable tty1.All others are disabled.
I have similar concerns, but on the other hand I can see a case for disabling them all for security reasons to block people from using the system for other things then a restricted environment.
Am environment with an automatic GUI login and then restricted application usage (think about KIOSK in KDE as an example) could be circumvented by a console login.
Hm, I didn’t read that link and the links mentioned there complete, but I get the impression that the first console (that is where the console messages are) allway gets a tty (and thus a login prompt) because the kernel asks for it. Thus regardless of what you configure in the systemd environment. Maybe you should look into kernel parameters to see if you can tell the kernel not to do this.
BTW, reading this:
There is no real need to disable “extra” TTYs as under systemd gettys are generated on demand: see man systemd-getty-generator for details
and what follows there, shows that that the person writing this (and thus maybe also the designers of the feature) had in hisr mind only one possible reason for not wanting to have those TTYs: resources. The fact that people may want not to have them for other reason was apperently not taken into account.
Found this in aq list of kernel parameters:
console= [KNL] Output console device and options.
tty<n> Use the virtual console device <n>.
ttyS<n>,options]
ttyUSB0,options]
Use the specified serial port. The options are of
the form "bbbbpnf", where "bbbb" is the baud rate,
"p" is parity ("n", "o", or "e"), "n" is number of
bits, and "f" is flow control ("r" for RTS or
omit it). Default is "9600n8".
See Documentation/serial-console.txt for more
information. See
Documentation/networking/netconsole.txt for an
alternative.
uart[8250],io,<addr>,options]
uart[8250],mmio,<addr>,options]
Start an early, polled-mode console on the 8250/16550
UART at the specified I/O port or MMIO address,
switching to the matching ttyS device later. The
options are the same as for ttyS, above.
hvc<n> Use the hypervisor console device <n>. This is for
both Xen and PowerPC hypervisors.
If the device connected to the port is not a TTY but a braille
device, prepend "brl," before the device type, for instance
console=brl,ttyS0
For now, only VisioBraille is supported.
Maybe some experimenting is needed here, but I could imagine that using a black hole device somewhere here might help.
Happy hacking 
I have tried with various kernel parameters but of no use.Unable to disable tty1.
One must understand of course that the console login was allways a part of any Unix system as the basic (and when in trouble maybe only) way to get access to the system. Thus I can understand that it is not removable at all.
Maybe you could explain why you want this. I have suggested something somewhere above, but you did not tell any background of your whish. Thus it could be that a different path leads to a solution.
In other words, let us try to avoid this being a case of “describe the goal, not the step”: How To Ask Questions The Smart Way
My goal is to block the access of CLI for user.
A much used method to prevent users from logging in is giving them /bin/false as login shell:
henk@boven:~> grep false /etc/passwd
avahi:x:107:107:User for Avahi:/var/run/avahi-daemon:/bin/false
dnsmasq:x:105:65534:dnsmasq:/var/lib/empty:/bin/false
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
messagebus:x:101:101:User for D-Bus:/var/run/dbus:/bin/false
mysql:x:60:108:MySQL database admin:/var/lib/mysql:/bin/false
ntp:x:74:104:NTP daemon:/var/lib/ntp:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
rtkit:x:106:106:RealtimeKit:/proc:/bin/false
sshd:x:102:103:SSH daemon:/var/lib/sshd:/bin/false
tftp:x:104:105:TFTP account:/srv/tftpboot:/bin/false
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
henk@boven:~>
It is obvious to me how this works th a CLI login (alll of he not only from the console). I am am not sure if it will also block a GUI login, but that is of course easy to test.
I have tested it. Loging in with a user that has /bin/false as login shell results in a popup window from the X-server that the login is blocked for that user. Thus no login at all possible. Not what you want I presume.
Another approach is more tricky.
As the program started for the coming login is agetty, you could replace agetty with a program that does not start the login sequence.
IMHO this is a bit tricky, as that program must stay as a process once started (else it will be restarted immediatly). OTOH you do not want it to loop eating CPU cycles. Thus making it sleep or waiting for some never occuring event might be needed.
I have changed in the /etc/passwd file to /bin/false It is blocking GUI login also.
I said so in post #13 above.
Yes I have seen that but is there any other way to prevent user from accessing COMMAND LINE.
tty1 is started by default service shipped with systemd:
bor@opensuse:~> systemctl status getty@tty1
getty@tty1.service - Getty on tty1
Loaded: loaded (/usr/lib/systemd/system/getty@tty1.service; enabled)
Active: active (running) since Sat, 2013-07-27 11:13:45 MSK; 1 weeks and 0 days ago
Docs: man:agetty(8)
Main PID: 684 (agetty)
CGroup: name=systemd:/system/getty@.service/tty1
└ 684 /sbin/agetty --noclear tty1 38400 linux
To disable it use “systemctl mask getty@tty1.service”
To disable it use “systemctl mask getty@tty1.service”
Actually I have tried stopping the service with this “systemctl stop getty@tty1.service” Now it’s working after executing your command “systemctl mask getty@tty1.service”.
Thank You for that thanks a lot.
Nice to know. And a “clean” solution too.