Subject: Re: querying the console type?
To: None <tls@rek.tjls.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 10/21/2006 10:16:02
On Fri, 20 Oct 2006 23:18:19 -0400, Thor Lancelot Simon <tls@rek.tjls.com>
wrote:

> On Fri, Oct 20, 2006 at 11:06:03PM -0400, Steven M. Bellovin wrote:
> >
> > Is there any easy way to find out what the boot system thinks is the
> > console device?
> 
> Look at the boot messages.

Thanks; I'd looked but missed the crucial line:

	com0: console

> > 
> > I *think* things are set up correctly, since 'ps' shows
> > 
> > 	  848 tty00  IWs+   0:00.03 /usr/libexec/getty Pc console 
> 
> Yeah, that looks right -- that means that init started a getty on
> /dev/console, but ps thinks that device is /dev/tty00 -- which it is,
> since they're aliases.
> 
> This is, however, a poor configuration of /etc/ttys for a machine with
> a serial console: you should never run getty on /dev/console, but rather
> on the underlying tty, lest something go wrong with the bootblocks and
> you end up with your "console" getty on the VGA instead.  Also, doing it
> this way means you're using the "Pc" gettytab entry, which may not have
> the speed or terminal settings you want, and it prevents you from
> requiring a password for single-user access if you want to allow root
> to log in.  If you use the tty00 and ttyE0 entries in /etc/ttys for
> the console getty, and mark those ttys "secure", but leave the console
> entry present but not marked "secure", you get what you most likely want:
> you can't break to single-user mode without the root password, but you
> can log in on tty00 as root -- even if the system gets confused about
> what the console is.
> 
Fair enough.  

You're saying that E0 and 00 should both be on?  That won't cause dueling
gettys?

The relevant entries now are

	console "/usr/libexec/getty Pc"         vt100   on secure
	ttyE0   "/usr/libexec/getty Pc"         vt220   off secure
	tty00   "/usr/libexec/getty std.9600"   unknown off secure

(Hmm -- I also see that I have wscons on in rc.conf.  Of course, this
machine has worked for years this way.)

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
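
Added example, not part of the original message: a small Python check that applies the quoted advice (no getty on console, console not marked "secure", getty on the underlying serial tty) to the three /etc/ttys entries shown above. The function names, the console_tty default of tty00, and the wording of the findings are assumptions of this example.

```python
import shlex

# The three /etc/ttys entries quoted in the message above, copied as sample input.
SAMPLE_TTYS = """\
console "/usr/libexec/getty Pc"         vt100   on secure
ttyE0   "/usr/libexec/getty Pc"         vt220   off secure
tty00   "/usr/libexec/getty std.9600"   unknown off secure
"""


def parse_ttys(text):
    """Map tty name -> (command, terminal type, set of flags) per ttys(5)."""
    entries = {}
    for line in text.splitlines():
        # shlex handles the double-quoted command field and '#' comments.
        fields = shlex.split(line, comments=True)
        if len(fields) >= 3:
            name, command, term_type, *flags = fields
            entries[name] = (command, term_type, set(flags))
    return entries


def audit_console(text, console_tty="tty00"):
    """Return findings for the serial-console setup described in the thread.

    console_tty is an assumption: the tty that the boot messages identify as
    the console (com0, i.e. tty00, in this thread).
    """
    entries = parse_ttys(text)
    findings = []
    _, _, console_flags = entries.get("console", ("", "", set()))
    if "on" in console_flags:
        findings.append("getty enabled on console; run it on %s instead" % console_tty)
    if "secure" in console_flags:
        findings.append("console marked secure; single-user mode needs no root password")
    _, _, tty_flags = entries.get(console_tty, ("", "", set()))
    if "on" not in tty_flags:
        findings.append("no getty enabled on %s" % console_tty)
    elif "secure" not in tty_flags:
        findings.append("%s not marked secure; root cannot log in there" % console_tty)
    return findings


if __name__ == "__main__":
    for finding in audit_console(SAMPLE_TTYS):
        print("WARN:", finding)
```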