topic Re: password protecting boot sequence in Operating System - HP-UX

password protecting boot sequence

Mark Stewart — Wed, 22 Oct 2003 13:02:33 GMT

Is it possible to password protect the boot sequence, so that you can't break out to the boot menu? Or if you can breakout to it, that all commands are password protected? Thanks!

Re: password protecting boot sequence

Sanjay_6 — Wed, 22 Oct 2003 13:04:09 GMT

No I do not think so. Why are you trying to make some guy's life miserable.

Regds
Sanjay

Re: password protecting boot sequence

Pete Randall — Wed, 22 Oct 2003 13:06:50 GMT

Mark,

The ability to break out of the boot sequence is both a feature and a safe-guard. Should an rc script get mis-configured, the only way to fix the offending script is to break out, login, edit the script and reboot. I don't think this is something you really want to do.

Pete

Re: password protecting boot sequence

Mark Stewart — Wed, 22 Oct 2003 13:07:04 GMT

Ha! More like security requirements making MY life difficult.

I was 99% sure you couldn't, but just thought I'd toss this out there before I started arguing. Thanks!

Re: password protecting boot sequence

Todd McDaniel_1 — Wed, 22 Oct 2003 13:20:35 GMT

I believe that it exists on 700 series workstations.

I wouldnt recommend it for several reasons below. Just make your Datacenter more secure and restrict the root password.

However, if you ever have a kernel hang upon reboot, you will be in a recovery mode.

IF you ever have patching go wrong and hang upon reboot, you will be in a recovery mode.

IF you ever have 3rd party software hang upon reboot, you will be in recovery mode.

If you ever have a root disk fail and dont have "no quorum" set, you will be in a H/W replacement mode before you can boot your box.

Re: password protecting boot sequence

Brian Markus — Thu, 23 Oct 2003 02:10:17 GMT

You can make it so that you can't boot to single user without the root password, but I've never seen anything that will lock you out of the boot menu on a 9000 series. They do make console lock devices, and other physical security devices. If they are worried about this, they have much larger problems.

-Brian.

Re: password protecting boot sequence

Alan Turner — Thu, 23 Oct 2003 03:24:46 GMT

You mentioned breaking out to the boot menu.
Do you mean breaking in at the point:
Processor is booting from the first available device.
To discontinue, press any key within 10 second.

If so, then the ability to interrupt can, I believe, be locked out by setting secure mode in the frimware - break in at the prompt to get the boot menu, enter CO to get the configuration menu, then enter SEC to display the secure mode flag.
I've never set secure mode (i.e. I've so far successfully resisted pressure to do so) and although I believe it operates a bit like a PC BIOS password (i.e. you don't need the password to boot, only to change boot parameters such as the boot device or to choose a boot option such as single user mode or ODE) I'd want to do a lot more research before enabling it.

You can also - as others have said - set single user mode authentication, where the user can still interact with the firmware to choose single user mode or LVM maintenance mode, but need to enter a user name and password to interact with the machine. That user needs to be authorised to boot to single user mode (suggestion - as well as root, enable some other user with a shell set to false, then put their login details in an envelope in a safe on site - that way, if single user mode is needed and the password has to be disclosed, the password isn't much use for anything else). I think this is only available in trusted mode. One thing I've noticed about this is that, though it works for user-selected entry to these modes, it doesn't stop the person sat at the console being given a root privilege prompt in bcheckrc if there's a serious file system corruption which the automatic fsck cannot fix.
I don't know if you can do much about Ctrl-Backslash once the system has started running through its rc scripts, but I think you still need to enter a username and password if you break in in this way.