https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217561#M169718 Patrick,<BR /><BR />on my K580 test box, you can set the "secure" flag in the BCH, under the configuration menu. This prevents one from choosing where to boot from. the only way to override (according to the online help) would be to disconnect all boot devices from the system, thus forcing it to a BCH prompt.<BR /><BR />Sadly, there is no way to lengthen the time allowed, as I would benefit from that much more.<BR /><BR />Josh Fri, 12 Mar 2004 16:55:33 GMT Joshua Scott 2004-03-12T16:55:33Z https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217551#M169708 10 Points for any one that tells me how to enable a password to boot the system. Fri, 12 Mar 2004 14:10:56 GMT https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217551#M169708 hpuxrox 2004-03-12T14:10:56Z https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217552#M169709 I assume you are talking about HP-UX. If so, the closest you can come is password protecting single user mode.<BR /><BR />The easiest way is to have only root in /etc/shutdown.allow and then don't give the root passwd to anyone.<BR /><BR />The only other thing I can think of is to write a wrapper script for shutdown and reboot, ask for a passwd, and if it is incorrect then simply exit out with an error. Fri, 12 Mar 2004 14:20:52 GMT https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217552#M169709 Patrick Wallek 2004-03-12T14:20:52Z https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217553#M169710 <BR />I don't think there is a way on HP-UX servers (parisc) - atleast none that I'm aware of....<BR /><BR />What you could do is diasble AUTOBOOT on the console (interupt the boot process)....you might even be able to remove the PRIMARY/ALTERNATE BOOT options - so that you have to manually tell the system which device to boot...<BR /><BR />Rgds...Geoff Fri, 12 Mar 2004 14:28:08 GMT https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217553#M169710 Geoff Wild 2004-03-12T14:28:08Z https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217554#M169711 Thanks, I think the problem here is the admins requesting this are solaris admin.<BR />They lack understanding of how hpux works.<BR /><BR />Peace,<BR /><BR />Yates Fri, 12 Mar 2004 14:32:25 GMT https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217554#M169711 hpuxrox 2004-03-12T14:32:25Z https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217555#M169712 I guess that begs the question of "why are the other admins requesting this?" What is their rationale? Fri, 12 Mar 2004 14:34:22 GMT https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217555#M169712 Patrick Wallek 2004-03-12T14:34:22Z https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217556#M169713 Yates,<BR />Being a Solaris Admin myself, I think what they are after for is that on Solaris - you can secure via eeprom so that Sun Server's require a "boot password" -- which is the in the OBP subsystem (similar to GSP/MP/PDC on HPs)..<BR /><BR /><BR />So your best answer to them would be that GSP is locked down, no one can CTRL-B and disable auto-reboot in the absence of a GSP/BCH setting to allow password to the BOOT command at BCH level.<BR /><BR /> Fri, 12 Mar 2004 15:19:12 GMT https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217556#M169713 Alzhy 2004-03-12T15:19:12Z https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217557#M169714 Patrick, Long story,<BR /><BR />All I know is that I am dictated to do things from security, that I would never do If i had the choice. Fri, 12 Mar 2004 15:32:04 GMT https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217557#M169714 hpuxrox 2004-03-12T15:32:04Z https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217558#M169715 One thing you could do is change the time allowed to interrupt the autoboot to 0, so nobody could interupt the boot process.<BR /><BR />You could also do what I do and keep the servers in a locked room that only I and my boss (CIO) have the key for. (and he wouldn't know what to do if he ever did go in there)<BR /><BR />No matter what you do, the system is pretty much only as secure as physical access to it. You can usually get into any system that you have physical access to, as long as you have the required knowledge.<BR /><BR />Josh Fri, 12 Mar 2004 15:42:36 GMT https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217558#M169715 Joshua Scott 2004-03-12T15:42:36Z https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217559#M169716 It would be nice if you could change the time that you are prompted to "press any key within 10 seconds..." but that is not possible. I have asked about that, to extend the time because I invariably miss the 10 second window and have to boot again. I was told that this was hardcoded and could not be changed.<BR /><BR />I think the best bet is a baseball bat.....errr....ummmm....I mean proper education of admins and using the shutdown.allow file.<BR /><BR /> Fri, 12 Mar 2004 15:46:10 GMT https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217559#M169716 Patrick Wallek 2004-03-12T15:46:10Z https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217560#M169717 You have SIO (Security Information Office) or CSO (Chief Security Officer)? Or better yet - you have a Certified UNIX Security Specialist? I bet they got those certifications or positions becuase they passed it having "memorised" some SANS/CERT book but not really having real hands on experience as an Admin. Beware and politely question what might be forced upon thee!<BR /><BR />IMHO, SAN Gurus, Security Specialists, Backup and Storage Specialists, Performance and Capacity folks are best descended and bred from System Admin lineage - not just some person plucked out of nowhere and sent to some "vacation" err Training..<BR /><BR /> Fri, 12 Mar 2004 15:53:31 GMT https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217560#M169717 Alzhy 2004-03-12T15:53:31Z https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217561#M169718 Patrick,<BR /><BR />on my K580 test box, you can set the "secure" flag in the BCH, under the configuration menu. This prevents one from choosing where to boot from. the only way to override (according to the online help) would be to disconnect all boot devices from the system, thus forcing it to a BCH prompt.<BR /><BR />Sadly, there is no way to lengthen the time allowed, as I would benefit from that much more.<BR /><BR />Josh Fri, 12 Mar 2004 16:55:33 GMT https://community.hpe.com/t5/operating-system-hp-ux/boot-password/m-p/3217561#M169718 Joshua Scott 2004-03-12T16:55:33Z