Operating System - Tru64 Unix

password protect console

 
Lawrence_S
New Member

password protect console

Hi

Is it possible to set a password for console mode in tru64 unix? Kind of like password protecting the boot prompt in Linux.

Thanks
Steven Schweda
Honored Contributor

Re: password protect console

It just might depend on the hardware and/or
SRM console firmware involved. Have you
tried ">>>set password"? Or by "in tru64
unix" did you mean that you wanted to set the
console password while the system was up and
running?
Lawrence_S
New Member

Re: password protect console

My brief is to password protect the boot prompt and single user mode on all unix servers in the organisation.
I am not familiar with tru64 at all but in Linux, it is possible to interrupt the boot process and gain shell access as root. If you set boot loader password, this is no longer possible.
Now I understand that tru64 doesn't use a bootloader but apparently you can boot to console mode by doing and log in without a root password. I need to secure this.

As for single user mode, I am adding this line to /etc/inittab

~~:S:wait:/sbin/sulogin

So in a nutshell, I want to secure all forms of root access to the box with a password.

Thanks



Vladimir Fabecic
Honored Contributor

Re: password protect console

To boot TRU64 in single user mode you must have access to console prompt ( >>> ).
It would be something like :
>>> boot -flag 0
Like Steven said, you can prevent that by setting console password (>>> set password). This would be something like BIOS password in PC world.
By the way, line
~~:S:wait:/sbin/sulogin
in inittab is nothing without setting BIOS password. You can boot from a Knoppix CD and change that. You can even change root password from a Knoppix CD.
So, on linux intel platform you MUST also prevent booting from CD and changing boot device.
In vino veritas, in VMS cluster
Lawrence_S
New Member

Re: password protect console

Thanks for the info guys.

I will use the >>> set password

Steven Schweda
Honored Contributor

Re: password protect console

Please bear in mind that a knowledgeable
person with physical access to the machine
(in particular, to the Halt button) may be
able to bypass a console password
requirement. A locked room is pretty much a
requirement for serious security.

Depending on the (still secret) hardware
and/or firmware, you may also have a "set
secure" console command which might improve
things a bit, too.
Ann Majeske
Honored Contributor

Re: password protect console

See "man sulogin" for the proper way to set up your system to require the root password on entering single user mode. You should use the rcmgr command to add the SECURE_CONSOLE variable to the appropriate /etc/rc.config* file. I didn't see any indication of what version and patch kit you're running. I know that there was a bug in the sulogin program at one point. I think that it was only looking in /etc/rc.config instead of also looking in /etc/rc.config.common, so this could be an issue if you're not running V5.1B with the latest patch kit.

How you password protect the console itself and how secure that password is depends on the console firmware. In most cases using "set password" at the ">>>" is the proper command. But as others have implied, if someone has access to the hardware they can probably manage to break into the system if they try hard enough, regardless of whether you've set the console password or not. The best way to secure the console is to secure physical access to the hardware.

Ann Majeske - Tru64 UNIX Security
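
An added example, not part of the post above or of any HP tooling: a read-only check of where SECURE_CONSOLE is defined, flagging the case where it appears only in /etc/rc.config.common, which the sulogin bug recalled above would miss on an unpatched system. It assumes the rc.config files hold shell-style NAME=value lines; the function names and status strings are hypothetical.

```shell
#!/bin/sh
# Added example: report which rc.config file defines SECURE_CONSOLE.
# Assumption: rc.config* files contain shell-style NAME="value" assignments.
# The script only reads files; use rcmgr (see "man sulogin") to make changes.

# Succeed if file $1 has an uncommented SECURE_CONSOLE assignment.
has_secure_console() {
    [ -r "$1" ] && grep '^[[:space:]]*SECURE_CONSOLE=' "$1" >/dev/null 2>&1
}

# Print one status word for the rc.config files under directory $1:
#   IN_RC_CONFIG  defined in rc.config, seen with or without the sulogin fix
#   ONLY_COMMON   defined only in rc.config.common; per the thread, a sulogin
#                 that reads just rc.config would not see it
#   MISSING       not defined in either file
secure_console_status() {
    dir=${1:-/etc}
    if has_secure_console "$dir/rc.config"; then
        echo IN_RC_CONFIG
    elif has_secure_console "$dir/rc.config.common"; then
        echo ONLY_COMMON
    else
        echo MISSING
    fi
}

# Check the directory given as the first argument, or /etc by default.
secure_console_status "${1:-/etc}"
```

A result of ONLY_COMMON is the case to review against the installed version and patch kit.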
Arch_Muthiah
Honored Contributor

Re: password protect console

Lawrence,

You can use the ">>>set password" console command, and ">>> login" to log in.


Archunan
Regards
Archie
Lawrence_S
New Member

Re: password protect console

Wow, what a forum.

Thanks for all the replies. OK to clarify. Physical access to the machines is tightly controlled. It is a large cellular service company and access to the datacentre is restricted.
Version is 5.1b with latest patchkit.
We are implementing a Unix security standard and one of the benchmarks is to password protect all root access to the servers - majority of which are Linux, but a few legacy tru64 machines also became my responsibility.

The replies to my post here have solved the issue for me so thanks again guys.