Operating System - Tru64 Unix
cancel
Showing results for 
Search instead for 
Did you mean: 

password protect console

Lawrence_S
Occasional Visitor

password protect console

HI

Is it possible to set a password for console mode in tru64 unix? Kind of like password protecting the boot prompt in Lnux.

Thnaks
8 REPLIES
Steven Schweda
Honored Contributor

Re: password protect console

It just might depend on the hardware and/or
SRM console firmware involved. Have you
tried ">>>set password"? Or by "in tru64
unix" did you mean that you wanted to set the
console password while the system was up and
running?
Lawrence_S
Occasional Visitor

Re: password protect console

My brief is to password protect the boot prompt and single user mode on all unix servers in the organisation.
I am not familiar with tru64 at all but in Linux, it is possible to interupt the boot process and gain shell access as root. If you set boot loader password, this is no longer possible.
Now I understand that tru64 doesn't use a bootloader but apparently you can boot to console mode by doing and log in without a root password. I need to secure this.

As for single user mode, I am adding this line to /etc/inittab

~~:S:wait:/sbin/sulogin

SO in a nutshell, I want to secure all forms of root access to the box with a password.

Thanks



Vladimir Fabecic
Honored Contributor

Re: password protect console

To boot TRU64 in single user mode you must have access to console prompt ( >>> ).
It would be something like :
>>> boot -flag 0
Like Steven said, you can prevent that by setting console password (>>> set password). This would be something like BIOS password in PC world.
By the way, line
~~:S:wait:/sbin/sulogin
in inittab is nothing without setting BIOS password. You can boot from knoppix CD i change that. You can even change root password from knoppix CD.
So, on linux intel platform you MUST also prevent booting from CD and changing boot device.
In vino veritas, in VMS cluster
Lawrence_S
Occasional Visitor

Re: password protect console

Thanks for the info guys.

I will use the >>> set password

Steven Schweda
Honored Contributor

Re: password protect console

Please bear in mind that a knowledgeable
person with physical access to the machine
(in particular, to the Halt button) may be
able to bypass a console password
requirement. A locked room is pretty much a
requirement for serious security.

Depending on the (still secret) hardware
and/or firmware, you may also have a "set
secure" console command which might improve
things a bit, too.
Ann Majeske
Honored Contributor

Re: password protect console

See "man sulogin" for the proper way to set up your system to require the root password on entering single user mode. You should use the rcmgr command to add the SECURE_CONSOLE variable to the appropriate /etc/rc.config* file. I didn't see any indication of what version and patch kit you're running. I know that there was a bug in the sulogin program at one point. I think that it was only looking in /etc/rc.config instead of also looking in /etc/rc.config.common, so this could be an issue if you're not running V5.1B with the latest patch kit.

How you password protect the console itself and how secure that password is depends on the console firmware. In most cases using "set password" at the ">>>" is the proper command. But as others have implied, if someone has access to the hardware they can probably manage to break into the system if they try hard enough, regardless of whether you've set the console password or not. The best way to secure the console is to secure physical access to the hardware.

Ann Majeske - Tru64 UNIX Security
Archunan Muthiah
Honored Contributor

Re: password protect console

Lawrence,

You can use ">>>set password" console command. and ">>> login" to login.


Archunan
God is Artist, we are all just brushes
Lawrence_S
Occasional Visitor

Re: password protect console

Wow, what a forum.

Thanks for all the replies. OK to clarify. Physical access to the machines are tightly controlled. It is a large cellular service company and access to the datacentre is restricted.
Version is 5.1b with latest patchkit.
We are implementing a Unix security standard and one of the benchmarks is to password protect all root access to the servers - majority of which are Linux, but a few legacy tru64 machines also became my responsibillity.

The replies to my post here has solved the issue for me so thanks again guys.