HPE Community
Operating System - HP-UX
1846620 Members
1968 Online
110256 Solutions
New Discussion

Re: Boot Password

 
SOLVED
Go to solution
hpuxrox
Respected Contributor

‎03-12-2004 06:10 AM

‎03-12-2004 06:10 AM

Boot Password

10 Points for any one that tells me how to enable a password to boot the system.
0 Kudos
Reply
10 REPLIES 10
Patrick Wallek
Honored Contributor

‎03-12-2004 06:20 AM

‎03-12-2004 06:20 AM

Solution

Re: Boot Password

I assume you are talking about HP-UX. If so, the closest you can come is password protecting single user mode.

The easiest way is to have only root in /etc/shutdown.allow and then don't give the root passwd to anyone.

The only other thing I can think of is to write a wrapper script for shutdown and reboot, ask for a passwd, and if it is incorrect then simply exit out with an error.
Reply
Geoff Wild
Honored Contributor

‎03-12-2004 06:28 AM

‎03-12-2004 06:28 AM

Re: Boot Password


I don't think there is a way on HP-UX servers (parisc) - atleast none that I'm aware of....

What you could do is diasble AUTOBOOT on the console (interupt the boot process)....you might even be able to remove the PRIMARY/ALTERNATE BOOT options - so that you have to manually tell the system which device to boot...

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Reply
hpuxrox
Respected Contributor

‎03-12-2004 06:32 AM

‎03-12-2004 06:32 AM

Re: Boot Password

Thanks, I think the problem here is the admins requesting this are solaris admin.
They lack understanding of how hpux works.

Peace,

Yates
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎03-12-2004 06:34 AM

‎03-12-2004 06:34 AM

Re: Boot Password

I guess that begs the question of "why are the other admins requesting this?" What is their rationale?
Reply
Alzhy
Honored Contributor

‎03-12-2004 07:19 AM

‎03-12-2004 07:19 AM

Re: Boot Password

Yates,
Being a Solaris Admin myself, I think what they are after for is that on Solaris - you can secure via eeprom so that Sun Server's require a "boot password" -- which is the in the OBP subsystem (similar to GSP/MP/PDC on HPs)..


So your best answer to them would be that GSP is locked down, no one can CTRL-B and disable auto-reboot in the absence of a GSP/BCH setting to allow password to the BOOT command at BCH level.

Hakuna Matata.
Reply
hpuxrox
Respected Contributor

‎03-12-2004 07:32 AM

‎03-12-2004 07:32 AM

Re: Boot Password

Patrick, Long story,

All I know is that I am dictated to do things from security, that I would never do If i had the choice.
0 Kudos
Reply
Joshua Scott
Honored Contributor

‎03-12-2004 07:42 AM

‎03-12-2004 07:42 AM

Re: Boot Password

One thing you could do is change the time allowed to interrupt the autoboot to 0, so nobody could interupt the boot process.

You could also do what I do and keep the servers in a locked room that only I and my boss (CIO) have the key for. (and he wouldn't know what to do if he ever did go in there)

No matter what you do, the system is pretty much only as secure as physical access to it. You can usually get into any system that you have physical access to, as long as you have the required knowledge.

Josh
What are the chances...
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎03-12-2004 07:46 AM

‎03-12-2004 07:46 AM

Re: Boot Password

It would be nice if you could change the time that you are prompted to "press any key within 10 seconds..." but that is not possible. I have asked about that, to extend the time because I invariably miss the 10 second window and have to boot again. I was told that this was hardcoded and could not be changed.

I think the best bet is a baseball bat.....errr....ummmm....I mean proper education of admins and using the shutdown.allow file.

0 Kudos
Reply
Alzhy
Honored Contributor

‎03-12-2004 07:53 AM

‎03-12-2004 07:53 AM

Re: Boot Password

You have SIO (Security Information Office) or CSO (Chief Security Officer)? Or better yet - you have a Certified UNIX Security Specialist? I bet they got those certifications or positions becuase they passed it having "memorised" some SANS/CERT book but not really having real hands on experience as an Admin. Beware and politely question what might be forced upon thee!

IMHO, SAN Gurus, Security Specialists, Backup and Storage Specialists, Performance and Capacity folks are best descended and bred from System Admin lineage - not just some person plucked out of nowhere and sent to some "vacation" err Training..

Hakuna Matata.
Reply
Joshua Scott
Honored Contributor

‎03-12-2004 08:55 AM

‎03-12-2004 08:55 AM

Re: Boot Password

Patrick,

on my K580 test box, you can set the "secure" flag in the BCH, under the configuration menu. This prevents one from choosing where to boot from. the only way to override (according to the online help) would be to disconnect all boot devices from the system, thus forcing it to a BCH prompt.

Sadly, there is no way to lengthen the time allowed, as I would benefit from that much more.

Josh
What are the chances...
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.