- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Re: password protecting boot sequence
Operating System - HP-UX
1825002
Members
2596
Online
109678
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-22-2003 06:02 AM
тАО10-22-2003 06:02 AM
password protecting boot sequence
Is it possible to password protect the boot sequence, so that you can't break out to the boot menu? Or if you can breakout to it, that all commands are password protected? Thanks!
6 REPLIES 6
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-22-2003 06:04 AM
тАО10-22-2003 06:04 AM
Re: password protecting boot sequence
No I do not think so. Why are you trying to make some guy's life miserable.
Regds
Sanjay
Regds
Sanjay
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-22-2003 06:06 AM
тАО10-22-2003 06:06 AM
Re: password protecting boot sequence
Mark,
The ability to break out of the boot sequence is both a feature and a safe-guard. Should an rc script get mis-configured, the only way to fix the offending script is to break out, login, edit the script and reboot. I don't think this is something you really want to do.
Pete
Pete
The ability to break out of the boot sequence is both a feature and a safe-guard. Should an rc script get mis-configured, the only way to fix the offending script is to break out, login, edit the script and reboot. I don't think this is something you really want to do.
Pete
Pete
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-22-2003 06:07 AM
тАО10-22-2003 06:07 AM
Re: password protecting boot sequence
Ha! More like security requirements making MY life difficult.
I was 99% sure you couldn't, but just thought I'd toss this out there before I started arguing. Thanks!
I was 99% sure you couldn't, but just thought I'd toss this out there before I started arguing. Thanks!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-22-2003 06:20 AM
тАО10-22-2003 06:20 AM
Re: password protecting boot sequence
I believe that it exists on 700 series workstations.
I wouldnt recommend it for several reasons below. Just make your Datacenter more secure and restrict the root password.
However, if you ever have a kernel hang upon reboot, you will be in a recovery mode.
IF you ever have patching go wrong and hang upon reboot, you will be in a recovery mode.
IF you ever have 3rd party software hang upon reboot, you will be in recovery mode.
If you ever have a root disk fail and dont have "no quorum" set, you will be in a H/W replacement mode before you can boot your box.
I wouldnt recommend it for several reasons below. Just make your Datacenter more secure and restrict the root password.
However, if you ever have a kernel hang upon reboot, you will be in a recovery mode.
IF you ever have patching go wrong and hang upon reboot, you will be in a recovery mode.
IF you ever have 3rd party software hang upon reboot, you will be in recovery mode.
If you ever have a root disk fail and dont have "no quorum" set, you will be in a H/W replacement mode before you can boot your box.
Unix, the other white meat.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-22-2003 07:10 PM
тАО10-22-2003 07:10 PM
Re: password protecting boot sequence
You can make it so that you can't boot to single user without the root password, but I've never seen anything that will lock you out of the boot menu on a 9000 series. They do make console lock devices, and other physical security devices. If they are worried about this, they have much larger problems.
-Brian.
-Brian.
When a sys-admin say's maybe, they don't mean 'yes'!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-22-2003 08:24 PM
тАО10-22-2003 08:24 PM
Re: password protecting boot sequence
You mentioned breaking out to the boot menu.
Do you mean breaking in at the point:
Processor is booting from the first available device.
To discontinue, press any key within 10 second.
If so, then the ability to interrupt can, I believe, be locked out by setting secure mode in the frimware - break in at the prompt to get the boot menu, enter CO to get the configuration menu, then enter SEC to display the secure mode flag.
I've never set secure mode (i.e. I've so far successfully resisted pressure to do so) and although I believe it operates a bit like a PC BIOS password (i.e. you don't need the password to boot, only to change boot parameters such as the boot device or to choose a boot option such as single user mode or ODE) I'd want to do a lot more research before enabling it.
You can also - as others have said - set single user mode authentication, where the user can still interact with the firmware to choose single user mode or LVM maintenance mode, but need to enter a user name and password to interact with the machine. That user needs to be authorised to boot to single user mode (suggestion - as well as root, enable some other user with a shell set to false, then put their login details in an envelope in a safe on site - that way, if single user mode is needed and the password has to be disclosed, the password isn't much use for anything else). I think this is only available in trusted mode. One thing I've noticed about this is that, though it works for user-selected entry to these modes, it doesn't stop the person sat at the console being given a root privilege prompt in bcheckrc if there's a serious file system corruption which the automatic fsck cannot fix.
I don't know if you can do much about Ctrl-Backslash once the system has started running through its rc scripts, but I think you still need to enter a username and password if you break in in this way.
Do you mean breaking in at the point:
Processor is booting from the first available device.
To discontinue, press any key within 10 second.
If so, then the ability to interrupt can, I believe, be locked out by setting secure mode in the frimware - break in at the prompt to get the boot menu, enter CO to get the configuration menu, then enter SEC to display the secure mode flag.
I've never set secure mode (i.e. I've so far successfully resisted pressure to do so) and although I believe it operates a bit like a PC BIOS password (i.e. you don't need the password to boot, only to change boot parameters such as the boot device or to choose a boot option such as single user mode or ODE) I'd want to do a lot more research before enabling it.
You can also - as others have said - set single user mode authentication, where the user can still interact with the firmware to choose single user mode or LVM maintenance mode, but need to enter a user name and password to interact with the machine. That user needs to be authorised to boot to single user mode (suggestion - as well as root, enable some other user with a shell set to false, then put their login details in an envelope in a safe on site - that way, if single user mode is needed and the password has to be disclosed, the password isn't much use for anything else). I think this is only available in trusted mode. One thing I've noticed about this is that, though it works for user-selected entry to these modes, it doesn't stop the person sat at the console being given a root privilege prompt in bcheckrc if there's a serious file system corruption which the automatic fsck cannot fix.
I don't know if you can do much about Ctrl-Backslash once the system has started running through its rc scripts, but I think you still need to enter a username and password if you break in in this way.
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
Company
Learn About
News and Events
Support
© Copyright 2025 Hewlett Packard Enterprise Development LP