Operating System - HP-UX
Re: Securing console from single user boot

Alan Edwards
Frequent Advisor

Securing console from single user boot

Is it possible to secure the console from booting into single user mode unless you know the root password?

The specific systems I am using are J series workstations.
Klatu Barada Nikto
Sandip Ghosh
Honored Contributor

Re: Securing console from single user boot

It is not possible to secure the single user boot-up. Because when you boot up in single user mode it does not ask for any password.

Sandip
Good Luck!!!
Ted Ellis_2
Honored Contributor

Re: Securing console from single user boot

I am not sure if this is compatible... but it is certainly something that may be worth looking into. You could get rid of the "local" console and replace with a web console. To access the console you can configure an additional log-in with password. Not fool proof, as someone could hook up a local monitor and reboot the box anyway, but it makes it more difficult... and nice to have that web-console for remote operations... something to consider

Ted
S.K. Chan
Honored Contributor

Re: Securing console from single user boot

Only if you convert your workstation to trusted mode. With trusted mode you can configure it (in SAM) in such a way that when the system boots up in single user mode a login is required. Typically when booting the system in single user mode you'll see something like "boot authentication" required (kinda like a login prompt).
Bill Hassell
Honored Contributor

Re: Securing console from single user boot

Actually, there is a way to secure single user mode: convert to a Trusted System. One of the policies in Trusted is to require root password to get a shell prompt.

Otherwise, to secure the system from single user mode attacks, the computer and (all) console access must be physically protected with locked doors, etc.


Bill Hassell, sysadmin
Alan Edwards
Frequent Advisor

Re: Securing console from single user boot

I know; that is why I am asking. In the back of my mind I remember an HP reference to a "Secure Console boot".

This can be done on other UNIXes, for example Linux. If HP cannot, it is a security hole, as workstations are typically on a desk, not in a secure computer room.
Klatu Barada Nikto
Alan Edwards
Frequent Advisor

Re: Securing console from single user boot

Wow, many responses, much appreciated.

One comment: these are workstations on desks, the console is a 21" monitor the user uses, so I can't turn it off.
Klatu Barada Nikto
S.K. Chan
Honored Contributor

Re: Securing console from single user boot

We had quite an extensive discussion back in May. You may want to read this:
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x6c118f960573d611abdb0090277a778c,00.html
Alan Edwards
Frequent Advisor

Re: Securing console from single user boot

I'm not sure I can do trusted mode, we use NIS for user authentication.
Klatu Barada Nikto
Bill Hassell
Honored Contributor
Solution

Re: Securing console from single user boot

Correct. NIS defeats the whole purpose of a Trusted system by sending the encrypted password across the network. A Trusted system uses a shadow password technique. There is an NIS+ standard which does provide encryption for the communication, but it is totally incompatible with plain NIS, thus all clients must support NIS+ before switching.

Workstations are always a problem due to lack of physical security. The night crew that cleans the floor is a perfect cover to tap on keyboards when no one is looking. The best way to secure the data is over the network. The screen lockout prevents access in multiuser mode, and in single user mode it is impossible to do any networking. Of course, NFS brings its own set of problems...


Bill Hassell, sysadmin
Alan Edwards
Frequent Advisor

Re: Securing console from single user boot

Hi Bill, I agree, there is not much that can be done.

After rethinking this, I don't think this is a problem that needs fixing after all. We do have all user data and applications on NFS or AFS shares, so there isn't anything locally.

If someone did bring a system to single user mode they couldn't get to anything on the network, and I can re-ignite the system in 45 minutes.

Thanks, everybody
Klatu Barada Nikto
Steffen Jaiser
Occasional Advisor

Re: Securing console from single user boot

Hi,
I'm not so sure about the security. True, you can't access the network in single user mode, but what hinders you from choosing files first in nsswitch.conf (before NIS) and changing the root password? Then you could execute an init 4, log in as root and su to any user you want (though I'm not 100% sure if NIS allows this) and open up an NFS connection this user is allowed to.
I think there was a switch in the boot menu that allowed disabling the interruption of the bootup, though I don't really know if the J-Class still has something like this, and it would also not be 100% sure.
Hope it helped.