Re: Disable/Passprotect single user mode
JSD [EMAIL PROTECTED] writes: That's right. The complete story is that I would like to protect it from my nasty family. :) Erm. Yet another attempt to use a technical solution to solve a social problem. If you don't trust your family, either move out from your mothers home or get a divorce. Don't apply technology to non-technical problems. //art
Re: Disable/Passprotect single user mode
On Saturday 27 August 2005 06:07, JSD wrote: Hi folks, I have a big root access problem. If someone has physical access to my OpenBSD box, than he/she can swith into single user mode (-s) and can change the password of root. It is a big problem for me and I would like to password protect this single user mode or to totally disable this function but I don't know how. Is anyone here who solved this problem? Please help, thanks! Jaya Sri ___ [freemail] extra 1GB-os postafiskkal, Vnnek mar van? http://freemail.hu In your bios, you should be able to set a boot password which will prevent booting until the password is given. In addition, if you have a laptop, youshould be able to also set a disk password which will also prevent booting until it is given. Finally, you should be able in the bios to disable booting from any device but the hard disk containing the operating system. Dave Feustel -- Tired of having to defend against Malware? (You know: trojans, viruses, SPYWARE, ADWARE, KEYLOGGERS, rootkits, worms and popups) Then Switch to OpenBSD with a KDE desktop!!!
Re: Disable/Passprotect single user mode
At 08:27 AM 8/27/05, Dave Feustel wrote: On Saturday 27 August 2005 06:07, JSD wrote: Hi folks, I have a big root access problem. If someone has physical access to my OpenBSD box, than he/she can swith into single user mode (-s) and can change the password of root. It is a big problem for me and I would like to password protect this single user mode or to totally disable this function but I don't know how. Is anyone here who solved this problem? Please help, thanks! Jaya Sri In your bios, you should be able to set a boot password which will prevent booting until the password is given. In addition, if you have a laptop, you should be able to also set a disk password which will also prevent booting until it is given. Finally, you should be able in the bios to disable booting from any device but the hard disk containing the operating system. Dave Feustel Did you miss the line If someone has physical access to my OpenBSD box? With physical access, all of your suggestions are easily bypassed with a bios reset.
Re: Disable/Passprotect single user mode
On Saturday 27 August 2005 07:27, Dave Feustel wrote: On Saturday 27 August 2005 06:07, JSD wrote: Hi folks, I have a big root access problem. If someone has physical access to my OpenBSD box, than he/she can swith into single user mode (-s) and can change the password of root. It is a big problem for me and I would like to password protect this single user mode or to totally disable this function but I don't know how. Is anyone here who solved this problem? Please help, thanks! Jaya Sri ___ [freemail] extra 1GB-os postafiskkal, Vnnek mar van? http://freemail.hu In your bios, you should be able to set a boot password which will prevent booting until the password is given. In addition, if you have a laptop, youshould be able to also set a disk password which will also prevent booting until it is given. Finally, you should be able in the bios to disable booting from any device but the hard disk containing the operating system. I forgot to mention that there is also a master bios password that, when set. will permit the system to boot after the boot password is given, but will disable making any changes to the bios without first entering the master password. Dave Feustel -- Tired of having to defend against Malware? (You know: trojans, viruses, SPYWARE, ADWARE, KEYLOGGERS, rootkits, worms and popups) Then Switch to OpenBSD with a KDE desktop!!! -- Tired of having to defend against Malware? (You know: trojans, viruses, SPYWARE, ADWARE, KEYLOGGERS, rootkits, worms and popups) Then Switch to OpenBSD with a KDE desktop!!!
Re: Disable/Passprotect single user mode
Edit /etc/ttys and remove the secure option and disable booting from CD/Floppy and set a BIOS password so to change the BIOS you need authentication. Boot authentication is another option however it becomes a pain in the arse when you are away from home and the power goes out, hence your server gets knocked offline until someone enters a password. Simple enough, John. On 8/27/05, JSD [EMAIL PROTECTED] wrote: Hi folks, I have a big root access problem. If someone has physical access to my OpenBSD box, than he/she can swith into single user mode (-s) and can change the password of root. It is a big problem for me and I would like to password protect this single user mode or to totally disable this function but I don't know how. Is anyone here who solved this problem? Please help, thanks! Jaya Sri ___ [freemail] extra 1GB-os postafiskkal, Vnnek mar van? http://freemail.hu -- John Kintaro Tate Mobile: 0413 348 815 (Yep, old number, but I have a new phone) Attention all Internet users, is life getting you down? Are you so happy you could chainsaw an innocent bystander and LAUGH? Do you believe in God? Do you not believe in God? Have you found yourself stranded on prehistoric Earth for 5 years? If so, if you do anything at all there are people who care at the Kintaro Labs Forum, join now and after you reach 50 posts you get a free OpenBSD shell account! http://labs.kintaro.noobify.com Personal Website: http://kintaro.noobify.com
Re: Disable/Passprotect single user mode
Did you miss the line If someone has physical access to my OpenBSD box? With physical access, all of your suggestions are easily bypassed with a bios reset. as you are sure you know, that, along with matt's tip, is about as reasonable advice you can get if you can't physically secure your box, and that's why you can't come up with anything better, smart ass. /kami
Re: Disable/Passprotect single user mode
On Saturday 27 August 2005 09:08, kami petersen wrote: Did you miss the line If someone has physical access to my OpenBSD box? With physical access, all of your suggestions are easily bypassed with a bios reset. as you are sure you know, that, along with matt's tip, is about as reasonable advice you can get if you can't physically secure your box, and that's why you can't come up with anything better, smart ass. /kami Also, Kami is unfamiliar with the details of the disk password. man atactl /secsetpass Dave Feustel -- Tired of having to defend against Malware? (You know: trojans, viruses, SPYWARE, ADWARE, KEYLOGGERS, rootkits, worms and popups) Then Switch to OpenBSD with a KDE desktop!!!
Re: Disable/Passprotect single user mode
On 8/27/05, JSD [EMAIL PROTECTED] wrote: I have a big root access problem. If someone has physical access to my OpenBSD box, than he/she can swith into single user mode (-s) and can change the password of root. This is hardly unique to OpenBSD. How about placing your devices in a securely locked place where you can adequately determine who gets access? Once people have physical access to your devices, a password to enter single user mode will not do you much good. Unless you bolt down the machine and its access panels, an attacker will just plug the hard drive into a system under his control. [...] I would like to password protect this single user mode or to totally disable this function You might even argue that placing a password such as you suggest slows you down when trying to get repairs done. You wouldn't be the first to lose such a password. That said, disabling single user mode seems rather nasty: you'd lose one of the best places to work on a troublesome system. Keep your maintenance access panels accessible. It's what they're there for. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: Disable/Passprotect single user mode
Dave Feustel skrev: On Saturday 27 August 2005 09:08, kami petersen wrote: Did you miss the line If someone has physical access to my OpenBSD box? With physical access, all of your suggestions are easily bypassed with a bios reset. as you are sure you know, that, along with matt's tip, is about as reasonable advice you can get if you can't physically secure your box, and that's why you can't come up with anything better, smart ass. /kami Also, Kami is unfamiliar with the details of the disk password. man atactl /secsetpass Dave Feustel dave, what are you smoking? please carefully note how i edited out _your_ text so as to indicate _who_ i was addressing and whom i additionally consider being a smartass. let me rephrase: dear frank. your response is unneccesary and non constructive. provided that the box in question cannot be physically secured there is little you can practically do other than applying the above methods put forward by dave and matt in order to prevent single user root access. /kami ps. except tying your german shepherd to it...
Re: Disable/Passprotect single user mode
That's right. The complete story is that I would like to protect it from my nasty family. :) They should know the BIOS password to restart my machine when I am away from home but I wouldn't like them to reach single user mode. Thanks for your advice, I think the best way is to edit /etc/ttys and set a BIOS user password for them. Jaya Sri John Kintaro Tate [EMAIL PROTECTED] mrta: Edit /etc/ttys and remove the secure option and disable booting from CD/Floppy and set a BIOS password so to change the BIOS you need authentication. Boot authentication is another option however it becomes a pain in the arse when you are away from home and the power goes out, hence your server gets knocked offline until someone enters a password. Simple enough, John. On 8/27/05, JSD [EMAIL PROTECTED] wrote: Hi folks, I have a big root access problem. If someone has physical access to my OpenBSD box, than he/she can swith into single user mode (-s) and can change the password of root. It is a big problem for me and I would like to password protect this single user mode or to totally disable this function but I don't know how. Is anyone here who solved this problem? Please help, thanks! Jaya Sri ___ [freemail] extra 1GB-os postafiskkal, Vnnek mar van? http://freemail.hu -- John Kintaro Tate Mobile: 0413 348 815 (Yep, old number, but I have a new phone) Attention all Internet users, is life getting you down? Are you so happy you could chainsaw an innocent bystander and LAUGH? Do you believe in God? Do you not believe in God? Have you found yourself stranded on prehistoric Earth for 5 years? If so, if you do anything at all there are people who care at the Kintaro Labs Forum, join now and after you reach 50 posts you get a free OpenBSD shell account! http://labs.kintaro.noobify.com Personal Website: http://kintaro.noobify.com ___ [freemail] extra 1GB-os postafiskkal, Vnnek mar van? http://freemail.hu
Re: Disable/Passprotect single user mode
On Saturday 27 August 2005 11:14, kami petersen wrote: dave, what are you smoking? please carefully note how i edited out _your_ text so as to indicate _who_ i was addressing and whom i additionally consider being a smartass. let me rephrase: dear frank. your response is unneccesary and non constructive. provided that the box in question cannot be physically secured there is little you can practically do other than applying the above methods put forward by dave and matt in order to prevent single user root access. /kami Sorry. I'll try to be more careful. Dave -- Tired of having to defend against Malware? (You know: trojans, viruses, SPYWARE, ADWARE, KEYLOGGERS, rootkits, worms and popups) Then Switch to OpenBSD with a KDE desktop!!!
Re: Disable/Passprotect single user mode
On Saturday, August 27, Dave Feustel wrote: On Saturday 27 August 2005 06:07, JSD wrote: I have a big root access problem. If someone has physical access to my OpenBSD box, than he/she can swith into single user mode (-s) and can change the password of root. It is a big problem for me and I would like to password protect this single user mode or to totally disable this function but I don't know how. In your bios, you should be able to set a boot password which will prevent booting until the password is given. Oh god, please just read the ttys(5) manual, and mark the console as not being secure. PC's in general are shitty pieces of hardware that are easy to circumvent. You BIOS password would prevent the machine from booting automatically after power outtage for example... --Toby.
Re: Disable/Passprotect single user mode
On Saturday 27 August 2005 12:28, Tobias Weingartner wrote: You BIOS password would prevent the machine from booting automatically after power outtage for example... What! You're not running with backup power??? :-) -- Tired of having to defend against Malware? (You know: trojans, viruses, SPYWARE, ADWARE, KEYLOGGERS, rootkits, worms and popups) Then Switch to OpenBSD with a KDE desktop!!!
Re: Disable/Passprotect single user mode
On 8/27/05, Todd C. Miller [EMAIL PROTECTED] wrote: In message [EMAIL PROTECTED] so spake JSD (sri): I have a big root access problem. If someone has physical access to my OpenBSD box, than he/she can swith into single user mode (-s) and can change the password of root. It is a big problem for me and I would like to password protect this single user mode or to totally disable this function but I don't know how. Is anyone here who solved this problem? Please help, thanks! Just remove the secure qualifier from the console line in /etc/ttys. E.g. Instead of: console /usr/libexec/getty Pc vt220 off secure Use: console /usr/libexec/getty Pc vt220 off - todd Also, a BIOS password can be easily removed if one has physical access to the box. The small CMOS battery can be popped out, and put back in (on the motherboard), erasing your password. -b14ck
Re: Disable/Passprotect single user mode
On 8/27/05, black reaper [EMAIL PROTECTED] wrote: Also, a BIOS password can be easily removed if one has physical access to the box. The small CMOS battery can be popped out, and put back in (on the motherboard), erasing your password. Not always, actually. I have a Dell laptop that's rumored to store the password in some kind of ROM. Whatever the technical aspects, removing the battery (actually, cutting the leads to it) didn't remove the password. Note that I'm not actually suggesting this as an effective security mechanism, since most of these laptops also have a Master password, but this one didn't---or at least none of the ones I tried with the help of a Dell support person worked. Still, just important to realize that it may or may not be as easy as popping a battery out and in. -- Christian Jones [EMAIL PROTECTED] http://www.aleph0.com/~chjones
Re: Disable/Passprotect single user mode
On Saturday 27 August 2005 17:50, Christian Jones wrote: On 8/27/05, black reaper [EMAIL PROTECTED] wrote: Also, a BIOS password can be easily removed if one has physical access to the box. The small CMOS battery can be popped out, and put back in (on the motherboard), erasing your password. Not always, actually. I have a Dell laptop that's rumored to store the password in some kind of ROM. Whatever the technical aspects, removing the battery (actually, cutting the leads to it) didn't remove the password. The password you were unable to remove may well be a disk-drive password. I have an 8-year-old Dell laptop which provides in the bios the capability of setting a disk-drive password in addition to 2 bios passwords(boot and master). The question is 'WHICH disk password was set?' If it was the master disk password, you aren't going to get your data back - period. If it was the user disk password, you may be able to clear it via the master disk password. Good Luck! Note that I'm not actually suggesting this as an effective security mechanism, since most of these laptops also have a Master password, but this one didn't---or at least none of the ones I tried with the help of a Dell support person worked. Still, just important to realize that it may or may not be as easy as popping a battery out and in. -- Christian Jones [EMAIL PROTECTED] http://www.aleph0.com/~chjones -- Tired of having to defend against Malware? (You know: trojans, viruses, SPYWARE, ADWARE, KEYLOGGERS, rootkits, worms and popups) Then Switch to OpenBSD with a KDE desktop!!!
Re: Disable/Passprotect single user mode
Christian Jones wrote: On 8/27/05, black reaper [EMAIL PROTECTED] wrote: Also, a BIOS password can be easily removed if one has physical access to the box. The small CMOS battery can be popped out, and put back in (on the motherboard), erasing your password. Not always, actually. I have a Dell laptop that's rumored to store the password in some kind of ROM. Whatever the technical aspects, removing the battery (actually, cutting the leads to it) didn't remove the password. Note that I'm not actually suggesting this as an effective security mechanism, since most of these laptops also have a Master password, but this one didn't---or at least none of the ones I tried with the help of a Dell support person worked. Still,. just important to realize that it may or may not be as easy as popping a battery out and in. Its hard to be a hard target With Windoze on this HP zd8000 monster, I have no less than 3 passwords that I have to give before I can do anything. Then all of my essays on me, life, family (disfunctionsl) are all encrypted. I wrote Linus (who works about 3 miles from where I live) and told him to tell Gates to fix the miserable XP-Pro encyption. I made the mistake of encrypting my entire My Documents folder. That cpu now is OpenBSD only, haha. When I did the encryption it brought the laptop to a standstill. On the same subject, does anyone really know what XP-encryption actually means? My god, I would pick Blowfish if I had a choice. Rob.
Re: Disable/Passprotect single user mode
I have always been under the assumption to lock up a critical piece of hardware where no one can get to it accept the person with the key or possbily a crowbar. rogern John 3:16 From: Christian Jones [EMAIL PROTECTED] To: black reaper [EMAIL PROTECTED] CC: misc@openbsd.org Subject: Re: Disable/Passprotect single user mode Date: Sat, 27 Aug 2005 15:50:52 -0700 On 8/27/05, black reaper [EMAIL PROTECTED] wrote: Also, a BIOS password can be easily removed if one has physical access to the box. The small CMOS battery can be popped out, and put back in (on the motherboard), erasing your password. Not always, actually. I have a Dell laptop that's rumored to store the password in some kind of ROM. Whatever the technical aspects, removing the battery (actually, cutting the leads to it) didn't remove the password. Note that I'm not actually suggesting this as an effective security mechanism, since most of these laptops also have a Master password, but this one didn't---or at least none of the ones I tried with the help of a Dell support person worked. Still, just important to realize that it may or may not be as easy as popping a battery out and in. -- Christian Jones [EMAIL PROTECTED] http://www.aleph0.com/~chjones http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
