On Fri, 10 Jul 1998, Jericho Nunn wrote: > An easy and quick work-around that avoids granting just anybody at > the console the ability to "Stop-A" and drop into OBP, is to enable the > "security-mode" and "security-password" variables within OBP. Changing > the default value of "security-mode" from 'none' to 'full', forces a > user who tries to halt the system to authenticate against the password > defined in "security-password" before having access to the OBP command > line. Alas, "full" password mode on at least some of the Sun systems I have used will also prompt for the password before completing any legitimate boot, more or less cripping the lab/server in the event of any kind of unattended restart. Such as might well happen in a lab, or on a server after a panic, power out, or other incident. It also does not prevent the Stop-A/Break from freezing the running system. I believe that setting the EEPROM security mode to "command" will prevent anyone from doing much to the system other than to Stop-A/Break halt it and reboot with the default boot params; it will also will allow a halted machine to be continued. It should (at least so the manual pages seem to claim) not allow other commands, and I am pretty sure it will allow an unattended reboot to the default boot device. Seems like this would be the best remedy in a lab environment. Note that none of the modes will prevent the Stop-A/Break halt itself, AFAIK. But now we're talking physical access issues, and all physcially accessible system are subject to the snip hole (power cord? <snip>), and the spray hole (spray water into the box), should the malicious person want to halt it in person. Finally, remote consoling any server or device that treats the console as possessing special privileges should be undertaken with great caution. Cisco owners take note (!). -M Michael Brian Scher (MS683) | Anthropologist, Attorney, Part-Time Guru strangeat_private | http://www.tezcat.com/~strange/ strangeat_private | strangeat_private Give me a compiler and a box to run it, and I can move the mail.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:23 PDT