
Re: Locking out single user mode.



On Mon, 1 Nov 1999, Federico G. Schwindt wrote:

> > How do I make OpenBSD to not accept things like the boot -c option, and more
> > importantly, how do I keep people from getting into single user mode after a
> > reboot?  
Hi!

Unless I am mistaken, you can set the "console" entry in your /etc/ttys
from "secure" to "insecure" and then it asks for password there also. (At
least in FreeBSD it does this) But then you will not be able to salvage
yourself if you for some reason forget the root password.

Some other ideas: 

- If you just want these machines to be terminals, you do not need a floppy
drive much, esp if they can boot from CD-ROM (mine cannot...) but you can
disable the floppy temporarily in any event. (not in the BIOS, pull the
cables out from it, that is hard to crack with a default passwd:-) And you
can always plug them back when you do maintenance... 

- If you have SCSI CD-ROM drives, you can configure them to be locked by
default, that is only root can open them and place something in them. With
ATAPI you must look for some other solution, see above.

- Try rebooting them as little as possible. OpenBSD does not need to be
rebooted much. And make them hard to reboot by "third parties". I am not
talking about special PC cases here (although they would be nice, they are
used for servers all over) but you could get a power supply which has a
real ON/OFF switch (not just a button) on it and then you could wipe
that nasty panic button from the front side. Reset should also go, there
are not many situations where it is needed and certainly none when users
are present. Also place them as close to the wall as possible or similar
so that users could not pull the cable from the outlet (yes even *that* is
important. You cannot even imagine how much damage in IT systems is
caused by earthquakes and ignorant cleaning personnel:-) and generally
hide as much from them as possible. They do not
even need to have the whole box handy, just the screen and the keys+mouse,
if possible.

- I know that even this will not stop some very determined wannabe-hackers
from wreaking havoc, but at least very few unfortunate accidents will
happen because of ignorant users who are even frightened in the end... A
dorm lobby is a dangerous place after all, much more so than a lab where
you can control access to... (here in Hungary I am pretty sure they would
be gone, OpenBSD and all in about a month:-)

Cheers:

Szilveszter ADAM
JATE Szeged
Hungary
-------------------------------------------------------------------------------
* Adam Szilveszter * JATE Szeged * email: sziszi_(_at_)_petra_(_dot_)_hos_(_dot_)_u-szeged_(_dot_)_hu *
* Homepage : none * alternate email: cc_(_at_)_flanker_(_dot_)_itl_(_dot_)_net_(_dot_)_ua *
* Finger sziszi_(_at_)_petra_(_dot_)_hos_(_dot_)_u-szeged_(_dot_)_hu for PGP key. *
* I prefer using the door instead of Windows(tm)... *            
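
The /etc/ttys setting discussed in the message above, as an added example that is not part of the original post: a small shell check that reports whether the console entry still carries the `secure` flag. It assumes the ttys(5) layout of name, command, type, then flags; the function name `console_status` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the console entry of a ttys(5) file.
# Assumed line layout: name  command  type  flags...   ('#' starts a comment)

# Prints "secure" if the console entry carries the secure flag,
# "insecure" if the entry exists without it, and "missing" if there is
# no console entry. Reads the named file, or stdin when no file is given.
console_status() {
    awk '
        { sub(/#.*/, "") }                # drop comments
        $1 != "console" { next }          # only the console entry matters
        {
            gsub(/"[^"]*"/, "CMD")        # collapse the quoted getty command
            result = "insecure"           # default when the flag is absent
            for (i = 4; i <= NF; i++)     # fields 4.. are the status flags
                if ($i == "secure") result = "secure"
            found = 1
            print result
            exit
        }
        END { if (!found) print "missing" }
    ' "$@"
}

# Constructed sample entries (not taken from a real system).
sample_weak='console "/usr/libexec/getty std.9600" vt220 off secure   # default'
sample_hard='console "/usr/libexec/getty std.9600" vt220 off insecure'

echo "weak sample:     $(printf '%s\n' "$sample_weak" | console_status)"
echo "hardened sample: $(printf '%s\n' "$sample_hard" | console_status)"
```

On a live system, run `console_status /etc/ttys`; a result of `insecure` means the console entry lacks the `secure` flag, so init asks for the root password before starting a single-user shell.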



