A firmware password secures a system against unauthorized changes at the ok prompt. If you don't have a firmware password set, anyone with access to your system's console can modify your OpenBoot parameters. If you do have a firmware password set, be careful not to forget it or even you may not be able to boot your system. With a restrictive security setting, accessing a system can be very difficult.
Before we get into what you should do if you buy a system on eBay that has a firmware password set, let's look at what the security parameters at the OpenBoot prompt provide. The parameters that influence firmware security are:
security-mode -- used to restrict the operations that users can perform at the OpenBoot prompt
security-password -- specifies the firmware password
security-#badlogins -- specifies the number of incorrect password attempts that can be made
The actual password is set by typing "password" at the ok prompt and then entering your selected password twice at the prompts. Set the security mode with the setenv command as shown.
ok password
New password (8 characters max) {password not echoed}
Retype new password: {password not echoed}
ok setenv security-mode "full"
security-mode = full
ok
Once a firmware password is set, you can set security variables to determine how and when the new password will be required. The most restrictive setting is "full". With this setting, all OpenBoot commands require the firmware password; the only exception is "go" or "c" (continue). Since these commands simply resume normal operations, all someone can do when this setting is in use is enter and leave the OpenBoot prompt. The next most restrictive setting is "command", which is nearly as restrictive as "full": it requires the firmware password for all OpenBoot commands except "boot" and "go" (or "c"). With this setting, someone can boot the system. This means that you can reinstall the system by booting from CD ROM or allow the system to boot from disk and, if you know the root password, change the firmware setting with the eeprom command. The only other firmware setting is "none"; this setting (the default) requires no password for any OpenBoot commands.
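The eeprom command mentioned above can also report these settings from a running system, which makes it easy to check which mode a box is in. The script below is an added example, not part of the original column; it assumes eeprom prints parameters as name=value lines, and the sample input and the function names audit_obp and obp_param are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize OpenBoot security settings from `eeprom` output.
# On a Solaris SPARC host (as root) you would run:  eeprom | audit_obp
# SAMPLE_EEPROM is constructed for illustration, not captured from a system.
SAMPLE_EEPROM='auto-boot?=true
boot-device=disk net
security-mode=command
security-password: data not available.
security-#badlogins=3'

# obp_param NAME: print the value of a name=value line read from stdin.
obp_param() {
    awk -F= -v key="$1" '$1 == key { print substr($0, length(key) + 2); exit }'
}

# audit_obp: read eeprom output on stdin and print one summary line.
# Exit status: 0 = password enforced (command or full),
#              1 = security-mode is none or unset,
#              2 = unrecognized security-mode value.
audit_obp() {
    input=$(cat)
    mode=$(printf '%s\n' "$input" | obp_param security-mode)
    bad=$(printf '%s\n' "$input" | obp_param 'security-#badlogins')
    # Commands usable without the firmware password, per the modes above.
    case "${mode:-none}" in
        full)    open='go';      rc=0 ;;
        command) open='boot,go'; rc=0 ;;
        none)    open='all';     rc=1 ;;
        *)       open='unknown'; rc=2 ;;
    esac
    printf 'security-mode=%s no-password-commands=%s badlogins=%s\n' \
        "${mode:-none}" "$open" "${bad:-unknown}"
    return "$rc"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_EEPROM" | audit_obp || echo "firmware password not enforced"
```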
Like any privileged password, a firmware password helps to secure a system against unauthorized changes, but it also incurs a certain risk. A forgotten firmware password can be even more troublesome than a forgotten root password when the most restrictive setting is used.
If the system settings don't allow you to boot from CD ROM or from the network, as would be the case if the "full" setting is used, what can you do?
The OBP will not recognize passwords that include control characters. Testing a new password in command mode before initiating full mode is a good idea. You will still be able to boot the system and use the eeprom command to change the settings.
If you acquire a system from eBay or elsewhere that has a firmware password set and security-mode set to command or full, you may still be able to gain control of the box, but not easily. While there isn't a magical keyboard sequence (like ^N) to override this setting, you still have some options. In next week's column, we'll look at gaining control of a system with an unknown firmware password.