#1, 16th September 2012, daemonfowl (bsdstudent)
How to set an on-boot passphrase?

Hi!

Is it possible to set a boot passphrase whether the system is wd* or sd*?

Much thanks.
#2, 16th September 2012, ocicat (Administrator)

Quote (daemonfowl): Is it possible to set a boot passphrase whether the system is wd* or sd*?

Explain.
#3, 16th September 2012, daemonfowl (bsdstudent)

Like in Debian, for instance, one can set a passphrase before they can resume booting into the system, for both IDE/ATA or SCSI.
#4, 16th September 2012, jggimi (More noise than signal)

Yes.

At the BIOS level, portable workstations may have security passwords that can be set for the workstation itself. They may not be resettable if lost without a trip to the vendor; check your laptop/netbook BIOS documentation carefully.

Portable drive electronics may also have password protection; the ATA standard calls this "Security Mode", and not all drives have it. These may be set from the BIOS or, for example, from atactl(8). HEED THE WARNINGS in that man page and in your BIOS manual. There are two levels of password: user and master. Loss of both passwords will mean more than data loss; it will mean loss of the device.
(If I recall correctly, recovery without the user password requires a data security erase, which wipes the drive, and this recovery function requires the master password if one has been set.)

Simple password protection at boot can be performed by multiboot tools, such as GAG. These are easily defeatable by booting another device, or inspecting the boot blocks -- at least with GAG, the passwords are in plaintext.

-------

OpenBSD-specific solutions are also possible, such as encrypting partitions with softraid(4)/bioctl(8) that use keydisks and/or passphrases.
#5, 16th September 2012, ocicat (Administrator)

Quote (daemonfowl): Is it possible to set a boot passphrase whether the system is wd* or sd*?

It is also unclear from your question whether you are asking if the execution path (booting from wd(4) or sd(4)...) can be changed based on the passphrase provided.

While most BIOSes today will allow some control over what boot device will be allowed, the implementation of password protection at the BIOS level is generally not sophisticated -- either the password provided matches what is stored or it does not.

If you are wanting control over what device or operating system is booted, what you are ultimately searching for is a boot manager, but these are frequently limited to choosing which operating system is selected on the boot hard drive.
#6, 16th September 2012, daemonfowl (bsdstudent)

@jggimi, @ocicat, thank you very much!!
I'm sorry for the bad articulation & the typo .. I have several OpenBSD boxes .. some are SATA disks and some are just flash sticks .. at times I change disks (for the same laptop) .. they are not encrypted nor have passphrases .. what I was asking about:
a way to set a passphrase to use at the initial boot phase. I would hope the passphrase would still be asked for when trying to boot the respective disk using another machine (other laptop/server) ..
Then would using that passphrased disk -this time not as a boot OS but as an sd** - be mountable without having to supply a passphrase? If yes, then how would I force using a passphrase?
(I want to prevent intruders from booting/mounting my disks .. yet +security when physical security is gone :-) )
#7, 16th September 2012, ocicat (Administrator)

Quote (daemonfowl): ...be mountable without having to supply a passphrase? If yes, then how would I force using a passphrase?

See bioctl(8).
#8, 16th September 2012, daemonfowl (bsdstudent)

bioctl needs a fresh and clean drive, right? Which is not my case.
#9, 16th September 2012, denta (Fdisk Soldier)

The information on your disks will be there regardless of whether you have some weird boot-password or not. So if you lose physical security, you lose everything that is on those disks.

Like already has been mentioned, you need to look into bioctl -C.
16th September 2012, jggimi (More noise than signal)

Rather, bioctl -c C.
16th September 2012, jggimi (More noise than signal)

On this netbook, I have /home encrypted. The fstab(8) entry has both "noauto" and 0 for fs_passno.
Code:
3f76e758fbb26404.a /home ffs rw,nodev,nosuid,softdep,noauto 1 0
My rc.local(5) script includes:
Code:
# mount /home: re-run the attach (and its passphrase prompt) until it succeeds
until bioctl -c C -l /dev/sd0g softraid0; do :; done
fsck -p /home
mount /home
This script segment will loop indefinitely until success, so if there is a problem with the bioctl command, not just an incorrect passphrase, the rc.local script will continue to loop. It's a personal device so that's not a big concern. I just have to boot single user to fix whatever might be wrong.

Last edited by jggimi; 16th September 2012 at 12:27 PM. Reason: clarity
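A bounded-retry variant of the rc.local fragment above, written as an added example rather than jggimi's own script: it gives the passphrase prompt a fixed number of tries and then lets the boot continue with /home unmounted, instead of looping forever on a non-passphrase error. It assumes the same attach command (bioctl -c C -l /dev/sd0g softraid0) and mount point (/home); the function names attach_with_retry and mount_encrypted_home are this example's own.

```shell
#!/bin/sh
# Added example: bounded retry for attaching a softraid(4) crypto volume
# from rc.local, instead of looping until success.
# Assumed: same device (sd0g), volume (softraid0) and mount point (/home)
# as the fragment above; function names are this example's own.

# attach_with_retry MAX_TRIES CMD [ARGS...]
# Runs CMD up to MAX_TRIES times (bioctl prompts for the passphrase on
# each run). Returns 0 on the first success, 1 once every attempt failed.
attach_with_retry() {
    max=$1
    shift
    n=0
    while [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        if "$@"; then
            return 0
        fi
        echo "attach attempt $n of $max failed" >&2
    done
    return 1
}

# Call this from /etc/rc.local. Three wrong passphrases in a row, or any
# other bioctl error (missing disk, wrong device), leave /home unmounted
# and let the rest of the boot proceed so the problem can be fixed later.
mount_encrypted_home() {
    if attach_with_retry 3 bioctl -c C -l /dev/sd0g softraid0; then
        fsck -p /home && mount /home
    else
        echo "/home not attached after 3 attempts; fix from single-user mode" >&2
        return 1
    fi
}
```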
16th September 2012, denta (Fdisk Soldier)

Quote (jggimi): Rather, bioctl -c C.

oops! yes.