Re: Root boot/mount Password?
On Sun, 27 Jul 2008 12:12:16 +0200 Roland Smith [EMAIL PROTECTED] wrote:

> Note that encrypting the partitions where the OS lives is not particularly useful; there is nothing secret there. On the contrary, it would potentially make the encrypted partition vulnerable to a known plaintext attack.

The reason for doing it is to protect the OS from modification. For that to be effective the /boot really needs to be on removable media.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Root boot/mount Password?
> On Sat, Jul 26, 2008 at 05:31:23PM -, DSA - JCR wrote:
> > Hi all
> > FreeBSD 6.2
> > I would like to put a password when booting/mounting my FreeBSD box. Is it possible? How?
>
> Yes. Use geli(8) encryption.
>
> > is for protecting the system from unauthorized users
>
> Disk encryption also protects your data if the PC or hard drive is stolen.
>
> Roland

Yes, I had been thinking of geli, but my system is up and running and I don't know if I can use geli for this without breaking everything.

I have used geli for unused disks and for swap but not for root, because I don't know if I will break everything.

Can I use it for root, when it is a live system?

Of course I am not thinking of methods like the BIOS, because simply taking the battery out can reset it all.

Juan Coruña
Desarrollo de Software Atlantico
Re: Root boot/mount Password?
On Sun, Jul 27, 2008 at 09:47:44AM -, DSA - JCR wrote:
> > On Sat, Jul 26, 2008 at 05:31:23PM -, DSA - JCR wrote:
> > > Hi all
> > > FreeBSD 6.2
> > > I would like to put a password when booting/mounting my FreeBSD box. Is it possible? How?
> >
> > Yes. Use geli(8) encryption.
> >
> > > is for protecting the system from unauthorized users
> >
> > Disk encryption also protects your data if the PC or hard drive is stolen.
> >
> > Roland
>
> Yes, I had been thinking of geli, but my system is up and running and I don't know if I can use geli for this without breaking everything.
>
> I have used geli for unused disks and for swap but not for root, because I don't know if I will break everything.
>
> Can I use it for root, when it is a live system?

You can encrypt the root filesystem, but in that case /boot must be on a separate unencrypted partition, otherwise the OS cannot boot. So unless you have a spare partition for /boot, you'll have to make backups and re-partition your disk.

Note that encrypting the partitions where the OS lives is not particularly useful; there is nothing secret there. On the contrary, it would potentially make the encrypted partition vulnerable to a known plaintext attack.

So what I would recommend is to put all _your_ data (which you want to protect from unauthorized access) on one partition (in case of a desktop, I'd use /home), and encrypt that.

To do this you should back up all your data. Then you fill the partition with random noise using 'dd if=/dev/random'. This can take some time depending on the size of the partition. As soon as that is done you can use 'geli init' to initialize a geli-encrypted device, and 'geli attach' to make a device node. Then you can use newfs on the new device, mount it and restore your backup. Now edit /etc/fstab to refer to the geli device. On the next boot, the rc scripts will ask for the password and take care of the mounting of the device.

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
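The /home procedure from the message above, written out as a script (an added example, not part of the original message). The provider ad0s1f and the mountpoint /home are assumptions; by default the script only prints the commands, and RUN=1 as root executes them and destroys whatever is on the provider.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed names: provider ad0s1f,
# mountpoint /home. Prints the commands; RUN=1 (as root) executes them.
PROV=${PROV:-ad0s1f}
MNT=${MNT:-/home}

# Echo a command; execute it only when RUN=1.
step() {
    echo "+ $*"
    if [ "${RUN:-0}" = 1 ]; then "$@"; fi
}

# The steps from the message, in order. Everything on $PROV is destroyed,
# so the backup must exist and be verified before RUN=1 is used.
encrypt_partition() {
    step umount "$MNT" || return 1
    # Overwrite old plaintext; dd exits non-zero once the partition is full.
    step dd if=/dev/random of="/dev/$PROV" bs=1m || true
    step geli init "/dev/$PROV" || return 1      # asks for the new passphrase
    step geli attach "/dev/$PROV" || return 1    # creates /dev/$PROV.eli
    step newfs "/dev/$PROV.eli" || return 1
    step mount "/dev/$PROV.eli" "$MNT" || return 1
    echo "# now restore the backup into $MNT, then update /etc/fstab"
}

# Print fstab FILE with the device of the $MNT entry switched to the .eli
# node; comments and other entries pass through unchanged.
fstab_with_eli() {
    awk -v dev="/dev/$PROV" -v mnt="$MNT" '
        $1 == dev && $2 == mnt { sub(/[^ \t]+/, dev ".eli") }
        { print }' "$1"
}

# Constructed sample fstab, used to preview the edit when run as-is.
sample=$(mktemp /tmp/fstab.XXXXXX)
cat > "$sample" <<'EOF'
# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1a     /           ufs     rw       1     1
/dev/ad0s1f     /home       ufs     rw       2     2
EOF
encrypt_partition
fstab_with_eli "$sample"
rm -f "$sample"
```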
Root boot/mount Password?
Hi all

FreeBSD 6.2

I would like to put a password when booting/mounting my FreeBSD box. Is it possible? How?

What I want is that if the system is rebooted or shutdown, somebody must enter a password to boot and/or mounting /

is for protecting the system from unauthorized users

Thanks in advance

Juan Coruña
Desarrollo de Software Atlantico
Re: Root boot/mount Password?
DSA - JCR wrote:
> Hi all
> FreeBSD 6.2
> I would like to put a password when booting/mounting my FreeBSD box. Is it possible? How?
>
> What I want is that if the system is rebooted or shutdown, somebody must enter a password to boot and/or mounting /
>
> is for protecting the system from unauthorized users

A couple of items here. The first is a long known rule of security, which is, if an attacker has physical access to the console, then the game is up, you can't protect it any more. This has *somewhat* been modified in the last few years, because it's become a fairly common option in BIOSes to allow for a boot password. This too can be bypassed, pretty quickly and thoroughly, by doing a CMOS memory clear, but it IS a step in the right direction.

Honestly, though, a good security strategy is to respect that rule about an attacker with physical access to the console: protect yourself physically. Yes, you can set that boot password in the BIOS (active before any OS, including FreeBSD, starts up) but don't be silly and rely on that ... protect yourself.

> Thanks in advance
>
> Juan Coruña
> Desarrollo de Software Atlantico
Re: Root boot/mount Password?
On Sat, Jul 26, 2008 at 05:31:23PM -, DSA - JCR wrote:
> Hi all
> FreeBSD 6.2
> I would like to put a password when booting/mounting my FreeBSD box. Is it possible? How?

Yes. Use geli(8) encryption.

> is for protecting the system from unauthorized users

Disk encryption also protects your data if the PC or hard drive is stolen.

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Re: Root boot/mount Password?
On Sat, Jul 26, 2008 at 01:53:27PM -0400, Chuck Robey wrote:
> DSA - JCR wrote:
> > Hi all
> > FreeBSD 6.2
> > I would like to put a password when booting/mounting my FreeBSD box. Is it possible? How?
> >
> > What I want is that if the system is rebooted or shutdown, somebody must enter a password to boot and/or mounting /
> >
> > is for protecting the system from unauthorized users
>
> A couple of items here. The first is a long known rule of security, which is, if an attacker has physical access to the console, then the game is up, you can't protect it any more.

You cannot protect the machine if an attacker has physical access. But you _can_ protect your data by encrypting it. Hence my advice to use geli(8).

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Re: Root boot/mount Password?
Hi!

Although you already got good answers, I'd like to add the following:

On Sat, 26 Jul 2008 17:31:23 - (GMT), DSA - JCR [EMAIL PROTECTED] wrote:
> Hi all
> FreeBSD 6.2
> I would like to put a password when booting/mounting my FreeBSD box. Is it possible? How?
>
> What I want is that if the system is rebooted or shutdown, somebody must enter a password to boot and/or mounting /

Next to the usual means of access control (no automated login, no users without password), there would be an option to boot the system in single user mode first. Your /etc/ttys would contain insecure in the 5th field so nobody would get into the shell without the root password. Then, fsck and mount -a, followed by exit or Ctrl-D would be necessary to boot the system into multi user mode.

To boot your system into SUM, I think /boot/loader.conf must contain the line "boot_single=YES".

If I remember correctly, there has been a way to put a password request into a much earlier stage of booting (boot or loader), but sadly, I can't remember where to do this or if it's still possible.

Maybe these ideas are helpful.

--
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
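A check for the two settings mentioned in the message above, as an added example that is not part of the original message. The function names are hypothetical and the sample file contents are constructed; the console line follows the ttys(5) layout.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# the sample files below are constructed.

# console_flag TTYS_FILE: print insecure, secure, unset or missing for the
# "console" entry. With "insecure", init asks for the root password before
# giving a single-user shell.
console_flag() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "console" {
            flag = "unset"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break                  # trailing comment
                if ($i == "secure" || $i == "insecure") flag = $i
            }
            found = 1; print flag; exit
        }
        END { if (!found) print "missing" }' "$1"
}

# boots_single LOADER_CONF: succeed if boot_single is set to YES.
boots_single() {
    grep -Eiq '^[[:space:]]*boot_single="?YES"?[[:space:]]*(#.*)?$' "$1"
}

# Constructed samples standing in for /etc/ttys and /boot/loader.conf.
dir=$(mktemp -d /tmp/sumcheck.XXXXXX)
cat > "$dir/ttys" <<'EOF'
# name  getty  type     status
console none   unknown  off insecure
ttyv0   "/usr/libexec/getty Pc"  cons25  on  secure
EOF
printf 'boot_single="YES"\n' > "$dir/loader.conf"

echo "console: $(console_flag "$dir/ttys")"
if boots_single "$dir/loader.conf"; then echo "boot_single: YES"; fi
rm -rf "$dir"
```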
Re: Root boot/mount Password?
On Sat, Jul 26, 2008 at 09:58:53PM +0200, Polytropon wrote:
> > What I want is that if the system is rebooted or shutdown, somebody must enter a password to boot and/or mounting /
>
> Next to the usual means of access control (no automated login, no users without password), there would be an option to boot the system in single user mode first. Your /etc/ttys would contain insecure in the 5th field so nobody would get into the shell without the root password. Then, fsck and mount -a, followed by exit or Ctrl-D would be necessary to boot the system into multi user mode.
>
> To boot your system into SUM, I think /boot/loader.conf must contain the line "boot_single=YES".

Assuming physical access to the machine, this can be easily circumvented by booting from a FreeBSD CD.

Of course you can disable booting from CD in the BIOS, and guard that with a password. But that is usually easy to wipe by shorting a jumper on the motherboard.

It just depends on the amount of time and knowledge that the attacker has.

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)