Re: Adding Password Protection to Single User Mode
Hi Valdrin,

On Wed, Jul 07, 2021 at 06:44:46AM +, Valdrin MUJA wrote:
| Thanks for suggestions,
| I removed the "secure" from /etc/ttys but I can still use "boot -s"
| without password. Is this about console connection?

Please carefully read https://man.openbsd.org/ttys.5:

> secure    If on is also specified, allows users with a UID of 0 to
>           log in on this line. If set for the console entry, then
>           init(8) will start a single-user shell without asking for
>           the superuser password.

That second sentence is very explicit. You need to take the 'secure'
keyword out of the line for the 'console' entry. The default is this:

[weerd@pom] $ grep ^console /etc/ttys
console "/usr/libexec/getty std.9600" vt220 off secure

Cheers,

Paul 'WEiRD' de Weerd

| Updated ttys file;
|
| # cat /etc/ttys | grep 115200
| tty00 "/usr/libexec/getty std.115200" vt220off
|
| From: Paul de Weerd
| Sent: Tuesday, July 6, 2021 17:36
| To: Valdrin MUJA
| Cc: misc@openbsd.org
| Subject: Re: Adding Password Protection to Single User Mode
|
| On Tue, Jul 06, 2021 at 12:27:03PM +, Valdrin MUJA wrote:
| | Hi Folks,
| |
| | I want to add a small password protection mechanism to
| | "boot -s" (single-user mode).
| |
| | Therefore, I'm working on /sys/stand/boot/boot.c, I've written
| | some code in boot.c, and run "make", "make obj", "make install"
| | in /sys/. However, I couldn't enable my update "boot" binary on startup.
| | On startup, the default boot program is working.
| |
| | How can I replace my updated boot program with the default one?
| |
| | P.S.: I've tried compile and install kernel and the result didn't change.
|
| After building a new boot loader, you will need to use installboot(8)
| to actually install said code into the system. Your `make install`
| merely placed the bootloader into the spot in the filesystem where
| installboot expects to find it, but won't do the special editing of
| the disk that installboot does.
|
| (but also see the replies from others about ttys(5) to deal with your
| situation without potentially screwing up your entire system with a
| faulty bootloader)
|
| Cheers,
|
| Paul 'WEiRD' de Weerd
|
| --
| >[<++>-]<+++.>+++[<-->-]<.>+++[<+
| +++>-]<.>++[<>-]<+.--.[-]
| http://www.weirdnet.nl/

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
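Added example (not part of the thread and not OpenBSD code): a small sh check for the point made in the reply above, that the 'secure' flag that matters for single-user mode is the one on the console line of /etc/ttys, not the one on tty00. The function name console_secure_status, its output strings and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: report whether the console entry in a ttys(5) file
# carries the 'secure' flag. Names and output strings are this
# example's own, not part of any OpenBSD tool.

console_secure_status() {
    awk '
        { sub(/#.*/, "") }                  # strip comments
        $1 == "console" {
            found = 1
            line = $0
            gsub(/"[^"]*"/, "", line)       # drop the quoted getty command
            n = split(line, f, /[ \t]+/)
            for (i = 2; i <= n; i++)
                if (f[i] == "secure") secure = 1
        }
        END {
            if (!found)      print "no-console-entry"
            else if (secure) print "secure"
            else             print "not-secure"
        }
    ' "$1"
}

# Constructed sample: tty00 edited as in the thread, console left at the default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name  getty                           type    status
console "/usr/libexec/getty std.9600"   vt220   off secure
tty00   "/usr/libexec/getty std.115200" vt220   off
EOF
echo "tty00 edited only:  $(console_secure_status "$sample")"

# Same file after removing 'secure' from the console line.
sed '/^console/s/[[:space:]]*secure//' "$sample" > "$sample.fixed"
echo "console edited too: $(console_secure_status "$sample.fixed")"
rm -f "$sample" "$sample.fixed"
```

On a real system, run console_secure_status /etc/ttys; "not-secure" is the state in which init(8) asks for the superuser password before starting the single-user shell.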
Re: Adding Password Protection to Single User Mode
Thanks for suggestions,
I removed the "secure" from /etc/ttys but I can still use "boot -s"
without password. Is this about console connection?

Updated ttys file;

# cat /etc/ttys | grep 115200
tty00 "/usr/libexec/getty std.115200" vt220off

From: Paul de Weerd
Sent: Tuesday, July 6, 2021 17:36
To: Valdrin MUJA
Cc: misc@openbsd.org
Subject: Re: Adding Password Protection to Single User Mode

On Tue, Jul 06, 2021 at 12:27:03PM +, Valdrin MUJA wrote:
| Hi Folks,
|
| I want to add a small password protection mechanism to
| "boot -s" (single-user mode).
|
| Therefore, I'm working on /sys/stand/boot/boot.c, I've written
| some code in boot.c, and run "make", "make obj", "make install"
| in /sys/. However, I couldn't enable my update "boot" binary on startup.
| On startup, the default boot program is working.
|
| How can I replace my updated boot program with the default one?
|
| P.S.: I've tried compile and install kernel and the result didn't change.

After building a new boot loader, you will need to use installboot(8)
to actually install said code into the system. Your `make install`
merely placed the bootloader into the spot in the filesystem where
installboot expects to find it, but won't do the special editing of
the disk that installboot does.

(but also see the replies from others about ttys(5) to deal with your
situation without potentially screwing up your entire system with a
faulty bootloader)

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: Adding Password Protection to Single User Mode
On Tue, Jul 06, 2021 at 12:27:03PM +, Valdrin MUJA wrote:
| Hi Folks,
|
| I want to add a small password protection mechanism to
| "boot -s" (single-user mode).
|
| Therefore, I'm working on /sys/stand/boot/boot.c, I've written
| some code in boot.c, and run "make", "make obj", "make install"
| in /sys/. However, I couldn't enable my update "boot" binary on startup.
| On startup, the default boot program is working.
|
| How can I replace my updated boot program with the default one?
|
| P.S.: I've tried compile and install kernel and the result didn't change.

After building a new boot loader, you will need to use installboot(8)
to actually install said code into the system. Your `make install`
merely placed the bootloader into the spot in the filesystem where
installboot expects to find it, but won't do the special editing of
the disk that installboot does.

(but also see the replies from others about ttys(5) to deal with your
situation without potentially screwing up your entire system with a
faulty bootloader)

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: Adding Password Protection to Single User Mode
On 7/6/21 2:27 PM, Valdrin MUJA wrote:
> Hi Folks,
>
> I want to add a small password protection mechanism to
> "boot -s" (single-user mode).
>
> Therefore, I'm working on /sys/stand/boot/boot.c, I've written
> some code in boot.c, and run "make", "make obj", "make install"
> in /sys/. However, I couldn't enable my update "boot" binary on startup.
> On startup, the default boot program is working.
>
> How can I replace my updated boot program with the default one?
>
> P.S.: I've tried compile and install kernel and the result didn't change.

man 5 ttys
Re: Adding Password Protection to Single User Mode
On 7/6/21 12:27 PM, Valdrin MUJA wrote:
> Hi Folks,
>
> I want to add a small password protection mechanism to
> "boot -s" (single-user mode).
>
> Therefore, I'm working on /sys/stand/boot/boot.c, I've written
> some code in boot.c, and run "make", "make obj", "make install"
> in /sys/. However, I couldn't enable my update "boot" binary on startup.
> On startup, the default boot program is working.
>
> How can I replace my updated boot program with the default one?
>
> P.S.: I've tried compile and install kernel and the result didn't change.

If you remove secure from console in /etc/ttys then a standard install
will require a password.

Of course if they can boot a custom kernel or bsd.rd then any password
can always be bypassed.
Adding Password Protection to Single User Mode
Hi Folks,

I want to add a small password protection mechanism to
"boot -s" (single-user mode).

Therefore, I'm working on /sys/stand/boot/boot.c, I've written
some code in boot.c, and run "make", "make obj", "make install"
in /sys/. However, I couldn't enable my update "boot" binary on startup.
On startup, the default boot program is working.

How can I replace my updated boot program with the default one?

P.S.: I've tried compile and install kernel and the result didn't change.