Re: Root boot/mount Password?

2008-07-29 Thread RW
On Sun, 27 Jul 2008 12:12:16 +0200
Roland Smith [EMAIL PROTECTED] wrote:


 Note that encrypting the partitions where the OS lives is not
 particularly usefull; there is nothing secret there. On the contrary,
 it would potentially make the encrypted partition vulnerable to a
 known plaintext attack.

The reason for doing it is to protect the OS from modification. For
that to be effective the /boot really needs to be on removable media.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Root boot/mount Password?

2008-07-27 Thread DSA - JCR
On Sat, Jul 26, 2008 at 05:31:23PM -, DSA - JCR wrote:
 Hi all

 FreeBSD 6.2

 I would like to put a password when booting/mounting mi Freebsd box. is
it possible? How?

Yes. Use geli(8) encryption.

 is for protecting the system from unauthorized users

Disk encryption also protects your data if the PC or harddrive is stolen.
Roland


Yes, I had thinking of Geli, but my system is up and running and I don't
know if I can use geli for this without breaking all
I have used geli for unused disks and for swap but not for root, because i
dont know if I will break all

can I use it for root, when it is a live system?


Of course i don't think in methods like BIOS because simply taking the
battery out can reset all.



Juan Coruña
Desarrollo de Software Atlantico






___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Root boot/mount Password?

2008-07-27 Thread Roland Smith
On Sun, Jul 27, 2008 at 09:47:44AM -, DSA - JCR wrote:
 On Sat, Jul 26, 2008 at 05:31:23PM -, DSA - JCR wrote:
  Hi all
 
  FreeBSD 6.2
 
  I would like to put a password when booting/mounting mi Freebsd box. is
  it possible? How?
 
 Yes. Use geli(8) encryption.
 
  is for protecting the system from unauthorized users
 
 Disk encryption also protects your data if the PC or harddrive is stolen.
 Roland
 
 
 Yes, I had thinking of Geli, but my system is up and running and I don't
 know if I can use geli for this without breaking all
 I have used geli for unused disks and for swap but not for root, because i
 dont know if I will break all
 
 can I use it for root, when it is a live system?

You can encrypt the root filesystem, but in that case /boot must be on a
separate unencrypted partition, otherwise the OS cannot boot. So unless
you have a spare partition for /boot, you'll have to make backups and
re-partition your disk.

Note that encrypting the partitions where the OS lives is not
particularly usefull; there is nothing secret there. On the contrary, it
would potentially make the encrypted partition vulnerable to a known
plaintext attack.

So what I would recommend it to put all _your_ data (which you want to
protect from unauthorized access) on one partition (in case of a
desktop, I'd use /home), and encrypt that. To do this you should back up
all your data. Then you fill the partition with random noise using 'dd
if=/dev/random'. This can take some time depending on the size of the
partition. As soon as that is done you can use 'geli init' to initialize
a geli-encrypted device, and 'geli attach' to make a device node. Then
you can use newfs on the new device, mount it and restore your
backup. Now edit /etc/fstab to refer to the geli device. On the next
boot, the rc scripts will ask for the password and take care of the
mounting of the device.

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)


pgpcuWzENqk5E.pgp
Description: PGP signature


Re: Root boot/mount Password?

2008-07-26 Thread Chuck Robey
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

DSA - JCR wrote:
 Hi all
 
 FreeBSD 6.2
 
 I would like to put a password when booting/mounting mi Freebsd box.
 is it possible? How?
 
 What I want is that if the system is rebooted or shutdown, somebody must
 enter a password to boot and/or mounting /
 
 is for protecting the system from unauthorized users

A couple of items here.  The first is a long known rule of security, which is,
if an attacker has physical access to the console, then the game is up, you
can't protect it any more.

This has *somewhat* been modified in the last few years, because it's a become a
fairly common option in BIOSes to allow for a boot password.  This too can be
bypassed, pretty quickly and thoroughly, by doing a CMOS memory clear, but it IS
a step in the right direction.  Honestly, though, a good security strategy is to
respect that rule about an attacker with physical access to the console: protect
yourself physically.  Yes, you can set that boot password in the BIOS (active
before any OS, including FreeBSD, starts up) but don't be silly and rely on that
... protect yourself.

 
 
 Thanks in advance
 
 Juan Coruña
 Desarrollo de Software Atlantico
 
 
 
 
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to [EMAIL PROTECTED]

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.9 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkiLZJYACgkQz62J6PPcoOkWkgCePG+GpCdE3XJ+g1IzXjZ9QzzT
jm8An2MpTyWMnTnTvfLMCmqNhTC2GXaj
=YdcO
-END PGP SIGNATURE-
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Root boot/mount Password?

2008-07-26 Thread Roland Smith
On Sat, Jul 26, 2008 at 05:31:23PM -, DSA - JCR wrote:
 Hi all
 
 FreeBSD 6.2
 
 I would like to put a password when booting/mounting mi Freebsd box.
 is it possible? How?

Yes. Use geli(8) encryption.

 is for protecting the system from unauthorized users

Disk encryption also protects your data if the PC or harddrive is stolen.

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)


pgpMYMGTDTpep.pgp
Description: PGP signature


Re: Root boot/mount Password?

2008-07-26 Thread Roland Smith
On Sat, Jul 26, 2008 at 01:53:27PM -0400, Chuck Robey wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 DSA - JCR wrote:
  Hi all
  
  FreeBSD 6.2
  
  I would like to put a password when booting/mounting mi Freebsd box.
  is it possible? How?
  
  What I want is that if the system is rebooted or shutdown, somebody must
  enter a password to boot and/or mounting /
  
  is for protecting the system from unauthorized users
 
 A couple of items here.  The first is a long known rule of security, which is,
 if an attacker has physical access to the console, then the game is up, you
 can't protect it any more.

You cannot protect the machine if an attacker has physical access. But
you _can_ protect your data by encrypting it. Hence my advice to use geli(8).

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)


pgprMHXOlFhSB.pgp
Description: PGP signature


Re: Root boot/mount Password?

2008-07-26 Thread Polytropon
Hi!

Allthough you already got good answers, I'd like to add the
following:

On Sat, 26 Jul 2008 17:31:23 - (GMT), DSA - JCR [EMAIL PROTECTED] wrote:
 Hi all
 
 FreeBSD 6.2
 
 I would like to put a password when booting/mounting mi Freebsd box.
 is it possible? How?


 What I want is that if the system is rebooted or shutdown, somebody must
 enter a password to boot and/or mounting /

Next to the usual means of access control (no automated login, no
users without password), there would be an option to boot the system
in single user mode first. Your /etc/ttys would contain insecure
in the 5th field so nobody would get into the shell without the
root password. Then, fsck and mount -a, followed by exit or Ctrl-D
would be neccessary to boot the system into multi user mode. To
boot your system into SUM, I think /boot/loader.conf must contain
the line ,,boot_single=YES''.

If I remember correctly, there as been a way to put a password
request into a much earlier stage of booting (boot oder loader),
but sadly, I can't remember where to do this or if it's still
possible.

Maybe these ideas are helpful.



-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Root boot/mount Password?

2008-07-26 Thread Roland Smith
On Sat, Jul 26, 2008 at 09:58:53PM +0200, Polytropon wrote:
  What I want is that if the system is rebooted or shutdown, somebody must
  enter a password to boot and/or mounting /
 
 Next to the usual means of access control (no automated login, no
 users without password), there would be an option to boot the system
 in single user mode first. Your /etc/ttys would contain insecure
 in the 5th field so nobody would get into the shell without the
 root password. Then, fsck and mount -a, followed by exit or Ctrl-D
 would be neccessary to boot the system into multi user mode. To
 boot your system into SUM, I think /boot/loader.conf must contain
 the line ,,boot_single=YES''.

Assuming physical access to the machine, this can be easily circumvented
by booting from a FreeBSD CD. 

Of yourse you can disable booting from CD in the BIOS, and guard that
with a password. But that is usually easy to wipe by shorting a jumper
on the motherboard. It just depends on the amount of time and knowledge
that the attacker has.

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)


pgpvCq1i3bfD6.pgp
Description: PGP signature