Password Protected Booting

Vincent Danen

March 25, 2008

Locking the system down is important, but a lot of security can be circumvented by an attacker having physical access to your computer. The easiest thing for an attacker to do is push the reset or power button on your computer, pop in their own floppy or CD-ROM, and boot from it. Preventing this is a step one should take, especially if your server (or workstation, or even desktop) is in a publicly or semi-publicly accessible place. In other words, this pretty much applies to every system. Of course, it also depends on how important and/or critical your data is, and only you can decide on that.

With different computers and different operating systems, there are a number of different ways to prevent booting from other devices while still keeping your system usable. For instance, you may not require a password to actually boot the machine, but require one to prevent using another boot method. On a server system, in the unlikely event of a power problem, you may wish your system to come back up without human intervention. Having a boot password will, obviously, halt the bootup process by waiting for someone to enter a password. This isn't ideal. However, allowing someone physically in front of the computer to boot from their own floppy disk or a CD-ROM should not be permitted.

Mac OS X / Apple Hardware

In Mac OS X, this is extremely simple to do. What makes it even easier is the fact that there is one way of booting, via Open Firmware, and the "BIOS" that is Open Firmware is pretty straightforward across all machines (arguments about "old world" and "new world" machines notwithstanding). While this doesn't work with older machines, it works with relatively recent machines. More specifically, you need to be running an Open Firmware Boot ROM version later than 4.1.7 or 4.1.8. As well, booting into OS 9 (if you have both on your system) will reset things in Open Firmware, forcing you to make these changes again.

To determine your Boot ROM version, use the Apple System Profiler (Apple menu -> About this Mac -> More Info, or in /Applications/Utilities). If you look in the Hardware Overview pane, you can see the Boot ROM info line which indicates the version number (in the case of my G4 1GHz PowerBook the revision is 4.5.3f2).

There are three types of security you can set in Open Firmware: none, command, and full. The first is for no security, and this is how Apple machines are shipped. The second (command) restricts what Open Firmware commands can be used without knowing the password and full is for complete security; you need the password to do anything (including booting).

To enable the Open Firmware password, boot your system and press the Apple+Option+O+F key combination. This will bring you to a simple text prompt. Type the word password and enter your password twice. Then type setenv security-mode <mode> where <mode> is none, command, or full. Finally, once this is complete type reset-all to reboot the system and save your changes.

To revert the changes, boot into Open Firmware and enter setenv security-mode none and reboot using the reset-all command.

Linux

Things get a little different with Linux due to all of the different hardware. If you're running a PPC version of Linux (Mandrake, YellowDog, etc.) then you can use the above commands to set a password in Open Firmware on Mac machines. If you're using an x86 version of Linux, you should set a BIOS password so that someone cannot easily jump into the BIOS and change the boot order of your system. Most BIOSes allow you to have a BIOS password and a boot password; a password to protect the BIOS is sufficient.

Things also get a little muddier depending on what boot loader you are using. For instance, if you use LILO, you can select one of the boot options or supply your own to load a kernel with specific arguments. This makes dealing with Linux a little more interesting, but still not very difficult to handle. With Linux, there are two main boot loaders in use: LILO and Grub. Each is very different and uses its own configuration file and syntax.

LILO

LILO (which stands for LInux LOader) is perhaps the most widely-used Linux boot loader for x86 systems. You can protect LILO with a password as well, which will prevent others from specifying additional boot arguments. The following is an example /etc/lilo.conf stanza:

image=/boot/vmlinuz
     label="linux"
     root=/dev/hda3
     initrd=/boot/initrd.img
     read-only
     password="12345"
     restricted

In this case, a user can boot into "linux" (the label noted in the stanza) without requiring a password unless they wish to change the boot arguments (i.e., execute "linux single"). The password specified here is "12345", but storing the password in the clear like this is not a very good idea. With older versions of LILO you didn't have much choice, and had to make sure that /etc/lilo.conf was mode 0600 so no one other than root could read the file and thus obtain the password. With newer versions of LILO, you can leave the password keyword blank, i.e.:

     password=""

When executing the boot installer, you will be interactively prompted for the password. The password is then cached in hashed form as a companion to the configuration file, by default using /etc/lilo.conf.crc.

There are three keywords that correspond to the password entry: mandatory, which indicates that the password is required to boot the image; restricted, which indicates that the password is required to boot the image only if kernel options are specified on the command line; and bypass, which indicates that no password is required to boot this image.

Each image can have its own password (if specified directly in lilo.conf), or you can have a global password (put the password keyword and one of the three corresponding keywords in the global section). The latter is likely a better idea, but having individual passwords per boot image can also have its uses.

To run the boot installer, execute:

# lilo -v

which will rewrite the boot sector. If you need to specify the password to generate the cached password file, use:

# lilo -v -p

Grub

Grub (GRand Unified Bootloader) is another boot loader that is gaining more popularity among Linux users. It is quite different from LILO in how it works and how it's configured. It's also much more powerful than LILO and can make things much easier for local attackers. For instance, Grub can allow users to view the /etc/passwd file directly from the command line interface, without even booting the system.

To add a password to your Grub configuration, add the following to your Grub control file. Note that the location of this file is largely at your vendor's discretion; Red Hat Linux uses /boot/grub/grub.conf whereas Mandrakelinux uses /boot/grub/menu.lst. It looks as though /boot/grub/menu.lst is the preferred, and default, configuration file (according to the grub info pages and website).

     password --md5 [password]

This tells Grub that the password is stored in MD5 format; if --md5 is omitted, Grub assumes the password is clear-text. To obtain the MD5 of your password, run the Grub shell (i.e., /sbin/grub) and execute:

grub> md5crypt

Enter your password and then cut and paste the Encrypted string that is printed to the screen (it will begin with "$1$"). For example:

default=0
timeout=0
password --md5 $1$q6MJp/$RCW5VngqVruYS/94ZuUDZ1
title Red Hat Linux (2.4.18-3)
        root (hd0,0)
        kernel /boot/vmlinuz-2.4.18-3 ro root=/dev/sda1
        initrd /boot/initrd-2.4.18-3.img

Using this password does not require someone booting the machine to enter a password to boot an image (unless you specify the lock keyword in a stanza), but it will prevent them from using interactive commands in the Grub command line interface, which means they cannot pass options to the kernel and other generally insecure things that a non-password-protected Grub would allow people to do.
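As an added example (not from the article), here is a small audit script for the two Linux configurations discussed above: it flags a LILO password stored in the clear in lilo.conf (and a lilo.conf readable by non-root), a missing password keyword, and a legacy GRUB password directive given without --md5 or with a value that is not a $1$ md5crypt hash. The sample configs are constructed from the stanzas shown in the text; the function and variable names are mine.

```python
import re

# LILO's password=... (quoted or not) and a legacy GRUB md5crypt hash ($1$salt$22-char digest).
LILO_PW = re.compile(r'^password\s*=\s*"?([^"]*?)"?$')
GRUB_MD5 = re.compile(r'^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$')

def _lines(text):
    """Yield (lineno, line) with comments and blank lines stripped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # assumes no '#' inside a password
        if line:
            yield n, line

def audit_lilo(text, mode=None):
    """Findings for an /etc/lilo.conf body; mode is its permission bits if known."""
    findings, has_password, cleartext = [], False, False
    for n, line in _lines(text):
        m = LILO_PW.match(line)
        if m:
            has_password = True
            if m.group(1):        # anything other than password="" is stored in the clear
                cleartext = True
                findings.append(f'line {n}: cleartext password; use password="" and run lilo -p')
    if not has_password:
        findings.append('no password keyword: console users can pass kernel arguments')
    if cleartext and mode is not None and mode & 0o077:
        findings.append(f'lilo.conf mode {mode:04o} exposes the password; expected 0600')
    return findings

def audit_grub(text):
    """Findings for a legacy GRUB menu.lst / grub.conf body."""
    findings, has_password = [], False
    for n, line in _lines(text):
        tokens = line.split()
        if tokens[0] == 'password':
            has_password = True
            if '--md5' not in tokens:
                findings.append(f'line {n}: cleartext GRUB password; use the md5crypt output with --md5')
            else:
                value = tokens[tokens.index('--md5') + 1:][:1]   # the token right after --md5
                if not value or not GRUB_MD5.match(value[0]):
                    findings.append(f'line {n}: --md5 given but the value is not a $1$ md5crypt hash')
    if not has_password:
        findings.append('no password directive: the GRUB command line is open at the console')
    return findings

# Constructed samples, modelled on the stanzas shown in the text.
SAMPLE_LILO = 'image=/boot/vmlinuz\n  label="linux"\n  root=/dev/hda3\n  password="12345"\n  restricted\n'
SAMPLE_GRUB = 'default=0\ntimeout=0\npassword --md5 $1$q6MJp/$RCW5VngqVruYS/94ZuUDZ1\ntitle linux\n'
```

Run `audit_lilo(SAMPLE_LILO, mode=0o644)` to see both LILO findings, and `audit_grub(SAMPLE_GRUB)`, which returns no findings because the hash is used with --md5.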

Sparc Hardware

You can password protect Sparc hardware as well, in a similar fashion as that used with Apple hardware. With the Apple, you're using OpenFirmware, and with a Sparc you're using OpenBoot, which is very similar in most respects. Because you can use multiple operating systems on Sparcs (Linux, OpenBSD, etc.), we will look specifically at setting the password in OpenBoot.

To get into OpenBoot, press Stop-A on your Sparc keyboard (for those using a terminal program over a null-modem cable or something similar, you can get into OpenBoot by sending a BREAK character; in minicom, this is CTRL-A+F).

Now, there are different versions of OpenBoot, so we'll concentrate on OpenBoot 2.x (as that is all I have available to me; if any of this is different for other versions of OpenBoot, please feel free to add how it differs).

To change the security mode, type setenv security-mode <mode>, where <mode> is none, command, or full. These options are very similar to those used in OpenFirmware: none is fairly straightforward and will allow you to boot anything you like, modify options in OpenFirmware, etc. The command mode allows booting without a password, unless you pass options to the b command in OpenFirmware; it also requires a password to enter new command mode. In full mode, a password is required for everything.

To set the password, which should be done prior to making changes to the security mode, use password in OpenBoot. You will be asked to type your password in twice.
