[Semibug] OpenBSD - Authenticate boot into single user mode

Anthony Cascianelli acascianelli at icloud.com
Wed Jun 2 16:28:17 EDT 2021


It was mentioned earlier how pulling the battery off the laptop would clear any boot password set up.  I thought most modern BIOS/UEFI passwords were in non-volatile memory and would persist even if the batteries were pulled.


On June 2, 2021 at 3:53 PM, Mike Wayne <semibug15 at post.wayne47.com> wrote:


On Wed, Jun 02, 2021 at 04:03:23AM -0600, Jonathan Drews wrote:

Hi People:


I have an OpenBSD laptop. I was disturbed to find this:


I Forgot My Root Password
https://www.openbsd.org/faq/faq8.html



You boot into single user mode;
boot> boot -s


and now have root privileges and can change the root password!


My question is how do I prevent this? I thought of using a BIOS
level password. That would suspend the boot process until you
entered a password. However the thief could remove the CMOS battery
and the BIOS would reset.

This is sort of a religious issue.

If you have physical access to the machine, you can find SOME way
to read the disk. So "protecting" the system in single user mode
is just silly since the reason you are doing this is likely that you
are recovering a machine that you do not know root password and all
you are doing is making it more complicated for the user.

If the person doing the recovery is the original owner (the most
common case), you are just making their life more difficult. If the
person doing it is nefarious, they will eventually succeed anyway.
