[Semibug] OpenBSD - Authenticate boot into single user mode

Mike Wayne semibug15 at post.wayne47.com
Wed Jun 2 15:53:04 EDT 2021


On Wed, Jun 02, 2021 at 04:03:23AM -0600, Jonathan Drews wrote:
> Hi People:
> 
>   I have an OpenBSD laptop. I was disturbed to find this:
> 
> I Forgot My Root Password
> https://www.openbsd.org/faq/faq8.html
> 
> You boot into single user mode;
> boot> boot -s
> 
> and now have root privileges and can change the root password!
> 
> My question is how do I prevent this? I thought of using a BIOS
> level password. That would suspend the boot process until you
> entered a password. However the thief could remove the CMOS battery
> and the BIOS would reset.

This is sort of a religious issue.

If you have physical access to the machine, you can find SOME way
to read the disk. So "protecting" the system in single user mode
is just silly since the reason you are doing this is likely that you
are recovering a machine that you do not know the root password for and all
you are doing is making it more complicated for the user.

If the person doing the recovery is the original owner (the most
common case), you are just making their life more difficult. If the 
person doing it is nefarious, they will eventually succeed anyway.


