Message-ID: <19981221085355.A10360@orcrist.mediacity.com>
Date: Mon, 21 Dec 1998 08:53:55 -0800
From: Gregory Sutter
To: Dag-Erling Smorgrav, security@FreeBSD.ORG
Subject: Re: preventing single user login w/o password
References: <199812211324.IAA27266@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: ; from Dag-Erling Smorgrav on Mon, Dec 21, 1998 at 04:32:09PM +0100
Organization: Zer0

On Mon, Dec 21, 1998 at 04:32:09PM +0100, Dag-Erling Smorgrav wrote:
> > Janos Mohacsi wrote,
> > > How can I prevent booting FreeBSD into the single user mode without
> > > supplying either root or maybe different password?
>
> Well, you can translate physical access to the computer into physical
> access to a more manageable item, such as a Java ring, if you use some
> kind of hardware device which strongly encrypts your disks and keep
> the encryption key on the Java ring. The idea is that you can't boot
> the computer without the ring, and you can't decrypt the contents of
> the disk drive without it either (not within reasonable amounts of
> time, anyway).

Okay, it's 8:45 AM, and I'm still tired, but the first thing that
came into my mind was an actual ring that one wears upon a finger.
Then I wondered about using that as a physical security key. It
would be easy to put a small chip or 2 in a ring; the reader could
be sitting in a 5.25" slot until cases are specially built for the
device, which would be plugged into the motherboard and prevent all
input or somesuch mechanism until the chip is detected.

Now, I don't know much about the actual cryptography, but combining
"something you have" with "something you know", such as a passphrase,
could make for a good physical security system. Combine that with a
sturdy, locked case and any intruder will have to take measures that
will make their intrusion obvious.

Greg
-- 
Gregory S. Sutter                 Computing is a terminal addiction.
mailto:gsutter@pobox.com
http://www.pobox.com/~gsutter/
PGP DSS public key 0x40AE3052