Date:      Tue, 3 Apr 2001 15:56:20 -0400
From:      Peter Radcliffe <pir@pir.net>
To:        Crist Clark <crist.clark@globalstar.com>
Cc:        freebsd-chat@FreeBSD.ORG
Subject:   Re: su change?
Message-ID:  <20010403155620.C13435@pir.net>
In-Reply-To: <3ACA2471.A5AF44AD@alum.mit.edu>; from crist.clark@globalstar.com on Tue, Apr 03, 2001 at 12:28:49PM -0700
References:  <005401c0bc63$7cb36650$0202a8c0@majorzoot> <001f01c0bc68$681a2b20$1200a8c0@gsicomp.on.ca> <20010403140935.F9618@pir.net> <3ACA12FF.F4000B95@allmaui.com> <3ACA1755.7C98C5@alum.mit.edu> <20010403144240.H9618@pir.net> <3ACA2471.A5AF44AD@alum.mit.edu>

I don't read -chat.

Crist Clark <crist.clark@globalstar.com> probably said:
> Someone else started talking about booting off of a CDROM which
> diverted us into the realm of a Sun in OpenBoot. I wanted to point out
> you can just tell it to boot off the CDROM, so I was expecting someone to
> mention that you would need an EEPROM password to do that if the security
> was enabled. I figured I'd preempt that remark.

If you've lost the PROM password you've got far bigger problems than
a root password, which was the question.

>   7.My Sun is in full-security mode (can't even boot without password) 
>     and I don't know the EEPROM password. How do I fix this? (Replace chip)
> 
> "Replace chip." You know a trick? I'd be curious. I had an admin do
> this once ('course, with our Sun contract, a tech replaced the chip
> the same day, no big deal).

If you have a service contract the easiest way (and the only way
supported by sun) is indeed to get them to replace it.

No one in their right mind should be putting production machines in
full-security mode, however, with the possible exception of desktop
machines when you don't trust the person sitting in front of them. It
only increases the security level slightly and can be worked around if
you have physical access. If you have physical access you can pull
the disk and put it in a machine where you have root access and alter
the password file and ignore the PROM password.


If you don't have a service contract (personally acquired a machine or
similar), and don't want to buy a new NVRAM, that URL also describes:

] Resetting the NVRAM (when Stop-N doesn't do it)
] 
] You might want to do this to recover from the loss of an NVRAM password
] (in full security mode) or if you mess up your nvramrc. I think that the
] safest thing to do is pay the $20 for a new Timekeeper chip. But several
] people have reported to me success hot-swapping the NVRAM (i.e. removing
] and installing a new chip when the system is on).
] 
] dowdy@cs.colorado.edu (Stephen Dowdy) writes:
] > (this may apply to other SPARC models.)
] > IPC --  remove NVRAM, power-up without.  *carefully* hot-plug it in when OK
] >     prompt comes up (after it says CHECKSUM failure).  do:
] >         OK set-defaults
] >         OK set-defaults
] >     then power-cycle
] >
] > SS2 --  you need to boot from a good NVRAM, then hot-swap the "bad" one
] >     and "set-defaults".  Only if the L1-N (or is it L1-D) thingy
] >     doesn't work for you.

You can also use a ZIF socket with one pin removed to do this more
safely and on more machines. I've done this on a Sparc Classic I
acquired.

When the PROM is not in full-security mode you can reset passwords in
several other ways; the easiest is to replace the non-booting disk
with a disk that will boot and for which you know the root password,
then use the eeprom command.

If someone has left 'net' in the boot-device list, you can remove the
disk and when it fails to boot from disk it will try to boot from the
network; I use a jumpstart mini-root to run the eeprom command. I've
done this on a few machines.

> I agree this has now gotten inappropriate. Unfortunately, my mailer 
> mutinied when I tried to remove -stable from the list of targets (teach
> me to wrestle with the mailer at work). I left in -security since I was 
> actually posing a small question about the old C2 spec someone mentioned.

To my knowledge (I don't work with any of the other listed OSen day to
day) there hasn't been a C2 mode on a major commercial OS since SunOS
4. Modern versions meet as much of C2 as they are going to as
shipped.

P.

-- 
pir                  pir@pir.net                    pir@net.tufts.edu

