
OpenBoot Security

Anyone who has access to a computer keyboard can access OpenBoot and modify parameters unless you set up the security variables. These variables are listed in Table 3.11.

Table 3.11. OpenBoot Security Variables

| Variable | Description |
|---|---|
| security-mode | Restricts the set of operations that users are allowed to perform at the OpenBoot prompt. |
| security-password | Specifies the firmware security password. (It is never displayed.) You should not set this variable directly; you set it by using password. |
| security-#badlogins | Specifies the number of incorrect security password attempts. |


Caution

Setting the OpenBoot Security Mode: It is important to remember your security password and to set it before setting the security mode. If you later forget this password, you cannot use your system; you must call your vendor's customer support service to make your machine bootable again.


If you are able to get to a Unix prompt as root, you can use the eeprom command to either change the security-mode parameter to none or reset the security password.

To set the security password, you type password at the ok prompt, and you are then prompted as shown in the following:

New password (only first 8 chars are used): <enter password>
Retype new password: <enter password>

Earlier in this chapter you learned how to change the OpenBoot parameter security-password from the command line.

After you assign a password, you can set the security variables that best fit your environment.

You use security-mode to restrict the use of OpenBoot commands. When you assign one of the three values shown in Table 3.12, access to commands is protected by a password. The syntax for setting security-mode is as follows:

setenv security-mode <value>

Table 3.12. OpenBoot Security Values

| Value | Description |
|---|---|
| full | Specifies that all OpenBoot commands except go require a password. This security mode is the most restrictive. |
| command | Specifies that all OpenBoot commands except boot and go require a password. |
| none | Specifies that no password is required. This is the default. |


The following example sets the OpenBoot environment so that all commands except boot and go require a password:

setenv security-mode command

With security-mode set to command, a password is not required if you enter the boot command by itself or if you enter the go command. Any other command requires a password, including the boot command with an argument.

The following are examples of when a password might be required when security-mode is set to command:

| Example | Description |
|---|---|
| ok boot | No password is required. |
| ok go | No password is required. |
| ok reset-all | You are prompted to enter a password. |


Note that at the Password prompt, the password is not echoed as it is typed.

If you enter an incorrect security password, there is a delay of about 10 seconds before the next startup prompt appears. The number of times that an incorrect security password can be typed is stored in the security-#badlogins variable, but you should not change this variable.
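The following shell function is an added example, not part of the original text. It reads the name=value lines that the eeprom command prints and flags a security-mode of none or a nonzero security-#badlogins count. The function name audit_openboot and the FINDING messages are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit OpenBoot security variables from eeprom-style
# "name=value" lines. audit_openboot and the FINDING text are hypothetical.

audit_openboot() {
    # Reads lines on stdin; prints one FINDING per problem.
    # Returns 0 when nothing is flagged, 1 otherwise.
    mode="" bad="" rc=0
    while IFS= read -r line; do
        case $line in
            security-mode=*)          mode=${line#*=} ;;
            'security-#badlogins='*)  bad=${line#*=} ;;
        esac
    done
    case $mode in
        full|command) ;;   # a password protects OpenBoot commands
        none)
            echo "FINDING: security-mode=none, no password required at the ok prompt"
            rc=1 ;;
        *)
            echo "FINDING: security-mode missing or unrecognized: '$mode'"
            rc=1 ;;
    esac
    case $bad in
        ''|*[!0-9]*|0) ;;  # not reported, not numeric, or zero: nothing to flag
        *)
            echo "FINDING: $bad incorrect security password attempts recorded"
            rc=1 ;;
    esac
    return $rc
}

# Constructed sample in the format eeprom prints (not captured from a real host).
SAMPLE='security-mode=none
security-password: data not available.
security-#badlogins=3'

# On a live system the input would be the output of: eeprom
printf '%s\n' "$SAMPLE" | audit_openboot || true
```

Because root can change security-mode or reset the password with eeprom, a check like this is useful to run periodically so that an unexpected change back to none is noticed.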

