The NVRAM system security parameters are:
security-mode
security-password
security-#badlogins
security-mode can restrict the set of actions that unauthorized users are allowed to perform from the Forth Monitor. The three security modes, listed in order of least to most secure, are:
none
command
full
The Restricted Monitor is used to implement the command and full modes. When security is set to command or full mode, the OpenBoot firmware will come up in the Restricted Monitor. In none security mode, it will come up in either the Forth Monitor or the Restricted Monitor, depending on which one is the default.
In none security mode, any command can be typed in the Restricted Monitor, and no password is required. In command and full security modes, passwords are required to execute certain commands. For example, a password is required to get to the Forth Monitor. Once you enter the Forth Monitor, however, a password is never required.
security-mode can be changed with the operating system eeprom utility.
With security-mode set to command, the system comes up in the Restricted Monitor. In this monitor mode:
A password is not required if you type the b command, unless you use the command with a parameter.
The c command never asks for a password.
A password is required to execute the n command.
Examples are shown in the following screen.
    > b               (no password required)
    > c               (no password required)
    > b filename      (password required)
    PROM Password:    (password is not echoed as it is typed)
    > n               (password required)
    PROM Password:    (password is not echoed as it is typed)
To set the security password and command security mode, type the following at the ok prompt:
    ok password
    ok New password (only first 8 chars are used):
    ok Retype new password:
    ok setenv security-mode command
    ok
Although this example works, you should normally set the two security parameters with the eeprom command from the operating system.
The security password you assign follows the same rules as the root password: a combination of six to eight letters and numbers. The security password can be the same as the root password, or different from it. You do not have to reset the system; the security feature takes effect as soon as you type the command.
It is important to remember your security password. If you forget this password, you cannot use your system; you will have to call Sun's customer support service to make your machine bootable again.
If you enter an incorrect security password, there will be a delay of about 10 seconds before the next boot prompt appears. The number of times that an incorrect security password is typed is stored in the security-#badlogins parameter. This parameter is a 32-bit signed number (680 years' worth of attempts at 10 seconds per attempt).
The full security mode is the most restrictive. With security-mode set to full, the system comes up in the Restricted Monitor. In this mode:
A password is required when you type the b command.
The c command never asks for a password.
A password is required to execute the n command.
    > c               (no password required)
    > b               (password required)
    PROM Password:    (password is not echoed as it is typed)
    > b filename      (password required)
    PROM Password:    (password is not echoed as it is typed)
    > n               (password required)
    PROM Password:    (password is not echoed as it is typed)
To set the security password and full security, type the following at the ok prompt:
    ok password
    ok New password (only first 8 chars are used):
    ok Retype new password:
    ok setenv security-mode full
    ok
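The following is an added example, not part of the original document: a shell function that audits security-mode and security-#badlogins from name=value lines such as those printed by the operating system eeprom utility. The function name, the sample input, and the policy (none is a failure, a non-zero bad-login count is a warning) are assumptions made for illustration.

```shell
#!/bin/sh
# Audit OpenBoot security parameters read as name=value lines on stdin.
# Illustrative helper; the name and the pass/fail policy are assumptions.

audit_openboot_security() {
    mode="" badlogins="" findings=0
    while IFS= read -r line; do
        case "$line" in
            security-mode=*)         mode=${line#*=} ;;
            'security-#badlogins='*) badlogins=${line#*=} ;;
        esac
    done

    # Mode check: behaviour of b / b filename / n as described on this page.
    case "$mode" in
        full)    echo "OK: security-mode=full (b, b filename and n need the password)" ;;
        command) echo "NOTE: security-mode=command (plain b boots without a password)" ;;
        none)    echo "FAIL: security-mode=none (no password required)"; findings=1 ;;
        *)       echo "FAIL: security-mode not reported"; findings=1 ;;
    esac

    # Counter check: any non-zero value means wrong passwords were typed.
    case "$badlogins" in
        ''|*[!0-9]*) echo "NOTE: security-#badlogins not reported" ;;
        0)           echo "OK: security-#badlogins=0" ;;
        *)           echo "WARN: security-#badlogins=$badlogins incorrect password attempts recorded"
                     findings=1 ;;
    esac
    return $findings
}

# Constructed sample input; on a live system: eeprom | audit_openboot_security
sample_output='security-mode=command
security-#badlogins=3
auto-boot?=true'

printf '%s\n' "$sample_output" | audit_openboot_security || true
```

The function returns non-zero when it reports a FAIL or WARN line, so it can be run from a scheduled job that alerts on the exit status.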