Securing Your TiBook (or Any Other Mac OS X Machine)
Of course, this is a Macintosh and you're not supposed to have to use the command line for anything. If you'd prefer a Mac GUI program that will keep it simple, but only let you set a password and set the security-mode described above to "command" (or back to "none"), you can get one from Apple. But since you're here, why not read the rest of this article?
Note also that with full security turned on you can no longer:
- Boot a CD-ROM just by holding "c" when rebooting; you must get into OFW and type the somewhat cryptic "boot cd:,\\:tbxi" and give the correct password.
- Use the graphical boot device chooser by holding the Option key when rebooting; you must give a boot command at the OFW prompt and give the correct password. (You can use the graphical boot chooser if you have security-mode set to "command"; the Mac will prompt you for the password in a tiny little text field.)
- "Zap the PRAM" by holding down CTRL/Option/P/R while rebooting; you must give the set-defaults command and enter the correct password, then reset-all to save the new values.
A minor historical artifact: there are a few differences between Sun's
implementation and Apple's. Sun's doesn't allow setting your own
variables, but Apple's does. The only real result is that Apple requires
more care in typing. For example, if you meant to say setenv
boot-file hd:,ofwboot but you actually type setenv boot-fiel
hd:,ofwboot Apple's implementation will silently create a new
variable boot-fiel, and since you haven't actually set the boot-file to
anything, it will still have the default value. That is, Apple's OFW
implementation will silently ignore a lot of errors. Strangely, Apple's
implementation also does not implement the unsetenv command, so there is
no defined way of deleting these extraneous variables. Perhaps Apple just
doesn't intend people to use OFW interactively; indeed, the all-important,
user-friendly command-line help command does not work. Sun's at
least gives you a list of commands by category.
Do NOT try to set the password using the nvram command or using setenv in OFW. Doing so will create a "word" called password which will "hide" the password command so you will no longer be able to invoke the password command in OFW (you can then only change the OFW password using Apple's GUI program described in the text).
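An added example (not from the original article): a Python audit of `nvram -p` style output that flags the two pitfalls described above, a mistyped variable that OFW silently created and a variable named password that hides the password command. The allow-list is a partial, assumed set of IEEE 1275 variable names, the finding labels are this example's own, and the sample text is constructed.

```python
import difflib

# Configuration variables defined by IEEE 1275 (partial list, assumed here as the
# allow-list; Apple firmware adds vendor names you would append after review).
KNOWN_VARS = {
    "auto-boot?", "boot-command", "boot-device", "boot-file", "diag-device",
    "diag-file", "diag-switch?", "input-device", "output-device", "nvramrc",
    "use-nvramrc?", "security-mode", "security-password", "security-#badlogins",
}


def parse_nvram(text):
    """Parse name/value lines as printed by `nvram -p` (value may be empty)."""
    variables = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts:
            variables[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return variables


def audit(variables, known=KNOWN_VARS):
    """Return (kind, name, detail) findings for the pitfalls the article names."""
    findings = []
    for name in sorted(variables):
        if name == "password":
            # The sidebar's case: a variable called "password" hides the command.
            findings.append(("shadowing", name, "hides the OFW password command"))
        elif name not in known:
            # A near miss of a known name is most likely a setenv typo.
            close = difflib.get_close_matches(name, sorted(known), n=1, cutoff=0.8)
            if close:
                findings.append(("typo", name, close[0]))
            else:
                findings.append(("unreviewed", name, "not in allow-list"))
    # A missing security-mode variable is treated as "none".
    mode = variables.get("security-mode", "none")
    if mode not in ("command", "full"):
        findings.append(("weak", "security-mode", mode))
    return findings


# Constructed sample, not captured from a real machine.
SAMPLE = (
    "auto-boot?\ttrue\n"
    "boot-device\thd:,ofwboot\n"
    "boot-fiel\thd:,ofwboot\n"
    "boot-file\t\n"
    "password\texample\n"
    "security-mode\tcommand\n"
)

if __name__ == "__main__":
    for kind, name, detail in audit(parse_nvram(SAMPLE)):
        print(f"{kind:10} {name:15} {detail}")
```

Since Apple's OFW has no unsetenv, the script can only report a stray variable; it cannot remove one.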
And what happens if you forget the password? You can turn your doorstop back into a Mac, of course, but it may cost you. First, if you can still boot (i.e., you didn't set security-mode full), and you have the password to an "administrator" account, you can reset the password using the Apple-provided GUI program mentioned earlier (but not using the nvram command -- see sidebar). Otherwise, you have to open the case and add or remove any amount of system memory. Apple figured this would happen AND figured that if you have physical access to open it, you "own" the machine. So if the amount of memory changes, the password is removed. Yet another reason for not leaving your TiBook lying around unattended! If that doesn't work or you just don't want to open the case, take it back to your Apple service center.
Dual Booting
Although most readers won't need to set up a machine for "dual boot", that is, being able to boot into one of two different operating systems, you only need one extra OFW command to enable it. You probably don't need a "boot manager" as you would on a PC. For example, because of my security work, my TiBook often runs OpenBSD, but can easily be booted into Jaguar, depending on my mood when I boot it up. Other choices for dual-booting, if you need the capabilities of the other system, are NetBSD and Linux/PPC. As per the install instructions for OpenBSD, I set the boot-device to be "hd:,ofwboot" after installing the file ofwboot in the root of the HFS+ partition.
setenv boot-device hd:,ofwboot
Now when I boot, I can just type "boot" at the OK prompt (with security-mode full, or just restart the machine with security-mode command) to boot into OpenBSD. Or, I can type the cryptic
boot hd:,\\:tbxi
(Note that with command mode, I have to enter OFW, then type any command that requires a password, then type the boot command above.) I guess a boot manager might be good after all. And don't ask me what tbxi stands for; I simply observed that it's the factory default in printenv's listing, and it gets me into Mac OS X. Alternately, I could have left this setting alone and used "boot" to get Mac OS and "boot hd:,ofwboot" to boot OpenBSD. (Right now you cannot use the graphical boot chooser to boot into OpenBSD from the hard drive.)
Again, for normal Mac OS X-only use, you only need to set a password and security-mode; it will prompt you for the password as appropriate.
Other Local Openings
So you've set a boot password and enabled full security. Now the bad guy can't just turn your machine on and walk all through your secret data, right? Wrong. Because, out of the box, OS X doesn't even require login passwords. First thing to do is change this. Go to System Preferences -> System -> Accounts -> Users -> Set Auto Login... and ensure that the "Log in automatically" checkbox is not checked for any user. You now have to type a password to login to the computer. As an aside, your login password should not be the same as the "BIOS password" set earlier.
Now the Screen Saver. Screen savers should always have a password, so nobody can use your machine if they walk up to it while you've stepped out for a coffee. Go to System Preferences -> Personal -> Screen Effects -> Activation, and ensure that "Use my user account password" is selected. While you're there, "Hot Corners" provides a convenient way to start the screen saver--which should now be a screen lock--just by dragging the mouse off a given corner of the screen. I use this feature.
What about your OS 9 disk? If you have an OS 9 disk attached to your machine, or an OS 9 partition, with some Mac hardware you can sometimes get the Mac to boot into OS 9 by interrupting the boot on the OS X partition. Either don't keep OS 9 disks online or ensure you have selected passwords under the Multiple Users control panel.
Network Security Openings
If you use rsh, telnet or SSH, you might want to enable remote access to your computer. Mac OS X comes with OpenSSH, the free, open-source implementation of SSH, the Secure Shell protocol. The client is part of Mac OS X--to ssh out to another host, just say "ssh nameOfHost.com" and you've got an SSH connection, assuming the host runs an SSH server. To enable the SSH server, look in System Preferences -> Sharing and check the box for Remote Login.
While you're there, if your machine is on the Internet or any other network, you should probably start the "Personal Firewall" under the Firewall tab. The "Personal Firewall"--like pf or ipf on BSD UNIXes--provides a simple but effective packet filter which prevents all incoming network traffic other than what you allow. When you turn on a service like SSH, it is automatically allowed by the firewall. Note that if you don't enable the firewall, there is a greater chance of crackers accessing system services or files remotely. There is more detail on the Personal Firewall in Chris Cochella's macdevcenter article.
There is no rsh or telnet server--and I'm glad they don't ship r*d or telnetd. Actually these do ship with OS X, but there is no way to enable these services from the System Preferences, which is a step in the right direction. These puppies are dangerous--read: "totally insecure"--and should not be used. Your Mac OS X comes with ssh; use it instead.
Most of these servers, as well as the OS kernel, are part of the "open source" Darwin project, which means two things: bugs are likely to get found and likely to get fixed. The system crackers have the source code to this stuff and are reading it while you're reading this article, so do be sure and apply all updates that Apple makes available.
Finally, the fewer "sharing options" you enable, the less likely you are to suffer a hull breach when the crackers attack from deep in cyberspace.
References
OFW is designed to help in debugging operating systems; as such, it gives you much more control over the machine than is good for you. Do not experiment with OFW commands not discussed here; you can render your machine unbootable or lose data from your disk.
- IEEE Std 1275.1-1994, IEEE Standard for Boot (Initialization Configuration) Firmware: Instruction Set Architecture (ISA) Supplement for IEEE 1754. Not available online; IEEE standards must be ordered from IEEE Publications.
- FirmWorks, the leading supplier of Open Firmware.
- Open Firmware Command Summary, free from FirmWorks' web site.
- Open Firmware Command Reference, available for a charge from FirmWorks.
- Sun OpenBoot 3.x Command Reference Manual, available online at http://docs.sun.com/db/doc/802-5837
- http://playground.sun.com/pub/p1275/, Sun's OpenBoot/OFW site. Lots of gory details.
Here's a handy table that shows you four useful keyboard combinations related to restarting and powering down.
| Control Sequence | When valid | Meaning |
|---|---|---|
| Command-Option-O-F | During restart | Enter Open Firmware |
| Control-Option-P-R | When restarting | "Zap the PRAM", disabled by security-mode |
| Control-Option-POWER | Almost anytime | Emergency Power Off |
| Command-Shift-Option-Delete | During restart | Boot from CD |
Ian F. Darwin has worked in the computer industry for three decades: with Unix since 1980, Java since 1995, and OpenBSD since 1998. He is the author of two O'Reilly books, Checking C Programs with lint and Java Cookbook, and co-author of Tomcat: The Definitive Guide with Jason Brittain.
-
What about single user mode?
2003-03-05 13:22:15 anonymous2
If you hold down Command-S while booting, OS X will put you in single user mode, which doesn't start any services and instead just dumps you into a root shell, without asking for a password. Is there a way to secure this?
-
What about single user mode?
2003-06-29 23:30:42 anonymous2
Edit /etc/ttys. Change the 'console' line from 'secure' to 'insecure'. Single user now requires a password.
-
What about single user mode?
2003-07-02 15:59:00 anonymous2
That doesn't work for me, for some reason. Can you specify exactly what the line should read?
No matter what I do, it still does not require a password anywhere in the process of booting into single user mode.
(You can also email me at nmcspadden@opal.sacred.sf.ca.us)
-
Another "tip"
2003-02-26 12:56:14 anonymous2
You can also add the Menu Extra from the Keychain Access utility that allows you to lock your screen or your keychains on the fly.
Open Keychain Access, and under the View Menu, you can set "Show status in menu bar"
Makes it more convenient because I like to keep no password on my screen saver and only lock when I'm away from my Mac.
SB
-
Incorrect OS 9 security statement & OS Security Ramblings
2003-02-24 10:35:39 anonymous2
Though the operating system services available in OS X are vastly superior to the services offered in OS 9, it is not only arguable but consistently proven that OS 9 is a very secure platform.
For many serving scenarios, a pre-OS X Mac may be one of the most secure installations available with a wide variety of IP serving software available. There have been contests with $10k in prize money offered to hack a Mac server running the classic operating system, with no winners. In the case where a hack was successfully applied it was due to combined faults in third-party software - not fault of the OS, itself.
Regardless, thank you for writing this article. It answers a lot of my questions as to what should be done to properly secure OS X and I'm sure is of great value to the community as a whole.
In case you're wondering, I still operate some servers on OS 9 machines because of their inherent security features. I use OS X as my primary workstation these days, and am diggin' it - a great OS for computer geeks like myself. But what about the rest of the world? My mom shouldn't have to think about security when she plugs her Mac onto the network. Neither should yours. (-;
- Nathan
-
keyboard in open firmware
2003-02-21 03:39:03 anonymous2
I have modified my iBook's keyboard for Dvorak. Since doing that, and making the appropriate changes in the system, I found when in OF mode it defaults to QWERTY.
Interestingly though, to get into OF mode I hold down my Dvorak O & F keys, not what QWERTY would be.
Do you know anything that would help me? It must be possible, right? I mean not everyone has the same layout.
In X11 I can use xmodmap. Is there a similar solution in OF?
Thanks for your thought
-
nvram to change the password
2003-02-21 01:32:36 anonymous2
Could you ssh into OSX and using nvram, set the password?
You say that you should not try to set the password using nvram, as it will create a "world" called password. Does that mean that there is no way to set the password in OF with an nvram command or via some other command apart from booting into OF in front of the Mac?
Thanks for the info
-
nvram to change the password
2003-04-23 10:17:40 Ian F. Darwin
>you should not try to set the password using
>nvram, as it will create a "world" called password.
(Er, that's word, not world :-)).
AFAIK you can only set the password by booting into OF at the mac, or by running the GUI-based program Apple supplies.
-
Screen Saver password NOT secure
2003-02-20 09:46:51 krioni
Just thought I should point out that MacFixit.com had posted an issue where the Screen Effect password can be bypassed. Unfortunately, the full report requires a subscriber account, but the gist of it was that you can turn on Universal Access's Full Keyboard Access, even when it was off. Then you can manipulate menus, toggle through apps, and potentially do almost anything. In short, don't count on the built-in Screen Effect password to protect your machine. There are some third-party products out there you may want to look into if you fear unauthorized access.
http://www.macfixit.com/search.php?query=screen+effect&mode=search&type=stories&platform=Mac+OSX
-
Lousy Airport Reception == Very Secure
2003-02-19 10:20:13 dogzilla
Given that my new TiBook has such incredibly bad Airport reception, I feel pretty safe from hack attempts. I can't stay connected to the net long enough for anyone to hack me.
Perhaps this is part of Apple's strategy? Certainly it would explain why they keep deleting discussions of bad TiBook Airport performance from their support boards - it's a security measure!
-
macosxlabs.org "Firmware Security"
2003-02-19 07:53:38 anonymous2
FYI:
The macosxlabs project has detailed documentation on "Open Firmware Security" that covers many aspects of using/setting Open Firmware security.
I would recommend taking a look.
http://www.macosxlabs.org/documentation/firmware_security/intro.html
-
macosxlabs.org "Firmware Security"
2003-02-20 13:48:53 Ian F. Darwin
Yes, their article says many of the same things as my article
in different ways.
-
Open Firmware Password
2003-02-19 05:45:38 anonymous2
You can save yourself a lot of time and the possibility of making a mistake while in Open Firmware by getting Open Firmware Password from Apple.
http://docs.info.apple.com/article.html?artnum=106482&SaveKCWindowURL=http%3A%2F%2Fkbase.info.apple.com%2Fcgi-bin%2FWebObjects%2Fkbase.woa%2Fwa%2FSaveKCToHomePage&searchMode=Assisted&kbhost=kbase.info.apple.com&showButton=false&randomValue=100&showSurvey=false&sessionID=anonymous%7C164722705
And to comment on other people's comments. Zapping the PRAM will not bypass the password. And you would not be able to put the computer into Target Disk Mode. No Single User Mode, No Verbose Mode. The reason none of these work is because one thing the password protects is that it does not allow you to use any kind of keyboard commands to alter the startup of the computer.
If you use a Screen Saver password, set your computer to require login on boot, and use an Open Firmware password, then someone would have to take your computer apart to bypass your security. Which means if it is stolen, then you are tough out of luck.
-
Open Firmware Password
2003-02-20 13:50:09 Ian F. Darwin
I agree. These are all pointed out in my article
except for the Target Disk mode.
-
A key-combo side note...
2003-02-19 00:26:44 anonymous2
The boot up key sequence: [command] + [option] + [shift] + [delete] was stated as a way to boot from a CD. This is true, but it is more accurately described as telling the machine to ignore the default boot device and to boot from the next bootable device it can find. I am not sure how the sequence works for ATA or ATAPI. It may check all masters then all slaves, or it may go master / slave, master / slave, etc. On SCSI it would progress sequentially up the chain to find a bootable device.
-
Encrypted Disks
2003-02-18 23:06:25 acdha
I personally don't care about boot passwords. They're not reliable and are largely a waste of time - if someone has physical access, they can pull the disk and do what they feel with it.
In my case, it won't matter because the two things I care about are my keychain (which is never stored unencrypted) and my documents, which are stored on an AES-128 encrypted disk image:
http://www.macosxhints.com/article.php?story=20030212055706937#comments
I have my keychain set to close when the laptop goes to sleep and I have fairly tight sleep timing and a passworded screen saver. I might have to explain why my software registration codes got published on eDonkey but otherwise my only concern will be the insurance claim.
-
What about Firewire Target disk mode?
2003-02-18 20:44:48 leejoramo1
Do these security measures prevent Target disk mode access?
For those who don't know, Target disk mode allows your system to appear as an external Firewire drive to another computer. You start the system up and hold down the "T" key until a Firewire logo appears on the screen. (And yes, I remember that this trick is not exclusive to Firewire, it also worked back in the SCSI days.)
-
What about Firewire Target disk mode?
2003-02-20 13:54:16 Ian F. Darwin
This is the one thing I did not test, because I never use this mode. But, if it requires a key sequence like holding down T while booting, then you will not get into it once you have set a security mode and a password.
-
url with how to erase or "suck" out the password of a protected but booted mac
2003-02-18 16:50:02 anonymous2
http://www.securemac.com/openfirmwarepasswordprotection.php
-
url with how to erase or "suck" out the password of a protected but booted mac
2003-02-20 13:46:54 Ian F. Darwin
This is only for Mac OS 9. As I said in the article,
you can largely forget about the notion (or possibility) of security under OS 9.
-
setting "full" is not secure...
2003-02-18 16:44:22 anonymous2
Fiddle with the RAM, and the password is erased; also I think if you zap PRAM three times or something it is erased... Apple should have a note on this..
-
setting "full" is not secure...
2003-02-20 13:51:33 Ian F. Darwin
I agree with the sentiment, as I tried to say in the article, that nothing is perfectly secure.
If you can take a machine apart and remove the RAM,
you might as well just take out the CMOS battery.
But zapping the PRAM does not erase the password,
at least it didn't in my testing.
-
setting "full" is not secure...
2003-03-12 20:38:05 anonymous2
Zapping PRAM does not erase the password EXCEPT after you change the amount of physical memory (think 2 minutes maximum to access, and either remove or add RAM), and then only if you zap it twice in a row.
Note this is always the quandary with security. Make the how-to's available and risk informing the bad guys. But there are more good guys than bad guys (and be sure the real baddies are informed already!), and a false sense of security might actually make you more inclined to expose sensitive data. Good security is a habit. DO use the open firmware password, but DO NOT expect it to slow data access for more than a few minutes. For additional powerbook security keep sensitive material encrypted on an external firewire drive (or other persistent external media) and carry it on your person at all times. For even more security, never use that sensitive info on a computer that is EVER connected to a network, period.






