Subject: Re: Securing the console
To: None <>
From: David Maxwell <>
List: netbsd-users
Date: 08/09/2001 10:06:39
On Thu, Aug 09, 2001 at 04:56:39AM +0000, Jim Breton wrote:
> Any links or tips on securing the console of a NetBSD machine?  (Besides
> BIOS passwords and disabling floppy/CD-ROM booting.)

> (when I turned on IPSec without first creating /etc/ipsec.conf.. which I
> thought would fall back reasonably and still boot normally) the console
> was by default configured to let me get a root shell without prompting
> for the password.  I understand this is probably a safety measure in

Edit /etc/ttys, and remove the 'secure' token from the terminals 
appropriate for your setup. i.e:

console "/usr/libexec/getty Pc"         pc3     off secure

Note, once you remove secure, you will not be able to log in as root on
that terminal, so make sure you have a usable account created and listed
in /etc/group under 'wheel' so that you can 'su'.
(Or make sure you have setup sudo or other alternative methods)

Removing secure will cause booting to require a password to get into
single-user mode.

David Maxwell,| -->
All this stuff in twice the space would only look half as bad!
					      - me