Hubert Feyrer <hubert.feyrer@informatik.fh-regensburg.de> suggests:

> bad:
>>   proto bootblock size 51200
>>   Will load 85 blocks.
> 
> good:
>>   proto bootblock size 48128
>>   Will load 79 blocks.
> 
> I can only guess that the bootblock is too big.

Part of me really wants to ask, "too big for what?", but there's a
good chance I would not understand the answer and I'd hate to waste
your time.  Anyway...

> Have you tried rebuilding
> without SA_USE_CREAD, SA_INCLUDE_NET in
> /sys/arch/i386/stand/biosboot/Makefile?

I hadn't, but today I gathered up my courage and did so.  It works!

SA_INCLUDE_NET was already set to "no" in the Makefile, but I changed
the setting of SA_USE_CREAD from "yes" to "no", and installed the
resulting biosboot.sym:

  /usr/mdec/biosboot.sym: entry point 0x805d000
  proto bootblock size 30720
  room for 10 filesystem blocks at 0x578
  renamed //boot -> //boot.bak
  Will load 45 blocks.
  dblk: 9840, num: 16
  dblk: 13424, num: 16
  dblk: 482, num: 13
  BSD partition starts at sector 63
  deleting //boot.bak

*Much* smaller, as you can see.

Anyway, the right thing happens with respect to passwords; thanks!

Booting from floppy is now a bit of an ordeal, since to do so, I have
to set the hardware to boot from removable media first, so that the
floppy's bootblocks (which understand the floppy's gzipped kernel)
are used.  I hope that some day it will be possible to squeeze all that
functionality (gzipped kernel reading *and* boot menu passwords) in,
but for now, what I have is quite workable, and in particular, I think
my system is now protected from attackers with physical access, except
those who are actually willing to open the case and grab the disk or
physically reset the supervisor password (or just take the whole system!).

Again, many thanks!


Anne.
-- 
Ms. Anne Bennett, Senior Analyst, IITS, Concordia University, Montreal H3G 1M8
anne@alcor.concordia.ca                                        +1 514 848-7606