How to set OBP security mode

Document ID: 14214
Synopsis:    how to set OBP security mode
Date:        9 Jan 1998


Description  
How does a user set or change the security mode of a SPARCstation
so that system access can be controlled at the OBP level?

The NVRAM "security-mode" and password can be set either while
in Solaris or SunOS or while at the "ok" prompt.

CAUTION: Do not forget the password that you set for the OBP.
         If the password is forgotten, the system will not be
         usable and the only fix is a hardware swap of the NVRAM chip.

CAUTION: Do not use characters in your password that are not
         recognized by the OBP, such as control characters
         like ^L. If these characters are used, the password
         will not be recognized and, depending on the level of
         security, the NVRAM chip may have to be replaced.

To set the security level and password while booted into the OS,
do the following (Solaris and SunOS are the same):

test# eeprom security-mode="level"
Changing PROM password:
New password:  {password not echoed}
Retype new password:  {password not echoed}
test#

To set the security level at the "ok" prompt, do the following:
 
ok password
New password (8 characters max)  {password not echoed}
Retype new password:  {password not echoed}
ok setenv security-mode "level"
security-mode =       level
ok 

Replace "level" with the security level that you wish to apply.
The valid levels are: none, command, and full.

NOTE: Setting the level to none will not ask for a password to be set.

The effects of the three security levels are:
none - Any command can be typed and no password is required.
command - The user can use the 'c' or 'b' (continue, boot) commands at
          the restricted monitor without a password.
          A password is required if the user wishes to use the 'n' command
          to get to the Forth command mode or if a parameter is used
          with the 'b' command (e.g. to boot single-user mode).
full - This is the most restrictive mode and the only command that can
       be executed without a password is the 'c' command.
       All others (b,n) require a password.

CAUTION: The use of control characters such as ^L will cause the OBP
         to not recognize the password you have entered. It is
         recommended that the password be tested using the 'command'
         security level prior to selecting 'full'. If the password
         is not recognized, boot the system with no arguments and
         change the password using the eeprom command.

If an incorrect password is entered, the system delays for approx. 10 seconds
before displaying the boot prompt again. The number of times that an incorrect
password is entered is stored in the security-#badlogins variable of the NVRAM.
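
The following audit check is an added example, not part of the original InfoDoc: it reads the two variables discussed above and flags a system left at security-mode none or one that has recorded incorrect PROM password entries. It assumes the input is name=value lines; the function name obp_audit and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit OBP security settings from eeprom-style output.
# Assumption: stdin carries name=value lines, one per NVRAM variable.
# Returns 0 = no findings, 1 = findings, 2 = security-mode missing.
obp_audit() {
    mode="" bad="" findings=0
    # The "|| [ -n ... ]" part keeps a final line that lacks a newline.
    while IFS='=' read -r name value || [ -n "$name" ]; do
        case "$name" in
            security-mode)         mode=$value ;;
            'security-#badlogins') bad=$value ;;
        esac
    done
    case "$mode" in
        full|command) echo "OK: security-mode=$mode" ;;
        none) echo "FINDING: security-mode=none, no PROM password is required"
              findings=1 ;;
        "")   echo "ERROR: security-mode not found in input"; return 2 ;;
        *)    echo "FINDING: unexpected security-mode value: $mode"
              findings=1 ;;
    esac
    case "$bad" in
        ''|*[!0-9]*) echo "NOTE: security-#badlogins missing or not numeric" ;;
        *) if [ "$bad" -gt 0 ]; then
               echo "FINDING: $bad incorrect PROM password entries recorded"
               findings=1
           else
               echo "OK: security-#badlogins=0"
           fi ;;
    esac
    return "$findings"
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_WEAK='security-mode=none
security-#badlogins=3'
SAMPLE_OK='security-mode=full
security-#badlogins=0'

printf '%s\n' "$SAMPLE_WEAK" | obp_audit || echo "exit status: $?"
printf '%s\n' "$SAMPLE_OK"   | obp_audit || echo "exit status: $?"
```

On a booted system the same function can be fed from eeprom itself, for example: eeprom security-mode 'security-#badlogins' | obp_audit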

NOTE: The recommended procedure is the one using the eeprom command,
      although both have the same result. DO NOT set the security-password
      variable of the NVRAM directly. Let the system prompt you for the
      password as shown in the two examples.
