Securing Your TiBook (or Any Other Mac OS X Machine)
Of course, this is a Macintosh and you're not supposed to have to use
the command line for anything. If you'd prefer a Mac GUI program that will
keep it simple, but only let you set a password and set the security-mode
described above to "command" (or back to "none"), you can
get one from Apple. But since you're here, why not read the rest of
this article?
Note also that with full security turned on you can no longer:
- boot a CD-ROM just by holding "c" when rebooting; you must get into
OFW and type the somewhat cryptic
boot cd:,\\:tbxi and give
the correct password.
- use the graphical boot device chooser by holding the Option key when
rebooting; you must give a boot command at the OFW prompt and give the
correct password. (You can use the graphical boot chooser if you have
security-mode set to "command"; the Mac will prompt you for the password
in a tiny little text field.)
- "Zap the PRAM" by holding down CTRL/Option/P/R while rebooting; you
must give the set-defaults command and enter the correct password, then
reset-all to save the new values.
A minor historical artifact: there are a few differences between Sun's
implementation and Apple's. Sun's doesn't allow setting your own
variables, but Apple's does. The only real result is that Apple requires
more care in typing. For example, if you meant to say setenv
boot-file hd:,ofwboot but you actually type setenv boot-fiel
hd:,ofwboot Apple's implementation will silently create a new
variable boot-fiel, and since you haven't actually set the boot-file to
anything, it will still have the default value. That is, Apple's OFW
implementation will silently ignore a lot of errors. Strangely, Apple's
implementation also does not implement the unsetenv command, so there is
no defined way of deleting these extraneous variables. Perhaps Apple just
doesn't intend people to use OFW interactively; indeed, the all-important,
user-friendly command-line help command does not work. Sun's at
least gives you a list of commands by category.
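The silent-typo problem described above can be caught after the fact by auditing the variable listing. The script below is an added example, not part of the original article or of Apple's tools: the allow-list, the function names and the sample listing are constructed for illustration, and it assumes one tab-separated name/value pair per line, as printed by nvram -p.

```shell
#!/bin/sh
# Added example: flag near-miss variable names in an Open Firmware listing.
# Assumed input: one "name<TAB>value" pair per line, e.g. from `nvram -p`.

# Hypothetical allow-list; extend it from the names your own printenv shows.
KNOWN="boot-device boot-file boot-command auto-boot? security-mode input-device output-device"

# Constructed sample: boot-fiel is the typo from the text, boot-file is unset.
sample_listing() {
    printf 'boot-device\thd:,ofwboot\nboot-fiel\thd:,ofwboot\n'
    printf 'boot-file\t\nsecurity-mode\tnone\n'
}

# Reads a listing on stdin and prints one finding per line.
audit_ofw_vars() {
    awk -F '\t' -v known="$KNOWN" '
    # Levenshtein edit distance between strings a and b.
    function dist(a, b,    i, j, la, lb, c, m, d) {
        la = length(a); lb = length(b)
        for (i = 0; i <= la; i++) d[i, 0] = i
        for (j = 0; j <= lb; j++) d[0, j] = j
        for (i = 1; i <= la; i++)
            for (j = 1; j <= lb; j++) {
                c = (substr(a, i, 1) == substr(b, j, 1)) ? 0 : 1
                m = d[i-1, j] + 1
                if (d[i, j-1] + 1 < m) m = d[i, j-1] + 1
                if (d[i-1, j-1] + c < m) m = d[i-1, j-1] + c
                d[i, j] = m
            }
        return d[la, lb]
    }
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) isknown[k[i]] = 1 }
    { seen[$1] = $2 }
    # An unknown name within two edits of a known one is probably a typo.
    !($1 in isknown) {
        for (i = 1; i <= n; i++) {
            e = dist($1, k[i])
            if (e > 0 && e <= 2) print "TYPO? " $1 " looks like " k[i]
        }
    }
    END {
        if (!("security-mode" in seen) || seen["security-mode"] == "none")
            print "WEAK security-mode is none or unset"
    }'
}

sample_listing | audit_ofw_vars
```

On a real machine, pipe the output of nvram -p into audit_ofw_vars instead of the sample.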
And what happens if you forget the password? You can turn your doorstop
back into a Mac, of course, but it may cost you. First, if you can still
boot (i.e., you didn't set security-mode full), and you have the password
to an "administrator" account, you can reset the password using the
Apple-provided GUI program mentioned earlier (but not using the nvram
command -- see sidebar). Otherwise, you have to open the case and add or remove any amount of system memory. Apple figured this would happen AND figured that if you have physical access to open it, you "own" the machine. So if the amount of memory changes, the password is removed. Yet another reason for not leaving your TiBook lying around unattended! If that doesn't work or you just don't want to open the case, take it back to your Apple service center.
Dual Booting
Although most readers won't need to set up a machine for "dual boot",
that is, being able to boot into one of two different operating systems,
you only need one extra OFW command to enable it. You probably don't need
a "boot manager" as you would on a PC. For example, because of my security
work, my TiBook often runs OpenBSD,
but can easily be booted into Jaguar, depending on my mood when I boot it
up. Other choices for dual-booting, if you need the capabilities of the
other system, are NetBSD and Linux/PPC. As per the install instructions
for OpenBSD, I set the boot-device to be "hd:,ofwboot" after installing
the file ofwboot in the root of the HFS+ partition.
setenv boot-device hd:,ofwboot
Now when I boot, I can just type "boot" at the OK prompt (with
security-mode full, or just restart the machine with security-mode
command) to boot into OpenBSD. Or, I can type the cryptic
boot hd:,\\:tbxi
(Note that with command mode, I have to enter OFW, then type any command that requires a password, then type the boot command above. I guess a boot manager might be good after all.) And don't ask me what tbxi stands for; I simply
observed that it's the factory default in printenv's listing, and it gets
me into Mac OS X. Alternatively, I could have left this setting alone and
used "boot" to get Mac OS and "boot hd:,ofwboot" to boot OpenBSD (right
now you cannot use the graphical boot chooser to boot into OpenBSD from
the hard drive).
Again, for normal Mac OS X-only use, you only need to set a password
and security-mode; it will prompt you for the password as appropriate.
Other Local Openings
So you've set a boot password and enabled full security. Now the bad
guy can't just turn your machine on and walk all through your secret data,
right? Wrong. Because, out of the box, OS X doesn't even require login
passwords. First thing to do is change this. Go to System Preferences
-> System -> Accounts -> Users -> Set Auto Login... and ensure
that the "Log in automatically" checkbox is not checked for any
user. You now have to type a password to login to the computer. As an
aside, your login password should not be the same as the "BIOS password"
set earlier.
Now the Screen Saver. Screen savers should always have a password, so
nobody can use your machine if they walk up to it while you've stepped out
for a coffee. Go to System Preferences -> Personal -> Screen Effects
-> Activation, and ensure that "Use my user account password" is
selected. While you're there, "Hot Corners" provides a convenient way to
start the screen saver--which should now be a screen lock--just by
dragging the mouse off a given corner of the screen. I use this
feature.
What about your OS 9 disk? If you have an OS 9 disk attached to your
machine, or an OS 9 partition, with some Mac hardware you can sometimes
get the Mac to boot into OS 9 by interrupting the boot on the OS X
partition. Either don't keep OS 9 disks online or ensure you have selected
passwords under the Multiple Users control panel.
Network Security Openings
If you use rsh, telnet or SSH, you might want to enable remote access
to your computer. Mac OS X comes with OpenSSH, the free, open-source
implementation of SSH, the Secure Shell protocol. The client is part of
Mac OS X--to ssh out to another host, just say "ssh nameOfHost.com" and
you've got an SSH connection, assuming the host runs an SSH server. To
enable the SSH server, look in System Preferences -> Sharing and check
the box for Remote Login.
While you're there, if your machine is on the Internet or any other
network, you should probably start the "Personal Firewall" under the
Firewall tab. The "Personal Firewall"--like pf or ipf on BSD
UNIXes--provides a simple but effective packet filter which prevents all
incoming network traffic other than what you allow. When you turn on a
service like SSH, it is automatically allowed by the firewall. Note that
if you don't enable the firewall, there is a greater chance of crackers
accessing system services or files remotely. There is more detail on the
Personal Firewall in
Chris Cochella's macdevcenter article.
There is no rsh or telnet server--and I'm glad they don't ship r*d or
telnetd. Actually these do ship with OS X, but there is no way to enable
these services from the System Preferences, which is a step in the right
direction. These puppies are dangerous--read: "totally insecure"--and
should not be used. Your Mac OS X comes with ssh; use it instead.
Most of these servers, as well as the OS kernel, are part of the "open
source" Darwin project, which means two things: bugs are likely to get
found and likely to get fixed. The system crackers have the source code to
this stuff and are reading it while you're reading this article, so do be
sure and apply all updates that Apple makes available.
Finally, the fewer "sharing options" you enable, the less likely you
are to suffer a hull breach when the crackers attack from deep in
cyberspace.
References
OFW is designed to help in debugging operating systems; as such, it
gives you much more control over the machine than is good for you. Do not
experiment with OFW commands not discussed here; you can render your
machine unbootable or lose data from your disk.
- IEEE Std 1275.1-1994, IEEE Standard for Boot (Initialization Configuration) Firmware: Instruction Set Architecture (ISA) Supplement for IEEE 1754. Not available online; IEEE standards must be ordered from IEEE Publications.
- FirmWorks, the leading supplier of Open Firmware.
- Open Firmware Command Summary, free from FirmWorks' web site.
- Open Firmware Command Reference, available for a charge from FirmWorks.
- Sun OpenBoot 3.x Command Reference Manual, available online at http://docs.sun.com/db/doc/802-5837
- http://playground.sun.com/pub/p1275/, Sun's OpenBoot/OFW site. Lots of gory details.
Here's a handy table that shows you four useful keyboard combinations
related to restarting and powering down.
| Control Sequence | When valid | Meaning |
| Command-Option-O-F | During restart | Enter Open Firmware |
| Control-Option-P-R | When restarting | "Zap the PRAM", disabled by security-mode |
| Control-Option-POWER | Almost anytime | Emergency Power Off |
| Command-Shift-Option-Delete | During restart | Boot from CD |
Ian F. Darwin has worked in the computer industry for three decades: with Unix since 1980, Java since 1995, and OpenBSD since 1998. He is the author of two O'Reilly books, Checking C Programs with lint and Java Cookbook, and co-author of Tomcat: The Definitive Guide with Jason Brittain.