This chapter describes the procedures for controlling who can access Solaris systems. The following is a list of the information in this chapter.Controlling System Access (Task Map) Securing Logins and Passwords (Task Map) Changing the Password Algorithm (Task Map) Monitoring and Restricting Superuser (Task Map) Controlling Access to System Hardware (Task Map) computer securitysystem securitymachine securitysystem securitycommandsindividual commandsFor overview information about system security, see Chapter 2, Managing Machine Security (Overview). task mapssecuring systems task mapssystem access controllingsystem access A computer is as secure as its weakest point of entry. The following task map shows the areas that you should monitor and secure.Task Description For Instructions Monitor, permit, and deny user login Monitors unusual login activity. Prevents logins temporarily. Manages dial-up logins. Securing Logins and Passwords (Task Map) Provide strong password encryption Specifies algorithms to encrypt user passwords. Installs additional algorithms. Changing the Password Algorithm (Task Map) Monitor and restrict superuser activities Regularly monitors superuser activity. Prevents remote login by a root user. Monitoring and Restricting Superuser (Task Map) Prevent access to hardware settings Keeps ordinary users away from the PROM. Controlling Access to System Hardware (Task Map) task mapssecuring logins and passwords logging intask map passwordstask map securinglogins task map securingpasswords task map The following task map points to procedures that monitor user logins and that disable user logins.Task Description For Instructions Display a user's login status Lists extensive information about a user's login account, such as full name and password aging information. How to Display a User's Login Status Find users who do not have passwords Finds only those users whose accounts do not require a password. How to Display Users Without Passwords Disable logins temporarily Denies user logins to a machine as part of system shutdown or routine maintenance. How to Temporarily Disable User Logins Save failed login attempts Creates a log of users who failed to provide the correct password after five attempts. How to Monitor Failed Login Attempts Save all failed login attempts Creates a log of failed attempts to log in. How to Monitor All Failed Login Attempts Create a dial-up password Requires an additional password for users who log in remotely through a modem or dial-up port. How to Create a Dial-Up Password Disable dial-up logins temporarily Prevents users from dialing in remotely through a modem or port. How to Temporarily Disable Dial-Up Logins You can limit remote logins and require users to have passwords. You can also monitor failed access attempts and disable logins temporarily.usersdisplaying login status viewinguser's login status displayinguser's login status logging indisplaying user's login status logins commanddisplaying user's login status system securitydisplayinguser's login status user accountsdisplaying login status &rolePAstep;logins commandsyntaxDisplay a user's login status by using the logins command.# logins -x -l usernamexDisplays an extended set of login status information. l usernameDisplays the login status for the specified user. The variable username is a user's login name. Multiple login names must be specified in a comma-separated list. The logins command uses the appropriate password database to obtain a user's login status. The database can be the local /etc/passwd file, or a password database for the name service. For more information, see the logins1M man page. displayinguser's login status logging indisplaying user's login status logins commanddisplaying user's login status system securitydisplayinguser's login status user accountsdisplaying login status In the following example, the login status for the user rimmer is displayed.# logins -x -l rimmer rimmer 500 staff 10 Annalee J. Rimmer /export/home/rimmer /bin/sh PS 010103 10 7 -1rimmerIdentifies the user's login name. 500Identifies the user ID (UID). staffIdentifies the user's primary group. 10Identifies the group ID (GID). Annalee J. RimmerIdentifies the comment. /export/home/rimmerIdentifies the user's home directory. /bin/shIdentifies the login shell. PS 010170 10 7 -1Specifies the password aging information:Last date that the password was changed Number of days that are required between changes Number of days before a change is required Warning period usershaving no passwords listingusers with no passwords viewingusers with no passwords displayingusers with no passwords passwordsfinding users with no passwords &rolePAstep;p optionlogins commandDisplay all users who have no passwords by using the logins command.# logins -plogins commanddisplaying users with no passwordspasswordsdisplaying users with no passwordssystem securitydisplayingusers with no passwordsThe p option displays a list of users with no passwords. The logins command uses the password database from the local system unless a name service is enabled. In the following example, the user pmorph does not have a password.# logins -p pmorph 501 other 1 Polly Morph # usersdisabling login disablinglogins temporarily logging indisabling temporarily /etc/nologin filedisabling user logins temporarily disablinguser logins Temporarily disable user logins during system shutdown or routine maintenance. Superuser logins are not affected. For more information, see the nologin4 man page. &rolePAstep;Create the /etc/nologin file in a text editor.# vi /etc/nologin Include a message about system availability. Close and save the file. In this example, users are notified of system unavailability.# vi /etc/nologin (Add system message here) # cat /etc/nologin ***No logins permitted.*** ***The system will be unavailable until 12 noon.***You can also bring the system to run level 0, single-user mode, to disable logins. For information on bringing the system to single-user mode, see Chapter 10, Shutting Down a System (Tasks), in System Administration Guide: Basic Administration. logging inmonitoring failures monitoringfailed logins failed login attemptsloginlog file logging insecuritysaving failed attempts loginlog filesaving failed login attempts savingfailed login attempts system securitysaving failed login attempts /var/adm/loginlog filesaving failed login attempts accesssecuritysaving failed logins This procedure captures failed login attempts from terminal windows. This procedure does not capture failed logins from a CDE or GNOME login attempt. &rolePAstep;Create the loginlog file in the /var/adm directory.# touch /var/adm/loginlog Set read-and-write permissions for root user on the loginlog file.# chmod 600 /var/adm/loginlog Change group membership to sys on the loginlog file.# chgrp sys /var/adm/loginlog Verify that the log works.For example, log in to the system five times with the wrong password. Then, display the /var/adm/loginlog file.# more /var/adm/loginlog jdoe:/dev/pts/2:Tue Nov 4 10:21:10 2003 jdoe:/dev/pts/2:Tue Nov 4 10:21:21 2003 jdoe:/dev/pts/2:Tue Nov 4 10:21:30 2003 jdoe:/dev/pts/2:Tue Nov 4 10:21:40 2003 jdoe:/dev/pts/2:Tue Nov 4 10:21:49 2003 #The loginlog file contains one entry for each failed attempt. Each entry contains the user's login name, tty device, and time of the failed attempt. If a person makes fewer than five unsuccessful attempts, no failed attempts are logged.A growing loginlog file can indicate an attempt to break into the computer system. Therefore, check and clear the contents of this file regularly. For more information, see the loginlog4 man page. log filesfailed login attempts logging inlog of failed logins /etc/syslog.conf filefailed logins and configuration filessyslog.conf file failed login attemptssyslog.conf file syslog.conf filesaving failed login attempts /var/log/authlog filefailed logins authlog filesaving failed login attempts This procedure captures in a syslog file all failed login attempts. &rolePAstep;system variablesSYSLOG_FAILED_LOGINSSYSLOG_FAILED_LOGINSsystem variable/etc/default/login filelogin default settingslogin filelogin default settingsSet up the /etc/default/login file with the desired values for SYSLOG and SYSLOG_FAILED_LOGINSEdit the /etc/default/login file to change the entry. Make sure that SYSLOG=YES is uncommented.# grep SYSLOG /etc/default/login # SYSLOG determines whether the syslog(3) LOG_AUTH facility # should be used SYSLOG=YES … SYSLOG_FAILED_LOGINS=0 # Create a file with the correct permissions to hold the logging information.Create the authlog file in the /var/adm directory.# touch /var/adm/authlog Set read-and-write permissions for root user on the authlog file.# chmod 600 /var/adm/authlog Change group membership to sys on the authlog file.# chgrp sys /var/adm/authlog Edit the syslog.conf file to log failed password attempts.The failures should be sent to the authlog file.Type the following entry into the syslog.conf file.Fields on the same line in syslog.conf are separated by tabs.auth.notice <Press Tab> /var/adm/authlog svcadm commandrestarting syslog daemonRefresh the configuration information for the syslog daemon.# svcadm refresh system/system-log Verify that the log works.For example, as an ordinary user, log in to the system with the wrong password. Then, in the Primary Administrator role or as superuser, display the /var/adm/authlog file.# more /var/adm/authlog Nov 4 14:46:11 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/8 from example2, stacey # Monitor the /var/adm/authlog file on a regular basis. Follow the preceding procedure, except set the value of SYSLOG_FAILED_LOGINS to 3 in the /etc/default/login file. Uncomment the RETRIES entry in the /etc/default/login file, then set the value of RETRIES to 3. Your edits take effect immediately. After three login retries in one session, the system closes the connection. addingdial-up passwords creatingdial-up passwords passwordscreating for dial-up dial-up passwordscreating When you first establish a dial-up password, be sure to remain logged in to at least one port. Test the password on a different port. If you log off to test the new password, you might not be able to log back in. If you are still logged in to another port, you can go back and fix your mistake. &rolePAstep;configuringdial-up loginscreatingdial-up passwordsadministeringdial-up loginsdialups filecreating/etc/dialups filecreatingCreate an /etc/dialups file that contains a list of serial devices.Include all the ports that are being protected with dial-up passwords. The /etc/dialups file should appear similar to the following:/dev/term/a /dev/term/b /dev/term/c d_passwd filecreating/etc/d_passwd filecreatingcreating/etc/d_passwd filecreatingd_passwd fileuucico commandlogin programCreate an /etc/d_passwd file that contains the login programs that you are requiring to have a dial-up password. Include shell programs that a user could be running at login, for example, uucico, sh, ksh, and csh. The /etc/d_passwd file should appear similar to the following: /usr/lib/uucp/uucico:encrypted-password: /usr/bin/csh:encrypted-password: /usr/bin/ksh:encrypted-password: /usr/bin/sh:encrypted-password:Later in the procedure, you are going to add the encrypted password for each login program. Set ownership to root on the two files.# chown root /etc/dialups /etc/d_passwd Set group ownership to root on the two files.# chgrp root /etc/dialups /etc/d_passwd Set read-and-write permissions for root on the two files.# chmod 600 /etc/dialups /etc/d_passwd creatingpasswords for temporary userCreate the encrypted passwords.Create a temporary user.# useradd username Create a password for the temporary user.# passwd username New Password: <Type password> Re-enter new Password: <Retype password> passwd: password successfully changed for username Capture the encrypted password.# grep username /etc/shadow > username.temp Edit the username.temp file.Delete all fields except the encrypted password. The second field holds the encrypted password. For example, in the following line, the encrypted password is U9gp9SyA/JlSk.temp:U9gp9SyA/JlSk:7967:::::7988: Delete the temporary user.# userdel username Copy the encrypted password from username.temp file into the /etc/d_passwd file.You can create a different password for each login shell. Alternatively, use the same password for each login shell. Inform your dial-up users of the password.You should ensure that your means of informing the users cannot be tampered with. disablingdial-up passwords disablingdial-up logins temporarily passwordsdisabling dial-up temporarily dial-up passwordsdisabling temporarily d_passwd filedisabling dial-up logins temporarily /etc/d_passwd filedisabling dial-up logins temporarily passwordsdial-up passwordsdisabling temporarily stoppingdial-up logins temporarily system securitydial-up passwordsdisabling temporarily &rolePAstep;Put the following single-line entry into the /etc/d_passwd file: /usr/bin/sh:*: task mapschanging default algorithm for password encryption passwordsspecifying algorithmlocally policiesspecifying password algorithm encryptingpasswords encryptionspecifying password algorithmlocally changingdefault password algorithm changingpassword algorithm task map administeringpassword algorithms The following task map points to procedures to administer password algorithms.Task For Instructions Provide strong password encryption How to Specify an Algorithm for Password Encryption Provide strong password encryption with a name service How to Specify a New Password Algorithm for an NIS Domain How to Specify a New Password Algorithm for an NIS+ Domain How to Specify a New Password Algorithm for an LDAP Domain Add new password encryption module How to Install a Password Encryption Module From a Third Party crypt_unix password algorithm By default, user passwords are encrypted with the crypt_unix algorithm. You can use a stronger encryption algorithm, such as MD5 or Blowfish, by changing the default password encryption algorithm.policy.conf filespecifying password algorithms configuration filespolicy.conf file /etc/security/policy.conf filealgorithms configuration policy.conf filespecifying encryption algorithms in MD5 encryption algorithmpolicy.conf file algorithmspasswordconfiguration passwordsspecifying algorithm passwordsusing MD5 encryption algorithm for In this procedure, the BSD-Linux version of the MD5 algorithm is the default encryption algorithm that is used when users change their passwords. This algorithm is suitable for a mixed network of machines that run the Solaris, BSD, and Linux versions of UNIX. For a list of password encryption algorithms and algorithm identifiers, see Table 2–1. &rolePAstep;CRYPT_DEFAULT system variablesystem variablesCRYPT_DEFAULTSpecify the identifier for your chosen encryption algorithm.Type the identifier as the value for the CRYPT_DEFAULT variable in the /etc/security/policy.conf file.You might want to comment the file to explain your choice.# cat /etc/security/policy.conf … CRYPT_ALGORITHMS_ALLOW=1,2a,md5 # # Use the version of MD5 that works with Linux and BSD systems. # Passwords previously encrypted with __unix__ will be encrypted with MD5 # when users change their passwords. # # CRYPT_DEFAULT=__unix__ CRYPT_DEFAULT=1usingnew password algorithmpasswordsusing new algorithmIn this example, the algorithms configuration ensures that the weakest algorithm, crypt_unix, is never used to encrypt a password. Users whose passwords were encrypted with the crypt_unix module get a crypt_bsdmd5-encrypted password when they change their passwords.For more information on configuring the algorithm choices, see the policy.conf4 man page. Blowfish encryption algorithmpolicy.conf file Blowfish encryption algorithmusing for password passwordsusing Blowfish encryption algorithm for In this example, the identifier for the Blowfish algorithm, 2a, is specified as the value for the CRYPT_DEFAULT variable in the policy.conf file:CRYPT_ALGORITHMS_ALLOW=1,2a,md5 #CRYPT_ALGORITHMS_DEPRECATE=__unix__ CRYPT_DEFAULT=2aThis configuration is compatible with BSD systems that use the Blowfish algorithm. policy.conf filespecifying password algorithmin name services passwordsspecifying algorithmin name services NIS name servicespecifying password algorithm changingpassword algorithm for a domain passwordsNISspecifying new password algorithm When users in an NIS domain change their passwords, the NIS client consults its local algorithms configuration in the /etc/security/policy.conf file. The NIS client machine encrypts the password. Specify the password encryption algorithm in the /etc/security/policy.conf file on the NIS client. Copy the modified /etc/security/policy.conf file to every client machine in the NIS domain. To minimize confusion, copy the modified /etc/security/policy.conf file to the NIS root server and to the slave servers. NIS+ name servicespecifying password algorithm passwordsNIS+specifying new password algorithm When users in an NIS+ domain change their passwords, the NIS+ name service consults the algorithms configuration in the /etc/security/policy.conf file on the NIS+ master. The NIS+ master, which is running the rpc.nispasswd daemon, creates the encrypted password. Specify the password encryption algorithm in the /etc/security/policy.conf file on the NIS+ master. daemonsrpc.nispasswdTo minimize confusion, copy the NIS+ master's /etc/security/policy.conf file to every host in the NIS+ domain. LDAP name servicespecifying password algorithm passwordsLDAPspecifying new password algorithm When the LDAP client is properly configured, the LDAP client can use the new password algorithms. The LDAP client behaves just as an NIS client behaves. Specify a password encryption algorithm in the /etc/security/policy.conf file on the LDAP client. Copy the modified policy.conf file to every client machine in the LDAP domain. Ensure that the client's /etc/pam.conf file does not use a pam_ldap module.Ensure that a comment sign (#) precedes entries that include pam_ldap.so.1. Also, do not use the new server_policy option with the pam_authtok_store.so.1 module.The PAM entries in the client's pam.conf file enable the password to be encrypted according to the local algorithms configuration. The PAM entries also enable the password to be authenticated.When users in the LDAP domain change their passwords, the LDAP client consults its local algorithms configuration in the /etc/security/policy.conf file. The LDAP client machine encrypts the password. Then, the client sends the encrypted password, with a {crypt} tag, to the server. The tag tells the server that the password is already encrypted. The password is then stored, as is, on the server. For authentication, the client retrieves the stored password from the server. The client then compares the stored password with the encrypted version that the client has just generated from the user's typed password.To take advantage of password policy controls on the LDAP server, use the server_policy option with the pam_authtok_store entries in the pam.conf file. Passwords are then encrypted on the server by using the Sun Java System Directory Server's cryptographic mechanism. For the procedure, see Chapter 11, Setting Up Sun Java System Directory Server With LDAP Clients (Tasks), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). /etc/security/crypt.conf filechanging with new password module crypt.conf filechanging with new password module policy.conf fileadding password encryption module passwordsinstalling third-party encryption module addingpassword encryption module installingpassword encryption module encryptioninstalling third-party password modules third-party password algorithmsadding /etc/security/crypt.conf filethird-party password modules crypt.conf filethird-party password modules A third-party password encryption algorithm is typically delivered as a module in a software package. When you run the pkgadd command, scripts from the vendor should modify the /etc/security/crypt.conf file. You then modify the /etc/security/policy.conf file to include the new module and its identifier. pkgadd commandinstalling third-party softwareAdd the software by using the pkgadd command.For detailed instructions on how to add software, see Adding or Removing a Software Package (pkgadd) in System Administration Guide: Basic Administration. Confirm that the new module and module identifier have been added.Read the list of encryption algorithms in the /etc/security/crypt.conf file.For example, the following lines show that a module that implements the crypt_rot13 algorithm has been installed.# crypt.conf # md5 /usr/lib/security/$ISA/crypt_md5.so rot13 /usr/lib/security/$ISA/crypt_rot13.so # For *BSD - Linux compatibility # 1 is MD5, 2a is Blowfish 1 /usr/lib/security/$ISA/crypt_bsdmd5.so 2a /usr/lib/security/$ISA/crypt_bsdbf.so Add the identifier of the newly installed algorithm to the /etc/security/policy.conf file.The following lines show excerpts from the policy.conf file that would need to be modified to add the rot13 identifier.# Copyright 1999-2002 Sun Microsystems, Inc. All rights reserved. # ... #ident "@(#)policy.conf 1.6 02/06/07 SMI" # ... # crypt(3c) Algorithms Configuration CRYPT_ALGORITHMS_ALLOW=1,2a,md5,rot13 #CRYPT_ALGORITHMS_DEPRECATE=__unix__ CRYPT_DEFAULT=md5In this example, the rot13 algorithm is used if the current password was encrypted with the crypt_rot13 algorithm. New user passwords are encrypted with the crypt_sunmd5 algorithm. This algorithms configuration works on Solaris-only networks. task mapsmonitoring and restricting superuser monitoringsuperuser task map restrictingsuperuser task map The following task map describes how to monitor and restrict the root user login.Task Description For Instructions Monitor who is using the su command Scans the sulog file on a regular basis. How to Monitor Who Is Using the su Command Display superuser activity on the console Monitors superuser access attempts as the attempts occur. How to Restrict and Monitor Superuser Logins An alternative to using the superuser account is to set up role-based access control. Role-based access control is called RBAC. For overview information on RBAC, see Role-Based Access Control (Overview). To set up RBAC, see Chapter 9, Using Role-Based Access Control (Tasks).monitoringsu command attempts su commandmonitoring use accessroot accessmonitoring su command attempts /etc/default/su filemonitoring su command log filesmonitoring su command root usermonitoring su command attempts su filemonitoring su command sulog file system securitysu command monitoring The sulog file lists every use of the su command, not only the su attempts that are used to switch from user to superuser. /var/adm/sulog filemonitoring contents ofsulog filemonitoring contents ofMonitor the contents of the /var/adm/sulog file on a regular basis.# more /var/adm/sulog SU 12/20 16:26 + pts/0 stacey-root SU 12/21 10:59 + pts/0 stacey-root SU 01/12 11:11 + pts/0 root-rimmer SU 01/12 14:56 + pts/0 pmorph-root SU 01/12 14:57 + pts/0 pmorph-rootThe entries display the following information:The date and time that the command was entered. + (plus sign)sulog fileplus sign (+)entry in sulog file- (minus sign)sulog fileminus sign (-)entry in sulog fileIf the attempt was successful. A plus sign (+) indicates a successful attempt. A minus sign (-) indicates an unsuccessful attempt. The port from which the command was issued. The name of the user and the name of the switched identity. The su logging in this file is enabled by default through the following entry in the /etc/default/su file:SULOG=/var/adm/sulog Entries that include ??? indicate that the controlling terminal for the su command cannot be identified. Typically, system invocations of the su command before the desktop appears include ???, as in SU 10/10 08:08 + ??? root-root. After the user starts a desktop session, the ttynam command returns the value of the controlling terminal to the sulog: SU 10/10 10:10 + pts/3 jdoe-root.Entries similar to the following can indicate that the su command was not invoked on the command line: SU 10/10 10:20 + ??? root-oracle. The user might have switched to the oracle role by using a GUI. accessroot accessrestricting /etc/default/login filerestricting remote root access logging inroot loginrestricting to console login filerestricting remote root access root userrestricting remote access root userrestricting remote access system securityrestricting remote root access system securityroot access restrictions disablingremote root access remote loginspreventing superuser from securitypreventing remote login monitoringsuperuser access attempts superusermonitoring access attempts /etc/default/su filemonitoring access attempts accessroot accessdisplaying attempts on console consoledisplaying su command attempts displayingroot access attempts displayingsu command attempts /etc/default/su filedisplaying su command attempts root userdisplaying access attempts on console su commanddisplaying access attempts on console This method immediately detects superuser attempts to access the local system. View the CONSOLE entry in the /etc/default/login file.CONSOLE=/dev/consoleBy default, the console device is set to /dev/console. With this setting, root can log in to the console. root cannot log in remotely. Verify that root cannot log in remotely.From a remote system, try to log in as superuser.mach2 % rlogin -l root mach1 Password: <Type root password of mach1> Not on system console Connection closed. Monitor attempts to become superuser.By default, attempts to become superuser are printed to the console by the SYSLOG utility.Open a terminal console on your desktop. In another window, use the su command to become superuser.% su - Password: <Type root password> #A message is printed on the terminal console.Sep 7 13:22:57 mach1 su: 'su root' succeeded for jdoe on /dev/pts/6 In this example, superuser attempts are not being logged by SYSLOG. Therefore, the administrator is logging those attempts by removing the comment from the #CONSOLE=/dev/console entry in the /etc/default/su file.# CONSOLE determines whether attempts to su to root should be logged # to the named device # CONSOLE=/dev/consoleWhen a user attempts to become superuser, the attempt is printed on the terminal console.SU 09/07 16:38 + pts/8 jdoe-root To become superuser from a remote system when the /etc/default/login file contains the default CONSOLE entry, users must first log in with their user name. After logging in with their user name, users then can use the su command to become superuser.If the console displays an entry similar to Mar 16 16:20:36 mach1 login: ROOT LOGIN /dev/pts/14 FROM mach2.Example.COM, then the system is permitting remote root logins. To prevent remote superuser access, change the #CONSOLE=/dev/console entry to CONSOLE=/dev/console in the /etc/default/login file. task mapscontrolling access to system hardware task mapsprotecting system hardware preventingaccess to system hardware controllingaccess to system hardware The following task map describes how to protect the PROM from unwanted access.Task Description For Instructions Prevent users from changing system hardware settings Requires a password to modify PROM settings. How to Require a Password for Hardware Access Disable the abort sequence Prevents users from accessing the PROM. How to Disable a System's Abort Sequence hardwareprotecting system hardwarecontrolling access to securityprotecting hardware securityprotecting PROM PROM security mode eeprom command system securityhardware protection passwordsPROM security mode configuringhardware security accessrestricting forsystem hardware securitysystem hardware accesssecuritysystem hardware You can protect the physical machine by requiring a password to gain access to the hardware settings. You can also protect the machine by preventing a user from using the abort sequence to leave the windowing system.addingsecurity to system hardware passwordsrequiring for hardware access hardwarerequiring password for access passwordshardware access and configuringpassword for hardware access protectingBIOS, pointer to protectingPROM rolesusing to access the hardware On an x86 system, the equivalent to protecting the PROM is to protect the BIOS. Refer to your machine's manuals for how to protect the BIOS. rights profilesusing the System Administrator profileSystem Administrator (RBAC)protecting hardwareBecome superuser or assume a role that includes the Device Security profile, the Maintenance and Repair profile, or the System Administrator profile.The System Administrator profile includes the Maintenance and Repair profile. To create a role that includes the System Administrator profile and to assign the role to a user, see Configuring RBAC (Task Map). In a terminal window, type the PROM security mode.# eeprom security-mode=command Changing PROM password: New password: <Type password> Retype new password: <Retype password> Choose the value command or full. For more details, see the eeprom1M man page.If, when you type the preceding command, you are not prompted for a PROM password, the system already has a PROM password. To change the PROM password, type the following command:# eeprom security-password= Press Return Changing PROM password: New password: <Type password> Retype new password: <Retype password>The new PROM security mode and password are in effect immediately. However, they are most likely to be noticed at the next boot.Do not forget the PROM password. The hardware is unusable without this password. enablingkeyboard abort disablingkeyboard abort variablesKEYBOARD_ABORT disablingkeyboard shutdown disablingabort sequence disablingsystem abort sequence /etc/default/kbd file kbd file KEYBOARD_ABORT system variable system variablesKEYBOARD_ABORT Some server systems have a key switch. When the key switch is set in the secure position, the switch overrides the software keyboard abort settings. So, any changes that you make with the following procedure might not be implemented. &rolePAstep;Change the value of KEYBOARD_ABORT to disable.Comment out the enable line in the /etc/default/kbd file. Then, add a disable line:# cat /etc/default/kbd … # KEYBOARD_ABORT affects the default behavior of the keyboard abort # sequence, see kbd(1) for details. The default value is "enable". # The optional value is "disable". Any other value is ignored. … #KEYBOARD_ABORT=enable KEYBOARD_ABORT=disable Update the keyboard defaults.# kbd -i