OFPW: Open Firmware Password Tool
Written by macenterprise   
Wednesday, 23 February 2005
This command line tool ("OFPW") can set the Open Firmware security-mode and security-password when executed with sudo or in the "root" user context (i.e., from within Login and Logout Hooks, when logged in as root, etc.).

OFPW is ready for Mac OS X 10.4 (Tiger)!

Why use the OFPW tool versus Apple's nvram tool?

  1. This tool can set the Open Firmware password without having to know the encryption method of the password. To set the security-password with Apple's nvram tool via the command line, you must already know the encrypted password string, which means reading it from a Mac that has the password already set via the Open Firmware interface at bootup time:

    • Boot into Open Firmware (Option+Command+O+F at bootup)
    • Set the password by entering "password"
    • Save the changes and reboot by entering "reset-all"
    • Log in to Mac OS X as an admin user
    • Open Terminal.app from /Applications/Utilities/
    • In the terminal, enter "sudo nvram -p | grep security-password" to see what the encrypted password looks like. Here's an example of "macosxlabs" encrypted:

      security-password %c7%cb%c9%c5%d9%d2%c6%cb%c8%d9

  2. The OFPW tool can change the security-mode regardless of the previous state of the nvram. Apple's /usr/sbin/nvram tool had a problem doing this in Mac OS X 10.3.9 and earlier. Apple fixed this bug in Mac OS X 10.4 (Tiger).

Most administrators will use "command" mode, which displays the password dialog pictured below when the Option key is held down at bootup, immediately after the startup "Bong". The other 2 modes are "none", which doesn't require any password entry, and "full", which causes the Mac to go directly into Open Firmware and require a password to do anything.

Setting the security-mode to "command" and the password to anything non-blank forces a user who attempts to boot from another device (hold down the Option key on restart) to enter a password. Command mode disables all "snag" keys except the Option key at bootup time. Entering single user mode is also prevented. The Open Firmware password dialog is displayed when the mode is changed to command and the Option key is held down at boot up time:

 

System Requirements:
  1. The Macintosh must be capable of supporting Open Firmware security
  2. You must have an administrator account on the Mac

This command line tool was created for 2 reasons:
  1. To set the Open Firmware password via cleartext
  2. To change the security-mode to "none", "command" or "full". This is essential to programmatically/automatically setting the security-mode and password on Macs right out of the box. This is highly desirable in an enterprise/large installation of Macs.

Download the OFPW tool, mount the disk image, and then install it in /usr/local/bin by entering this in the terminal:

sudo mkdir -p /usr/local/bin/
sudo cp /Volumes/OFPW-Tool/OFPW /usr/local/bin/

Make sure that the owners and groups are correct and that the execute flag is set for the root user:

sudo chown root:admin /usr/local/bin/OFPW
sudo chmod 700 /usr/local/bin/OFPW

To set the Open Firmware password:

sudo /usr/local/bin/OFPW -pass [theClearTextPassword]

NOTE: For the password, use characters that have ASCII values from 32 to 127 (inclusive) and do NOT use the capital letter "U" due to a bug in Open Firmware.

To change the security mode: [0 = None, 1 = Command, 2 = Full]

sudo /usr/local/bin/OFPW -mode 1

Note that you can only set 1 attribute at a time. You can set either the mode or the password first, but you can't set the password and the mode on one line: you must call OFPW to set the password, and then again to change the mode.
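
One way to script the two calls described above, as an added example that is not part of the original article or of the OFPW tool: it checks the password against the NOTE (ASCII 32 to 127, no capital "U") before calling OFPW once for the password and once for the mode. The function names and the final nvram check of security-mode are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of OFPW: the function names below are hypothetical.
OFPW="${OFPW:-/usr/local/bin/OFPW}"   # install path used in this article

# Succeeds only for a non-blank password made of bytes 32..127 with no capital "U".
valid_ofpw_password() {
    pw=$1
    [ -n "$pw" ] || return 1
    case $pw in *U*) return 1 ;; esac
    # Delete every allowed byte (octal 040-177) and count what is left over.
    left=$(printf '%s' "$pw" | LC_ALL=C tr -d '\040-\177' | wc -c | tr -d ' ')
    [ "$left" -eq 0 ]
}

# Translate a mode name into the number -mode expects (0 = None, 1 = Command, 2 = Full).
mode_number() {
    case $1 in
        none)    echo 0 ;;
        command) echo 1 ;;
        full)    echo 2 ;;
        *)       return 1 ;;
    esac
}

# Validate first, then call OFPW twice, since it sets one attribute per call.
# The password is passed to OFPW as an argument, so it is visible in the
# process list while the tool runs.
set_firmware_security() {
    num=$(mode_number "$2") || { echo "unknown mode: $2" >&2; return 2; }
    valid_ofpw_password "$1" || { echo "password not usable with Open Firmware" >&2; return 3; }
    "$OFPW" -pass "$1" || return 4
    "$OFPW" -mode "$num" || return 5
    # Assumption: report the resulting mode from the nvram listing.
    nvram -p | grep '^security-mode'
}

# Run as root with two arguments: the cleartext password and none|command|full.
if [ "$#" -eq 2 ]; then
    set_firmware_security "$1" "$2"
fi
```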

We are very lucky to have this tool. The source code will not be distributed.



Last Updated ( Tuesday, 24 January 2006 )
 