There are sometimes where setting a firmware password is less than desirable, but protecting access to single user mode is required.
The key to this is the “lock” command. From the man page:
lock - requests a password from the user, reads it again for verification and then will normally not relinquish the terminal until the password is repeated. There are two other conditions under which it will terminate: it will timeout after some interval of time and it may be killed by someone with the appropriate permission.
Apple stopped including the command with the OS after 10.4. Fortunately it is open source so we can compile a version for newer versions of the OS. You can get the source here or download a precompiled version here. The lock command should be installed into /usr/bin/.
Once lock has been installed it is important to set the root password. This can be done with the following command.
sudo passwd -i file root
It is important to note that this will save the password to the UNIX password file which can be recovered via target disk mode or HD removal and then brute forced so you want to choose a strong password that is only used for this purpose.
The next step is to create a .profile in /var/root/ with the contents “/usr/bin/lock -p -t 38000”. This can be done with the following command.
sudo echo "/usr/bin/lock -p -t 38000" > /var/root/.profile
Now when you try to boot to single user mode you will be prompted for a password.
Note: The -p flag tells lock to use the root password that we set earlier and the -t flag sets the timeout in minutes (the default is 15 min).