[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#442443: grub-installer: Please do not store the GRUB password in cleartext

Package: grub-installer
Severity: wishlist

(originally sent by Alex to the -boot list. As I find this an
interesting suggestion, I turn this into a wishlist bug against grub-installer)

Observed with today's debian-testing-amd64-businesscard.iso. (Testing with a 
sid installer)

The debian installer allows the user to enter a password for GRUB to access 
advanced features. If the user does so, the password is included in cleartext 
in /boot/grub/menu.lst

GRUB has the capability to use an md5 hash of a password instead of storing 
the password. These are generated with the grub command md5crypt. For 
example, to generate a md5 hash of the password "foobar" (no quotes):

echo -e "md5crypt\nfoobar" | sudo grub --batch | grep "Encrypted" | 
sed -e 's/Encrypted: //g'

There may be a cleaner way to do this but the above will work. Then, 
in /boot/grub/menu.lst, where you would write:

password foobar

instead write (the output from the above command)

password --md5 $1$SZmo8$vxbhcjqNC4kHpqZi5n3r81

It is important not to store the password in cleartext for several reasons. 
Some users (such as myself) may use a password either similar to or identical 
to the root or user password on the machine for the bootloader. I boot to an 
encrypted root, but of course /boot is on an unencrypted volume so the 
password could be snooped.

I understand the rationale that on a normal system, if you have read access to 
menu.conf then you have write access (eg, by rooting the system) and could 
just clear the password anyway, but given that GRUB provides such a simple 
way to use a hash instead I think Debian should implement this.

As always, thanks for the wonderful, free operating system. Many of us 
appreciate your effort (including our entire cluster:-), and my two personal 

Alex Roper
UGCS Sysadmin
California Institute of Technology


Attachment: signature.asc
Description: Digital signature

Reply to: