
Re: Password protecting grub

On Thu 17 Mar 2016 at 11:52:36 (+0530), Raj Kiran Grandhi wrote:
> I have been trying to achieve something similar on my system. Password
> protection in grub2 appears to be quite different from that in grub-legacy.

... and did you succeed?

> In grub2, authentication is activated by the lines (from the grub info
> manual, the section on security):
> set superusers="root"
> password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
> in the /boot/grub/grub.cfg file

Well, my recommendation was to use the unencrypted version until the
OP was successful at getting grub to see it and act upon it. This
prevents any hashing mishaps complicating the issue; one step at
a time.

> The command grub-mkpasswd-pbkdf2 can be used to generate the password.
> On debian systems, it is better to put those two lines in
> /etc/grub.d/40_custom to make sure that your changes remain after an
> `update-grub' command.

"put those two lines in":
As I pointed out, it's very important to place those lines carefully,
obeying the instructions at the top of the file (if they haven't
already been mangled out of existence).

Unfortunately the OP keeps reporting the same old error message
(with LOL) but never posts what's in which file. This makes it hard to help.

> But, be advised that once you do this, all the menu entries in grub will be
> inaccessible until the password is supplied.
> It would be nice to have a way of requiring a password only if it is required
> to boot a non-default entry.

That's what
      menuentry "May be run by any user" --unrestricted {
is for. The documentation example runs thus:

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
# cleartext password, only for illustration; use password_pbkdf2 for real users
password user1 insecure

# --unrestricted: boots without any password (the default entry goes here)
menuentry "May be run by any user" --unrestricted {
	set root=(hd0,1)
	linux /vmlinuz
}

# --users "": nobody but the superusers
menuentry "Superusers only" --users "" {
	set root=(hd0,1)
	linux /vmlinuz single
}

# --users user1: that user, or any superuser
menuentry "May be run by user1 or a superuser" --users user1 {
	set root=(hd0,2)
	chainloader +1
}
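Added example, not part of the list post or of GRUB's own code: it builds and checks hashes in the exact shape password_pbkdf2 expects (grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>, PBKDF2-HMAC-SHA512, the 10000 iterations and 64-byte salt and hash that grub-mkpasswd-pbkdf2 uses by default), shows why the manual's "biglongstring" placeholder cannot be pasted literally, and assembles the /etc/grub.d/40_custom addition with one --unrestricted entry so the default kernel still boots, refusing to touch the file if the "exec tail" header the replier warns about has been mangled. The stock header text, the hash of "hunter2" with a fixed salt, and the device and kernel paths are constructed placeholders.

```python
"""Password hashes and a 40_custom snippet for grub2's password_pbkdf2 (added example)."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PREFIX = "grub.pbkdf2.sha512"

# Header of Debian's stock /etc/grub.d/40_custom (constructed copy; compare with yours).
# update-grub runs this file as a shell script; "exec tail -n +3 $0" makes it emit
# everything from line 3 on verbatim, which is why that line must stay intact.
STOCK_40_CUSTOM = """#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
"""


def make_grub_hash(password: str, iterations: int = 10000, salt: Optional[bytes] = None) -> str:
    """Same output format as grub-mkpasswd-pbkdf2: uppercase hex salt and derived key.
    Pass a fixed salt only for reproducible tests; otherwise 64 random bytes are drawn."""
    if salt is None:
        salt = os.urandom(64)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=64)
    return f"{PREFIX}.{iterations}.{salt.hex().upper()}.{dk.hex().upper()}"


def parse_grub_hash(h: str) -> Tuple[int, bytes, bytes]:
    """Split a hash string into (iterations, salt, derived key); reject anything else.
    A copy/paste that drops a field or a hex digit fails here, before it reaches grub."""
    parts = h.strip().split(".")
    if len(parts) != 6 or ".".join(parts[:3]) != PREFIX:
        raise ValueError("not a grub.pbkdf2.sha512 hash string")
    iterations = int(parts[3])
    if iterations <= 0:
        raise ValueError("iteration count must be positive")
    return iterations, bytes.fromhex(parts[4]), bytes.fromhex(parts[5])


def verify_grub_hash(password: str, h: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    iterations, salt, expected = parse_grub_hash(h)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def grub_auth_snippet(root_hash: str, title: str, root_dev: str, kernel: str, initrd: str, cmdline: str) -> str:
    """Lines to append to 40_custom: one superuser, and one --unrestricted entry that
    boots without a password. Every other entry (including those update-grub
    generates) then requires the superuser password. Paths are placeholders."""
    return (
        'set superusers="root"\n'
        f"password_pbkdf2 root {root_hash}\n"
        "\n"
        f'menuentry "{title}" --unrestricted {{\n'
        f"\tset root={root_dev}\n"
        f"\tlinux {kernel} {cmdline}\n"
        f"\tinitrd {initrd}\n"
        "}\n"
    )


def append_to_40_custom(existing: str, snippet: str) -> str:
    """Append the snippet after the header, refusing if the header is not intact
    (otherwise sh would execute the menu lines instead of copying them)."""
    lines = existing.splitlines()
    if len(lines) < 2 or lines[0] != "#!/bin/sh" or lines[1] != "exec tail -n +3 $0":
        raise ValueError("40_custom header is damaged; restore the '#!/bin/sh' and 'exec tail -n +3 $0' lines first")
    return existing.rstrip("\n") + "\n" + snippet


if __name__ == "__main__":
    demo_salt = bytes(range(64))  # constructed fixed salt for a reproducible demo
    h = make_grub_hash("hunter2", salt=demo_salt)
    print(verify_grub_hash("hunter2", h), verify_grub_hash("wrong", h))
    snippet = grub_auth_snippet(h, "Debian GNU/Linux (default)", "(hd0,1)",
                                "/vmlinuz", "/initrd.img", "root=/dev/sda1 ro")
    print(append_to_40_custom(STOCK_40_CUSTOM, snippet))
```

After appending the real output to /etc/grub.d/40_custom, run update-grub and confirm the two lines and the --unrestricted entry appear in /boot/grub/grub.cfg; that is the file grub actually reads.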

