Gentoo Forums
Grub MD5 Password
y0el
n00b
Joined: 01 Aug 2002
Posts: 40
Location: Sweden

Posted: Mon Nov 04, 2002 5:36 pm    Post subject: Grub MD5 Password

Hey!

I'm trying to set a password in (GNU) Grub so that you have to enter the password to boot Gentoo... Now, if I put "password THISISMYPASSWORD" in /boot/grub/menu.lst then you can see the password in clear text by pressing "e" in the Grub menu... So I read the documentation and it said that I could use md5crypt in the Grub shell, but I get this when trying "md5crypt" in that shell:
Code:
Error 27: Unrecognized command


What to do? Where do I find this md5crypt?
Thanks
\\baxlash
UnderScore
n00b
Joined: 14 Jul 2002
Posts: 25
Location: Long Island, NY, USA

Posted: Tue Nov 05, 2002 5:03 am

Check here: http://www.linuxquestions.org/questions/history/31772

for this post:
Quote:
password=something is for lilo but I don't want to restart my machine to test it and I am using GRUB.

In grub, you can set a password using grub-md5-crypt. To use this, log in as root and then run this:

grub-md5-crypt

You'll get a password prompt here. For example, I specified the password redhat, and I get this as an output:

$1$JQQTV/$OK8zwwM5hTFI7m/i6AEl6/

I then copy that in /etc/grub.conf. To set the password just for the linux bootup:

title Red Hat Linux
password --md5 $1$JQQTV/$OK8zwwM5hTFI7m/i6AEl6/
root (hd0,1)
kernel /vmlinuz-2.4.18-10 ro root=/dev/hda6
initrd /initrd-2.4.18-10.img

You can also use a plain text password here but I prefer using the crypted one. Just remove the --md5 option and set the entry 'redhat'.

This gives a password prompt every time a user chooses to boot into Red Hat Linux.





From the Grub manual at http://www.mcc.ac.uk/grub/grub_9.htm
Quote:
9. Protecting your computer from cracking

You may be interested in how to prevent ordinary users from doing whatever they like, if you share your computer with other people. So this chapter describes how to improve the security of GRUB.

One thing which could be a security hole is that the user can do too many things with GRUB, because GRUB allows to modify its configuration and run arbitrary commands at run-time. For example, the user can read even `/etc/passwd' in the command-line interface by the command cat (see section 13.3.3 cat). So it is necessary to disable all the interactive operations.

Thus, GRUB provides password feature, so that only administrators can start the interactive operations (i.e. editing menu entries and entering the command-line interface). To use this feature, you need to run the command password in your configuration file (see section 13.2.10 password), like this:



password --md5 PASSWORD

If this is specified, GRUB disallows any interactive control, until you press the key p and enter a correct password. The option `--md5' tells GRUB that `PASSWORD' is in MD5 format. If it is omitted, GRUB assumes the `PASSWORD' is in clear text.

You can encrypt your password with the command md5crypt (see section 13.3.24 md5crypt). For example, run the grub shell (see section 15. Invoking the grub shell), and enter your password:



grub> md5crypt
Password: **********
Encrypted: $1$U$JK7xFegdxWH6VuppCUSIb.

Then, cut and paste the encrypted password to your configuration file.

Also, you can specify an optional argument to password. See this example:



password PASSWORD /boot/grub/menu-admin.lst

In this case, GRUB will load `/boot/grub/menu-admin.lst' as a configuration file when you enter the valid password.

Another thing which may be dangerous is that any user can choose any menu entry. Usually, this wouldn't be problematic, but you might want to permit only administrators to run some of your menu entries, such as an entry for booting an insecure OS like DOS.

GRUB provides the command lock (see section 13.3.21 lock). This command always fails until you enter a valid password, so you can use it, like this:



title Boot DOS
lock
rootnoverify (hd0,1)
makeactive
chainload +1

You should insert lock right after title, because any user can execute commands in an entry, until GRUB encounters lock.

You can also use the command password instead of lock. In this case the boot process will ask for the password and stop if it was entered incorrectly. Since the password takes its own PASSWORD argument this is useful if you want different passwords for different entries.


I haven't tried it myself, but I hope this helps.
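
Added example, not part of the original posts or the GRUB manual: a small Python check of a GRUB legacy menu.lst for the issues discussed in this thread (a cleartext "password" line, "lock" placed after other commands in an entry, and no global password). The function name, finding codes and sample file are constructed for illustration; it assumes a "password" line before the first "title" is the global one.

```python
import re

# Constructed sample in GRUB legacy menu.lst syntax; the hash is the one quoted above.
SAMPLE_MENU_LST = """\
timeout 10
password THISISMYPASSWORD

title Gentoo
password --md5 $1$JQQTV/$OK8zwwM5hTFI7m/i6AEl6/
root (hd0,1)
kernel /vmlinuz ro root=/dev/hda6

title Boot DOS
rootnoverify (hd0,1)
lock
makeactive
chainload +1
"""

def audit_menu_lst(text):
    """Return sorted (line_number, code) findings; line 0 means file-wide."""
    findings, lock_lines = [], []
    in_entry = False          # False while still in the global section
    cmds_in_entry = 0         # commands seen since the current "title"
    global_password = False   # assumption: "password" before any title is global
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept both "cmd args" and "cmd=args" spellings.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        cmd, args = parts[0], (parts[1].split() if len(parts) > 1 else [])
        if cmd == "title":
            in_entry, cmds_in_entry = True, 0
            continue
        if cmd == "password":
            global_password = global_password or not in_entry
            if not args or args[0] != "--md5":
                # Without --md5 the argument is the password itself.
                findings.append((lineno, "cleartext-password"))
        elif cmd == "lock":
            lock_lines.append(lineno)
            if cmds_in_entry > 0:
                # Commands before "lock" run for any user.
                findings.append((lineno, "lock-not-first"))
        if in_entry:
            cmds_in_entry += 1
    if not global_password:
        findings.append((0, "no-global-password"))
        findings += [(n, "lock-without-global-password") for n in lock_lines]
    return sorted(findings)
```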