Page 1 of 4 123 ... LastLast
Results 1 to 10 of 39

Thread: Grub 2 Password Protection

  1. #1
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Grub 2 Password Protection

    This page has been migrated to the Ubuntu Community Documentation site. For the most up-to-date information, please visit:
    https://help.ubuntu.com/community/Grub2/Passwords

    The above page is a sub-page of the main community documentation regarding https://help.community/Grub2/.

    Thank you to all the users who posted in these threads and expanded our knowledge of Grub 2 since it's introduction.

    A thread for discussion of the wiki can be found at http://ubuntuforums.org/showthread.php?p=12073029


    Support threads regarding the wiki and it's content should be created in a suitable forum.

    ------

    Grub 2 Password Protection


    1. Introduction
    2. How It Works
    3. Warnings & Cautions
    4. Setup
    5. Protecting All Menu Items
    6. Examples (PW Protect Windows Recovery)
    7. Password Encryption - grub-mkpasswd-pbkdf2
    8. Internal Links
    9. External Links


    1. Introduction to Grub 2 Basic Password Protection
      Password protection in Grub 2 is still being developed and its behavior may change in future updates. In this guide, when the term "Grub 2" is used it refers to the version of Grub 2 (grub-pc) available in the main Ubuntu repository. Any time Grub 2 is updated, the user should note whether their password protection is still working as expected.
      These instructions are primarily for 1.98. Advanced capabilities such as encrypted passwords which have been introduced in Grub 1.98 are still being worked on. Some of the advancements work well while others do not.

      • This is basic password security. The username/password are unencrypted; anyone having physical access to the machine and more than an elementary knowledge of how Linux works will be able to access the configuration files and bypass this feature. Encrypted password protection is on the horizon and available in an experimental version of Grub 2 (see "The Future" section below).
      • Grub 2 can set password protection on specific menuentries and for specific users. For example, "John" can access Ubuntu but not the Windows recovery mode, which is only accessible by "Bill", the superuser.
      • Automatic password protection has not yet been automated. Menuentries must be identified manually by editing the Grub 2 /etc/grub.d/ scripts such as 10_linux and 30_os-prober.
      • If password protection is enabled, even if for only one entry, and even if not for the superuser, the superuser name and password are required to gain access to the Grub 2 command line and menu-editing modes.
      • The username and/or password do not have to be the same as the Ubuntu logon name/password.


    2. How It Works
      • To enable basic password protection, the user/administrator must add a superuser (and other users if desired) and password(s) to the /etc/grub.d/00_header* file and manually designate which menuentries require a password in the /etc/grub.d/ files.
      • The Grub 2 menu can include both password-protected and non-protected entries.
      • Once the password feature is enabled the Grub 2 menu will appear as it does normally. When a selection requiring a password is required, the user will be prompted to enter the correct username and password. If entered correctly, the selected menuentry will continue to boot. If incorrect, the user will be returned to the Grub 2 menu.
      • If Grub 2 is set up to boot directly to a password-protected menuentry without displaying a menu, the username/password prompt will appear and booting will not occur until they are correctly entered.
      • Here is a sample menu with passwords enabled, provided by one of the Grub 2 developers:
        set superusers="user1"
        password user1 password1
        password user2 password2

        menuentry "GNU/Linux" {
        set root=(hd0,1)
        linux /vmlinuz
        }

        menuentry "Windows" --users user2 {
        set root=(hd0,2)
        chainloader +1
        }
        • user1 is the designated superuser. This user can boot any menuentry, edit items in the Grub 2 menu during boot, and use the Grub 2 command line.
        • Anyone can boot GNU/Linux
        • Only user2 and the superuser can boot Windows in this example.
      • * Technically, the superuser/user information and password do not have to be contained in the /etc/grub.d/00_header file. The information can be placed in any /etc/grub.d file as long as that file is incorporated into grub.cfg. The user may prefer to enter this data into a custom file, such as /etc/grub.d/40_custom so it is not overwritten should the Grub package be updated. If placing the information in a custom file, do not include the "cat << EOF" and "EOF" lines as the content is automatically added from these files.


    3. Warnings & Cautions

      • Errors in creating a password-protected Grub 2 menu may result in an unbootable system. To restore a system with broken passwords, access and edit the Grub 2 configuration files using the LiveCD or another OS.
      • If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing "e" or use the command line by pressing "c".
      • Caution: If Grub 2 is set up to boot automatically to a password-protected menuentry the user has no option to back out of the password prompt to select another menuentry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem.


    4. Setting Up Password Protection
      There are three steps to enabling Grub 2 password protection. The user must set up the authorized users, designate the password(s), and identify the password-protected menuentries in the /etc/grub.d/ scripts.


      1. Superuser & Password Designation (Required)
        A superuser must be designated. This superuser can access any menuentry, edit the menuentries in the Grub 2 menu by pressing "e", or invoke the Grub 2 command line mode.


        • Add the following the bottom of /etc/grub.d/00_header
          cat << EOF
          set superusers="user1"
          password user1 password1
          EOF
          Example:
          cat << EOF
          set superusers="superman"
          password superman 1234
          EOF


      2. Other Users (Optional)
        Other users can be identified and given a password. A designated user can access unprotected and his/her own menuentries.


        • Add the following the bottom of /etc/grub.d/00_header
          cat << EOF
          set superusers="user1"
          password user1 password1
          password user2 password2
          EOF
          Example:
          cat << EOF
          set superusers="superman"
          password superman 1234
          password bill 5678
          EOF


      3. Designating Menuentries for Password Protection
        Once the superuser/other users and their password(s) are established, the entries to be protected must be identified. Currently Grub 2 adds no password protection to any entries upon establishment of a superuser and password in /etc/grub.d/00_header. (Note: This may change. See "The Future" section below.) Each menuentry must be identified and modified.

        Scripts can be used to tailor entries for specific menuentries. See the "Scripts" section for examples. The remainder of this section will explain how to change the main script files in /etc/grub.d/ to set up password protection for entire classes of menuentries (Linux on the main partition, OSs on other partitions, memtest86+, etc). Remember that editing the /boot/grub/grub.cfg file directly is discouraged.

        For protecting specific menuentries, another option is to add entries to the /etc/grub.d/40_custom file and disable the applicable script file in the same folder. For example, copy the Windows entries from /boot/grub/grub.cfg to 40_custom, add "--users user1" to the desired entry (such as the Windows recovery partition) and then remove the executable bit from /etc/grub.d/30_os-prober.


        • Password protect all Linux kernels on the main partition: /etc/grub.d/10_linux:

          From newer Grub2 versions (1.98-1ubuntu5)(approximately line 74):
          printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}" {
          To allow the superuser only:
          printf "menuentry --users user1 '${title}' ${CLASS} {\n" "${os}" "${version}" {
          Example to permit access by only the superuser (superman):
          printf "menuentry --users superman '${title}' ${CLASS} {\n" "${os}" "${version}" {
          Example to permit access by the superuser (superman) and bill (Note, for multiple users, separate the names with a comma - bill,john,jill):
          printf "menuentry --users bill '${title}' ${CLASS} {\n" "${os}" "${version}" {
          From older Grub2 versions (approximately line 59):
          menuentry "$1" {
          To allow the superuser only:
          menuentry "$1" --users user1 {
          Example to permit access by only the superuser (superman):
          menuentry "$1" --users superman {
          Example to permit access by the superuser (superman) and bill:
          menuentry "$1" --users bill {




        • Password protect the Recovery Mode option: /etc/grub.d/10_linux Also make the change as described in the /etc/grub.d/00_header section above.
          For GNU GRUB 1.98-1ubuntu12. change this section to the following (add the user information and include the 'printf' line inside each conditional rather than following them:
          if ${recovery} ; then
          title="$(gettext_quoted "%s, with Linux %s (recovery mode)")"
          printf "menuentry '${title}' ${CLASS} --users drs305 {\n" "${os}" "${version}"
          else
          title="$(gettext_quoted "%s, with Linux %s")"
          printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
          fi
          From (GNU GRUB 1.98-1ubuntu5):
          printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
          To:
          if ${recovery} ; then
          printf "menuentry '${title}' --users user1 ${CLASS} {\n" "${os}" "${version}"
          else
          printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
          fi


        • Password protect the memtest86+ option: /etc/grub.d/20_memtest[/B] . Also make the change as described in the /etc/grub.d/00_header section above.
          menuentry "Memory test (memtest86+)" --users superman {
          Additional memtest86+ entries (from other partitions) may also be located in this file. The line will start with "menuentry". Change these lines as desired.



        • Password protect kernels/operating systems on other partitions: /etc/grub.d/30_os-prober. Also make the change(s) as described in the /etc/grub.d/00_header section above.

          Linux entries on other partitions:
          menuentry "${LLABEL} (on ${DEVICE})" --users superman {
          Other Operating Systems, including Windows:
          menuentry "${LONGNAME} (on ${DEVICE})" --users superman {
          OSX entries (in the macosx) section:
          menuentry "${LONGNAME} (on ${DEVICE})" --users superman {

        Save the files, run "sudo update-grub", and reboot.


    5. Protecting All Entries
      Grub 2 password protection is still evolving. Currently password protection must be assigned to each menuentry. Protecting the entire menu from editing can be accomplished by adding the superuser and password without designating a specific menuentry.

      For now, there is no automatic method in Grub 2 to password-protect every menu item. At some point it is expected that this feature will be incorporated in grub-mkconfig. For now this can be accomplished by running the following command(s).

      Before rebooting make sure you have added the "superuser" and password to etc/grub.d/00_header and inspect /boot/grub/grub.cfg to ensure you achieved the desired results.

      Notes:
      • The way Grub 2 assigns password protection may change. Currently the default is for menuentries to be unlocked. The developers are considering making the passwords mandatory for all entries once a superuser is designated. The superuser would then be able to unlock entries. If this feature is incorporated in the Ubuntu version of Grub 2 I will update these instructions.
      • The first two ccommands make backups of the files to be modified.
      • filename(s) should be replaced by the specific script file names you wish to change. These files are located in /etc/grub.d/ and include 10_linux, 20_memtest86+, and 30_os-prober. You can include one or more in the commands.


      Code:
      sudo mkdir /etc/grub.d.backup
      sudo cp /etc/grub.d/* /etc/grub.d.backup
      sudo sed -i -e '/^menuentry /s/ {/ --users user1 {/' filename(s)
      Example:
      Code:
      sudo sed -i -e '/^menuentry /s/ {/ --users superman {/' /etc/grub.d/10_linux  /etc/grub.d/20_memtest86+ /etc/grub.d/30_os-prober /etc/grub.d/40_custom
      To undo the previous command, run:
      Code:
      sudo sed -i -e '/^menuentry /s/ --users user1 {/ {/' filename(s)
      Example:
      Code:
      sudo sed -i -e '/^menuentry /s/ --users superman[/B] {/ {/' /etc/grub.d/10_linux  /etc/grub.d/20_memtest86+ /etc/grub.d/30_os-prober /etc/grub.d/40_custom
      Save the files, run "sudo update-grub", and reboot. At the Grub 2 menu, you will be presented with the normal menu. When you make a selection, a prompt will ask for the username and password.

    6. Examples


      • Password Protect the Windows Recovery Partition

        Note: See the Grub 2 Title Tweaks thread if you want to remove the Windows Recovery option from the menu entirely.

        1. Determine the Windows Recovery partition (sda1, sda2, etc).
        2. Add the desired username and password as described in Section 4A and 4B to /etc/grub.d/00_header.
        3. Open /etc/grub.d/30_os-prober for editing:
          Code:
          cd /etc/grub.d/
          sudo cp 30_os-prober 30_os-prober.bak # Make a backup copy
          sudo chmod -x 30_os-prober.bak        # Remove executable bit
          gksu gedit 30_os-prober &
          Change the following (approximately line 100)
          From:
          cat << EOF
          menuentry "${LONGNAME} (on ${DEVICE})" {
          EOF
          To:
          if [ ${DEVICE} = "/dev/sdXY" ]; then
          cat << EOF
          menuentry "${LONGNAME} (on ${DEVICE})" --users user1 {
          EOF
          else

          cat << EOF
          menuentry "${LONGNAME} (on ${DEVICE})" {
          EOF

          fi
          Example setting protection on sda2 for user superman:
          if [ ${DEVICE} = "/dev/sda2" ]; then
          cat << EOF
          menuentry "${LONGNAME} (on ${DEVICE})" --users superman {
          EOF
          else
          cat << EOF
          menuentry "${LONGNAME} (on ${DEVICE})" {
          EOF
          fi
        4. Save the file, then run:
          Code:
          sudo update-grub
          You can use the same concept on other menuentries. Rather than using the partition designation {DEVICE}, you could use other unique identifying variables, such as . The title variable depends on the operating system. Examples include {LONGNAME} or {LLABEL}.

          My thread on Grub 2 Title Tweaks may give you some ideas of how to alter the basic scripts to suit your needs.


    7. Password Encryption - grub-mkpasswd-pbkdf2

      Although Grub 2 encrypted password protection has been available in all versions of Grub 2, it was initially a bit buggy. Forum member georgemc in Post #35 reported that it was working in Grub 1.99 (Natty) and my subsequent tests confirm his findings.

      One of the drawbacks of the password set up discussed so far is that the passwords are entered in plain text in the Grub 2 files. While physical access to the computer cannot prevent access, the measure of security can be greatly enhanced by using Grub 2's grub-mkpasswd-pbkdf2 command. This command converts your desired password into a very long alphanumeric code which is placed in the Grub 2 files. Your actual password is no longer visible in the Grub 2 scripts.

      Note: If you are going to experiment with encrypted passwords, make sure you have at least one good non-password protected menuentry to boot or you may not be able to log on if you encounter problems.


      • To generate an encrypted password, open a terminal and run the following command:
        • Code:
          grub-mkpasswd-pbkdf2
          • Enter the desired password, the reenter it when prompted.
          • Copy the resulting code. In a terminal, highlight the code and CTRL-SHIFT-c to place it in memory.
          • Paste the code after the username(s). Pasting can be accomplished in a text editor by either CTRL-v or middle mouse click.
          • Example (shortened for formatting purposes):
          • password_pbkdf2 drs305 grub.pbkdf2.sha512.10000.71C5B50F5ECB0EE953AB18568 4FABAC


        • The format for an encrypted password entry in /etc/grub.d/00_header would look similar to:
          • set superusers="drs305"
            password_pbkdf2 drs305 <some really long alphanumeric entry generated from the grub-mkpasswd-pbkdf2 command>


    8. Internal Links by the Author
      Grub 2 Title Tweaks
      Grub 2 Basics
      Grub 2 Common Tasks

    9. External Links
      Grub Wiki:Authentication
      Felix Ziecle's Experimental Grub PPA
      Grub 2 Community Doc
    Last edited by drs305; July 4th, 2012 at 12:00 AM. Reason: Wiki migration notice.
    GRUB2

    Retired.

  2. #2
    Join Date
    Jan 2008
    Location
    Atlanta GA
    Beans
    220
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Grub 2 Password Protection

    What if you have an older grub?
    A wise man listens to an opinion and tries to develop his own but a foolish man listens to an opinion and except it as fact.

  3. #3
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Grub 2 Password Protection

    Quote Originally Posted by supertails View Post
    What if you have an older grub?
    I would prefer to keep this thread about Grub 2 but should probably have included a link for Grub Legacy users. For those seeking the answer to the same question, here is a link concerning Grub and password protection:
    HOWTO: Password protect your GRUB entries
    GRUB2

    Retired.

  4. #4
    Join Date
    Aug 2008
    Location
    South East Montana
    Beans
    6,153

    Re: Grub 2 Password Protection

    In section 2 you have;
    To enable basic password protection, the user/administrator must add a superuser (and other users if desired) and password(s) to the /etc/default/00_header file and manually designate which menuentries require a password in the /etc/grub.d/ files.
    What /etc/default/00_header file? I have grub1.96 on PhatDebian and 9.04, grub1.97beta4 on some 9.10 versions (3) and grub1.98 on all 10.04 installs. None of these has a /etc/default/00_header file.

    Am I missing some thing or is that a typo?

    I have a System76 laptop coming for my Silversmith wife and want a little more protection as she will be taking it to shows. This means that I am playing with this now to figure out how to set her box up.

    I am going to try this with one of my 9.10 respins assuming it is a typo.
    Dell 480 XPS 3G ram Quad Core 2.40GHz, Radeon HD 2400 PRO, Audigy1, 3x320G HDD, 320G External, Debian Testing for use, Debian Squeeze for secure use, Debian Sid for FUN

  5. #5
    Join Date
    Aug 2008
    Location
    South East Montana
    Beans
    6,153

    Re: Grub 2 Password Protection

    Well, that is slicker than grass through a goose.

    Created a superuser and a second user. Require superuser for Zenix and second user for Stone Edition1.2.

    Log in with superuser was great on both and second user had no trouble logging in to Stoner. Left the others "open".

    Switched grub back to this OS and booted to Zenix login with no trouble so I can forget I did that and be cool (people wonder why I have so many OS' on my test drive).

    I really love the ease of switching the boot/root from one OS to another in grub2. What a great boot loader it is.
    Dell 480 XPS 3G ram Quad Core 2.40GHz, Radeon HD 2400 PRO, Audigy1, 3x320G HDD, 320G External, Debian Testing for use, Debian Squeeze for secure use, Debian Sid for FUN

  6. #6
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Grub 2 Password Protection

    Quote Originally Posted by ranch hand View Post
    In section 2 you have;

    What /etc/default/00_header file? I have grub1.96 on PhatDebian and 9.04, grub1.97beta4 on some 9.10 versions (3) and grub1.98 on all 10.04 installs. None of these has a /etc/default/00_header file. .
    It's /etc/grub.d/00_header. It's referenced that way in all but the general overview. I've corrected it.
    GRUB2

    Retired.

  7. #7
    Join Date
    Aug 2008
    Location
    South East Montana
    Beans
    6,153

    Re: Grub 2 Password Protection

    I bought a System 76 laptop for my wife with 9.10 installed. We had a little problem with grub1.97beta4 and it now is running grub1.98.

    In 1.97beta4 the password protection did work fine.

    Trying it in 1.98 turned out to be a bad mistake. The username prompt comes up and looks right but there is a cursor prompt like flasher double spaced below it and you can't enter a name. Hitting enter gives you the password prompt with the same thing.

    It was exciting because, like an idiot, I had protected all entries.

    For now anyway, in case some one is thinking about trying this in grub1.98, I would not do it. If you do, at least be smart enough to leave an unprotected one until you have tested real well. It wastes a lot of time fixing stupid mistakes.
    Dell 480 XPS 3G ram Quad Core 2.40GHz, Radeon HD 2400 PRO, Audigy1, 3x320G HDD, 320G External, Debian Testing for use, Debian Squeeze for secure use, Debian Sid for FUN

  8. #8
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Grub 2 Password Protection

    Thanks for the report ranch hand. I mention in the original post that this guide is for 1.97~beta, which is the standard for Karmic. Several times I thought I could update it for 1.98 for Lucid but my results have been mixed and decided not to. However, I can and will add a note that the instructions are only for 1.97~beta for now.
    GRUB2

    Retired.

  9. #9
    Join Date
    Aug 2008
    Location
    South East Montana
    Beans
    6,153

    Re: Grub 2 Password Protection

    Yes, that is probably a good idea.

    I did read that and took note of it too. Little things like that do not stop me from trying it though.

    I should be smart enough, particularly on the wifes box, to do these things with care. I sure wasn't that time.

    What is really silly is that there is a boot password option in bios that I really should try. I can get back to that to change it easier. Yes, I do have a password to access the bios.

    She will be taking this to shows (Silversmith) and I would like some security on the bugger. It is pretty good right now unless someone trying to get in is a Linux user.
    Dell 480 XPS 3G ram Quad Core 2.40GHz, Radeon HD 2400 PRO, Audigy1, 3x320G HDD, 320G External, Debian Testing for use, Debian Squeeze for secure use, Debian Sid for FUN

  10. #10
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Grub 2 Password Protection

    I am looking for feedback on password protection in Lucid A3. I am currently not able to get password protection to work in A3. (Latest grub build 1.98~20100128-1ubuntu3).

    I can generate passwords with "grub-mkpasswd-pbkdf2".
    I can import the passwords from 00_header into grub.cfg as normal.

    With either encrypted or unencrypted passwords in Lucid, the Grub menu hangs and does not respond most of the time. When I can get to the username/password entries, it allows me enter a username (after a lengthy delay) but reverts to the menu as I type the password.

    If anyone is successfully using passwords in Grub 2 with Lucid, please say which version you are using and if you had to do anything special to get it working.
    GRUB2

    Retired.

Page 1 of 4 123 ... LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •