Page 2 of 4 FirstFirst 1234 LastLast
Results 11 to 20 of 39

Thread: Grub 2 Password Protection

  1. #11
    Join Date
    Aug 2008
    Location
    South East Montana
    Beans
    6,153

    Re: Grub 2 Password Protection

    I am glad to hear that it isn't just me.

    Am fighting with several other things in 10.04 but will be getting back to this in a couple of weeks.
    Dell 480 XPS 3G ram Quad Core 2.40GHz, Radeon HD 2400 PRO, Audigy1, 3x320G HDD, 320G External, Debian Testing for use, Debian Squeeze for secure use, Debian Sid for FUN

  2. #12
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Grub 2 Password Protection

    Update:
    I just tried enabling the console mode in /etc/default/grub and in console mode both encrypted and unencrypted password/authentication works as it should. Of course, in this mode backgrounds will not be available.
    GRUB_TERMINAL=console
    Back to Xorg...

    Retired.

  3. #13
    Join Date
    Aug 2008
    Location
    South East Montana
    Beans
    6,153

    Re: Grub 2 Password Protection

    Wow, I was going to try that and was too chicken at the time. That is great.

    I will give it a whack one of these days on one of these installs on my box. If it works I will just slap that on the wifes.

    No background!! Oh My What Will We Do?

    Security or Background? That is a tough one.

    My main use of backgrounds is to use the wallpaper from the install supplying grub at the time so I know at a glance which I am using. I bet if I have one with a black background I can tell it too.

    The Wifes background is very nice but you don't see it for very long. I think she will get over it and she only needs that security when away anyway. Two sets of the needed files and we are all set. One secure and the other not so secure.

    Thanks a bunch.
    Dell 480 XPS 3G ram Quad Core 2.40GHz, Radeon HD 2400 PRO, Audigy1, 3x320G HDD, 320G External, Debian Testing for use, Debian Squeeze for secure use, Debian Sid for FUN

  4. #14
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Grub 2 Password Protection

    Quote Originally Posted by ranch hand View Post
    Wow, I was going to try that and was too chicken at the time. That is great.
    Thanks a bunch.
    I was pleasantly surprised that it worked, even with the encrypted password using grub-mkpasswd_pbkdf2.

    I should note the encrypted passwords are available in Grub 1.98+ (Lucid) or the experimental branches, not in Karmic and 1.97~beta.

    @ ranch hand: I'm off for a week, so I expect you to have everything Grub 2-related solved by the time I get back.


    Caution Added: In playing a bit with this, I found that encrypted function still isn't working as it should. When trying to get into the edit mode I get the username and p/w prompts, but then it takes me back to the main menu. Without editing capability, make sure you have at least one entry you know will work, otherwise you won't be able to try to recover a boot via command line or editing.

    Update 3/8/2010: With build 1.98~20100128-1ubuntu4 the encrypted passwords are working fine if I have GRUB_GFXMODE=console as the option in /etc/default/grub. When attempting to use it in gfxterm mode the password mode still seems to hang.
    Last edited by drs305; March 8th, 2010 at 08:59 PM.
    Back to Xorg...

    Retired.

  5. #15
    Join Date
    Aug 2008
    Location
    South East Montana
    Beans
    6,153

    Re: Grub 2 Password Protection

    While my wifes box does run 9.10, it also is running grub1.98. I have access to the 10.04 repo.

    I have a sources.list.lizard (10.04 is called Lounge Lizard isn't it) that just has the main lucid repo on it.

    Change the name of the real sources list to sources.list.kinky (9.10+Kinky Kitty) and drop the .lizard and you can have the newest kernel and grub if you want them.

    Kinky runs real well on 2.6.32 by the way. My wifes just runs on 31. I just want it stable. It will get upgraded to the Lizard when System76 says it will work with their drivers. I may try them before that but not on hers.

    EDIT
    I have no idea what you are off to but have FUN.
    Dell 480 XPS 3G ram Quad Core 2.40GHz, Radeon HD 2400 PRO, Audigy1, 3x320G HDD, 320G External, Debian Testing for use, Debian Squeeze for secure use, Debian Sid for FUN

  6. #16
    Join Date
    Jun 2007
    Beans
    66

    Re: Grub 2 Password Protection

    hi

    first, thansk for the infos

    i just tried it and i have 2 questions

    how can i do the protect "only" the command line edit with the "e" key or console

    so anyone can boot, but only superuser can edit the menu, is it possible ?

    and second question:

    is it possible to change the keymap in grub2 ? i looked all the files but can t find anything for it

    thx

    ++

  7. #17
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Grub 2 Password Protection

    Quote Originally Posted by smo View Post
    how can i do the protect "only" the command line edit with the "e" key or console

    so anyone can boot, but only superuser can edit the menu, is it possible ?

    ...

    is it possible to change the keymap in grub2 ? i looked all the files but can t find anything for it
    I have very limited experience with the keymap issue. I know you can add items such as "keymap=us" or "keymap=qwerty" to either of these lines in /etc/default/grub:
    GRUB_CMDLINE_LINUX_DEFAULT=
    GRUB_CMDLINE_LINUX=
    I have also used "setkmap=us" in the linux line of a custom menu entry for mounting ISOs. That is the limit of my knowledge on keymaps in Grub2 I'm afraid.


    As for the first question you asked, this is one of the things I like about the forums. Sometimes it takes a bit of thought to come up with a solution to an unanticipated request.

    If a superuser and password are set the entire menu is locked for editing menuentries or entering the Grub2 command line.

    Here is what I came up with regarding your request - locking the edit feature (and also command line):

    1. Make at least one scripted entry password-protected, such as the recovery mode. If there is one password-enabled entry, only the superuser can edit or use the terminal. No other entries would require any user to use a password.

    2. A solution that meets your requirements (all entries accessible) could be done by adding an entry into /etc/grub.d/40_custom. You could make it invisible, or add a message either at the top or bottom of the real menu. (For the bottom, make the entry in 40_custom; for the top, rename the file 06_custom). The actual entry, other than the title, wouldn't boot to anything. I've used the "insmod ext2" command since it is already used in my existing grub.cfg entries.

    Here are two examples.

    Invisible:
    cat << EOF
    menuentry " " --users superman {
    insmod ext2
    }
    EOF
    Welcome message in 06_custom:
    cat << EOF
    menuentry "Welcome. You Have 10 Seconds to Select a New Entry." --users superman {
    insmod ext2
    }
    EOF
    Make sure you have added at least the superuser and password in the 00_header file as described in the first post and then update grub.
    Back to Xorg...

    Retired.

  8. #18
    Join Date
    Dec 2006
    Beans
    61

    Re: Grub 2 Password Protection

    Thanks for your excellent Howto. I have been using the manual way of editing grub.cfg - the editing calls for helper-programs to pull trough and if you don't have them dont't even try. But when editing by hand there is no need to touch any configuration-files in any condition and there are no limits to what you can edit. But anyway password-protection operates just as you said. My grub.cfg in it's entirety is as follows:

    set timeout=5
    set default="Lucid-1, 2.6.32-18-generic, sda1"

    # Superuser petteri's password is 1234 in the context of editing menuline when booting or going to commandline; it is not the usual 'sudo-password'. Normal user osmo can boot Lucid-2 wit password 4321; other users cannot boot it at all.
    set superusers="petteri"
    password petteri 1234
    password osmo 4321

    menuentry "Lucid-1, 2.6.32-18-generic, sda1" --class ubuntu --class gnu-linux --class gnu --class os {
    insmod ext2
    set root='(/dev/sda,1)'
    search --no-floppy --fs-uuid --set df4b9966-28ad-41b3-936d-fa5470865131
    linux /boot/vmlinuz-2.6.32-18-generic root=UUID=df4b9966-28ad-41b3-936d-fa5470865131 ro quiet splash
    initrd /boot/initrd.img-2.6.32-18-generic
    }

    menuentry "Lucid-2, sda2" --users osmo {
    configfile (hd0,2)/boot/grub/grub.cfg
    }

  9. #19
    Join Date
    Dec 2007
    Location
    Louvain-la-Neuve
    Beans
    175
    Distro
    Xubuntu 13.10 Saucy Salamander

    Re: Grub 2 Password Protection

    Thank you very much for the how-to. I tried password protecting without encryption on lucid and it worked right away. I can't afford trying the risky encryption thing because I am on vacation, without a live-cd, and my connection is over my mobile phone...

    There was this trick suggested in the forums for the previous version of grub, in which instead of encryption, the permitions of menu.lst were changed in order to prevent unauthorized users from reading the unencrypted password from within the file.... could something like this work in this case? like changing the permitions of 00_header and grub.cfg files? (unfortunately I can't test it myself because I'd be left helpless without an OS in case of a failure... anyhow... I'll probably check this out when I get home)


    Thanks again for the thread!

  10. #20
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Grub 2 Password Protection

    eotakos,

    I just did a simple "sudo chmod -r <path/filename>" on /boot/grub/grub.cfg and /etc/grub.d/00_header.
    Code:
    sudo chmod -r /boot/grub/grub.cfg /etc/grub.d/00_header

    Without the +r attribute, a normal user can't use "cat" or open the file for viewing without admin privileges. The update-grub command worked fine and any of the commands combined with "sudo" or "gksudo" worked normally.
    Back to Xorg...

    Retired.

Page 2 of 4 FirstFirst 1234 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •