6

How to setup Boot password protection for Grub2 Entries

view full story
linux-howto

http://ubuntuguide.net – Since Ubuntu 9.10 uses Grub2 as default boot loader,we cannot use the previous way to set password protection for grub entries.Grub 2 currently supports unencrypted password protection. Encrypted password protection using PBKDF2, as well as password scripting, is currently under development. This post comes from Ubuntuforums and shows how to set up basic password protection. No user will be able to access the system unless the designated username and password specified in /etc/grub.d/00_header are entered. Notes: Grub 2 has the ability to set password protection on individual menuentries and/or for specific users. Although multilevel access by more than one user is possible, it has not yet been automated and is beyond the scope of this guide. I will try to create a specific Password HOWTO as time permits. The username and password will also be required to gain access to the Grub 2 command line and menu editing modes. The username and/or password do not have to be the same as the Ubuntu logon name/password. This is basic password security. The name/password are unencrypted; anyone having physical access to the machine and more than an elementary knowledge of how Linux works will be able to access the configuration files and bypass this feature. Grub 2 password protection is still evolving. Currently (Grub 1.97beta4) password protection must be assigned to each menuentry as described below. There is a chance the password feature will be revised so that all entries are protected by default. If and when this feature is incorporated in Grub 2, password protection can be eliminated for a specific menuentry by adding “(–unlock)” on the menuentry line. More information will be posted here as it becomes available. Warning: Errors in creating a password-protected Grub 2 menu may result in an unbootable system. To restore a system with broken passwords, access and edit the Grub 2 configuration files using the LiveCD or another OS. Now,let’s start following steps to create password protection.You’d better make a backup before changing a file. Step1: Add the following the bottom of /etc/grub.d/00_header cat << EOF set superusers="myname" password myname 1234 EOF here “myname” and “1234″ after “password” are the username and password you need to type to access grub entries.Change them to what you want. Step2: Change the following in /etc/grub.d/10_linux to password protect Linux installations on the main partition: from: menuentry "$1" { to: menuentry "$1" --users myname { Note:This is what I change in my 64-bit machine: printf "menuentry \"${title}\" --class linux --users myname {\n" "${os}" "${version}" Step3: Change the following in /etc/grub.d/20_memtest to password protect the memtest86+ option: from: menuentry "Memory test (memtest86+)" { to: menuentry "Memory test (memtest86+)" --users myname { Additional memtest86+ entries (from other partitions) may also be located in this file. The line will start with “menuentry”. Change these lines as desired. Step4: Change the following in /etc/grub.d/30_osprober to password protect kernels/operating systems on other partitions.Look for any line in /etc/grub.d/30_osprober which begins with “menuentry”. menuentry "${LONGNAME} (on ${DEVICE})" { menuentry "${LLABEL} (on ${DEVICE})" { Make the change as described in previous step. Step5: Finally,requiring a password for every menuentry in a file can be added using the following command: sudo sed -i -e '/^menuentry /s/ {/ --users myname {/' /etc/grub.d/10_linux /etc/grub.d/20_memtest86+ /etc/grub.d/30_os-prober /etc/grub.d/40_custom To undo this command: sudo sed -i -e '/^menuentry /s/ --users myname {/ {/' /etc/grub.d/10_linux /etc/grub.d/20_memtest86+ /etc/grub.d/30_os-prober /etc/grub.d/40_custom Save the files, run sudo update-grub, and reboot. At the Grub 2 menu, you will be presented with the normal menu. When you make a selection, a prompt will ask for the username and password. Thanks drs305,click following link to see complete Grub2 Guide: http://ubuntuforums.org/showthread.php?t=1195275 Share Related posts: Manually adding/removing entries to Grub 2 Menu Add OS logos into Grub2 boot menu using BURG Reset the forgotten password in Ubuntu (HowTos)