[opensuse] Grub security doubt
Hi, I have encrypted the password for increased security, executed the command 'grub-md5-crypt' in a shell (as root). One will be asked for the password. After the password is entered, it will be displayed in encrypted form:

    linux:~ # grub-md5-crypt
    Password:
    Retype password:
    $1$xmY1P/$wL6rbH2VC2L5IT8GivtytyeLq.

I appended this string ('$1$xmY1P/$wL6rbH2VC2L5IT8GivtytyeLq') to the global section of the file '/boot/grub/menu.lst'. The option that needs to be appended is 'password --md5'. The section looked as follows:

**********
    # Modified by YaST2. Last modification on Tue Jan 17 18:55:10 IST 2012
    # THIS FILE WILL BE PARTIALLY OVERWRITTEN by perl-Bootloader
    # Configure custom boot parameters for updated kernels in /etc/sysconfig/bootloader
    default 0
    #timeout 8
    password --md5 $1$xmY1P/$wL6rbH2VC2L5IT8GivtytyeLq.
    ##YaST - generic_mbr
    gfxmenu (hd0,0)/boot/message
    ##YaST - activate
    ........................
    ........................
**********

So now, when I boot into the PC, I have to press 'p' and enter the password, and this is what is expected. But when logging in _when_ I don't press 'p' (to enter the password and boot) but only long press Enter, I get booted, so why is the above option (of appending the grub-md5 password to the global section of the '/boot/grub/menu.lst' file) not working in this particular case? Since implementing the above should block both - the normal logging in (until the password is entered) and interactive editing too.

Thanks.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Mon, Feb 27, 2012 at 01:52:31PM +0530, PM wrote:
[ 8< ]
> So now, when I boot into the PC, I have to press 'p' and enter the password and this is what which is expected. But when logging in _when_ I don't press 'p' (to enter the password and boot) but only long press Enter, I get booted, so why the above option (of appending the grub-md5 password to the global section of '/boot/grub/menu.lst' file) is not working in this particular case?

It's working but different than you expected. The password protects against modifications of the kernel command line. IIRC that's all it provides. And it's the way I used it in the past.

Lars
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Mon, Feb 27, 2012 at 3:02 PM, Lars Müller <lmuelle@suse.de> wrote:
> It's working but different than you expected. The password protects against modifications of the kernel command line. IIRC that's all it provides. And it's the way I used it in the past.
Can you please elaborate a little? It doesn't block the logging in but only the kernel editing (or interactive editing...?)..? Thanks.
On Mon, Feb 27, 2012 at 08:02:39PM +0530, PM wrote:
> On Mon, Feb 27, 2012 at 3:02 PM, Lars Müller <lmuelle@suse.de> wrote:
> > It's working but different than you expected. The password protects against modifications of the kernel command line. IIRC that's all it provides. And it's the way I used it in the past.
> Can you please elaborate a little? It doesn't block the logging in but only the kernel editing (or interactive editing...?)..?
It prevents from getting additional arguments passed to the soon booted kernel. You aren't able to modify the arguments as they're set in the menu.lst file. As you have configured this it should be very easy to try.

Have you also tried a different position of the password line in the menu.lst file? I've never used one as part of the actual kernel and initrd configuration. Please try something like this in your /boot/grub/menu.lst file:

    title openSUSE 12.1 - 3.1.9-1.4
        root (hd0,5)
        kernel /vmlinuz-3.1.9-1.4-default root=/dev/disk/by-uuid/...
        initrd /initrd-3.1.9-1.4-default
        password --md5 <your_md5_hash>

If this works please check the openSUSE wiki and update it. Thanks!

Lars
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Mon, Feb 27, 2012 at 8:23 PM, Lars Müller <lmuelle@suse.de> wrote:
> It prevents from getting additional arguments passed to the soon booted kernel.
> You aren't able to modify the arguments as they're set in the menu.lst file.
> As you have configured this it should be very easy to try.
> Have you also tried a different position of the password line in the menu.lst file?
> I've never used one as part of the actual kernel and initrd configuration.
> Please try something like this in your /boot/grub/menu.lst file:
>
>     title openSUSE 12.1 - 3.1.9-1.4
>         root (hd0,5)
>         kernel /vmlinuz-3.1.9-1.4-default root=/dev/disk/by-uuid/...
>         initrd /initrd-3.1.9-1.4-default
>         password --md5 <your_md5_hash>
>
> If this works please check the openSUSE wiki and update it. Thanks!
Well I tried and finally got to know that I appended the word 'lock' just below the title bar of each -- (i) openSUSE and (ii) Failsafe, so now even the long pressing Enter doesn't allow to get booted. Found it here ultimately, http://tr.opensuse.org/SDB:Setting_a_Password_for_the_Boot_Manager_GRUB however, seeing other options too...if ...... Thanks.
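Added example (not part of the original thread or of openSUSE's tooling): a small Python check of a GRUB legacy menu.lst for the situation resolved above, where a global password line alone blocks editing but every entry still boots. The sample file is constructed, the function name audit_menu_lst is hypothetical, and the rule that lock only takes effect when a global password is set is stated from GRUB legacy behaviour, not from the thread.

```python
import re

# Constructed sample modelled on the menu.lst described in the thread;
# <your_md5_hash> is a placeholder, not a real hash.
SAMPLE = """\
default 0
#timeout 8
password --md5 <your_md5_hash>

title openSUSE
    lock
    root (hd0,5)
    kernel /vmlinuz root=/dev/sda6
    initrd /initrd

title Failsafe
    root (hd0,5)
    kernel /vmlinuz root=/dev/sda6 failsafe
    initrd /initrd
"""

def audit_menu_lst(text):
    """Return (has_global_password, [(title, status), ...])."""
    global_pw = False
    entries = []                      # each item: [title, set of commands]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                  # blank line or comment
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        cmd = parts[0].lower()
        if cmd == "title":
            entries.append([parts[1] if len(parts) > 1 else "", set()])
        elif entries:
            entries[-1][1].add(cmd)   # command inside the current entry
        elif cmd == "password":
            global_pw = True          # password line in the global section
    report = []
    for title, cmds in entries:
        if "password" in cmds:
            status = "protected"      # entry asks for its own password
        elif "lock" in cmds and global_pw:
            status = "protected"      # lock relies on the global password
        else:
            status = "boots without password"
        report.append((title, status))
    return global_pw, report

if __name__ == "__main__":
    print(audit_menu_lst(SAMPLE))
```
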
On Mon, Feb 27, 2012 at 09:04:48PM +0530, PM wrote:
> On Mon, Feb 27, 2012 at 8:23 PM, Lars Müller <lmuelle@suse.de> wrote:
> > It prevents from getting additional arguments passed to the soon booted kernel.
> > You aren't able to modify the arguments as they're set in the menu.lst file.
> > As you have configured this it should be very easy to try.
> > Have you also tried a different position of the password line in the menu.lst file?
> > I've never used one as part of the actual kernel and initrd configuration.
> > Please try something like this in your /boot/grub/menu.lst file:
> >
> >     title openSUSE 12.1 - 3.1.9-1.4
> >         root (hd0,5)
> >         kernel /vmlinuz-3.1.9-1.4-default root=/dev/disk/by-uuid/...
> >         initrd /initrd-3.1.9-1.4-default
> >         password --md5 <your_md5_hash>
> >
> > If this works please check the openSUSE wiki and update it. Thanks!
> Well I tried and finally got to know that I appended the word 'lock' just below the title bar of each -- (i) openSUSE and (ii) Failsafe, so now even the long pressing Enter doesn't allow to get booted. Found it here ultimately, http://tr.opensuse.org/SDB:Setting_a_Password_for_the_Boot_Manager_GRUB however, seeing other options too...if ...... Thanks.

Please update the English wiki page(s) if required. Thanks for your support!

Lars
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Mon, Feb 27, 2012 at 9:17 PM, Lars Müller <lmuelle@suse.de> wrote:
> Please update the english wiki page(s) if required. Thanks for your support!
In fact the same thing I asked in the forum too (http://bit.ly/yhXcze) but didn't get any reply, but the problem solved here. Thanks.
On Mon, 27 Feb 2012 16:47:20 +0100 Lars Müller <lmuelle@suse.de> wrote:
> Please update the english wiki page(s) if required. Thanks for your support!
Done. http://en.opensuse.org/SDB:GRUB_password It probably needs more work, though.
--
Regards, Rajko
On Mon, 27 Feb 2012 21:04:48 +0530 PM <worldwithoutfences@gmail.com> wrote:
> Well I tried and finally got to know that I appended the word 'lock' just below the title bar of each -- (i) openSUSE and (ii) Failsafe, so now even the long pressing Enter doesn't allow to get booted. Found it here ultimately, http://tr.opensuse.org/SDB:Setting_a_Password_for_the_Boot_Manager_GRUB however, seeing other options too...if ...... Thanks.
Interesting that tr wiki shows up in Google results before old-en that has the same page :) http://old-en.opensuse.org/SDB:Setting_a_Password_for_the_Boot_Manager_GRUB I'm looking for corresponding article on current wiki, but no luck in first attempts.
--
Regards, Rajko
participants (3)
- Lars Müller
- PM
- Rajko M.