Monday, 8 September 2014

How to Protect GRUB with Password in Linux

This post describes how to restrict users from entering single-user mode.

Alert: We advise you to take a backup of your data first; try this at your own risk.

Create Password for GRUB:

As the root user, open a terminal and run the command below. Type the GRUB password twice when prompted, pressing Enter each time. The command then prints the MD5 hash of the password. Note this hash.

[root@amir ~]# grub-md5-crypt

Sample Output:

[root@amir ~]# grub-md5-crypt
Retype password:

Configure GRUB File:

Now open /boot/grub/menu.lst or /boot/grub/grub.conf in an editor (here I am using vim) and add the MD5 password. Both files are the same.

[root@amir ~]# vim /boot/grub/menu.lst


[root@amir ~]# vim /boot/grub/grub.conf

Note: Before making any changes to these files, take a backup of them so that you can revert in case of any error or failure.

Add md5 Password in GRUB Configuration File:

Paste the copied password as “password --md5 <add the copied md5 string>” under the timeout line, then save and exit the grub file.

Reboot the System:

Reboot the system. GRUB will now show “press ‘p’ to enter a password to unlock the next set of features”.

GRUB Password Encrypt Using “grub-crypt” Command:

You might think GRUB is now secured by a password. However, the password above is stored as clear text in the grub.conf file, which defeats the aim of the above steps.

The grub-crypt utility is used to create an encrypted password. The “grub-crypt” command reads the clear-text password and displays the encrypted password, as shown below.

[root@amir ~]# grub-crypt

Sample Output:

[root@amir ~]# grub-crypt
Password: $1$XmNqP1$Lr4gjPRkWc.9fDJwah/oi.
Retype password: $1$XmNqP1$Lr4gjPRkWc.9fDJwah/oi.
$6$.AHzfIDTJfxzVidk$1iqbQP7/D7YecUhFdqWzOHcEqyRaV89j/0e6HlNMXz37zmASQW6MGm7o4Li9/xKQgD.FshASIlCRWL0vgUiB7/ (Newly encrypted password)

Customize the grub.conf File:

Add the entry with the --encrypted argument, “password --encrypted <add the copied grub-crypt string>”, in the grub.conf file as shown below.
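
To check the result after editing, the script below classifies the password line in the global section of a grub.conf file as none, plaintext, md5 or encrypted. It is an added example, not part of the original post; the function names and sample files are constructed for illustration, and the hash values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): report which form of the
# `password` directive protects the global section of a GRUB legacy config.

# Prints one of: none | plaintext | md5 | encrypted
grub_password_kind() {
    awk '
        { sub(/^[ \t]+/, "") }                 # ignore indentation
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        { split($0, f, "[ \t=]+") }            # accept "key value" and "key=value"
        f[1] == "title" { exit }               # global section ends at the first boot entry
        f[1] == "password" {
            if (f[2] == "--md5") kind = "md5"
            else if (f[2] == "--encrypted") kind = "encrypted"
            else kind = "plaintext"            # no option: password stored as typed
            exit
        }
        END { print (kind == "" ? "none" : kind) }
    ' "$1"
}

# Writes a constructed grub.conf to $1; $2 is the line placed under timeout.
write_sample_conf() {
    {
        printf 'default=0\ntimeout=5\n'
        [ -n "$2" ] && printf '%s\n' "$2"
        printf 'title Linux\n\troot (hd0,0)\n'
    } > "$1"
}

# Demo on constructed files; on a real system pass /boot/grub/grub.conf instead.
dir=$(mktemp -d)
write_sample_conf "$dir/none.conf"  ''
write_sample_conf "$dir/plain.conf" 'password ExamplePlaintext'
write_sample_conf "$dir/md5.conf"   'password --md5 <hash-from-grub-md5-crypt>'
write_sample_conf "$dir/enc.conf"   'password --encrypted <hash-from-grub-crypt>'
for name in none plain md5 enc; do
    printf '%-6s %s\n' "$name" "$(grub_password_kind "$dir/$name.conf")"
done
rm -rf "$dir"
```

A password line that appears only after a title line is reported as none, because it does not belong to the global section.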