Modify and improve the how_to_config_grub2_password_protection doc

samson 2018-11-24 07:24:59 +08:00
parent 9ab41dceea
commit 9c6f1409fc
1 changed files with 27 additions and 9 deletions

@ -1,6 +1,12 @@
# How to config grub2 password protection
## Generate hashed password for GRUB
## test platform info:
```
Operation system: Debian GNU/Linux 9.6
Grub version: 2.02~beta3-5+deb9u1
```
## 1、Generate hashed password for GRUB
This example use the following char as the password: "MangGuO93,*jqvt", a combination like this is a requirement to satisfy the robustness of the password.
```
# grub-mkpasswd-pbkdf2
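Review bot: In the added platform block, "Operation system" should read "Operating system", and the heading "## test platform info:" does not follow the capitalised, colon-free style of the other headings (for example "## Test platform"). The new "1、" prefix uses a full-width enumeration comma; "1." would be consistent with plain Markdown numbering. Because the context line right below prints the example passphrase and the next hunk header shows its hash, it is worth adding a sentence telling readers to generate their own value rather than copy this one.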
@ -10,9 +16,9 @@ PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F5CFD948DC06B644E05531F
```
It will generate a long password encrypted like this: grub.pbkdf2.sha512.10000........ Copy the complete generated code.
## Setting Up Password Protection
## 2、Setting Up Password Protection
### Modify /etc/grub.d/10_linux
### 1Modify /etc/grub.d/10_linux
In /etc/grub.d/10_linux, find the following line:
```
printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
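Review bot: The new sub-heading "### 1Modify /etc/grub.d/10_linux" runs the step number straight into the text. Write it as "### 2.1 Modify /etc/grub.d/10_linux" (or "### 1. Modify ...") so it reads as a numbered step under section 2 and matches the separator used in the top-level headings.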
@ -22,13 +28,13 @@ Add --users '':
printf "menuentry '${title}' ${CLASS} --users '' {\n" "${os}" "${version}"
```
### Modify/etc/grub.d/30_os-prober
### 2Modify/etc/grub.d/30_os-prober
To alter the /etc/grub.d/30_os-prober to add password protection to all entries:
```
# sed 's/--class os /--class os --users /' -i /etc/grub.d/30_os-prober
```
### Add password protection to /etc/grub.d/40_header
### 3Add password protection to /etc/grub.d/40_header
```
set superusers="username"
password_pbkdf2 username password
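Review bot: The renumbered heading "### 3Add password protection to /etc/grub.d/40_header" names a different file from the one the Troubleshooting section calls correct (40_custom). Since the line is being touched anyway, make the two agree so readers do not put the superusers and password_pbkdf2 lines in the wrong file. "### 2Modify/etc/grub.d/30_os-prober" also keeps the missing space before the path and, like the other sub-headings, has no separator after the number.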
@ -42,7 +48,7 @@ password_pbkdf2 John grub.pbkdf2.sha512.10000.F5CFD948DC06B644E05531FBF9773C086B
Save the file and exit.
## Generate a grub2 config file
## 3、Generate a grub2 config file
```
# update-grub2
Generating grub configuration file ...
@ -53,7 +59,19 @@ done
That's all, your grub2 is protected.
## Troubleshooting
## 4、Set operating system entry will boot up normally
If you configure it using the 1 to 3 steps, the normal entry into the system will also be checked by the superuser when it is executed, which is not convenient for normal startup. So, need to set for the operating system entry will boot up normally but no one except the superusers will be able to edit the related entry in the list. Just set the first and third items in the second step, and the other operations are unchanged.
Find following line in /etc/grub.d/10_linux:
```
echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
```
Add --unrestricted:
```
echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} --unrestricted \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
```
## 5、Troubleshooting
If add password protection to /etc/grub.d/00_header, maybe you get an error when exec update-grub2, like this following:
```
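Review bot: The line quoted in the new section 4 (echo "menuentry '$(echo "$os" | grub_quote)' ...") and the line section 2 tells the reader to find in the same file (printf "menuentry '${title}' ...") have different shapes, and the doc does not say that both exist in the 10_linux shipped with the tested GRUB 2.02~beta3-5+deb9u1. Please confirm against that version and quote both lines from it. The paragraph should also state plainly that "the first and third items in the second step" means editing 10_linux and the password file while skipping 30_os-prober, that --unrestricted is added only to the 'gnulinux-simple' entry, and whether the remaining entries stay restricted to superusers.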
@ -63,5 +81,5 @@ If add password protection to /etc/grub.d/00_header, maybe you get an error when
Remember that the correct file to edit is 40_custom simply because other files such as grub.cfg or even 00_header are updated automatically by the system in certain circumstances, and it would make you lose those changes.
## Reference
[https://help.ubuntu.com/community/Grub2/Passwords](https://help.ubuntu.com/community/Grub2/Passwords)
## 6、Reference
[https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html#Authentication-and-authorisation](https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html#Authentication-and-authorisation)
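Review bot: The GNU manual link uses the full URL, fragment included, as its label; a short title such as "GNU GRUB Manual: Authentication and authorisation" would be easier to read. "## 6、Reference" carries the same full-width separator as the other renumbered headings.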