GRUB: Password protection
Protect entries from being edited
Plain text passwords
To protect grub with a password put the command 'password YOUR_PASSWORD' somewhere in the beginning of /boot/grub/grub.conf, like this:
File: /boot/grub/grub.conf
    password YOUR_PASSWORD
    timeout 10
    default saved
    . . .
This will disable all the options except 'boot' unless you press 'p' to enter the password. But clever users can figure out the password quite easily by booting the OS and reading it from /boot/grub/grub.conf.
Encrypted passwords
File: /boot/grub/grub.conf
    password --md5 MD5_SUM_OF_YOUR_PASSWORD
As you can see, this is similar to the previous sample, except that we specified "--md5" and wrote the MD5 hash of the password instead of the plaintext password. To get the MD5 hash of the password, start the grub command-line tool and run 'md5crypt':
Code: Example
    # grub
    grub> md5crypt
    Password: ***
    Encrypted: $1$XUSFY1$bl73sNsg5vIKj//qCHvv3
You can load new entries once the correct password has been typed. Just specify the name of the new menu file after the 'password' command. After the password has been entered, grub will reload itself with the new file.
File: /boot/grub/grub.conf
    password --md5 MD5_SUM_OF_YOUR_PASSWORD admin.conf
Protect entries from being booted
The 'lock' command will fail until a valid password has been entered. If the user hasn't entered one, he/she won't be able to continue the execution of the entry. Place it right after the 'title' command:
File: /boot/grub/grub.conf
    title Password protected OS
    lock
    root (hd0,0)
    kernel /kernel
Also note that this is useless unless the 'password' command is used.
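The three pitfalls described on this page (a plaintext password, a 'lock' with no 'password' command, and entries left bootable without a password) can be checked mechanically. The following is an added example, not part of the original page or of GRUB itself; the function name, finding codes and sample configuration are assumptions made for illustration, and only the global 'password' command and per-entry 'lock' shown above are handled.

```python
def audit_grub_conf(text):
    """Audit GRUB legacy grub.conf text; return a list of (code, detail) findings."""
    findings = []
    has_password = False   # global 'password' command seen before the first 'title'
    entries = []           # one [title, locked] pair per menu entry
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        cmd = fields[0].split("=")[0]          # tolerate the 'default=0' form
        rest = fields[1] if len(fields) > 1 else ""
        if cmd == "title":
            entries.append([rest, False])
        elif cmd == "password" and not entries:
            has_password = True
            if "--md5" not in rest.split():
                # The password itself is readable by anyone who can read the file.
                findings.append(("PLAINTEXT_PASSWORD", "use 'password --md5 ...'"))
        elif cmd == "lock" and entries:
            entries[-1][1] = True
    for title, locked in entries:
        if locked and not has_password:
            # 'lock' is useless unless the 'password' command is used.
            findings.append(("LOCK_WITHOUT_PASSWORD", title))
        elif has_password and not locked:
            # Editing is protected, but the entry still boots without a password.
            findings.append(("ENTRY_NOT_LOCKED", title))
    if not has_password:
        findings.append(("NO_PASSWORD", "menu entries can be edited at boot"))
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE = """\
password YOUR_PASSWORD
timeout 10
default saved

title Password protected OS
lock
root (hd0,0)
kernel /kernel

title Open OS
root (hd0,0)
kernel /kernel
"""

if __name__ == "__main__":
    for code, detail in audit_grub_conf(SAMPLE):
        print(f"{code}: {detail}")
```

ENTRY_NOT_LOCKED is informational: leaving an entry bootable without a password is often intended for the default OS.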