[SOLVED] grub2 setup AUTH properly

Support for security such as Firewalls and securing linux
warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

[SOLVED] grub2 setup AUTH properly

Post by warron.french » 2017/11/05 04:00:45

So I am trying to figure out what are THE correct steps for configuring both Red Hat 7 and CentOS-7.

I am aware of the commands grub2-mkpassword-pbkdf2, grub2-setpassword, grub2-mkconfig.

I have found several websites that take "me" different directions or paths and don't seem to provide a single, consistent and coherent approach to how best implement (and force) a password-protected GRUB.

There are references in the man page for grub-setpassword to set the password in the user.cfg.

This URL, https://www.unixmen.com/set-grub2-passw ... 7centos-7/, says to edit /etc/grub2.cfg; which is a link to /boot/grub2/grub.cfg.
This URL, https://access.redhat.com/discussions/1517493, I cannot get full access to (because my password isn't working and I don't have access to my corporate email right now) says to update /etc/grub2/40_custom.

The directions are all over the place and I am looking to learn how to best manage the grub password update process, and then I have to figure out how to manage it through a puppet module.

Please help, someone with a single, consistent, fully coherent process.
Last edited by warron.french on 2018/03/28 20:00:46, edited 1 time in total.
Thanks,
War

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: grub2 setup AUTH properly

Post by TrevorH » 2017/11/05 13:23:05

If you want to just stop people from modifying the boot entries then just setting the password in user.cfg is enough. They can pick which kernel to boot but that's it, any attempt to change e.g. the kernel parameters will ask for the password. If you want to stop them changing which kernel to boot then you have to sed -i "/^CLASS=/s/ --unrestricted//" /etc/grub.d/10_linux and set the password and rerun grub2-mkconfig.

Or you can edit /boot/grub2/grub.cfg and remove unrestricted from all the kernel entries there and make sure you never run grub2-mkconfig - the normal kernel update procedure doesn't use it and uses /sbin/grubby which just copies the previous kernel entry, complete with its lack of unrestricted, and amends it for the newer kernel.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
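
The two states described in the reply above, as a read-only check. This is an added example, not part of the thread or of any CentOS tooling; the function names and all file contents are constructed, and it assumes the EL7 layout in which grub2-setpassword stores the hash in user.cfg as GRUB2_PASSWORD=.

```shell
#!/bin/sh
# Added example, not from the thread. All sample files are constructed.

# Print the protection level implied by user.cfg ($1) and grub.cfg ($2):
#   no-password     no GRUB2_PASSWORD hash, menu is fully open
#   edit-protected  password set, every entry --unrestricted (boot yes, edit no)
#   boot-protected  password set, no entry --unrestricted (password to boot)
#   mixed           password set, only some entries --unrestricted
grub_auth_state() {
    grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.' "$1" 2>/dev/null ||
        { echo no-password; return 0; }
    entries=$(grep '^[[:space:]]*menuentry ' "$2" 2>/dev/null || true)
    total=$(printf '%s\n' "$entries" | grep -c 'menuentry ' || true)
    open=$(printf '%s\n' "$entries" | grep -c -e '--unrestricted' || true)
    if [ "$total" -eq 0 ]; then echo no-entries
    elif [ "$open" -eq 0 ]; then echo boot-protected
    elif [ "$open" -eq "$total" ]; then echo edit-protected
    else echo mixed; fi
}

# True if the 10_linux template ($1) still adds --unrestricted, in which
# case grub2-mkconfig will regenerate unrestricted entries.
template_adds_unrestricted() {
    grep -q '^CLASS=.*--unrestricted' "$1"
}

# Write constructed sample files into directory $1.
make_samples() {
    echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.CONSTRUCTED' > "$1/user.cfg"
    echo 'CLASS="--class gnu-linux --class os --unrestricted"' > "$1/10_linux"
    cat > "$1/grub.cfg" <<'EOF'
menuentry 'Sample kernel 2' --class centos --unrestricted $menuentry_id_option 'sample-2' {
}
menuentry 'Sample kernel 1' --class centos --unrestricted $menuentry_id_option 'sample-1' {
}
EOF
}

d=$(mktemp -d) && make_samples "$d"
grub_auth_state "$d/user.cfg" "$d/grub.cfg"            # before any change
sed -i '/^CLASS=/s/ --unrestricted//' "$d/10_linux"    # the sed from the reply
template_adds_unrestricted "$d/10_linux" || echo "template no longer unrestricted"
# Stand-in for a hand edit of grub.cfg (second option in the reply):
sed -i '/menuentry /s/ --unrestricted//' "$d/grub.cfg"
grub_auth_state "$d/user.cfg" "$d/grub.cfg"            # after the edit
rm -rf "$d"
```

On a real host the arguments would be /boot/grub2/user.cfg, /boot/grub2/grub.cfg and /etc/grub.d/10_linux; the functions only read them.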

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: grub2 setup AUTH properly

Post by warron.french » 2017/11/06 01:35:20

TrevorH, are you saying that if I set the account and password pair in the user.cfg file it will limit me from booting, interrupting the boot process to gain access to the GRUB but you will not be allowed to add "single" to the end and boot off that kernel into single user-mode bypassing the root account's password challenge? Or are you saying something different?

What we are looking for is allowing a bypass of the root password when you have physical access to the system, can reboot the OS, interrupt the boot during GRUB so that we can change the "unknown" root password value.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: grub2 setup AUTH properly

Post by TrevorH » 2017/11/06 02:03:38

Try it and see what you can do with --unrestricted on the menuentry but with the password in user.cfg. I think it only lets you boot any of the installed kernels but not modify any of their parameters. With --unrestricted removed it won't let you do anything at all if my understanding is correct.

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

[SOLVED] - grub2 setup AUTH properly

Post by warron.french » 2018/02/28 19:28:11


warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

[SOLVED] grub2 setup AUTH properly

Post by warron.french » 2018/02/28 19:28:27

