So I am trying to figure out what are THE correct steps for configuring both Red Hat 7 and CentOS-7.
I am aware of the commands grub2-mkpassword-pbkdf2, grub2-setpassword, grub2-mkconfig.
I have found several websites that take "me" in different directions or paths and don't seem to provide a single, consistent and coherent approach to how best to implement (and force) a password-protected GRUB.
There are references in the man page for grub-setpassword to set the password in the user.cfg.
This URL, https://www.unixmen.com/set-grub2-passw ... 7centos-7/, says to edit /etc/grub2.cfg; which is a link to /boot/grub2/grub.cfg.
This URL, https://access.redhat.com/discussions/1517493, I cannot get full access to (because my password isn't working and I don't have access to my corporate email right now) says to update /etc/grub2/40_custom.
The directions are all over the place and I am looking to learn how to best manage the grub password update process, and then I have to figure out how to manage it through a puppet module.
Please help, someone with a single, consistent, fully coherent process.
[SOLVED] grub2 setup AUTH properly
- warron.french
- Posts: 616
- Joined: 2014/03/27 20:21:58
Last edited by warron.french on 2018/03/28 20:00:46, edited 1 time in total.
Thanks,
War
Re: grub2 setup AUTH properly
If you want to just stop people from modifying the boot entries then just setting the password in user.cfg is enough. They can pick which kernel to boot but that's it, any attempt to change e.g. the kernel parameters will ask for the password. If you want to stop them changing which kernel to boot then you have to sed -i "/^CLASS=/s/ --unrestricted//" /etc/grub.d/10_linux and set the password and rerun grub2-mkconfig.
Or you can edit /boot/grub2/grub.cfg and remove unrestricted from all the kernel entries there and make sure you never run grub2-mkconfig - the normal kernel update procedure doesn't use it and uses /sbin/grubby which just copies the previous kernel entry, complete with its lack of unrestricted, and amends it for the newer kernel.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
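Added example, not part of any post in this thread: a small audit function that reports which of the protection states described in the reply above a host is in, based on whether user.cfg holds a password hash and whether the menu entries in grub.cfg still carry --unrestricted. It assumes the RHEL/CentOS 7 layout (grub2-setpassword writes a GRUB2_PASSWORD= line to user.cfg, and grub.cfg sources that file); the function name, the state labels and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify GRUB2 protection from grub.cfg and user.cfg.
# Assumption: RHEL/CentOS 7 layout, hash stored as GRUB2_PASSWORD=... in user.cfg.

grub_protection_level() {
    # $1 = path to grub.cfg, $2 = path to user.cfg
    gpl_cfg=$1; gpl_user=$2
    if ! grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.' "$gpl_user" 2>/dev/null; then
        echo "no-password"; return 0      # anyone at the console can edit entries
    fi
    gpl_total=$(grep -c '^[[:space:]]*menuentry ' "$gpl_cfg" || true)
    gpl_open=$(grep '^[[:space:]]*menuentry ' "$gpl_cfg" | grep -c -- '--unrestricted' || true)
    if [ "$gpl_total" -eq 0 ]; then
        echo "no-entries"                 # nothing to classify
    elif [ "$gpl_open" -eq 0 ]; then
        echo "boot-and-edit-protected"    # password needed even to boot an entry
    elif [ "$gpl_open" -eq "$gpl_total" ]; then
        echo "edit-protected"             # entries boot freely, editing asks for the password
    else
        echo "mixed"                      # some entries still boot without the password
    fi
}

sample_dir=$(mktemp -d)
# Constructed grub.cfg fragment; kernel names are placeholders.
cat > "$sample_dir/grub.cfg" <<'EOF'
menuentry 'CentOS Linux (kernel-A, constructed) 7 (Core)' --class centos --unrestricted {
	linux16 /vmlinuz-A root=/dev/mapper/centos-root ro
}
menuentry 'CentOS Linux (kernel-B, constructed) 7 (Core)' --class centos --unrestricted {
	linux16 /vmlinuz-B root=/dev/mapper/centos-root ro
}
EOF
# Constructed user.cfg; the salt and hash fields are placeholders.
echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.SALT_PLACEHOLDER.HASH_PLACEHOLDER' \
    > "$sample_dir/user.cfg"
# Same entries with --unrestricted removed, written to a copy of the sample.
sed '/^[[:space:]]*menuentry /s/ --unrestricted//' "$sample_dir/grub.cfg" \
    > "$sample_dir/grub-locked.cfg"

grub_protection_level "$sample_dir/grub.cfg" "$sample_dir/absent-user.cfg"
grub_protection_level "$sample_dir/grub.cfg" "$sample_dir/user.cfg"
grub_protection_level "$sample_dir/grub-locked.cfg" "$sample_dir/user.cfg"
```

On a real host the arguments would be /boot/grub2/grub.cfg and /boot/grub2/user.cfg; a "mixed" result after a kernel update is the case worth alerting on from configuration management.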
- warron.french
- Posts: 616
- Joined: 2014/03/27 20:21:58
Re: grub2 setup AUTH properly
TroverH, are you saying that if I set the account and password pair in the user.cfg file it will limit me from booting, interrupting the boot process to gain access to the GRUB but you will not be allowed to add "single" to the end and boot off that kernel into single user-mode bypassing the root account's password challenge? Or are you saying something different?
What we are looking for is allowing a bypass of the root password when you have physical access to the system, can reboot the OS, interrupt the boot during GRUB so that we can change the "unknown" root password value.
Thanks,
War
Re: grub2 setup AUTH properly
Try it and see what you can do with --unrestricted on the menuentry but with the password in user.cfg. I think it only lets you boot any of the installed kernels but not modify any of their parameters. With --unrestricted removed it won't let you do anything at all if my understanding is correct.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
- warron.french
- Posts: 616
- Joined: 2014/03/27 20:21:58
[SOLVED] - grub2 setup AUTH properly
warron.french wrote: So I am trying to figure out what are THE correct steps for configuring both Red Hat 7 and CentOS-7.
I am aware of the commands grub2-mkpassword-pbkdf2, grub2-setpassword, grub2-mkconfig.
I have found several websites that take "me" in different directions or paths and don't seem to provide a single, consistent and coherent approach to how best to implement (and force) a password-protected GRUB.
There are references in the man page for grub-setpassword to set the password in the user.cfg.
This URL, https://www.unixmen.com/set-grub2-passw ... 7centos-7/, says to edit /etc/grub2.cfg; which is a link to /boot/grub2/grub.cfg.
This URL, https://access.redhat.com/discussions/1517493, I cannot get full access to (because my password isn't working and I don't have access to my corporate email right now) says to update /etc/grub2/40_custom.
The directions are all over the place and I am looking to learn how to best manage the grub password update process, and then I have to figure out how to manage it through a puppet module.
Please help, someone with a single, consistent, fully coherent process.
Thanks,
War