disable password recovery

Support for security such as Firewalls and securing linux
peymandev
Posts: 2
Joined: 2018/08/22 15:02:01

disable password recovery

Post by peymandev » 2018/08/22 15:06:57

Hi,
How can I disable password recovery in GRUB, even using CD/media and the troubleshooting option?
We have a product that installs on a VM, and our customer can recover my password.
I use superusers, but the troubleshooting option can remove the user and password.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: disable password recovery

Post by TrevorH » 2018/08/22 16:15:13

You can set a grub password but nothing you can do will ultimately stop any local attacker with hardware access from doing whatever they want. With a grub password they can only boot what's listed and not make any alterations (e.g. cannot drop to single user mode etc) but a grub password will not stop someone from inserting a USB stick or a DVD and booting from that. A BIOS password might temporarily stop them from doing that but if you can access the physical machine and locate the "clear CMOS" jumper on the board then you can reset it all to defaults. And if you can bypass that then they could just remove the disk from the machine and get at it that way.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

peymandev
Posts: 2
Joined: 2018/08/22 15:02:01

Re: disable password recovery

Post by peymandev » 2018/08/22 18:12:36

Thank you so much for your advice :) :)

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: disable password recovery

Post by hunter86_bg » 2018/09/06 20:06:35

The only way to protect the machine is to use LUKS to encrypt the whole machine, a grub password to prevent modifications, and NBDE (Clevis & Tang) to automatically unlock the encrypted machine ... Of course the Tang server should be accessible from the machine (port 80).
The main question that comes to my mind is "Is it worth it ?" ...
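
The GRUB password setup mentioned in the replies above can be checked from the generated config. The script below is an added example, not part of any post in this thread: the function names and both sample configs are constructed, and the grub.cfg path in the comment is an assumption.

```shell
#!/bin/sh
# Audit GRUB2 config text on stdin for the password setup discussed above.
# Usage on a real system (path is an assumption, it varies by distro/firmware):
#   audit_grub_cfg < /boot/grub2/grub.cfg
audit_grub_cfg() {
    awk -v q="'" '
    /^[ \t]*(set[ \t]+)?superusers=/ {
        # names may be separated by space , ; | or &
        line = $0; sub(/^[^=]*=/, "", line); gsub("[\"" q "]", "", line)
        n = split(line, names, /[ ,;|&]+/)
        for (i = 1; i <= n; i++) if (names[i] != "") su[names[i]] = 1
        have_su = 1
    }
    $1 == "password_pbkdf2" { hashed[$2] = 1 }   # PBKDF2 hash
    $1 == "password"        { plain[$2] = 1 }    # clear text
    $1 == "menuentry" { total++; if ($0 ~ /--unrestricted/) open++ }
    END {
        if (!have_su) {
            print "NO_SUPERUSERS: anyone at the console can edit entries"
            exit
        }
        for (u in su) {
            if (u in hashed) continue
            if (u in plain) print "PLAINTEXT_PASSWORD: " u
            else print "NO_PASSWORD: " u
        }
        # --unrestricted entries boot without a password; editing them or
        # opening the GRUB shell still needs a superuser login.
        print "INFO: " (open + 0) "/" (total + 0) " menuentries --unrestricted"
    }'
}
# Constructed sample: hashed superuser, entry boots but cannot be edited.
sample_hardened() {
    cat <<'EOF'
set superusers="root"
password_pbkdf2 root ${GRUB2_PASSWORD}
menuentry 'CentOS Linux (constructed)' --unrestricted {
}
EOF
}
# Constructed sample: clear-text password, entry needs a password to boot.
sample_weak() {
    cat <<'EOF'
set superusers="admin"
password admin example-clear-text
menuentry 'Product VM (constructed)' {
}
EOF
}
sample_weak | audit_grub_cfg
```

A clean result only covers the boot menu; it says nothing about booting from other media or removing the disk, which is where the disk encryption mentioned above comes in.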
