Set Grub password

For Grub version 1
STEP 1: Create a password hash for GRUB. As the root user, open a command prompt and run the command below. When prompted, type the GRUB password twice and press Enter. The command returns the MD5 hash of the password; copy it or note it down.
[root@pgoli-server ~]# grub-md5-crypt

Sample Output:

[root@pgoli-server ~]# grub-md5-crypt
Password:
Retype password:
$1$19oD/1$NklcucLPshZVoo5LvUYEp1

STEP 2: Open the /boot/grub/menu.lst or /boot/grub/grub.conf file so that you can add the MD5 password. The two are the same file: one is a symbolic link to the other.
[root@pgoli-server ~]# vi /boot/grub/menu.lst

OR

[root@pgoli-server ~]# vi /boot/grub/grub.conf
Note: I advise you to back up the file before making any changes to it, so that you can revert if something goes wrong.
STEP 3: Add the newly created MD5 password to the GRUB configuration file. Paste the copied hash on a new line below the timeout line, in the form password --md5 <add the copied md5 string from step 1>, then save the file and exit. For example:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/sda3
# initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
password --md5 $1$TNUb/1$TwroGJn4eCd4xsYeGiBYq.
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-279.5.2.el6.i686)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-279.5.2.el6.i686 ro root=UUID=d06b9517-8bb3-44db-b8c5-7710e183edb7 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
        initrd /initramfs-2.6.32-279.5.2.el6.i686.img
title centos (2.6.32-71.el6.i686)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-71.el6.i686 ro root=UUID=d06b9517-8bb3-44db-b8c5-7710e183edb7 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
        initrd /initramfs-2.6.32-71.el6.i686.img
STEP 4: Reboot the system and try it: press 'p' to enter the password, which unlocks and enables the remaining features.
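
A check for the result of steps 1 to 3, as an added example that is not part of the original article: it reports whether a GRUB legacy grub.conf has a `password --md5` line in the global section (before the first `title`). The function names, the result labels (ok, not-md5, per-entry-only, missing) and the trimmed sample file are constructed for illustration; a line pasted with a typographic dash instead of `--md5` is reported as not-md5.

```shell
#!/bin/sh
# Added example: audit a GRUB legacy grub.conf for a global MD5 password line.

# Prints one of: ok | not-md5 | per-entry-only | missing
check_legacy_password() {
    awk '
        /^[[:space:]]*title[[:space:]]/ { in_entry = 1 }
        /^[[:space:]]*password[[:space:]]/ {
            # A password line after the first title is not in the global section.
            if (in_entry) { entry_pw = 1; next }
            # Global line: require the literal --md5 option and a $1$ (MD5-crypt) hash.
            if ($2 == "--md5" && $3 ~ /^\$1\$/) global_md5 = 1
            else global_bad = 1
        }
        END {
            if (global_md5)      print "ok"
            else if (global_bad) print "not-md5"
            else if (entry_pw)   print "per-entry-only"
            else                 print "missing"
        }' "$1"
}

# Constructed sample, trimmed from the grub.conf shown in step 3.
sample_conf() {
    cat <<'EOF'
default=0
timeout=5
password --md5 $1$TNUb/1$TwroGJn4eCd4xsYeGiBYq.
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-279.5.2.el6.i686)
        root (hd0,0)
EOF
}

conf=${1:-}
if [ -z "$conf" ]; then          # no file given: use the constructed sample
    conf=$(mktemp) && sample_conf > "$conf"
fi
echo "grub.conf password check: $(check_legacy_password "$conf")"
```

Run it as root with /boot/grub/grub.conf as the argument to check the real file.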

https://www.tecmint.com/password-protect-grub-in-linux/grub/


Securing GRUB-menu in RHEL/Centos 7.2

Starting with RHEL 7.2, the method described for RHEL/CentOS 7 & 7.1 does not work. RHEL 7.2 introduced a new utility, 'grub2-setpassword'; the procedure for setting a password with it is given below.
First, run the following command as the "root" user:
grub2-setpassword
Then enter your password and confirm it. The hash for the password is created in /boot/grub/user.cfg, and the user, i.e. "root", is defined in /boot/grub2/grub.cfg.
If you reboot the system now and try to modify the boot entries, you will be asked for the credentials, but you can still boot the entries without credentials. To stop both unauthorized modification and unauthorized booting, we need to make changes to /boot/grub2/grub.cfg.
Open the file and search for the boot entry you need to protect with the password; it begins with menuentry. Once the entry is located, delete the --unrestricted parameter from it.

That’s it. Your GRUB-menu is now completely secured with a password.
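
To confirm the change took effect, the following added example (not part of the original article) reports whether a superuser and a PBKDF2 hash are configured in a GRUB2 config and lists the menu entries that still carry --unrestricted. The function names and the embedded sample config, including its placeholder hash, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a GRUB2 grub.cfg for the settings described above.

# Titles of menuentries that still carry --unrestricted
# (these boot without asking for the GRUB password).
unrestricted_entries() {
    sed -n "s/^[[:space:]]*menuentry[[:space:]]*['\"]\([^'\"]*\)['\"].*--unrestricted.*/\1/p" "$1"
}

# True when a superuser is named and a password_pbkdf2 line is present.
has_password() {
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1" &&
        grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]' "$1"
}

# One-line summary: password=<yes|no> unrestricted=<count>
audit_grub_cfg() {
    if has_password "$1"; then pw=yes; else pw=no; fi
    echo "password=$pw unrestricted=$(unrestricted_entries "$1" | grep -c .)"
}

# Constructed sample config; the hash fields are placeholders, not real values.
sample_cfg() {
    cat <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'CentOS Linux 7 (Core)' --class centos --unrestricted {
    linux16 /vmlinuz-PLACEHOLDER root=/dev/sda3 ro
}
menuentry 'CentOS Linux 7 (rescue)' --class centos {
    linux16 /vmlinuz-PLACEHOLDER-rescue root=/dev/sda3 ro
}
EOF
}

cfg=${1:-}
if [ -z "$cfg" ]; then          # no file given: use the constructed sample
    cfg=$(mktemp) && sample_cfg > "$cfg"
fi
audit_grub_cfg "$cfg"
unrestricted_entries "$cfg" | sed 's/^/still bootable without password: /'
```

Run it as root with /boot/grub2/grub.cfg as the argument; an unrestricted count of 0 means every entry requires the password to boot.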

Securing GRUB-menu in RHEL/Centos 5 & 6

As the "root" user, enter the following command:
grub-md5-crypt
Then enter the password, confirm it, and copy the password hash that is created.

Next, open the file /boot/grub/grub.conf and add the following line to it:
password --md5 <password hash>

Lastly, restart your server and try to access your GRUB-menu; you will need to enter your credentials to access the menu.

Grub 2

  1. Create an Encrypted Password using grub2-mkpasswd-pbkdf2
  2. Define Encrypted Password in /etc/grub.d/40_custom
  3. Refresh /boot/grub2/grub.cfg by grub2-mkconfig -o /boot/grub2/grub.cfg
  4. Test new password on Boot

CentOS/RHEL uses the GRUB2 bootloader, and the process for assigning a GRUB password differs from RHEL/CentOS 6, which uses GRUB.
NOTE: Before we start, I must warn you to back up the files before editing them, in case we run into trouble.

Securing GRUB-menu in RHEL/Centos 7 & 7.1

Firstly, we will generate an encrypted password by using the following command

grub2-mkpasswd-pbkdf2

You will be asked to enter a password twice. After you have entered the password, the password hash is shown on your screen; copy the hash.

Next, open /etc/grub2/01_users and enter the following at the bottom of the file:
set superusers="john"
password_pbkdf2 john grub.pbkdf2.sha512.10000.19074739ED80F115963D984BDCB35AA671C24325755377C3E9B014D862DA6ACC77BC110EED41822800A87FD3700C037320E51E9326188D53247EC0722DDF15FC.C56EC0738911AD86CEA55546139FEBC366A393DF9785A8F44D3E51BF09DB980BAFEF85281CBBC56778D8B19DC94833EA8342F7D73E3A1AA30B205091F1015A85

Here, john is the user for the GRUB-menu. You can change it and use root or any other user instead.
Now run the following command to apply the GRUB changes:
grub2-mkconfig -o /boot/grub2/grub.cfg

Now reboot the system and press 'e' to edit the GRUB parameters; you will be asked for the credentials to access the menu.
