passwords are awkward to use with grub-mkconfig

A (rather long) list of missing feature is at http://grub.enbug.org/CommandList.

Likely to be an upstream priority for 1.97.

There's now basic support for this (in 1.97~beta1), but it probably needs to be glued into grub-mkconfig somehow as well. Still, this may be enough for some people.

2009-08-25 Vladimir Serbinenko <email address hidden>

        Authentication support.

        * commands/password.c: New file.
        * conf/common.rmk (pkglib_MODULES): Add password.mod.
        (password_mod_SOURCES): New variable.
        (password_mod_CFLAGS): Likewise.
        (password_mod_LDFLAGS): Likewise.
        (normal_mod_SOURCES): Add normal/auth.c.
        * conf/i386-coreboot.rmk (grub_emu_SOURCES): Add commands/password.c and
        normal/auth.c.
        * conf/i386-efi.rmk (grub_emu_SOURCES): Likewise.
        * conf/i386-ieee1275.rmk (grub_emu_SOURCES): Likewise.
        * conf/i386-pc.rmk (grub_emu_SOURCES): Likewise.
        * conf/powerpc-ieee1275.rmk (grub_emu_SOURCES): Likewise.
        * conf/sparc64-ieee1275.rmk (grub_emu_SOURCES): Likewise.
        * conf/x86_64-efi.rmk (grub_emu_SOURCES): Likewise.
        * include/grub/auth.h: New file.
        * include/grub/err.h (grub_err_t): New enum value
        GRUB_ERR_ACCESS_DENIED.
        * include/grub/menu.h (grub_menu_entry): New fields 'restricted' and
        'users'.
        * include/grub/normal.h (grub_cmdline_get): New argument 'history'.
        * normal/cmdline.c (grub_cmdline_get): New argument 'history'. All
        users updated.
        * normal/auth.c: New file.
        * normal/main.c (grub_normal_add_menu_entry): Handle --users option.
        (grub_cmdline_run): Don't allow to go to command line without
        authentication.
        * normal/menu.c (grub_menu_execute_entry): Handle restricted entries.
        * normal/menu_entry.c (grub_menu_entry_run): Don't allow editing
        menuentry without superuser rights.
        * normal/menu_viewer.c (grub_menu_viewer_show_menu): Don't exit if
        user isn't a superuser.

Am Donnerstag, den 03.09.2009, 10:59 +0000 schrieb Colin Watson:
> There's now basic support for this (in 1.97~beta1), but it probably
> needs to be glued into grub-mkconfig somehow as well. Still, this may be
> enough for some people.
>

I documented it a bit in the official Wiki how to use it:
http://grub.enbug.org/Authentication

--
Felix Zielcke
Proud Debian Maintainer

I'm unmarking this as a regression now, as the core facility is implemented even though it's not as convenient to use as it might be. (You can write an /etc/grub.d/ script to emit the appropriate commands, for instance.)

Could someone post some example scripts for this?
That would be a great help.

Well, you could just add
 echo 'set superusers="myusername"'
 echo 'password myusername mypassword'
to /etc/grub.d/00_header and change 'menuentry "$1" {' to 'menuentry "$1" --users myusername {' in 10_linux or 30_os-prober.
After that, run 'update-grub' as root.

i'd like to politely add that this only supports plain text passwords as opposed to hashed (eg: md5 which old grub had).
it would be nice to have support for hashed passwords (like sha1/sha256) in this grub, so this is no longer a regression.
thanks!

Hashed passwords are still being discussed / worked on upstream.

experimental branch supports now encrypted/hashed passwords.
See here how to use them:
http://grub.enbug.org/Authentication
My PPA has it now included:
https://launchpad.net/~fzielcke/+archive/grub-ppa/

... and support for hashed passwords is now in lucid, which only leaves figuring out how to make them a bit more convenient to use in conjunction with grub-mkconfig, I think.

If I try to use the example from the upstream wiki on lucid, I get:

$ sudo update-grub2
Generating grub.cfg ...
/etc/grub.d/00_header: 167: password_pbkdf2: not found

Am I missing something obvious?

Also, should we really edit 00_header directly, or would it be better to create a separate file such as /etc/grub.d/01_superusers or somesuch?

Unmarking as security since the features are all available, if still a bit inconvenient.

Workaround (avoiding plain-text passwords in /etc/grub.d)

For those who cannot be bothered with a PPA repository for grub2, and want to let users set their own bootup passwords and/or have users who don't want to divulge their bootup password to the system administrator ...

Remembering that the usual bash shell constructs work, one can do something similar to this, within 00_header
-----
password nick $(gpg --decrypt --no-mdc-warning --batch --no-tty --no-use-agent --quiet --passphrase-file /etc/grub.d/pass.txt /home/nick/nick.pwd.gpg)
-----
Repeat for other users authorised to set their own passwords.

Put the attached script in /usr/local/bin for users to set their own passwords. And you need to generate /etc/grub.d/pass.txt as the unrotated passphrase (or make alternative arrangements).

Limitations:
1. The passphrase used to drive GPG could be hidden a bit better
2. You will still get a clear-text copy of the users' passwords in /boot/grub/grub.cfg, when you run update-grub, make sure it is generated with permissions -r-------- (600, in favour of root:root).

One more limitation of my workaround
3. After running SetBootPassword, user(s) must notify system administrator to run update-grub so that their new password comes into force.

As long as update-grub doesn't recognize passwords properly (see comment #12), just don't add your password directly to /etc/grub.d/whatever, but instead write it directly into /boot/grub/grub.cfg. Not nice but it'll do the trick...

example:
...
set superusers="main"
password_pbkdf2 maint grub.pbkdf2.sha512.10000.verylongstring...
### END /etc/grub.d/00_header ###
...

This release of Ubuntu is no longer receiving maintenance updates. If this is still an issue on a maintained version of Ubuntu please let us know.

[Expired for grub2 (Ubuntu) because there has been no activity for 60 days.]