Grub2 password configuration


Creating superuser with encrypted password

A GRUB2 password was configured using the following steps as the root user:

  1. Run 'grub2-mkpasswd-pbkdf2' and get the password hash of the desired password
  2. Edit '/etc/grub.d/40_custom' file and append:
    set superusers="root"
    password_pbkdf2 root <password-hash>
  3. Run 'grub2-mkconfig > /etc/grub2.cfg'

If a plaintext password in the /etc/grub.d/40_custom file is acceptable, use "password root <plain-text-password>" instead of "password_pbkdf2 root <password-hash>".


Creating other users

Similar to the superuser, other users can be created using:

password_pbkdf2 <username> <password-hash>


Allowing access to OS without password

After creating users, grub may start asking for a password for all entries. If this is not desired, the "--unrestricted" option needs to be added to the corresponding menu entries. If the option is added to /etc/grub2.cfg directly, the changes will be lost the next time "grub2-mkconfig > /etc/grub2.cfg" is run. Hence the option has to be added to the config files in "/etc/grub.d/" so that it persists across grub2-mkconfig calls. This is slightly tricky and OS specific too. For Linux, a simple way is to edit the /etc/grub.d/10_linux file and update the value of the CLASS variable so that it includes "--unrestricted". Run "grub2-mkconfig > /etc/grub2.cfg" after the /etc/grub.d/ files are modified for the new changes to take effect. The effect of the changes can be verified by reading the new /etc/grub2.cfg file.


Allow certain OS entries only to certain users

To allow access to a few menu items (typically OS entries) only to selected grub users, append "--users user1,user2" (that is, a comma-separated user list without any quotes) to the corresponding menu entries. Note that superusers will have full access to all entries and options. To allow all users after authentication, use "--users" without following it with any username. To allow only the superuser, use --users "", that is, --users followed by an empty quoted string.
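
To check the result of the two sections above by script rather than by eye, the following added example (not part of the original notes) parses grub.cfg text and reports, for each menuentry, who can boot it, and lists users defined with a plaintext "password" line. The sample config is constructed, the function names are illustrative, and the code assumes "--users" is always followed by its user list.

```python
import re
import shlex
# Constructed sample in the shape of grub2-mkconfig output (not from a real system).
SAMPLE_CFG = """\
menuentry 'Fedora' --class fedora --class gnu-linux --unrestricted $menuentry_id_option 'gnulinux-simple' {
    linux /vmlinuz root=/dev/sda1
}
menuentry 'Rescue' --users user1,user2 {
}
menuentry 'Memtest' --users "" {
}
menuentry 'Old kernel' {
}
set superusers="root"
password_pbkdf2 root PLACEHOLDER-HASH
password user1 plain-text-example
"""

def split_users(value):
    return [u for u in re.split(r"[ ,;|&]+", value) if u]

def audit_grub_cfg(text):
    """Return (superusers, plaintext_users, {entry title: access})."""
    superusers, plaintext_users, options = [], [], {}
    for line in text.splitlines():
        try:
            tok = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: not a line this audit reads
            continue
        if len(tok) >= 2 and tok[0] == "set" and tok[1].startswith("superusers="):
            superusers = split_users(tok[1].split("=", 1)[1])
        elif len(tok) >= 3 and tok[0] == "password":
            plaintext_users.append(tok[1])  # password stored in clear text
        elif len(tok) >= 2 and tok[0] == "menuentry":
            options[tok[1]] = tok[2:]
    # Classify after the full pass: 40_custom output follows the 10_linux entries.
    access = {}
    for title, opts in options.items():
        users = split_users(opts[opts.index("--users") + 1]) if "--users" in opts[:-1] else []
        if not superusers:
            access[title] = "no authentication configured"
        elif "--unrestricted" in opts:
            access[title] = "boots without password"
        else:
            access[title] = "superusers + " + ",".join(users) if users else "superusers only"
    return superusers, plaintext_users, access

if __name__ == "__main__":
    print(audit_grub_cfg(SAMPLE_CFG))
```

To audit a real system, pass the contents of the generated /etc/grub2.cfg to audit_grub_cfg() instead of the sample.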


Change grub default entry or timeout

To change the grub default entry or timeout, edit the '/etc/default/grub' file and set appropriate values.

Refer: https://askubuntu.com/questions/148095/how-do-i-set-the-grub-timeout-and-the-grub-default-boot-entry#148097


Steps learned from https://help.ubuntu.com/community/Grub2/Passwords
