#703 Fix instructions for setting grub2 password
Opened 2 months ago by mlewando. Modified a month ago
fedora-docs/ mlewando/quick-docs password-update  into  main

@@ -702,19 +702,25 @@ 

  

  == Setting a password for interactive edit mode

  

- If you wish to protect the *GRUB2* interactive edit mode with a password, but allow ordinary users to boot the computer, you have to create a definition file where you set up this functionality: 

+ If you wish to protect the *GRUB2* interactive edit mode with a password, but allow ordinary users to boot the computer, use the `grub2-set-password` command. You will be prompted for the password, and then will have to confirm it. The encrypted password will be stored in /boot/grub2/user.cfg.

+ 

+ To remove password protection, simply delete the user.cfg file.

+ 

+ Alternately, you can set this up manually:

  

  .Procedure

  

  . Create the `/etc/grub.d/01_users` file and write the following lines into the file.

  +

  ----

+ cat << EOF

  set superusers="root"

  export superusers

  password root <password>

+ EOF

  ----

  

- . Regenerate the *GRUB2* configuration file and reinstall the bootloader into the MBR, as described in xref:adding-other-operating-systems-grub2[Adding other operating systems to the *GRUB2* menu].

+ . Regenerate the *GRUB2* configuration file, as described in xref:adding-other-operating-systems-grub2[Adding other operating systems to the *GRUB2* menu].

  

  

  .More information
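Review bot: the manual `01_users` block is written as a here-document (`cat << EOF` ... `EOF`), so `/etc/grub.d/01_users` has to be an executable shell script (a `#!/bin/sh` first line and `chmod +x`) or `grub2-mkconfig` will not run it and nothing reaches `grub.cfg`; the step "Create the `/etc/grub.d/01_users` file" should say so. Inside that block, `password root <password>` puts the password in clear text into the generated `grub.cfg`; the `.More information` section of this same file already shows the `password_pbkdf2 root grub.pbkdf2.sha512...` form, so the procedure should use that with a hash from `grub2-mkpasswd-pbkdf2` instead of the plain `password` keyword. Also, `grub2-set-password` stores a PBKDF2 hash, not an encrypted password, so "The encrypted password will be stored in /boot/grub2/user.cfg" should read "hashed", and "Alternately" should be "Alternatively".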
@@ -725,11 +731,13 @@ 

  password_pbkdf2 root grub.pbkdf2.sha512.10000.1B4BD9B60DE889A4C50AA9458C4044CBE129C9607B6231783F7E4E7191D8254C0732F4255178E2677BBE27D03186E44815EEFBAD82737D81C87F5D24313DDDE7.E9AEB53A46A16F30735E2558100D8340049A719474AEEE7E3F44C9C5201E2CA82221DCF2A12C39112A701292BF4AA071EB13E5EC8C8C84CC4B1A83304EA10F74

  ----

  

+ To remove password protection, simple remove the changes you made to the `/etc/grub.d/01_users` file and regenerate the *GRUB2* configuration file, as before.

+ 

  More details can be found at https://help.ubuntu.com/community/Grub2/Passwords[Ubuntu Help: GRUB2 Passwords].

  

  [NOTE]

  ====

- Starting from Fedora 21, the `--md5pass` kickstart option must be used when using the `grub2-mkpasswd-pbkdf2` command.

+ Starting from Fedora 15, the `--password=<encrypted_grub_passwd> --iscrypted` kickstart option must be used if setting an encrypted *GRUB2* password in the kickstart file.

  ====

  

  
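Review bot: the rewritten NOTE ("Starting from Fedora 15, the `--password=<encrypted_grub_passwd> --iscrypted` kickstart option must be used ...") never says which kickstart command takes those flags; they are arguments to the `bootloader` command, so spell that out, e.g. `bootloader --iscrypted --password=grub.pbkdf2.sha512.10000....`, and state that the value is the hash printed by `grub2-mkpasswd-pbkdf2` (the `password_pbkdf2` line shown above in this hunk has the expected shape), not an "encrypted" password. Minor: "simple remove the changes you made" in the new removal sentence should be "simply remove".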

  • Add information about grub2-set-password command
  • Correct manual editing instructions
  • Add information about how to disable password protection

Signed-off-by: Marta Lewandowska mlewando@redhat.com

1 new commit added

  • Two more small changes to grub2 password doc
2 months ago

I just added a couple more small changes. This should be ready for review now.

I think it would be clearer to link to "Create a GRUB2 configuration", because the "adding another operating system" section contains many more instructions.

. Regenerate the *GRUB2* configuration file, as described in xref:create-a-grub-2-configuration[Create a GRUB2 configuration].

md5 hurts my eyes, but if it works with grub2-mkpasswd-pbkdf2 I guess it is fine and shorter to use :)

Maybe users had better create their own configuration file instead of modifying the existing one. Or maybe remove that part of the page, because this manual setup is much more complicated. Although it gives some clue about the possibility of creating more users and passwords, in which sense it is also good to keep..

Thank you, much clearer now!

The thing is, it's not an md5 password, and that option doesn't work with grub2-mkpasswd-pbkdf2:

$ grub2-mkpasswd-pbkdf2 --md5pass
grub2-mkpasswd-pbkdf2: unrecognized option '--md5pass'
Try 'grub2-mkpasswd-pbkdf2 --help' or 'grub2-mkpasswd-pbkdf2 --usage' for more
information.

I think those options are arguments to the bootloader Kickstart command, and --md5pass isn't documented as a valid option there, either, in our own Kickstart syntax reference. Those docs have an example bootloader command to set up Grub2 with a password, and they use --iscrypted --password=grub2_sha512_hash. Even if --md5pass is accepted as a legacy option, I don't think we should be documenting it here when none of the other docs acknowledge it as a valid option.
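The comment above makes two points: the value is a PBKDF2-SHA512 hash, not an MD5 one, and the Kickstart form is `--iscrypted --password=<grub2 sha512 hash>`. The following is an added example (not code from the quick-docs page, from GRUB, or from the PR author) that reproduces the `grub.pbkdf2.sha512.<iterations>.<salt>.<key>` string format, verifies a password against such a string, and emits the two places the diff puts it: a `password_pbkdf2` line inside an executable `/etc/grub.d/01_users` and a `bootloader` kickstart line. It assumes GRUB's PBKDF2 is standard RFC 2898 PBKDF2-HMAC-SHA512 with 10000 iterations and a 64-byte salt and key by default, which is what `grub2-mkpasswd-pbkdf2` prints; the hash quoted in the diff's `.More information` section is reused only to show that it parses, since its password is not known.

```python
"""PBKDF2-SHA512 hashes in the format grub2-mkpasswd-pbkdf2 prints.

Added example for the PR discussion; not code from the page or from GRUB.
Assumption: GRUB uses standard PBKDF2-HMAC-SHA512 (RFC 2898) with
10000 iterations, a 64-byte salt and a 64-byte derived key by default.
"""
import hashlib
import hmac
import os

PREFIX = "grub.pbkdf2.sha512"

# Hash quoted in the PR's ".More information" section; password unknown.
PAGE_EXAMPLE_HASH = (
    "grub.pbkdf2.sha512.10000."
    "1B4BD9B60DE889A4C50AA9458C4044CBE129C9607B6231783F7E4E7191D8254C"
    "0732F4255178E2677BBE27D03186E44815EEFBAD82737D81C87F5D24313DDDE7."
    "E9AEB53A46A16F30735E2558100D8340049A719474AEEE7E3F44C9C5201E2CA8"
    "2221DCF2A12C39112A701292BF4AA071EB13E5EC8C8C84CC4B1A83304EA10F74"
)


def parse_grub_pbkdf2(hash_str):
    """Return (iterations, salt, derived_key) from a GRUB PBKDF2 string.

    Anything else, e.g. an MD5-crypt "$1$..." string, is rejected.
    """
    parts = hash_str.strip().split(".")
    if len(parts) != 6 or ".".join(parts[:3]) != PREFIX:
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    iterations = int(parts[3])
    if iterations <= 0:
        raise ValueError("iteration count must be positive")
    return iterations, bytes.fromhex(parts[4]), bytes.fromhex(parts[5])


def make_grub_pbkdf2(password, iterations=10000, salt=None):
    """Derive a hash the way grub2-mkpasswd-pbkdf2 does by default.

    A fixed salt is only for reproducible tests; leave it None in real use.
    """
    if salt is None:
        salt = os.urandom(64)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                             iterations, dklen=64)
    return f"{PREFIX}.{iterations}.{salt.hex().upper()}.{dk.hex().upper()}"


def verify_grub_pbkdf2(password, hash_str):
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    iterations, salt, expected = parse_grub_pbkdf2(hash_str)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def users_script(hash_str, user="root"):
    """Content of an executable /etc/grub.d/01_users that emits the
    superuser definition with a hashed, not clear-text, password."""
    parse_grub_pbkdf2(hash_str)  # refuse to embed anything but a real hash
    return (
        "#!/bin/sh\n"
        "cat << EOF\n"
        f'set superusers="{user}"\n'
        "export superusers\n"
        f"password_pbkdf2 {user} {hash_str}\n"
        "EOF\n"
    )


def kickstart_bootloader_line(hash_str):
    """The bootloader command form the Kickstart reference documents."""
    parse_grub_pbkdf2(hash_str)
    return f"bootloader --iscrypted --password={hash_str}\n"


if __name__ == "__main__":
    h = make_grub_pbkdf2("example-only")
    print(h)
    print(verify_grub_pbkdf2("example-only", h), verify_grub_pbkdf2("guess", h))
    print(users_script(h), end="")
    print(kickstart_bootloader_line(h), end="")
```

Run it and compare the first printed line with what `grub2-mkpasswd-pbkdf2` prints for the same password on a Fedora box: the prefix, iteration count and field lengths match, and `verify_grub_pbkdf2` accepts a hash produced by the real tool, which is the quickest way to confirm that the value documented for `--password=` is this PBKDF2 string and not anything MD5-based.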

@mlewando, @akostadi @ferdnyc Sorry, I'm a bit lost by the comments. Is this now ready to be merged?

@pboy

The only remaining point of discussion is this change:

- Starting from Fedora 21, the `--md5pass` kickstart option must be used when using the `grub2-mkpasswd-pbkdf2` command.
+ Starting from Fedora 15, the `--md5pass` or the `--password=<encrypted_grub_passwd> --iscrypted` kickstart option must be used if setting an encrypted *GRUB2* password in the kickstart.

(Ugh, our highlight.js setup doesn't do diff highlighting?)

@akostadi was somewhat perturbed by the inclusion of --md5pass, but decided to live with it.

I feel it's a mistake to include, because it's not a valid option for grub2-mkpasswd-pbkdf2 (as the old text seemed to be implying), and if it's a valid option for the Kickstart bootstrap command (which is what accepts the alternative --iscrypted --password= arguments), then it [meaning --md5pass] is an undocumented, outdated option that IMHO we shouldn't be encouraging anyone to use anymore.

I also think that text could be clearer about what exactly it means that these "kickstart option must be used", since like I said AFAICT those are actually flags for Kickstart's bootstrap command, specifically.

But those are relatively minor concerns, and there is clearer information on those points in the Kickstart documentation itself. If the decision is made to merge it as-is, I have no strong objections.

The only place that I know of that --md5pass is documented is here: https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html#bootloader and it does work, but I'm happy to remove that part if it's not in the other documentation and y'all prefer to discourage its use.

2 new commits added

  • Remove md5pass option
  • Two more small changes to grub2 password doc
a month ago

@mlewando

The only place that I know of that --md5pass is documented is here

Yeah, and even there it's documented as being simply an...

Alias for --password=MD5PASS --iscrypted.

So IMHO it makes sense to just document that one form, instead. I wouldn't be surprised if --md5pass ends up deprecated soon enough. It's been almost three decades since md5 was broken, and it's not accepted by any sort of security/cryptography code anymore, so that alias is just confusing.

@mlewando

I'm not sure quite what happened, but those last two commits you pushed to the branch are a bit off — the first one completely removes the entire grub2-bootloader.adoc file, and then the second one adds the whole thing back in.

It'd probably be helpful to squash them together, so that they're one small change instead of two huge ones.

3 new commits added

  • Remove md5pass option
  • Two more small changes to grub2 password doc
  • Fix instructions for setting grub2 password
a month ago

@ferdnyc
Also not sure what happened... but it's done. Sorry for the mess.

I'm not sure why my attempts to "heart" your last comment are being met with a message on the console that reads:

POST https://pagure.io/fedora-docs/quick-docs/pull-request/703 405 (Method Not Allowed)

...So I'll just say, "Thanks! LGTM."
