How do I secure GRUB with a plain-text or MD5 hashed password?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 4, 5, 6

Issue

  • How do I secure GRUB with a plain-text or MD5 hashed password?
  • How do I set or reset a GRUB password?
  • How do I lock down GRUB to prevent people modifying the kernel boot parameters?

Resolution

For background on what GRUB passwords are and what they can be used for, see the RHEL6 Security Guide's section on Boot Loader Passwords.

For plain-text passwords

  1. Edit /boot/grub/grub.conf in a text editor and add a new "password PASSWORD-GOES-HERE" line prior to the first title stanza, e.g.:

    default=0
    timeout=5
    splashimage=(hd0,0)/grub/splash.xpm.gz
    hiddenmenu
    password my-not-so-hidden-password
    title Red Hat Enterprise Linux ...
    
  2. Ensure permissions on grub.conf do not allow anyone but root to read it

    # chmod 600 /boot/grub/grub.conf
    [root@localhost ~]# ls -l /boot/grub/grub.conf 
    -rw------- 1 root root 678 Jan 29 18:27 /boot/grub/grub.conf
    

For MD5-hashed passwords

  1. Run grub-md5-crypt and save the hash it generates to /boot/grub/grub.conf, using one of the following methods:

    • Use mouse to copy-paste
    • Use shell redirection (e.g., grub-md5-crypt >>/boot/grub/grub.conf)
    • Call grub-md5-crypt from within vim (by typing :r!grub-md5-crypt)

    Generate MD5-hashed passwords:

    [root@localhost ~]# grub-md5-crypt 
    Password: 
    Retype password: 
    $1$cpF.Z1$3Jm6il6b3pt66EYMbSYxS0
    [root@localhost ~]# 
    
  2. Add a new "password --md5 HASH-GOES-HERE" line prior to the first title stanza, e.g.:

    default=0
    timeout=5
    splashimage=(hd0,0)/grub/splash.xpm.gz
    hiddenmenu
    password --md5 $1$cpF.Z1$3Jm6il6b3pt66EYMbSYxS0
    title Red Hat Enterprise Linux ...
    
  3. As a final best-practice step, ensure permissions on grub.conf do not allow anyone but root to read it

    # chmod 600 /boot/grub/grub.conf
    [root@localhost ~]# ls -l /boot/grub/grub.conf 
    -rw------- 1 root root 678 Jan 29 18:27 /boot/grub/grub.conf
    
  4. Reboot the system and, at the GRUB menu, press p and enter the password to unlock the protected GRUB features.
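
An added example, not part of the original Red Hat solution: a shell check that a password line sits before the first title stanza, reports whether it is plain-text or MD5-hashed, and confirms grub.conf has no group/other access. The function names are hypothetical; it assumes GNU stat and the whitespace-separated "password ..." form shown above.

```shell
#!/bin/sh
# Added example (not Red Hat's code): audit a GRUB legacy grub.conf.
# Usage: sh audit-grub.sh /boot/grub/grub.conf

# Classify the password directive that precedes the first title stanza.
# Prints one of: none | plaintext | md5 | other
grub_password_kind() {
    awk '
        $1 == "title" { exit }              # stop at the first title stanza
        $1 == "password" {
            if ($2 == "--md5" && $3 ~ /^\$1\$/) kind = "md5"
            else if ($2 ~ /^--/)              kind = "other"
            else                              kind = "plaintext"
            exit
        }
        END { print (kind == "" ? "none" : kind) }
    ' "$1"
}

# Succeeds when group and other have no permission bits (e.g. mode 600).
grub_conf_private() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat assumed
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Print findings; return non-zero if the password is missing or the file is exposed.
audit_grub_conf() {
    conf=$1; rc=0
    case $(grub_password_kind "$conf") in
        md5)       echo "OK:   MD5-hashed password before the first title" ;;
        plaintext) echo "NOTE: plain-text password; readable by anyone who can read $conf" ;;
        none)      echo "FAIL: no password line before the first title"; rc=1 ;;
        *)         echo "INFO: password uses an option this check does not parse" ;;
    esac
    if grub_conf_private "$conf"; then
        echo "OK:   no group/other access on $conf"
    else
        echo "FAIL: group or other can access $conf; run chmod 600 $conf"; rc=1
    fi
    return $rc
}

if [ $# -gt 0 ]; then audit_grub_conf "$1"; fi
```

A password line that appears only after a title stanza is reported as "none", because the steps above place it before the first title.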

 
See also: How do I secure GRUB with a SHA-2 hashed password in RHEL6?


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.