Debianhelp.co.uk

Set/Change GRUB password

Log in as root

Enter grub mode:

# grub

Use md5crypt to encrypt password:
grub> md5crypt
Password: ******
Encrypted: $1$jxcdN0$hVHViq1aiPf8FziuGJGZp0

Copy down the encrypted password:
$1$jxcdN0$hVHViq1aiPf8FziuGJGZp0


Exit grub mode:
grub> quit

Modify file /etc/grub.conf:

kate /etc/grub.conf

Insert encrypted password in between "splashimage..." and "title...":
...
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
password --md5 $1$jxcdN0$hVHViq1aiPf8FziuGJGZp0
title BIZ DESK (2.4.20-8elx)

Save edited file

*A leading "#" means that the command has to be typed in the "Terminal" program found on the desktop
*Do not type the "#" itself when executing the command in the "Terminal" program



Set lilo Password

If you want to set a lilo password you need to edit /etc/lilo.conf

Adding: timeout=00

This option controls how long in seconds LILO waits for user input before booting to the default selection. One of the requirements of C2 security is that this interval be set to 0 unless the system dual boots something else.

Adding: restricted

This option asks for a password only if parameters are specified on the command line (e.g. linux single). The restricted option can only be used together with the password option. Make sure you use this one on each image.

Adding: password=<password>

This option asks the user for a password when trying to load the Linux system in single mode. Passwords are always case-sensitive. Also make sure the /etc/lilo.conf file is no longer world readable, or any user will be able to read the password.

An example of a protected lilo.conf file.

Edit the lilo.conf file with vi /etc/lilo.conf and add or change the above three options as shown:

boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=00                # change this line to 00
default=linux
restricted                # add this line
password=<password>
image=/boot/vmlinuz-2.2.12-20
label=linux
initrd=/boot/initrd-2.2.12-10.img
root=/dev/sda6
read-only

Add the password line and put your own password in it.

Because the configuration file /etc/lilo.conf now contains unencrypted passwords, it should be readable only by the super-user root.

[root@test] /# chmod 600 /etc/lilo.conf

After this command the file is no longer world readable.

Now we must run lilo so that the changes made in /etc/lilo.conf take effect.

[root@test] /# /sbin/lilo -v

One more security measure you can take to protect the lilo.conf file is to set it immutable with the chattr command. To set the file immutable, use the command:

[root@test] /# chattr +i /etc/lilo.conf

This will prevent any changes, accidental or otherwise, to the lilo.conf file. If you wish to modify the lilo.conf file you will first need to unset the immutable flag. To unset the immutable flag, use the command:

[root@test] /# chattr -i /etc/lilo.conf
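
The script below is an added example, not part of the original page: it checks a lilo.conf for the three options and the file mode described above. The function name audit_lilo_conf and the sample file are constructed for illustration, and it assumes GNU stat (stat -c).

```shell
#!/bin/sh
# Added example (not from the original page): audit a lilo.conf for the
# options described above. Function name is hypothetical; needs GNU stat.

audit_lilo_conf() {
    conf=$1
    fails=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 9; }

    # Drop comments and surrounding whitespace before matching keywords.
    body=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf")
    has() { printf '%s\n' "$body" | grep -Eiq "$1"; }

    has '^timeout[[:space:]]*=[[:space:]]*0+$' ||
        { echo "FAIL: timeout is not 0"; fails=$((fails + 1)); }
    has '^password[[:space:]]*=[[:space:]]*[^[:space:]]' ||
        { echo "FAIL: no password= line"; fails=$((fails + 1)); }
    has '^restricted$' ||
        { echo "FAIL: restricted is not set"; fails=$((fails + 1)); }

    # The password is stored in clear text: no group/other permission bits.
    mode=$(stat -c '%a' "$conf")
    case $mode in
        0|*00) ;;
        *) echo "FAIL: mode $mode, expected 600"; fails=$((fails + 1)) ;;
    esac

    [ "$fails" -eq 0 ] && echo "OK: $conf"
    return "$fails"
}

# Constructed sample input: a lilo.conf that sets a password but omits
# "restricted", keeps a non-zero timeout and is world readable.
sample=$(mktemp)
cat > "$sample" <<'EOF'
boot=/dev/sda
prompt
timeout=50
default=linux
password=<password>   # placeholder, as on the page
image=/boot/vmlinuz-2.2.12-20
    label=linux
    read-only
EOF
chmod 644 "$sample"
audit_lilo_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

The return value is the number of failed checks, so it can be used directly in a cron job or configuration-management check; the immutable flag is not checked here.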