
[Guide] Passwords in Grub4DOS


H@L0_F00


You can password protect your Multipass a couple of different ways. You can also use either plain-text or a salted MD5 hash.

To generate an MD5 hash of your preferred password

1. Boot up Grub4DOS

2. Press 'c' which brings you to the command line

3. Type in "md5crypt" and press Enter

4. It will ask you for a password, input your password.

5. The hash will be created, write it down EXACTLY HOW IT APPEARS.

My USB-TestVM would work well with this so that you can type everything in on the host instead of having to write it all down which can be a pain when you have bad handwriting or can't always decipher your '5' from your 'S.'

Now you've got a salted MD5 hash of your password, you can use this instead of plain-text for a little bit more security. (Although the password can EASILY be bypassed with a program as simple as notepad. More on that later.)

Ok, now you must implement the password in your menu.lst (this can be used on any .lst file though).

Let's say I use the password "multipass" and get the hash of "$1$vqP3$/KfP4fwz0nDBeFiEf0INP0"

To password protect editing of the boot options at the Grub4DOS boot (where it shows your menu.lst)

default 0
splashimage /multiboot/splashimages/tux.xpm.gz
password --md5 $1$vqP3$/KfP4fwz0nDBeFiEf0INP0

This requires the user to "gain privileged control" before editing any of the listed boot options or using the command line. To gain privileged control press 'p', type in your password, and press Enter. Now you can edit the boot options and have access to the command line.

You can make it so the user must gain privileged control before executing any of the boot options by using the "lock" command in your boot sequence like this: (Note-you must have a password set at the beginning of the config file (posted above) to use this)

title Something
lock
kernel /multiboot/something/vmlinuz
initrd /multiboot/something/initrd.gz

Now, if you try to boot "Something" you are denied "Error 32: Must be authenticated" which you solve by authenticating (pressing 'p' and typing in your password). You can add the "lock" command to any boot sequence, just remember that it stops executing when it reaches the "lock" command, so if you put it at the end, it's still bootable without authentication.

To request a password when the boot option is selected

title Something
password --md5 $1$vqP3$/KfP4fwz0nDBeFiEf0INP0
kernel /multiboot/something/vmlinuz
initrd /multiboot/something/initrd.gz

This will ask for a password when booting "Something" resulting in Error 32 if the password is incorrect.

If I wanted, I could replace anywhere where it says "password --md5 $1$vqP3$/KfP4fwz0nDBeFiEf0INP0" with "password multipass" and it will do the exact same thing, except your password is then in plain-text in your menu.lst file. I don't know why you'd want to do this, but you can, so I put it out there.

Although this does offer some type of "protection" from unwanted use of your multipass, to bypass it somebody could easily remove the "password" line and they're in. This does not encrypt, hide, or in any other way protect your data; everything is still on your flash drive and the password can be removed by an idiot.
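
A small audit script for the weaknesses described in the guide above, added here as an example and not part of the original post: it flags plain-text password lines, entries with no lock or password, a lock placed after the boot commands, and lock used without a global password. The function name, the finding strings and the sample menu.lst are constructed for illustration, and the late-lock rule follows the post's own description of how lock behaves.

```python
# Constructed sample menu.lst built from the directives shown in the guide.
SAMPLE = """\
password --md5 $1$vqP3$/KfP4fwz0nDBeFiEf0INP0
title Locked early
lock
kernel /multiboot/a/vmlinuz
title Locked late
kernel /multiboot/b/vmlinuz
lock
title Plain password
password multipass
kernel /multiboot/c/vmlinuz
title Open
kernel /multiboot/d/vmlinuz
"""
BOOT_CMDS = {"kernel", "initrd", "chainloader", "boot"}

def audit_menu_lst(text):
    """Return (scope, finding) tuples; scope is an entry title or 'global'."""
    findings, global_pw, entry = [], False, None
    def close(e):  # report an entry that nothing gated before it loaded
        if e and not e["gated"]:
            findings.append((e["title"], "lock placed after boot commands"
                             if e["late_lock"] else "no lock or password"))
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        cmd, args = parts[0].lower(), parts[1:]
        scope = entry["title"] if entry else "global"
        if cmd == "title":
            close(entry)
            entry = {"title": " ".join(args), "gated": False,
                     "loaded": False, "late_lock": False}
        elif cmd == "password":
            if "--md5" not in args:
                findings.append((scope, "plain-text password"))
            if entry is None:
                global_pw = True
            elif not entry["loaded"]:
                entry["gated"] = True
        elif cmd == "lock" and entry:
            if not global_pw:
                findings.append((scope, "lock without global password"))
            entry["late_lock" if entry["loaded"] else "gated"] = True
        elif cmd in BOOT_CMDS and entry:
            entry["loaded"] = True
    close(entry)
    return findings
```

Calling audit_menu_lst(SAMPLE) reports the "Locked late", "Plain password" and "Open" entries; a clean result only means the directives are in place, since anyone who can edit the file can still remove them.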


Good guide for people who haven't played around with GRUB all that much.

My main comment to this is a little off-topic, but considering...

... to bypass it somebody could easily remove the "password" line and they're in. ... everything is still on your flash drive and the password can be removed by an idiot.

I think the password option (and the lock ofc) are probably meant for PCs where you would use GRUB as your basic boot loader, where I assume you can't just grab the "menu.lst", edit it and put it back in.

Just my two cents.


True, except you can then change the boot priority, boot off a USB, change the menu.lst and boot from the main GRUB :P

Sure, but if someone is paranoid one can always crypt the HDD to prevent this, can't one :P
