Problem setting Grub password on RHEL7


I'm sure I'm missing something very simple, but can someone help me with this?

Trying to set up a password so that the Grub menu can't be edited without authentication.

  1. grub2-mkpasswd-pbkdf2
    Enter password:
    Confirm password:
  2. Copy password hash
  3. Edit /etc/grub2/40_custom
    set superuser="root"
    password root

  4. Save file
  5. grub2-mkconfig -o /boot/grub2/grub.cfg

After rebooting, I enter 'e' at the boot menu. It prompts me for the user (I enter 'root') and then it prompts me for the password (I enter
) and then I'm back at the Grub menu.

What am I missing? This seems like it's supposed to be much easier than all this.

Responses

I was able to find that my /boot/grub2/grub.cfg file had the '--unrestricted' option set on all the menuitems which probably explains why this wasn't working properly.

That brings me to the next challenge... How do I make it so that '--unrestricted' is not set by default?

UPDATED - It seems you may have used the below procedure, but just double check it...

UPDATED 2
I noticed this in Paragraph 24.3.1

Anyone can boot Red Hat Enterprise Linux Server, because of the --unrestricted option, but only john can edit the menu entry as a superuser has been defined. When a superuser is defined then all records are protected against unauthorized changes and all records are protected for booting if they do not have the --unrestricted parameter.

I have not tried this, but look at:
- RHEL 7 sysadmin guide, paragraph 24.3. GRUB 2 Password Protection
- And see the subsequent entries that follow.

Hope this helps, let us know how it goes. Make a backup of your grub file.

UPDATE Use Ryan Sawhill's method here (and cited in his post below) https://access.redhat.com/solutions/979643

I've changed accounts since I posted the previous, above,

Thanks! Yes, that's the document I was originally going by. The part I still can't figure out is how to make the system NOT use the '--unrestricted' option as a default. My concern is that, next time I install an updated kernel, the new menuitem will automatically include the '--unrestricted' option and I'll have to go back in and remove it again. On one system, this isn't so bad, but it does not scale well.

Hi Dan. I wrote an article about this a while back. Let me know if it helps you.

How to permanently password-protect standard RHEL7 menu entries in GRUB2

Ryan,

That's exactly what I was looking for! Thanks!!

Glad to hear it!

Thanks Daniel, I made a change right afterwards. I have switched accounts due to a long story that I'll spare ya. Anyone landing here, please DO see Ryan Sawhill's link above (scroll up) first too.

-RJ

The grub2-mkpasswd-pbkdf2 command also produces password output that's suitable for use in a FIPS compliant kickstart configuration file (ks.cfg).

I've used Ryan Sawhill's method which is an update for more current versions of RHEL 7, so the grub2-mkpasswd-pbkdf2 is replaced by using the method in the article he cites above.

Regards - RJ
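
The interaction between a defined superuser, the password directive and '--unrestricted' discussed in this thread can be re-checked after each grub2-mkconfig run or kernel update. The script below is an added example, not part of any post above; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit a GRUB 2 config for the settings discussed in this thread.
# Real use (as root): audit_grub_cfg /boot/grub2/grub.cfg

# Constructed sample input; the hash is a placeholder, not real output.
sample_cfg() {
cat <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.CONSTRUCTED-PLACEHOLDER
menuentry 'Constructed entry A' --class os --unrestricted {
}
menuentry 'Constructed entry B' --class os {
}
EOF
}

# Reads the file named in $1, or stdin when no argument is given.
audit_grub_cfg() {
    awk '
    # superusers must be defined before any entry is protected
    /^[ \t]*set[ \t]+superusers=/ { su = 1 }
    # hashed credential, as produced by grub2-mkpasswd-pbkdf2
    /^[ \t]*password_pbkdf2[ \t]/ { hashed++ }
    # plain "password" directive keeps the password in clear text
    /^[ \t]*password[ \t]/        { plain++ }
    /^[ \t]*menuentry[ \t]/ {
        total++
        if ($0 ~ /--unrestricted/) open++
    }
    END {
        printf "superusers_set=%s\n", (su ? "yes" : "no")
        printf "pbkdf2_users=%d\n", hashed
        printf "plaintext_users=%d\n", plain
        printf "entries=%d\n", total
        printf "unrestricted_entries=%d\n", open
    }' "${1:--}"
}

# Demonstration on the constructed sample
sample_cfg | audit_grub_cfg
```

A non-zero unrestricted_entries count together with superusers_set=yes is the situation quoted from paragraph 24.3.1: those entries boot without a password, while editing them still requires the superuser.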
