Red Hat Enterprise Linux 7/CentOS 7 system that requires manual entry of a bootloader password in order to boot any future kernels

Adding users and custom menuentry .... --users SOMEUSER directives to /etc/grub.d/40_custom as per the RHEL7 System Administrator’s Guide is great, but how can you configure grub so that ALL existing & future kernels require a password in order to boot?
- Edit /etc/grub.d/10_linux, changing the line like the following:
CLASS="--class gnu-linux --class gnu --class os --unrestricted"
to a line exactly like the following:
CLASS="--class gnu-linux --class gnu --class os --users '' "
This could be done with a simple sed command, e.g., by running the following from a root shell:
sed -i "/^CLASS=/s/unrestricted/users '' /" /etc/grub.d/10_linux
- Add a user to /etc/grub.d/40_custom as described in the RHEL7 System Administrator’s Guide, e.g., by running the following from a root shell:
cat >>/etc/grub.d/40_custom <<\EOF
set superusers="root"
password root test123
EOF
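To avoid keeping the password in clear text in that file, generate a PBKDF2 hash with grub2-mkpasswd-pbkdf2:
[root@clusterserver3 ~]# grub2-mkpasswd-pbkdf2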
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.86A0045A177A7C12C3649BE90A5A8CE1C9099EC4BFD50B0D4C1884FA13AD2893738F103C28888A819629DDE735AA1941C15732FB1ACCA9AF05B9E560C74ED474.61E9129DE99E0E7F6B7679534FF849046570C099A244D9D3215D849D5C1940FB50C478DCEFE4CE6086B41CA1BCDA185123166967B3933C0FDD5AA9E537B02505
Then add the user with password_pbkdf2 and the generated hash instead of the clear-text password line:
cat >>/etc/grub.d/40_custom <<\EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.E4827A5F6322572A56AAD8BC17E665160D4596290AFCB9C45D97DC6E621E7AF6D595946BE5291D9019DD51196835D54DACEB4047AAC3A510790BC2CE3B71BA07.6A5BC9851BD2EA5A505C558632F4FC049C41E0C44C49CDDE43C50DBE45D81FAEDC40A721D5EFA2A18758CE313541CD6035FDA1AA20FD5D7E1491ED2BF714CE4E
EOF
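The following check is an added example, not part of the original post: an sh function that audits grub.cfg-style text for the settings discussed above (a superusers value containing typographic quotes, a clear-text password line, a missing password_pbkdf2 line, and menuentry lines still carrying --unrestricted). The function names, finding labels and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# audit_grub_cfg FILE (hypothetical helper): prints one finding per line and
# returns 0 only when there are none.
audit_grub_cfg() {
    cfg=$1; bad=0
    su='^[[:space:]]*set[[:space:]]+superusers='
    [ -r "$cfg" ] || { echo "UNREADABLE"; return 2; }
    # Without a superusers line GRUB does no authentication at all.
    if ! grep -Eq "$su" "$cfg"; then
        echo "NO_SUPERUSERS"; bad=1
    # Typographic quotes pasted from a web page are non-ASCII bytes in the value.
    elif LC_ALL=C grep -Eq "$su.*[^[:print:][:space:]]" "$cfg"; then
        echo "NON_ASCII_IN_SUPERUSERS"; bad=1
    fi
    # 'password USER TEXT' leaves the password readable in the file.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "PLAINTEXT_PASSWORD"; bad=1
    fi
    if ! grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.' "$cfg"; then
        echo "NO_PBKDF2_PASSWORD"; bad=1
    fi
    # Entries still marked --unrestricted boot without any password.
    n=$(grep -Ec '^[[:space:]]*menuentry[[:space:]].*--unrestricted' "$cfg" || true)
    if [ "$n" -gt 0 ]; then
        echo "UNRESTRICTED_ENTRIES=$n"; bad=1
    fi
    return "$bad"
}

# Constructed sample configs (placeholder values, not from a real system).
sample_cfg() {
    if [ "$1" = weak ]; then
        cat <<'EOF'
set superusers=”root”
password root CONSTRUCTED-CLEARTEXT
menuentry 'Sample kernel' --class gnu-linux --class gnu --class os --unrestricted { true; }
EOF
    else
        cat <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Sample kernel' --class gnu-linux --class gnu --class os --users '' { true; }
EOF
    fi
}

# Demo run over both constructed samples.
for kind in weak hardened; do
    f=$(mktemp); sample_cfg "$kind" >"$f"
    echo "== $kind"; audit_grub_cfg "$f" || true; rm -f "$f"
done
```

Point it at the generated grub.cfg rather than the scripts under /etc/grub.d, since literal menuentry lines only exist in the generated file.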