2 Replies Latest reply: Apr 18, 2013 12:20 PM by Darren Moffat-Oracle

    How Do You Set a GRUB 2 Boot Menu Password in Solaris 11.1

    keesor
      I've done all kinds of searches here and on Google to figure out how to set a GRUB menu password in Solaris 11.1, and can't find anything about it for Solaris 11.1, only for Linux.

      We are a government agency, and are required to follow the DISA and CIS benchmarks for locking down a system. Setting the GRUB boot menu password is one of the requirements for x64 servers.

      To set the GRUB password in Solaris 10 you did the following:

      # Run the grub command
      /boot/grub/bin/grub

      Type md5crypt at the grub prompt
      grub> md5crypt

      Enter the password you want to set, and it will show you the encrypted value:
      Password: changeme
      Encrypted: $1$9jC881$RRf4VaJaotnhN4E8bEkz.1

      Edit the /rpool/boot/grub/menu.lst file and add the following line above the entries added by bootadm:
      password --md5 $1$9jC881$RRf4VaJaotnhN4E8bEkz.1

      Finally, add a new line with the text "lock" under the title of each entry you want to protect,
      e.g.
      title Oracle Solaris 10 8/11 s10x_u10wos_17b X86
      lock
      ...

      title Solaris failsafe
      lock
      ...

      In GRUB 2, there is no menu.lst file, and no grub command.

      Is it still possible to set a boot menu password in GRUB 2?

      Thank you in advance!

      Matt
        • 1. Re: How Do You Set a GRUB 2 Boot Menu Password in Solaris 11.1
          keesor
          Ok, I think this might be the way to do it, but could someone confirm this please?

          Setting a boot menu password in Solaris 11.1 ( GRUB 2 )

          # Create the password

               /usr/lib/grub2/bios/bin/grub-mkpasswd-pbkdf2
               
               # Enter and confirm the password
               
                    Enter password: changeme
                    Reenter password: changeme
               
               # Grub displays the hashed password
               
                    Your PBKDF2 is grub.pbkdf2.sha512.10000.1831D57224A36CC245CE31F292DF1ADFCB44ECF639FB7763C19E0387ADFFD5B4CFF763C18A6366572151A1224C06E3025A1CF8EB7B58A2CD7AABAC4410AEBFC2.244E0285590D0ED10060EA9F06A89E5CAC10AD46E9518636991C4DA1ACC7DFBBED3244F6347B443AD557BB4DD6E0C384F923B8663CD8C653A4D4322D6EB8CAB8


          # Edit the /boot/grub/grub.cfg

               vi /boot/grub/grub.cfg
               
               # Add the following below the 'set default="0"' line but before the menuentry section of the file:
               
                    set superusers="root"
                    password_pbkdf2 root grub.pbkdf2.sha512.10000.1831D57224A36CC245CE31F292DF1ADFCB44ECF639FB7763C19E0387ADFFD5B4CFF763C18A6366572151A1224C06E3025A1CF8EB7B58A2CD7AABAC4410AEBFC2.244E0285590D0ED10060EA9F06A89E5CAC10AD46E9518636991C4DA1ACC7DFBBED3244F6347B443AD557BB4DD6E0C384F923B8663CD8C653A4D4322D6EB8CAB8
                    ***(Note: the line above is the text " password_pbkdf2 root " and then the result from the grub-mkpasswd-pbkdf2 command you ran in the first step )***


               # Add ' --users "" ' to the menuentry line for each one you want to force a password on
               
                    Each menuentry line was:
                    
                    menuentry "Oracle Solaris 11.1" {
                    
                    menuentry "Oracle Solaris 11.1 ttya" {
                    
                    menuentry "Oracle Solaris 11.1 ttyb" {
                    
                    
                    Change to:
                    
                    menuentry "Oracle Solaris 11.1" --users "" {
                    
                    menuentry "Oracle Solaris 11.1 ttya" --users "" {
                    
                    menuentry "Oracle Solaris 11.1 ttyb" --users "" {
          • 2. Re: How Do You Set a GRUB 2 Boot Menu Password in Solaris 11.1
            Darren Moffat-Oracle
            That is the GRUB2 way to do it.
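
An added example, not part of the thread and not Oracle's code: a small audit that checks a grub.cfg against the steps in reply 1 (superusers set, a password_pbkdf2 line for each superuser, and `--users` on every menuentry). The function name `audit_grub_cfg`, the regexes and the sample configuration with its placeholder hash are assumptions constructed for illustration.

```python
import re

# Constructed sample of an edited grub.cfg; the hash is a placeholder,
# not real grub-mkpasswd-pbkdf2 output. The ttyb entry is left unprotected.
SAMPLE_CFG = """\
set default="0"
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.SALTPLACEHOLDER.HASHPLACEHOLDER
menuentry "Oracle Solaris 11.1" --users "" {
}
menuentry "Oracle Solaris 11.1 ttya" --users "" {
}
menuentry "Oracle Solaris 11.1 ttyb" {
}
"""

SUPERUSERS = re.compile(r"""set\s+superusers=["']?([^"']*)""")
PBKDF2 = re.compile(r"password_pbkdf2\s+(\S+)\s+(\S+)")
PLAIN = re.compile(r"password\s+(\S+)\s+\S+")
ENTRY = re.compile(r"""menuentry\s+(?:"([^"]*)"|'([^']*)')(.*)""")


def audit_grub_cfg(text):
    """Return findings for a grub.cfg; an empty list means every check passed."""
    findings, superusers, hashed = [], set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if m := SUPERUSERS.match(line):
            # GRUB accepts space, comma, semicolon, pipe or ampersand separators.
            superusers |= {u for u in re.split(r"[\s,;|&]+", m.group(1)) if u}
        elif m := PBKDF2.match(line):
            if m.group(2).startswith("grub.pbkdf2."):
                hashed.add(m.group(1))
            else:
                findings.append(f"line {lineno}: malformed PBKDF2 hash for {m.group(1)}")
        elif m := PLAIN.match(line):
            findings.append(f"line {lineno}: cleartext password for {m.group(1)}")
        elif m := ENTRY.match(line):
            if "--users" not in m.group(3).split():
                title = m.group(1) or m.group(2) or ""
                findings.append(f"line {lineno}: menuentry '{title}' has no --users")
    if not superusers:
        findings.append("superusers is not set")
    for user in sorted(superusers - hashed):
        findings.append(f"superuser {user} has no password_pbkdf2 line")
    return findings


if __name__ == "__main__":
    for finding in audit_grub_cfg(SAMPLE_CFG):
        print(finding)
```

Running the same audit after any tool rewrites grub.cfg shows whether the manual edits survived.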