2 Replies Latest reply on Apr 18, 2013 5:20 PM by Darren Moffat-Oracle

    How Do You Set a  GRUB 2 Boot Menu Password in Solaris 11.1

      I've done all kinds of searches here and on Google to figure out how to set a GRUB menu password in Solaris 11.1, and can't find anything about it for Solaris 11.1, only for Linux.

      We are a government agency, and are required to follow the DISA and CIS benchmarks for locking down a system. Setting the GRUB boot menu password is one of the requirements for x64 servers.

      To set the GRUB password in Solaris 10 you did the following:

      # Run the grub command

      Type md5crypt at the grub prompt
      grub> md5crypt

      Enter the password you want to set, and it will show you the encrypted value:
      Password: changeme
      Encrypted: $1$9jC881$RRf4VaJaotnhN4E8bEkz.1

      Edit the /rpool/boot/grub/menu.lst file and add the following line above the entries added by bootadm:
      password --md5 $1$9jC881$RRf4VaJaotnhN4E8bEkz.1

      Finally add a new line with the text "lock" under the title of each entry you want to protect:
      title Oracle Solaris 10 8/11 s10x_u10wos_17b X86

      title Solaris failsafe

      In GRUB 2, there is no menu.lst file, and no grub command.

      Is it still possible to set a boot menu password in GRUB 2?

      Thank you in advance!

        • 1. Re: How Do You Set a  GRUB 2 Boot Menu Password in Solaris 11.1
          Ok, I think this might be the way to do it, but could someone confirm this please?

          Setting a boot menu password in Solaris 11.1 ( GRUB 2 )

          # Create the password

               # Enter and confirm the password
                    Enter password: changeme
                    Reenter password: changeme
               # Grub displays the hashed password
                    Your PBKDF2 is grub.pbkdf2.sha512.10000.1831D57224A36CC245CE31F292DF1ADFCB44ECF639FB7763C19E0387ADFFD5B4CFF763C18A6366572151A1224C06E3025A1CF8EB7B58A2CD7AABAC4410AEBFC2.244E0285590D0ED10060EA9F06A89E5CAC10AD46E9518636991C4DA1ACC7DFBBED3244F6347B443AD557BB4DD6E0C384F923B8663CD8C653A4D4322D6EB8CAB8

          # Edit the /boot/grub/grub.cfg

               vi /boot/grub/grub.cfg
               # Add the following below the " set default="0" but before the menuentry section of the file:
                    set superusers="root"
                    password_pbkdf2 root grub.pbkdf2.sha512.10000.1831D57224A36CC245CE31F292DF1ADFCB44ECF639FB7763C19E0387ADFFD5B4CFF763C18A6366572151A1224C06E3025A1CF8EB7B58A2CD7AABAC4410AEBFC2.244E0285590D0ED10060EA9F06A89E5CAC10AD46E9518636991C4DA1ACC7DFBBED3244F6347B443AD557BB4DD6E0C384F923B8663CD8C653A4D4322D6EB8CAB8
                    ***(Note: the line above is the text " password_pbkdf2 root " and then the result from the grub-mkpasswd-pbkdf2 command you ran in the first step )***

               # Add ' --users "" ' to the menuentry line for each one you want to force a password on
                    Each menuentry line was:
                    menuentry "Oracle Solaris 11.1" {
                    menuentry "Oracle Solaris 11.1 ttya" {
                    menuentry "Oracle Solaris 11.1 ttyb" {
                    Change to:
                    menuentry "Oracle Solaris 11.1" --users "" {
                    menuentry "Oracle Solaris 11.1 ttya" --users "" {
                    menuentry "Oracle Solaris 11.1 ttyb" --users "" {