Grub

How Do I Secure Grub Boot Loader?

Create A Password For Grub

Add MD5 Password To Grub Configuration File

Optional Settings for Dual Booting Computer

How To Recover Linux Grub Boot Loader Password

Knoppix Live cd

Mount Partition

Remove The Grub Password

Change Root password

How Do I Secure Grub Boot Loader?

You can set a password for the GRUB bootloader. This prevents users from entering single user mode or changing settings at boot time.

 

When your system is rebooted, GRUB presents the boot option menu. From this menu anyone can easily log in to single user mode without a password, which can compromise system security.

For example, anyone can access the data or change the settings. However, you can set up a password for GRUB with the password option. This option forces GRUB to ask for a password before allowing any changes or entry into single user mode. You need to type p followed by the password.

Create A Password For Grub

Type the grub-md5-crypt command to create a password in MD5 format:
# grub-md5-crypt
Output:
Password:<ENTER-YOUR-PASSWORD>
Retype password:<ENTER-YOUR-PASSWORD>
$1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0

Please note that you need to copy and paste the MD5 password ($1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0) into your configuration file. Use the mouse to copy it.

Add MD5 Password To Grub Configuration File

Under Debian GNU/Linux the GRUB configuration file is located at /boot/grub/menu.lst. (Red Hat / Fedora users use the /boot/grub/grub.conf file.)
# vi /boot/grub/menu.lst
Edit the file and add a password line as follows:
password --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0
Here is my sample config file:

default         0
timeout         5
password --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0
title           Debian GNU/Linux, kernel 2.6.13.4-cust-en-smp
root            (hd0,0)
kernel          /boot/vmlinuz root=/dev/hda3 ro
savedefault
boot

Save and close the file.

Optional Settings for Dual Booting Computer

If you dual boot with Windows XP/2000/7, consider adding the lock command to the Windows XP entry, right after the title command:

title           Windows NT/2000/XP
lock
root            (hd0,1)
savedefault
makeactive
chainloader     +1

Note that the lock option can also be added to the failsafe entry. For more information please read
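A check for the two settings above, as an added example that is not part of the original article: the shell function below reads a GRUB legacy menu.lst or grub.conf on standard input and reports a missing or plaintext global password, a hash that is not a complete $1$salt$hash string (for example after a bad copy and paste), and every title entry that has no lock. The function names, the finding labels and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a GRUB legacy menu.lst / grub.conf read from stdin.
# Prints one finding per line; no output means no gap was found.
audit_menu_lst() {
    awk '
    function end_entry() {
        # Without "lock" (or its own password line) an entry boots unprompted.
        if (title != "" && !locked) print "NOLOCK: " title
    }
    /^[ \t]*#/ { next }                      # comment line
    $1 == "title" {
        end_entry(); locked = 0
        title = $0; sub(/^[ \t]*title[ \t]+/, "", title); next
    }
    $1 == "password" && title == "" {        # global password line
        has_pw = 1
        n = split($3, p, "[$]")              # "$1$salt$hash" -> "", 1, salt, hash
        if ($2 != "--md5")
            print "PLAINTEXT: password is not stored with --md5"
        else if (n != 4 || p[2] != "1" || length(p[3]) < 1 || length(p[3]) > 8 ||
                 length(p[4]) != 22 || (p[3] p[4]) !~ "^[./0-9A-Za-z]+$")
            print "MALFORMED: not a complete $1$salt$hash string (bad paste?)"
        next
    }
    $1 == "lock" || $1 == "password" { locked = 1 }
    END {
        end_entry()
        if (!has_pw) print "NOPASSWORD: no password line before the first title"
    }'
}
# Constructed sample: the config from this page plus recovery and Windows entries.
sample_menu_lst() {
    cat <<'EOF'
default 0
password --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0
title Debian GNU/Linux, kernel 2.6.13.4-cust-en-smp
root (hd0,0)
kernel /boot/vmlinuz root=/dev/hda3 ro
title Debian GNU/Linux (recovery mode)
lock
root (hd0,0)
kernel /boot/vmlinuz root=/dev/hda3 ro single
title Windows NT/2000/XP
root (hd0,1)
chainloader +1
EOF
}
sample_menu_lst | audit_menu_lst
```

Run it against the real file with audit_menu_lst < /boot/grub/menu.lst. A NOLOCK line for the default entry is expected when the machine has to boot unattended.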

How To Recover Linux Grub Boot Loader Password

GNU GRUB (short for GNU GRand Unified Bootloader) is a boot loader package from the GNU Project. If you have a password-protected GRUB boot loader and you forgot both the root and GRUB passwords, you can recover the GRUB boot loader password using the following procedure:

 

  1. Use the Knoppix CD. Boot from the Knoppix Live CD
  2. Remove the password from the Grub configuration file
  3. Reboot the system
  4. Change the root password
  5. Set up a new Grub password if required (optional)

Knoppix Live cd

The best way to recover (or reset) a password (and to solve many other problems) is to use the Knoppix Live CD. First download Knoppix and burn it to a CD. Put the CD into the CD/DVD drive and boot the system. You need to boot the system into single user mode; at the boot: prompt type linux single:
boot: linux single

Fig.01: Knoppix in action
 

Mount Partition

You need to mount the partition where your Grub configuration file is stored. Depending upon your Linux distribution, the location of the Grub configuration file changes. The following list summarizes the Grub configuration file location for popular distros:

If you forgot the partition name, use the fdisk -l command to obtain the partition list / names:
# fdisk -l

Fig.02: The fdisk command displaying the current partition list

Finally, you need to mount your partition as follows:
# mount /dev/sdb1 /mnt

Remove The Grub Password

a) If you are using Debian Linux you need to modify the /boot/grub/menu.lst file:
# cd /mnt/boot/grub
# vi menu.lst

b) If you are using Suse Linux you need to modify the /etc/grub.conf file:
# cd /mnt/etc
# vi grub.conf

c) If you are using Red Hat / Fedora Linux you need to modify the /boot/grub/grub.conf file:
# cd /mnt/boot/grub
# vi grub.conf

Once the file is open in a text editor, locate the password line and remove it:
password --md5 $1$9sdflksdf/sdf44k

Fig.03: Removing The Grub Password Line

Save and close the file. Reboot the system.
# sync; sync
# cd /
# umount /mnt
# reboot

Change Root password

Now your Grub password is removed from the system. You can get into the system without any password. To restore the root user password, boot the system into single user mode.

1) At the Grub prompt press ‘e’ to edit the command before booting.

2) Select the second line

3) Again, press ‘e’ to edit the selected command

4) Type the following line
init=/bin/sh
OR
init=/bin/bash

Fig.04: Booting into a single user mode using Grub

5) Press ‘b’ to boot the system.

6) Now you are at the shell prompt. Just change the root password with the passwd command:
# passwd
Please note that depending upon your Linux distribution you may need to remount the root partition in read/write mode before running the above command.