If that is the password for only Grub at the booting, does it guarantee the security of the hard-disk? becoz the login has been restricted. i am new so don't know much about stdout, would see it. your later, lines, i am not able to understand, my request to you would be if you could make it more simple for a new user like Tim did.<br>
<br>thx.<br><br>---------- Forwarded message ----------<br>From: kalinix <<a href="mailto:calin.kalinix.cosma@gmail.com">calin.kalinix.cosma@gmail.com</a>><br>To: Community support for Fedora users <<a href="mailto:users@lists.fedoraproject.org">users@lists.fedoraproject.org</a>><br>
Date: Thu, 10 Jun 2010 22:28:15 +0300<br>Subject: Re: Re: Help required<br>
On Fri, 2010-06-11 at 00:21 +0530, Pallav Jain wrote:<br>
<blockquote type="CITE">
thx tim, your method is too good for securing the data. but i have som doubts which are as follows:<br>
<br>
as you mentioned, i did, but frankly speaking, i am new user, so facing much problem. the issues are as follows:<br>
<br>
1. i edited the grub.conf file, by adding in it the line:<br>
<br>
password --md5 $xxx/<br>
<br>
just above the first title section and below 'hiddenmenu' line. (where xxx=Envrypted password)<br>
<br>
but is this encrypted password of the general user that i login with, in the fedora system? and not the root ever?<br>
</blockquote>
<br>
Not at all, this password is ONLY for accessing and editing Grub on boot time<br>
<br>
<blockquote type="CITE">
<br> 2. when we get the encrypted password
while typing the command 'md5crypt' in the grub shell, where is this
saved? i mean if at all after closing we want to see this encrypted
password where to see? and each time if typing the 'md5crpty' command
in the grub shell overwrites the previous password?<br>
<br>
</blockquote>
Generally speaking, the output of any command is stdout. What gets os
stdout is not saved anywhere, unless directed so (through a pipe or a
redirect for example).<br>
And yes, unless you use same salt for md5 generated hashes or you do
not use salt at all, the hash will differ from one command to another.
On the other side, the command in the grub shell does not overwrites
anything, while you have to manually copy the hash and paste it in the
grub file.<br>
<br>
<br>
<blockquote type="CITE"> 3. if we even encypt the password of the root,
method is same? if yes, how to enter the username 'root' so that the
sys. understands this is the encrypted password of 'root' only.<br>
<br>
</blockquote>
<br>
No. The <emphasize> SHA256 hash </emphasize> for root's (or
any other user) password is kept in /etc/shadow. When root logs in, the
login generates an hash out of the password entered on the terminal and
it's compared with the one existing in /etc/shadow. If those two
matches, the access is granted. (of course this is the simpler way to
put it, in fact things can become much more complicated)<br>
<br>
<blockquote type="CITE">
4. as you say:<br>
<br>
"And then.... if you want different passwords for different menu items,<br>
put the password line within the different title sections of the<br>
grub.conf file, instead of having one password line above all of them.",<br>
<br>
means that each encrypted password is to be obtained from the grub
shell only, by typing that particular password? and it is saved where?<br>
<br>
</blockquote>
<br>
The passwords Tim was talking about are ONLY FOR grub menu, and again
it's not saved anywhere. As I said above, the stdout is not saved,
unless you construct your command for saving stdout. Grub access
password and login password are ENTIRELY two different things.<br>
<br>
<blockquote type="CITE">
thanks man.<br>
<br>
regards,<br>
pallav<br>
<br>
*************************************************************************************************<br>
************************************************************************************************<br>
<br>
As has been mentioned before, "/etc/grub.conf" "/boot/grub/grub.conf"<br>
and "/boot/grub/menu.lst" are all the same thing. One is the actual<br>
file, the others are links to it. You can work on any of them, it works<br>
the same.<br>
<br>
If you're trying to put an encrypted password into GRUB, so that only an<br>
authorised person can do something with it, then follow the steps on the<br>
page, carefully.<br>
<br>
Open a shell, switch to being the root user by using the "su -" command,<br>
type in the root user password, and hit enter. You'll need to be root<br>
to use grub.<br>
<br>
Type in the "grub" command, and hit enter. Now you're in the grub<br>
shell, instead of the bash shell. The commands you type, from now on,<br>
are grub commands.<br>
<br>
Type in the "md5crypt" command, and hit enter. Now you type in the<br>
password that you want to use, and hit enter. It'll spit back a string<br>
of characters that is the encrypted version of your password. It's this<br>
string of characters you'll put into your grub.conf file. Don't use the<br>
string of characters that the web page shows as an example.<br>
<br>
In your grub.conf file, before the first title sections, you'll put in<br>
the password next to the "password --md5" instruction, like I've done<br>
below. The "--md5" bit of the command line details the type of<br>
encryption that was used with the password.<br>
<br>
#boot=/dev/sda<br>
default=0<br>
timeout=5<br>
splashimage=(hd0,0)/grub/<br>
<blockquote>
splash.xpm.gz<br>
<br>
password --md5 $1vcvbhnjmk,l;;lbvcdC.<br>
<br>
title Fedora<br>
<br>
Now, with that in place, only someone who knows the password can press<br>
the "e" key in the grub boot screen to temporarily change how the<br>
computer will boot. All they can do is pick from the choices in the<br>
menu. If they attempt to use the "e" (edit) function, they'll be asked<br>
to type in the password.<br>
<br>
On top of that, if you wish to lock out some of the menu choices, so<br>
that only someone with the password can use them, then simply put the<br>
"lock" instruction directly under the title line. Like this:<br>
<br>
title Boot from floppy disk drive<br>
lock<br>
rootnoverify (fd0)<br>
chainloader +1<br>
<br>
And then.... if you want different passwords for different menu items,<br>
put the password line within the different title sections of the<br>
grub.conf file, instead of having one password line above all of them.<br>
<br>
title WinXP<br>
password --md5 $1iuyfd56tghjhgC.<br>
lock<br>
rootnoverify (hd0,0)<br>
chainloader +1<br>
<br>
title Boot from floppy disk drive<br>
password --md5 $1vcvbhnjmk,l;;lbvcdC.<br>
lock<br>
rootnoverify (fd0)<br>
chainloader +1<br>
<br>
If you're going to lock up the booting choices to stop people fiddling<br>
with your PC, then you'll also want to change the BIOS settings, so that<br>
someone can't simply boot from a CD or floppy, and bypass your grub.<br>
<br>
Go into your BIOS, change the boot options so that your hard drive is<br>
the only device that can be booted from, set a password on the BIOS,<br>
save the settings and exit.<br>
<br>
Now someone who wants to mess with your computer will have to open up<br>
the case and yank out the drive or the BIOS clock battery, or reset the<br>
BIOS. That's going to be difficult to do without someone seeing them do<br>
it.<br>
<br>
<br>
--<br>
[tim@localhost ~]$ uname -r<br>
2.6.27.25-78.2.56.fc9.i686<br>
<br>
Don't send private replies to my address, the mailbox is ignored. I<br>
read messages from the public lists.<br>
</blockquote>
</blockquote>
<br>
-- <br>
<br>
<br>
Calin<br>
<br>
Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857<br>
<br>
==============================<table width="100%" cellpadding="0" cellspacing="0"><tbody><tr><td>===================<br>
The life of a repo man is always intense.
</td></tr></tbody></table>