grub2 password fails

PiElle · September 6, 2012, 7:43pm

I tried to set a grub2 password following the reference guide:

As the user root, proceed as follows to set a boot password:
1 At the root prompt, encrypt the password using grub2-mkpasswd-pbkdf2:

grub2-mkpasswd-pbkdf2

Password: ****
Reenter password: ****
PBKDF2 hash of your password is
grub.pbkdf2.sha512.10000.9CA4611006FE96BC77A…
2 Paste the encrypted long string into the file /etc/grub.d/40_custom together
with the set superusers command. Remember to keep the commented lines
at the beginning:
set superusers=“root”
password_pbkdf2 root grub.pbkdf2.sha512.10000.9CA4611006FE96BC77A…
3 Run grub2-mkconfig -o /boot/grub2/grub.cfg to import the changes
into the main configuration file.
After you reboot, you will be prompted for username and password when trying to
boot any menu entry. Enter root and the password you typed during the
grub2-mkpasswd-pbkdf2 command. If the credentials are correct, the system
will boot the selected boot entry.

Actually, the system did not boot anymore: It kept asking for user name and password, which I provided with no avail.
I had to boot by the rescue system and clean the /etc/grub.d/40_custom (via the vim editor).
Now the system boots normally again.
I think to have properly followed the above guide … :\

hcvv · September 6, 2012, 8:05pm

As you did not post how those files you changed look like after the change, how could we check if you made a mistake (somethjing misunderstood or …)?

PiElle · September 6, 2012, 8:21pm

I only changed the /etc/grub.d/40_custom file, adding:

set superusers="root"
password_pbkdf2 root ...   " ...* encrypted long string"
*

The encrypted long string was the one generated by the grub2-mkpasswd-pbkdf2 command …

hcvv · September 6, 2012, 8:39pm

When I read the documentation you posted above, my impression is that you have to add the string “grub.pbkdf2.sha512.10000.” also before the encrypted part. Did you or didn’t you?

PiElle · September 6, 2012, 9:00pm

Yes lol! , because it’s part of the PBKDF2 hash generated by the above grub2-mkpasswd-pbkdf2 command.
In fact, the output of the command itself is:

PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.8A06F645A33 ...

The Ubuntu wiki (I found a link in the grub2 official site) shows similar instructions …

jdmcdaniel3 · September 9, 2012, 10:44pm

And when you show … at the end of the password hash, that is not really what you are pasting in, right? That is because it is very long. Why not hash 123456 and lets see if it matches mine:

PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.7A5AB70E4E36625E7C407ECFEB49F8D323B758E0D9BBDC20E9F1A44A3A70B6DE2711B5D35C4355F726DA6329313D744D6F1AAD5EE578D43BEEE58AF56A746FBE.806FE48A951A7A8D5C35322D9FC63E149171DC3E2C47294CBF17D3E6D3FA7B27FA0EF2079D5DDAADECEB50D3899F1E4207034FB74A664DE288550884A557FCEE

I put mine in a code field to prevent it from being modified. And I just tried this using openSUSE 12.2 in a VM, the user name was james and the password was 123456 and it worked like a champ. This is a very long hash that can not be modified in any way including it can not be broke up and can not include a space on the end. If you get it wrong, well you know what happens.

Thank You,

PiElle · September 11, 2012, 12:05pm

@ James,
thank you very much for your answer.

I repeated the above procedure and this time, after generating a new hash and reediting the /etc/grub.d/40_custom, I was finally able to set the boot loader password: now it works perfectly with the encrypted password. Here is, for reference, the relevant part of the grub.cfg file:

### END /etc/grub.d/30_os-prober ###
 ### BEGIN /etc/grub.d/40_custom ### # This file provides an easy way to add custom menu entries.  Simply type the # menu entries you want to add after this comment.  Be careful not to change # the 'exec tail' line above.
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.2AFB7F1B21F3A8DD3AF91AD6BFEF28E5B38BEE049DC73FC443238B99E484086516AA38C91089A0932CFBA3800D908F3F98867D88D4613A2BCE84CAE9505A6ECA.607AE848DDB79F2E3145717F5615427AAC04E837554F0E771DD14022CB1031E2256FA16DBD866D2D6CAA59AA205FA29B7763E2DDAE31F21C8A7DF19F174D280E ### END /etc/grub.d/40_custom ###
 ### BEGIN /etc/grub.d/41_custom ###

May be it was an error during the copy and paste operation (?). I think it’s unlikely, because I’ve tried several times (ending up to generate four different hashes).
Obviously, I’ve always pasted the entire hash generated by the grub2-mkpasswd-pbkdf2 command.
Anyway the problem now is solved!
openSUSE 12.2. rocks! rotfl!
Best regards.

jdmcdaniel3 · September 11, 2012, 1:02pm

PiElle:

@ James,
thank you very much for your answer.

I repeated the above procedure and this time, after generating a new hash and reediting the /etc/grub.d/40_custom, I was finally able to set the boot loader password: now it works perfectly with the encrypted password. Here is, for reference, the relevant part of the grub.cfg file:
### END /etc/grub.d/30_os-prober ###
 ### BEGIN /etc/grub.d/40_custom ### # This file provides an easy way to add custom menu entries.  Simply type the # menu entries you want to add after this comment.  Be careful not to change # the 'exec tail' line above.
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.2AFB7F1B21F3A8DD3AF91AD6BFEF28E5B38BEE049DC73FC443238B99E484086516AA38C91089A0932CFBA3800D908F3F98867D88D4613A2BCE84CAE9505A6ECA.607AE848DDB79F2E3145717F5615427AAC04E837554F0E771DD14022CB1031E2256FA16DBD866D2D6CAA59AA205FA29B7763E2DDAE31F21C8A7DF19F174D280E ### END /etc/grub.d/40_custom ###
 ### BEGIN /etc/grub.d/41_custom ### 
May be it was an error during the copy and paste operation (?). I think it’s unlikely, because I’ve tried several times (ending up to generate four different hashes).
Obviously, I’ve always pasted the entire hash generated by the grub2-mkpasswd-pbkdf2 command.
Anyway the problem now is solved!
openSUSE 12.2. rocks! rotfl!
Best regards.

I am happy to hear you got it working and like the new openSUSE 12.2. Just let us know if you need any other help.

Thank You,