openSUSE 13.2: How to set a password for single user mode in grub2?

I tried to set a password to protect single user mode.
First, I ran /usr/sbin/grub-md5-crypt to get the hash. But where do I have to add this hash to the grub2 bootloader?

Thanks for your help.

In the openSUSE 12.2 documentation, Chapter 10, I found this, but the commands are not available in openSUSE 13.2.
Does anyone know how to password protect the grub2 bootloader and prevent entering single user mode?

>>>>>>>>>>>
If you protected your bootloader with a password as described in Section 10.2.7, “Setting a Boot Password”, you need to first enter the specified username and password to “unlock” the bootloader.

As the user root, proceed as follows to set a boot password:

  • At the root prompt, encrypt the password using grub2-mkpasswd-pbkdf2:

grub2-mkpasswd-pbkdf2
Password: ****
Reenter password: ****
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.9CA4611006FE96BC77A…

  • Paste the encrypted long string into the file /etc/grub.d/40_custom together with the **set superusers** command. Remember to keep the commented lines at the beginning:

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.9CA4611006FE96BC77A…

  • Run **grub2-mkconfig -o /boot/grub2/grub.cfg** to import the changes into the main configuration file. After you reboot, you will be prompted for username and password when trying to boot any menu entry. Enter root and the password you typed during the grub2-mkpasswd-pbkdf2 command. If the credentials are correct, the system will boot the selected boot entry.

>>>>>>>>>>>

Thanks for your help

Doing it the hard way go to Yast - boot loader and set password there. To lock password knowers from going to Single user mode I’m not sure you can.

Which commands exactly are not available?

This one I could not find in /usr/sbin/

grub2-mkpasswd-pbkdf2

Are you using grub legacy or grub2? Is grub2 installed?

Maybe because it is in /usr/bin/ actually? :wink:

$ which grub2-mkpasswd-pbkdf2 
/usr/bin/grub2-mkpasswd-pbkdf2
$ rpm -qf /usr/bin/grub2-mkpasswd-pbkdf2
grub2-2.02~beta2-20.14.2.x86_64

I tried this, and I got this error

"Internal error Please report a bug report with logs.
Details. INTERNAL_ERROR: output do not contain encrypted password. …
Reenter password:
PBKDF2 hash of password es grub.pbkdf2.sha512.10000…

Caller: /usr/share/YaST2/lib/bootloader/grub2pwd.rb:49:in `encrypt'

Thanks, this one helped !

You were right, it was in /usr/bin/

After that I could add the hash to /etc/grub.d/40_custom and could run /usr/sbin/grub2-mkconfig as described in the openSUSE 12.2 howto above.

:slight_smile:

Hi,

IIRC there was no option to put a password in grub via yast/yast2 (it could be 13.1 though) but in any case the file you should be looking for is

/etc/grub.d/40_custom

or a similar file that contains a part of a string

grub.pbkdf2.sha512.10000....

I have a script that does that, from before there was an option in yast2. Can’t find it now, sorry.

Yes, I tried to set the user and the hash in /etc/grub.d/40_custom and updated /boot/grub2/grub.cfg.
BUT, after restarting, I got stuck: it always asked me for username and password, but did not accept the correct password and returned to the grub2 boot menu.

So I still have the same problem: using the command line did not work, and using the YaST Bootloader menu doesn’t work either.
And I still have not found any option to prevent entering single user mode without password protection.

Please let me know if you have found something. Thank you for your answer

Hi.

I tried to set the username and password hash in /etc/grub.d/40_custom and modified the grub.cfg file using the command line tools described above.

BUT, after rebooting, I GOT STUCK at the bootloader, so I had to use an emergency disc to remove the settings to get back into my system.
I still have the same problems. It does not work using the command line, and I got an error using the YaST Bootloader option to set a password.
Also, I still could not find out whether there is a way to protect single user mode.

Thank you for your answer

This should work:

YaST-System-Bootloader-Bootloader options
Set a password.

If you try to protect only one item ( f.e. one created manually to boot in single-user mode ), anyone could hit ‘e’ at one of the other boot options, and add a “1” to the boot parameters.

So show content of your /etc/grub.d/40_custom.

Hi, this was its content:

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.D9DC380A85BA151F3D02029C0A14AEA1C2DDDAB8268829A0EFB7FD474FEDE01B72D2EDCFF2EAD36F8B1E832371A8B1ADD963F0B4F65D2B98320B9526E67C4765.DDE4A89178E35DEDE0C4D513E1ECF4243E58A3C730AE026229774D5928AF359BA7756B05243E4532EF0AC6748D46D0376DBF7D91A600A8D3ECACFFBAEAE8D7BD

The password I used with grub2-mkpasswd-pbkdf2 is not the real root password; I used another password but with the username “root”.
After rebooting, the password was rejected and the system returned to the grub2 boot menu.

I tried this, please look at page one, it came up with an error. I posted the error-message.

Works for me on 13.2. Please upload your grub.cfg to http://susepaste.org/ and describe step by step what you see when you try to boot.

Here it is: SUSE Paste

When I first see the boot menu, it asks me first for the username, I put in <root>, then it asks for the password, I put in <used_password>, the screen hangs for a few seconds and the boot menu comes up again. This sequence repeats over and over again. The system will not accept the username and password.

Thanks

Finally I found the solution (OpenSUSE 13.2 x64 with UEFI):

In my case the password-lock for the bootloader just did not work because I have UEFI.
There is one command more to do to get it working. And maybe UEFI is also the reason why it was not possible to set the password in YAST directly:

Here the complete set of commands:

sudo grub2-mkpasswd-pbkdf2
Password: ****
Reenter password: ****
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.9CA4611006FE96BC77A…

Open /etc/grub.d/40_custom and set the values like this:
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.9CA4611006FE96BC77A…

Update Grub2-Config:
grub2-mkconfig

Repair UEFI Secure Boot Tables:
shim-install --config-file=/boot/grub2/grub.cfg

Reboot and everything is working :):):slight_smile:

Thanks to all for the tips and hints.

[QUOTE=pzlingo;2797841]
Repair UEFI Secure Boot Tables:
shim-install --config-file=/boot/grub2/grub.cfg
[/QUOTE]
This is irrelevant. What is relevant - your grub.cfg was missing a newline after the "password_pbkdf2" command:

password_pbkdf2 root grub.pbkdf2.sha512.10000.D9DC380A85BA151F3D02029C0A14AEA1C2DDDAB8268829A0EFB7FD474FEDE01B72D2EDCFF2EAD36F8B1E832371A8B1ADD963F0B4F65D2B98320B9526E67C4765.DDE4A89178E35DEDE0C4D513E1ECF4243E58A3C730AE026229774D5928AF359BA7756B05243E4532EF0AC6748D46D0376DBF7D91A600A8D3ECACFFBAEAE8D7BD### END /etc/grub.d/40_custom ###

So comments were (attempted to be) interpreted as part of password.

P.S. to be clear - quoted code is one single line.
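
The failure identified in the last post can be checked for before rebooting. The following is an added example, not part of the thread: it tests whether a 40_custom file ends with a newline and whether every password_pbkdf2 line in a generated grub.cfg is well-formed. The temporary files and the short hex values are constructed sample input; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: pre-reboot sanity checks for a GRUB2 password setup.
# Read-only on the files it is given.

# Well-formed: password_pbkdf2 <user> grub.pbkdf2.sha512.<iter>.<salt-hex>.<hash-hex>
PBKDF2_RE='^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+[[:space:]]*$'

# Succeeds if the file is non-empty and its last byte is a newline.
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Returns 0 if all password_pbkdf2 lines are well-formed, 1 if any is
# malformed (printed to stderr, truncated), 2 if there is no such line.
check_pbkdf2_lines() {
    lines=$(grep -E '^[[:space:]]*password_pbkdf2' "$1") || return 2
    bad=$(printf '%s\n' "$lines" | grep -Ev "$PBKDF2_RE" || true)
    [ -z "$bad" ] && return 0
    printf 'malformed: %s\n' "$bad" | cut -c1-100 >&2
    return 1
}

# --- Constructed sample input (made-up short hex, not a real hash) ---
demo=$(mktemp -d)
printf 'set superusers="root"\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.AB12.CD34\n' > "$demo/good_custom"
printf 'set superusers="root"\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.AB12.CD34' > "$demo/bad_custom"

# Mimic what the thread shows: the END marker is written straight after the
# script's output, so a missing final newline glues it onto the hash.
for f in good bad; do
    { cat "$demo/${f}_custom"; echo '### END /etc/grub.d/40_custom ###'; } > "$demo/$f.cfg"
done

for f in good bad; do
    ends_with_newline "$demo/${f}_custom" && nl=yes || nl=no
    check_pbkdf2_lines "$demo/$f.cfg" 2>/dev/null && ok=ok || ok=MALFORMED
    echo "$f: 40_custom ends with newline=$nl, grub.cfg password line=$ok"
done
```

On a real system the same two functions would be pointed at /etc/grub.d/40_custom and /boot/grub2/grub.cfg after running grub2-mkconfig -o /boot/grub2/grub.cfg.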