Old 11-08-2021, 05:33 AM   #1
LinuxRSA
Member
 
Registered: Apr 2015
Location: South Africa
Posts: 71

Rep: Reputation: Disabled
Setup a Grub Password Using a Bash Script


Hi All

I'm on a RHEL 6 server; I'm writing a bash script to configure GRUB automatically.

I wish to run the bash script and enter the grub password.

Once the md5-crypt password is generated, is it possible to take the output and enter it to the /boot/grub/grub.conf file without editing the file using vi?

Is this possible to automate, or does it have to be done manually ?

Thanks
 
Old 11-08-2021, 05:56 AM   #2
boughtonp
Senior Member
 
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 3,627

Rep: Reputation: 2556

The author of the Md5crypt algorithm declared it insecure nine years ago.

Also, if you're still using RHEL 6 then surely you're paying RedHat for support, so why aren't you making use of that?

 
Old 11-08-2021, 06:05 AM   #3
LinuxRSA
Member
 
Registered: Apr 2015
Location: South Africa
Posts: 71

Original Poster
Rep: Reputation: Disabled
Hi, Thanks for the reply.

There is extended RHEL support for the Engineers. I'm trying to complete the ISO 27001 C.I.S Server Hardening Standard; one of the requirements is to set a Grub password.

I can do this manually but it would save time to automate the process for mass rollout purposes.
 
Old 11-08-2021, 06:13 AM   #4
boughtonp
Senior Member
 
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 3,627

Rep: Reputation: 2556

A shell script is nothing more than a pre-typed series of commands that are executed on demand.

If you know how to do what you want manually, open a text file, put "#!/bin/bash" on the first line, write out the relevant commands, then save it and "chmod +x 'filename'"

Have you tried that? If so, what does the script look like and where did you get stuck?

 
Old 11-08-2021, 06:42 AM   #5
LinuxRSA
Member
 
Registered: Apr 2015
Location: South Africa
Posts: 71

Original Poster
Rep: Reputation: Disabled

Hi, so the idea is to take the below manual process and automate it.

This is the head of the bash script

Code:
#!/bin/bash

# Set GRUB password
  echo \*\*\*\* Ensure\ Grub\ Password\ is\ Set\

Here's where I need help

When you run the below command you get a password for your Grub

Code:
[root@rhel~]# grub-md5-crypt
Password:
Retype password:
$HiThereThisIsMyPassword
[root@rhel~]#
Once you get this password you have to insert it into the Grub File /boot/grub/grub.conf

This is where you insert the entry.


Code:
[root@rhel-grub]# cat grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/mapper/vg01-root
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.32-754.35.1.el6.x86_64)
password --md5 $HiThereThisIsMyPassword
        root (hd0,0)
        kernel /vmlinuz-2.6.32-754.35.1.el6.x86_64 ro root=/dev/mapper/vg01-root rd_NO_LUKS LANG=en_US.UTF-/swap  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
        initrd /initramfs-2.6.32-754.35.1.el6.x86_64.img
title Red Hat Enterprise Linux (2.6.32-220.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-220.el6.x86_64 ro root=/dev/mapper/vg01-root rd_NO_LUKS LANG=en_US.UTF-8 rd_  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
        initrd /initramfs-2.6.32-220.el6.x86_64.img
[root@rhel-grub]#
Once the entry is completed, the file must be saved.

I need a process to achieve this via a bash script

Last edited by LinuxRSA; 11-16-2021 at 08:55 AM.
 
Old 11-08-2021, 06:58 AM   #6
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,678

Rep: Reputation: Disabled
RHEL 6 uses GRUB Legacy. /boot/grub/grub.conf can just be edited in-place with sed -i
Code:
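#!/bin/sh
grubconf=/boot/grub/grub.conf
test -r "$grubconf" || { echo "Cannot read $grubconf"; exit 1;}
password='my_password'
# Feed "md5crypt", the password and "quit" to the GRUB Legacy shell in
# batch mode and keep only the hash from its "Encrypted: ..." line.
enc_pass=$(echo \
"md5crypt
$password
quit" | /sbin/grub --batch --device-map=/dev/null |
  sed -n 's/^Encrypted: //p')
# Stop if no hash came back, so an empty password line is never written.
test -n "$enc_pass" || { echo "Could not generate hash"; exit 1;}
# Replace an existing password line, otherwise insert one as line 1.
grep -q '^password\>' "$grubconf" &&
  sedcmd="/^password\>/s|\s.*| --md5 $enc_pass|" ||
  sedcmd="1i password --md5 $enc_pass"
sed -i "$sedcmd" "$grubconf"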
But be aware that the s command in sed handles & in replacement string specially. IIRC, md5crypt uses B64 encoding for salt and hash, and thus & cannot appear in the output. Otherwise, you may have to guard against this.

Note also that forward slash (/) is part of the B64 alphabet, and this is why I'm using | as delimiter for substitute.

You can completely avoid the trouble by doing it like this
Code:
#!/bin/sh
grubconf=/boot/grub/grub.conf
test -r "$grubconf" || { echo "Cannot read $grubconf"; exit 1;}
password='my_password'
enc_pass=$(echo \
"md5crypt
$password
quit" | /sbin/grub --batch --device-map=/dev/null |
  sed -n 's/^Encrypted:/password --md5/p')
grep -q '^password\>' "$grubconf" &&
  sedcmd="/^password\>/{i\\
$enc_pass
         d}" ||
  sedcmd="0,/^\w/{//i\\
$enc_pass
         }"
sed -i "$sedcmd" "$grubconf"
As a bonus it inserts the missing password command after the initial comment lines. But I feel this is less readable.

Last edited by shruggy; 11-08-2021 at 12:18 PM.
 
Old 11-08-2021, 11:34 AM   #7
LinuxRSA
Member
 
Registered: Apr 2015
Location: South Africa
Posts: 71

Original Poster
Rep: Reputation: Disabled

Hi shruggy

Thanks for the script, successfully tested on both options, works perfectly, Grub automation is now running thanks to you, much appreciated.
 
Old 11-12-2021, 10:22 AM   #8
LinuxRSA
Member
 
Registered: Apr 2015
Location: South Africa
Posts: 71

Original Poster
Rep: Reputation: Disabled
Hi Shruggy

The script worked fine inserting the password into the file /boot/grub/grub.conf

But for some reason it inserts the entry on top of the file before Line 1 or at Line 10, which does not work after rebooting the system & testing GRUB password, see file below.

Code:
root@server ~]# vi /boot/grub/grub.conf
      1 # grub.conf generated by anaconda
      2 #
      3 # Note that you do not have to rerun grub after making changes to this file
      4 # NOTICE:  You have a /boot partition.  This means that
      5 #          all kernel and initrd paths are relative to /boot/, eg.
      6 #          root (hd0,0)
      7 #          kernel /vmlinuz-version ro root=/dev/mapper/vg01-root
      8 #          initrd /initrd-[generic-]version.img
      9 #boot=/dev/sda
     10 password --md5 $1$GyMgi1$0AGfCAayfhNQeGYMn13aO1
     11 default=0
     12 timeout=5
     13 splashimage=(hd0,0)/grub/splash.xpm.gz
     14 hiddenmenu
     15 title Red Hat Enterprise Linux Server (2.6.32-754.35.1.el6.x86_64)
     16         root (hd0,0)
     17         kernel /vmlinuz-2.6.32-754.35.1.el6.x86_64 ro root=/dev/mapper/vg01-root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD quiet rd_LVM_LV=vg01/root SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto rd_LVM        _LV=vg01/swap  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM audit=1
     18         initrd /initramfs-2.6.32-754.35.1.el6.x86_64.img
     19 title Red Hat Enterprise Linux (2.6.32-220.el6.x86_64)
     20         root (hd0,0)
     21         kernel /vmlinuz-2.6.32-220.el6.x86_64 ro root=/dev/mapper/vg01-root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD quiet rd_LVM_LV=vg01/root SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto rd_LVM_LV=v        g01/swap  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM audit=1
     22         initrd /initramfs-2.6.32-220.el6.x86_64.img
The entry works if inserted between Line 15 & Line 16, upon reboot the grub password works if inserted here.

Any advice on how to get the entry between Line 15 & Line 16 ?

Thanks

Last edited by LinuxRSA; 11-12-2021 at 11:16 AM.
 
Old 11-12-2021, 12:00 PM   #9
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,678

Rep: Reputation: Disabled
Change this line
Code:
sedcmd="0,/^\w/{//i\\
to
Code:
sedcmd="0,/^title/{//a\\
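
Added example, not part of any post in this thread: one way to make the same edit without building a sed program around the hash, covering the `&` and delimiter caveat from post #6 and the placement after the first `title` line from post #9. The function name `set_grub_legacy_password` and the scratch-directory demo file are assumptions of this example; the hash is handed to awk through the environment and the config is replaced by rename.

```shell
#!/bin/sh
# Added example (not from the thread).
# set_grub_legacy_password CONF HASH
#   CONF: path to a GRUB Legacy config; HASH: result of the md5crypt step.
set_grub_legacy_password() {
    conf=$1
    hash=$2
    [ -r "$conf" ] || { echo "Cannot read $conf" >&2; return 1; }
    # An empty hash means the hashing step failed; never write that out.
    [ -n "$hash" ] || { echo "Empty hash, refusing to edit $conf" >&2; return 1; }

    # Same decision as the thread's script: replace an existing password
    # line, otherwise add one after the first "title" line.
    if grep -q '^password[[:space:]]' "$conf"; then mode=replace; else mode=insert; fi

    # Build the new file next to the target and rename it into place, so a
    # failure part-way never leaves a truncated grub.conf behind.
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # ENVIRON[] passes the hash to awk as plain data, so &, \, | and / in it
    # need no escaping (awk -v would still interpret backslashes).
    GRUB_HASH=$hash awk -v mode="$mode" '
        BEGIN { line = "password --md5 " ENVIRON["GRUB_HASH"] }
        mode == "replace" && /^password[ \t]/ { print line; next }
        { print }
        mode == "insert" && !done && /^title[ \t]/ { print line; done = 1 }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Mode 0600 is an assumption of this example (hash readable by root only).
    chmod 600 "$tmp" && mv "$tmp" "$conf"
}

# Demo on a constructed grub.conf in a scratch directory (not /boot).
demo_dir=$(mktemp -d)
printf '%s\n' '# grub.conf generated by anaconda' 'default=0' \
    'title Red Hat Enterprise Linux Server' '        root (hd0,0)' \
    > "$demo_dir/grub.conf"
set_grub_legacy_password "$demo_dir/grub.conf" '$1$GyMgi1$0AGfCAayfhNQeGYMn13aO1'
cat "$demo_dir/grub.conf"
```

Running it a second time with a different hash replaces the line instead of adding another one.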
 
Old 11-15-2021, 08:56 AM   #10
LinuxRSA
Member
 
Registered: Apr 2015
Location: South Africa
Posts: 71

Original Poster
Rep: Reputation: Disabled
Hi Shruggy, Works Perfectly thanks once again
 
Old 11-16-2021, 08:44 AM   #11
LinuxRSA
Member
 
Registered: Apr 2015
Location: South Africa
Posts: 71

Original Poster
Rep: Reputation: Disabled
Hi Shruggy, RHEL6 Grub Automation works perfectly, Will the same code work for automating this in RHEL7, see commands in red ?
Code:
# Set RHEL 7 GRUB password
  echo
  echo \*\*\*\* Backup\ GRUB\ Files
  cp /etc/grub.d/10_linux /etc/grub.d/10_linux.bk
  cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bk
  
  echo \*\*\*\* Ensure\ GRUB\ password\ is\ Set
grubconf=/boot/grub2/grub.conf
To achieve setting up GRUB in RHEL7 below is the manual process.

Code:
[root@rhel7] ~]# sed -i "/^CLASS=/s/ --unrestricted//" /etc/grub.d/10_linux                  
[root@rhel7] ~]#
[root@rhel7] ~]# grub2-setpassword
Enter password:
Confirm password:
[root@rhel7] ~]#
[root@rhel7] ~]# cat /boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.63D51456A439704613125594E578BE1CC6CC2B611B451D48AB2C5225B7DE171AEF9D428EE77DB5CB09CCB4EA363714407E9A570C1616CB996965397BF6A31AC9.97E1FB1F6C696D32B7CE0096462B409B01937E6B1AC6FAA56EA552E0A45C88AA1920A5F65DC8BB6E3C9298A63A9F1788F6D75677F9228D81083636B0652F36DB
[root@rhel7] ~]#
[root@rhel7] ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-1160.45.1.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-1160.45.1.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-1062.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-1062.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-7558604763c74fc29fdfd5e6e5f7d9da
Found initrd image: /boot/initramfs-0-rescue-7558604763c74fc29fdfd5e6e5f7d9da.img
done
[root@rhel7] ~]#
[root@rhel7]# cat /etc/grub2.cfg | grep GRUB2_PASSWORD
  if [ -n "${GRUB2_PASSWORD}" ]; then
    password_pbkdf2 root ${GRUB2_PASSWORD}
[root@rhel7#
Thanks

Last edited by LinuxRSA; 11-16-2021 at 08:53 AM.
 
Old 11-16-2021, 11:36 AM   #12
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,678

Rep: Reputation: Disabled
Actually, GRUB 2 makes things much easier
Code:
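password='my_password'
# grub2-mkpasswd-pbkdf2 asks for the password twice; LC_ALL=C keeps its
# "... is grub.pbkdf2..." output line in English so the sed pattern matches.
printf %s\\n "$password" "$password"|
  LC_ALL=C grub2-mkpasswd-pbkdf2|
  sed -n 's/.* is /GRUB2_PASSWORD=/p' >/boot/grub2/user.cfg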
Note that on a UEFI system, the file would be /boot/efi/EFI/centos/user.cfg.

Last edited by shruggy; 11-23-2021 at 10:21 AM.
 
Old 11-17-2021, 05:26 AM   #13
LinuxRSA
Member
 
Registered: Apr 2015
Location: South Africa
Posts: 71

Original Poster
Rep: Reputation: Disabled

Hi Shruggy, Thanks, I got the below error when running the code.

Code:
[root@rhel7 ~]# ls
grub.sh
[root@rhel7 ~]#
[root@rhel7 ~]# cat grub.sh
#!/bin/bash
  # Setup RHEL 7 GRUB password
  echo
  echo \*\*\*\* Backup\ Grub\ Files
  cp /etc/grub.d/10_linux /etc/grub.d/10_linux.bk
  cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bk
  echo
  echo \*\*\*\* Ensure\ Grub\ password\ is\ Set
  echo
  password='my_password'
  printf -n '%s\n%s\n' "$password" "$password"|
  LC_ALL=C grub2-mkpasswd-pbkdf2|
  sed -n 's/.* is /GRUB2_PASSWORD=/p' >/boot/grub2/user.cfg
[root@rhel7 ~]#
This is the error output.

Code:
[root@rhel7 ~]# ./grub.sh

**** Backup Grub Files

**** Ensure Grub password is Set

./grub.sh: line 11: printf: -n: invalid option
printf: usage: printf [-v var] format [arguments]
grub2-mkpasswd-pbkdf2: error: failure to read password.
[root@rhel7 ~]# [root@rhel7 ~]# [root@rhel7 ~]# [root@rhel7 ~]# [root@rhel7 ~]# [root@rhel7 ~]#
After running the code the prompt moves horizontally

Code:
[root@rhel7 ~]# [root@rhel7 ~]# [root@rhel7 ~]# [root@rhel7 ~]# [root@rhel7 ~]# [root@rhel7 ~]
Am I missing a setting ?

Thanks

Last edited by LinuxRSA; 11-17-2021 at 05:34 AM.
 
Old 11-17-2021, 05:32 AM   #14
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,678

Rep: Reputation: Disabled
Ah, sorry. Just remove the -n. I corrected my post above.
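
Added example, not part of any post in this thread: in the GRUB 2 pipeline the `>` redirect truncates user.cfg before the hash tool has produced anything, so a failed run like the one in post #13 leaves an empty file and no `GRUB2_PASSWORD`. This sketch checks the tool's output for a well-formed hash and only then renames a temp file into place; the function name `write_grub2_user_cfg` and the short sample hash are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread).
# write_grub2_user_cfg TARGET   (reads grub2-mkpasswd-pbkdf2 output on stdin)
write_grub2_user_cfg() {
    target=$1
    # Same "... is <hash>" match as the thread's sed, but keep the hash
    # in a variable so it can be checked before anything is written.
    hash=$(sed -n 's/.* is \(grub\.pbkdf2\.[^ ]*\)$/\1/p' | head -n 1)
    # Expected shape: grub.pbkdf2.<algo>.<iterations>.<hex salt>.<hex hash>
    printf '%s\n' "$hash" |
        grep -Eq '^grub\.pbkdf2\.[a-z0-9]+\.[0-9]+\.[0-9A-F]+\.[0-9A-F]+$' ||
        { echo "No PBKDF2 hash in input; $target left untouched" >&2; return 1; }
    # mktemp creates the file readable by its owner only; rename keeps that.
    tmp=$(mktemp "$target.XXXXXX") || return 1
    printf 'GRUB2_PASSWORD=%s\n' "$hash" > "$tmp" && mv "$tmp" "$target" ||
        { rm -f "$tmp"; return 1; }
}

# Real use (needs the GRUB 2 tools, run as root), following the thread:
#   printf '%s\n' "$password" "$password" | LC_ALL=C grub2-mkpasswd-pbkdf2 |
#       write_grub2_user_cfg /boot/grub2/user.cfg

# Demo in a scratch directory with constructed tool output (not a real hash).
demo_dir=$(mktemp -d)
printf 'GRUB2_PASSWORD=previous-value\n' > "$demo_dir/user.cfg"
# 1) Tool failed: only the prompts arrive, the existing file must survive.
printf 'Enter password: \nReenter password: \n' |
    write_grub2_user_cfg "$demo_dir/user.cfg" || cat "$demo_dir/user.cfg"
# 2) Tool succeeded: the new hash replaces the old line.
printf 'Enter password: \nReenter password: \n%s\n' \
    'PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.0123ABCD.4567EF89' |
    write_grub2_user_cfg "$demo_dir/user.cfg" && cat "$demo_dir/user.cfg"
```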
 
Old 11-18-2021, 02:24 AM   #15
LinuxRSA
Member
 
Registered: Apr 2015
Location: South Africa
Posts: 71

Original Poster
Rep: Reputation: Disabled

Thanks shruggy all working 100% now, much appreciated cheers
 
  

