Protect Ubuntu so it can't be booted without a password

You can lock the boot menu so that selected boot options won't work unless the menu is unlocked by hitting p and typing a password. Additionally, unless the menu is unlocked, it won't be possible to edit the boot menu entries, so an intruder can't edit a boot menu entry to get around the protection.

To be honest, a password-protected boot menu doesn't offer any serious security because it's easily overcome by booting from the Ubuntu installation CD, which will provide unrestricted access to the hard disk contents (see footnote 9). However, the technique might be useful to protect your data from family members or work colleagues who are casually nosey but not technically adept.

Start by opening a terminal window and typing the following:

$ grub-md5-crypt

You'll then be prompted for a password. This will be the boot menu password, so type it carefully. Then type it again when prompted to confirm it. As with any password, it can include letters, numbers, symbols or spaces.

Once the password has been entered, a password hash is output at the prompt: a stream of seemingly random letters, numbers and/or symbols. This is an MD5-based hash of the password rather than the password itself. It's stored in this form so that it can be added to the boot menu configuration file without anyone being able to read the password by looking at the file.

To add it, open the boot menu file using Gedit:

$ gksu gedit /boot/grub/menu.lst

...and, at the top, add a new line that reads password --md5, then, immediately following, copy and paste in the password hash you created. Here's how the line looked on my test machine:

password --md5 $1$Qeb3b$XO.lbPvj47A3GEywBcR6m

9. Better protection for a PC with a password-protected boot menu, as described in Tip 45, can be had by simply removing the floppy and CD/DVD drive hardware from the PC, thus limiting the opportunities to use boot media that will give root access. You should also disable booting from removable storage in the PC's BIOS, and add a BIOS password. Even after all this I can still think of a few ways of getting around the protection, but it's perhaps as good as it can get, short of locking away the PC or mounting 24-hour surveillance on it.

Following this, look for the line in the boot menu file that refers to your Ubuntu installation. It'll probably be something like the following, and will be immediately below a line that reads ## ## End Default Options ## (note that I've truncated the third line of the entry for reproduction here):

title Ubuntu 8.04.1, kernel 2.6.24-19-generic
root (hd0,4)
kernel /boot/vmlinuz-2.6.24-19-generic root=UUID= ...
initrd /boot/initrd.img-2.6.24-19-generic
quiet

Add a new line at the end of the entry and type the word lock.

Here's how the entry looked after I'd finished editing it (again, with the third line truncated):

title Ubuntu 8.04.1, kernel 2.6.24-19-generic
root (hd0,4)
kernel /boot/vmlinuz-2.6.24-19-generic root=UUID= ...
initrd /boot/initrd.img-2.6.24-19-generic
quiet
lock

Add lock to all the other boot menu entries too, assuming you want to stop somebody booting them without typing the password. If you only want to stop Ubuntu being booted then no further work is needed. If lock isn't added to an entry in the boot menu file then any user will be able to select that entry and boot into it.

See Figure 3.14 for an example of how the boot menu file looked on my computer once I'd added lock to each entry.

Once done, save the file and quit Gedit. Following this, test out your password protection by rebooting. Once the computer restarts, you'll see that the boot menu appears as usual, and you'll be able to move the selection highlight up and down using the cursor keys. But you won't be able to select any entry to boot into. If you try, you'll see the error message Error 32: Must be authenticated. You'll then be prompted to hit a key and return to the boot menu. Hitting e to try and edit an entry won't work either.


[Figure 3.14: Adding password-protection to the boot menu file (see Tip 45, on page 107). Screenshot of the boot menu file open in Gedit.]

To authenticate, hit p when the boot menu appears. Then type the password you chose earlier (the actual password, not the encrypted hash!). Following this you'll be able to select any entry on the boot menu and subsequently boot the computer.
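As an added example (not part of the original tip), this Python script audits a menu.lst for the two things the procedure relies on: a password line above the first title, and a lock in every entry. The sample file, its placeholder hash and UUID, and the name audit_menu_lst are constructed for illustration; the script also reports where lock sits, because the GRUB Legacy manual advises placing lock directly after title, since commands that come before it still run.

```python
import re

# Constructed sample in GRUB Legacy menu.lst syntax (hash and UUID are placeholders).
SAMPLE_MENU_LST = """\
password --md5 $1$PLACEHOLDER$PLACEHOLDERHASH

title Ubuntu 8.04.1, kernel 2.6.24-19-generic
root (hd0,4)
kernel /boot/vmlinuz-2.6.24-19-generic root=UUID=PLACEHOLDER ro quiet splash
initrd /boot/initrd.img-2.6.24-19-generic
quiet
lock

title Ubuntu 8.04.1, kernel 2.6.24-19-generic (recovery mode)
kernel /boot/vmlinuz-2.6.24-19-generic root=UUID=PLACEHOLDER ro single
initrd /boot/initrd.img-2.6.24-19-generic

title Ubuntu 8.04.1, memtest86+
lock
kernel /boot/memtest86+.bin
"""

def audit_menu_lst(text):
    """Return (password_mode, [(title, status), ...]) for a menu.lst string."""
    password_mode, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no commands
        head, *rest = re.split(r"[\s=]+", line, maxsplit=1)
        arg = rest[0] if rest else ""
        if head == "title":
            entries.append((arg, []))      # a new boot entry starts here
        elif entries:
            entries[-1][1].append(head)    # command inside the current entry
        elif head == "password":           # above the first title: global password
            password_mode = "md5" if arg.startswith("--md5") else "plaintext"
    report = []
    for title, cmds in entries:
        guard = next((i for i, c in enumerate(cmds) if c in ("lock", "password")), None)
        if guard is None or (cmds[guard] == "lock" and password_mode is None):
            status = "unprotected"  # lock does nothing unless a global password is set
        else:
            status = "protected" if guard == 0 else "protected-late"
        report.append((title, status))
    return password_mode, report

if __name__ == "__main__":
    print(audit_menu_lst(SAMPLE_MENU_LST))
```

Run it against the contents of /boot/grub/menu.lst again after kernel updates, because update-grub regenerates the automatically managed kernel entries and hand-added lock lines there can be lost.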

To do another interesting thing to the boot menu, see Tip 139, on page 180.
