This tutorial explains how to set, reset, break and remove the GRUB password in RedHat and CentOS Linux step by step with practical examples. Learn how to set a GRUB password in Linux to secure the boot loader, and conversely how to break or remove the GRUB password in case it is forgotten.
GRUB is the boot loader program in Linux. It includes several options for troubleshooting. These options are available at the boot loader screen and can be accessed by pressing the e key.
By default, Linux does not authenticate this access. Anyone who can reach the boot loader screen can access these options too.
A malicious user can use these options to gain unauthorized access to the system. For example, they can get a shell prompt with root privileges by booting the system in emergency mode.
To keep the system safe and secure, GRUB options should be accessible only to authorized users.
Setting GRUB password
The main configuration file of GRUB is grub.cfg. It is available in the /boot/grub2 directory. It includes several configuration directives, values and parameters.
Usually a user only needs to add, remove or update a particular directive or section in this file. For example, in this tutorial we want to add directives which provide authentication at the boot loader screen to secure the troubleshooting options. Editing the main configuration file for these kinds of small changes is not recommended. A small mistake in this file can make the system completely inaccessible.
Linux provides a better way to configure directives in this file. It breaks the configuration into several sections and makes them available as separate files in the /etc/grub.d/ directory. These files can be edited individually to add, update or remove specific functionality in a particular section. Later a new configuration file can be built from these files. Once the new configuration file is built, the existing file can be replaced with the new file.
Rather than editing grub.cfg directly, we will use the recommended method to add authentication functionality to the configuration. The file 40_custom is used to manage authentication functionality.
Before we add this functionality in GRUB, let's take a backup of the existing grub.cfg file.
#mkdir backup
#cp /boot/grub2/grub.cfg backup/
#ls backup/
The first command makes a directory. The second command copies the main configuration file into this directory, and the third command verifies that the file has been copied successfully.
Following figure shows this operation step by step.
Now open the file 40_custom for editing:
#vim /etc/grub.d/40_custom
The following figure shows the default entries in this file.
The following directives are used to set a user name and password to authenticate access to the GRUB options at the boot loader screen:
set superusers="[User Name]"
password [User name] [Password]
For example, to set the username "sanjay" and the password "123456", insert the following directives in the file:
set superusers="sanjay"
password sanjay 123456
Make sure you insert the directives just below the existing configuration, as shown in the following figure.
Storing the password as plain text is not a secure way to manage credentials. Luckily GRUB not only supports hashed passwords but also provides a command to hash the text password.
To use a hashed password, open another terminal and run the following command:
#grub2-mkpasswd-pbkdf2
Enter and re-enter the desired password.
Copy the hashed password.
Now paste this hashed password into the 40_custom file in place of the text password.
The directive password_pbkdf2 is used for the hashed password. To use a hashed password, we have to change the directive as well.
At a time, we can use only one type of password. So either use a text password or a password hash, each with its respective directive:
password [user name] [text string]
or
password_pbkdf2 [user name] [hashed string]
Use either directive to set the password with the username and save the file.
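The following Python script is an added example and is not part of the original tutorial or of GRUB itself. It reproduces what grub2-mkpasswd-pbkdf2 does (PBKDF2-HMAC-SHA512, a 64-byte random salt, 10000 iterations, printed as grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>) so you can see what the hashed string contains, verifies a password against such a string the way GRUB does, renders the two 40_custom directives, and audits a 40_custom or grub.cfg text for plaintext password directives that should have been replaced by password_pbkdf2. The sample 40_custom content and the user name sanjay are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

PREFIX = "grub.pbkdf2.sha512."


def make_grub_hash(password: str, iterations: int = 10000,
                   salt: Optional[bytes] = None) -> str:
    """Build a hash string in the format grub2-mkpasswd-pbkdf2 prints.

    The tool uses PBKDF2-HMAC-SHA512 with a 64-byte random salt, 10000
    iterations and a 64-byte derived key, hex-encoded in upper case.
    """
    if salt is None:
        salt = os.urandom(64)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)
    return f"{PREFIX}{iterations}.{salt.hex().upper()}.{dk.hex().upper()}"


def verify_grub_hash(password: str, grub_hash: str) -> bool:
    """Recompute the derived key from the stored iterations/salt and compare
    in constant time, which is the check GRUB performs at the boot menu."""
    if not grub_hash.startswith(PREFIX):
        raise ValueError("not a grub.pbkdf2.sha512 hash string")
    iterations, salt_hex, dk_hex = grub_hash[len(PREFIX):].split(".")
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(dk_hex)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                             int(iterations), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def render_40_custom(user: str, grub_hash: str) -> str:
    """The two lines the tutorial appends to /etc/grub.d/40_custom (hashed form)."""
    return f'set superusers="{user}"\npassword_pbkdf2 {user} {grub_hash}\n'


# A plaintext directive is "password <user> <secret>"; the hashed one is
# "password_pbkdf2 <user> grub.pbkdf2.sha512...." (the underscore keeps the
# first pattern from matching the second).
PLAINTEXT_RE = re.compile(r"^[ \t]*password[ \t]+(\S+)[ \t]+\S+", re.M)
PBKDF2_RE = re.compile(r"^[ \t]*password_pbkdf2[ \t]+(\S+)[ \t]+(grub\.pbkdf2\.sha512\.\S+)", re.M)


def audit_grub_config(text: str) -> dict:
    """Report which users still have plaintext passwords and which use PBKDF2."""
    return {
        "plaintext_users": [m.group(1) for m in PLAINTEXT_RE.finditer(text)],
        "pbkdf2_users": [m.group(1) for m in PBKDF2_RE.finditer(text)],
        "superusers_set": "set superusers=" in text,
    }


# Constructed sample: a 40_custom file after the plaintext step of the tutorial.
SAMPLE_40_CUSTOM = """#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.
set superusers="sanjay"
password sanjay 123456
"""


def harden_sample(password: str = "123456") -> str:
    """Replace the plaintext directive in the constructed sample with the hashed one."""
    head = SAMPLE_40_CUSTOM.split('set superusers=')[0]
    return head + render_40_custom("sanjay", make_grub_hash(password))


if __name__ == "__main__":
    print("before:", audit_grub_config(SAMPLE_40_CUSTOM))
    hardened = harden_sample()
    print(hardened)
    print("after: ", audit_grub_config(hardened))
```

Run the audit over /etc/grub.d/40_custom and the generated grub.cfg after the rebuild step; an empty plaintext_users list confirms that no clear-text password survived the switch to password_pbkdf2.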
Once both directives are added in the 40_custom file, run the following commands:
#grub2-mkconfig -o /root/grub.cfg
#grep sanjay /root/grub.cfg
#cp /root/grub.cfg /boot/grub2/
#reboot
- The first command creates a new main configuration file grub.cfg in the /root/ directory from all configuration files available in the /etc/grub.d/ directory.
- The second command verifies that the changes we made are merged into the new configuration file.
- The third command replaces the existing grub.cfg file with the new configuration file.
- The last command reboots the system.
The grep command is used to search for a text string or pattern in a given file. To learn how to use the grep command in Linux, see the tutorial "Learn how to use grep command in Linux step by step".
After the reboot, on the boot loader screen, press the e key to access the grub options.
This time, authentication is required to access the grub options. Authenticate yourself with the username and password which you set in the 40_custom file.
We have successfully configured a GRUB password to protect the troubleshooting options available at the boot loader screen. Now only an authorized person can access these options. But what happens if the authorized person forgets the password?
Removing/Resetting/Breaking GRUB password
If you know the root password, use following steps to remove or reset the GRUB password.
- Do not press any key at boot loader screen to interrupt the booting process. Let the system boot normally.
- Log in with the root account and open the file /etc/grub.d/40_custom.
- To remove the password, remove the set superusers and password or password_pbkdf2 directives and save the file.
- To reset or change the password, update the password or password_pbkdf2 directives and save the file.
- Once necessary changes are made in file 40_custom, create a new configuration file.
- Replace existing file grub.cfg with new grub.cfg file.
- Restart the system and access the grub options from boot loader screen to verify the changes.
If you do not know the root password, use the following steps to remove the GRUB password.
Boot the system with the installation disk and on the first screen select the Troubleshooting option.
To remove the GRUB password from RedHat Linux, use the RHEL installation disk. To remove the GRUB password from CentOS Linux, use the CentOS installation disk.
From the Troubleshooting options select the "Rescue a CentOS/RedHat Linux system" option.
Now select the first option, which mounts the installed Linux under the /mnt/sysimage directory.
Now run the following commands:
#chroot /mnt/sysimage
#ls
- The first command creates the necessary root environment to work with the installed Linux. After this command, whatever command we execute runs as if it were executed from the installed Linux with root privileges.
- The second command simply verifies that all directories are mounted properly.
Now open the file /etc/grub.d/40_custom (inside the chroot, this is the installed system's file) and remove the directives which set the authentication at the boot loader screen.
Once the authentication directives are removed, save the file.
Now run the following commands:
#grub2-mkconfig -o /tmp/grub.cfg
#mv /tmp/grub.cfg /boot/grub2/
#exit
#reboot
- The first command creates a new configuration file in the /tmp directory.
- The second command replaces the existing configuration file with the new configuration file.
- The third command closes the temporary root environment and brings back the rescue disk shell prompt.
- The fourth command reboots the system.
While the system is rebooting, remove the installation disk.
After the reboot, access the troubleshooting options from the boot loader screen to verify that the grub password has been removed.
That's all for this tutorial. In the next tutorial we will learn how to use the grub options to reset the root password.