[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC] Grub2 lock and password implementation

From: Tomáš Ebenlendr
Subject: Re: [RFC] Grub2 lock and password implementation
Date: Tue, 27 May 2008 19:12:47 +0200 (CEST)
User-agent: SquirrelMail/1.5.1

Dne 27 Květen 2008, 15:29, Julien Ranc napsal(a):

> e) multiple users
> The implementation I proposed does not cop very well with multiple
> user/groups needs. However, it could be handled by a "multiuser" module,
> which would in turn defer authentication work to other specialized modules
> (like md5 for example). It assumes that ALL users
> log in with the same method?. which is quite plausible I think.

I would like to say something on this. First of all I don't think that ALL
users want to log with the same method. Assume some school environment:
The administrator want access to the grubs command line and there are many
smart students so he has some hw method to authenticate (just for better
safety). Then there is the service of computer laboratory. They are
allowed to boot system on CD or usb-stick, because some students have
projects that need to boot something special (These students have some
permit by school, and they authenticate themself to the lab service people,
e.g, visually). The lab service logs in just using md5 (assume crypted
partitions, so the system from usb stick cannot read data on it). And also
there are ordinary students. They want to turn the machine on and use the
preconfigured booting method, without any password.

Yes it is marginal type of use. And in fact the single-user authetication
command, together with scripting can handle this environment.

Moreover multi-method configuration may be unsecure if configured in wrong
way. So I elaborated more on some methods how to use multiple methods
to authenticate.

The multi-method authentication can be done e.g. in following ways

1.) menu + single-method authentication
      This needs only allowing single-method authentication to ABORT.
      The return value (if authenticated/who authenticated) should be
      testable by grub scripting support.
      Moreover, we need no usernames here if the underlying authentication
      metods does not need them. Thus this case is as secure as underlying

2.) authentication defined by username (scripting + single-method)
      Here user must give his user name. Script then decides the method
      by given username. - Here we want to have some test if user is
      in set defined by the method. - Note that some methods does not allow
      user testing to increase security (this may be the case of e.g. LDAP)

3.) username + password + trying all methods
      Assume we autheticate both by local passwd file and by LDAP.
      Both methods require username and password. This must be properly
      configured: if we try network first with plain passwords, we will
      send local passwords to the network server which is unsecure.

4.) Event system:
      Most difficult, may be we wan't implement this.
      Here grub displays some preconfigured menu or whatever and besides
      waiting for keyboard input it also waits for insertion of smartcards
      and takes actions accordingly.

So we need to allow the authentication to abort, then we are able to
use the cae 1 even without multi-user. In fact this method is sufficient
and I write here the other methods only for consideration.

For the case 2, we need to be able to ask for the username, assign it to
some variable and then call various grub commands including
the authentication command itself.

The example of a grub script in bash like language:

  if login -user $USERNAME -method passwd -file (hd1,1)/passwd.txt -exists
      login -user $USERNAME -method passwd -file (hd1,1)/passwd.txt
      login -user $USERNAME -method LDAP -server ...

Case 3 can be implemented in two ways:
  loginmulti -method passwd -file (hd1,1)/passwd.txt -or -method LDAP ...
    login -method passwd -file (hd1,1)/passwd.txt -savefailedcredentials
    login -user $USERNAME -pass $PASSWORD -method LDAP -server ...

I think that case 4 is too heavy to implement in boot manager, but maybe
someone don't think so. It will be also interesting to look at libpam,
how it deals with multiple methods when logging into the system.

The loginmulti command for case 3 and maybe case 4 should be always
implementable provided that the modules export apropriate symbols.

Note that login command should always save at least username of positively
authenticated user to variable, so that scripting support may then take
apropriate actions (e.g. pass the username to booted system). It will be
also nice when autheticating e.g. by kerberos, to pass the kerberos ticket
to the system that we boot later, so the user needs not to authenticate
twice (for grub and for operating system).

                            Tomas Ebenlendr

reply via email to

[Prev in Thread] Current Thread [Next in Thread]