grub-devel

Re: Menu locks / password authentication


From: phcoder
Subject: Re: Menu locks / password authentication
Date: Mon, 09 Mar 2009 11:57:40 +0100
User-agent: Thunderbird 2.0.0.19 (X11/20090105)

Michał Radomski wrote:
On Mon, Mar 09, 2009 at 08:16:16AM +0100, phcoder wrote:
Michał Radomski wrote:
On Fri, Feb 27, 2009 at 09:53:27PM +0100, Robert Millan wrote:
It's funny, we're all discussing about performing security measurements in
GRUB and nobody mentioned that our user interface lacks even the most basic
lock mechanism :-)

Actually... I'm working on password command... At this moment I have plain password checking and almost finished MD5 support.

What is your design? Is it expandable? Flexible?

Flexible: yes. Expandable: I think yes.
Password checking is implemented as a grub module, which blocks grub
execution until the user supplies a valid password. Take a look at 2 sample
configs:

# this config will wait for valid password
# after that it will show grub menu
set timeout=5
password --plain qwerty
menuentry "Linux" {
set root=(hd0,1)
linux /vmlinuz26 root=/dev/sda1 ro
initrd /kernel26.img
}

# this config will show menu, but if user would like to boot os,
# it will ask for a password.
set timeout=5

menuentry "Linux" {
password --md5 md5_hash
set root=(hd0,1)
linux /vmlinuz26 root=/dev/sda1 ro
initrd /kernel26.img
}


The md5 algorithm is implemented as a library (grub2/lib), so it can be easily
used in other source files.
I've also thought about a more complex solution (password file),
and I think that it is possible to add without many changes.


What prevents an attacker from simply pressing 'e' or 'c' in the menu? I personally would prefer the architecture with users as I described. Also, I would recommend using hashes other than md5 (e.g. whirlpool or sha-2) because it's been deprecated. And blocking is a bad idea, because if a legitimate user accidentally chooses the wrong entry he can't press ESC to go back.
Do you already have a copyright assignment?

--

Regards
Vladimir 'phcoder' Serbinenko
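
The three points raised in this reply (the 'e' and 'c' keys sidestepping a per-entry password, a stronger hash than MD5, and letting the user back out with ESC) can be modelled together. This is an added illustration in Python, not code from the thread or from GRUB; PBKDF2-HMAC-SHA512 stands in for the "sha-2" suggestion, and the key names, iteration count, salt and the `handle_key` function are assumptions made for the example.

```python
import hashlib
import hmac

ITERATIONS = 10_000                      # constructed work factor for the example
SALT = b"constructed-salt"               # constructed; a real salt is random per record
PROTECTED_KEYS = {"enter": "boot", "e": "edit", "c": "cmdline"}  # assumed key names


def make_record(password, salt):
    """Stored verifier: salted, iterated SHA-512 instead of a bare MD5 digest."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)


def verify(password, salt, record):
    """Compare in constant time so timing does not reveal matching bytes."""
    return hmac.compare_digest(make_record(password, salt), record)


def handle_key(key, salt, record, prompt):
    """Model one keypress. prompt() returns the typed password, or None on ESC.

    Returns the action to run, or "menu" to stay in the menu.
    """
    action = PROTECTED_KEYS.get(key)
    if action is None:
        return "menu"        # navigation keys need no authentication
    attempt = prompt()
    if attempt is None:
        return "menu"        # ESC backs out instead of blocking the machine
    if verify(attempt, salt, record):
        return action
    return "menu"            # wrong password: refuse, but keep the menu usable


RECORD = make_record("qwerty", SALT)     # "qwerty" is the sample password from the thread

if __name__ == "__main__":
    for key, typed in [("e", "guess"), ("c", None), ("enter", "qwerty")]:
        print(key, "->", handle_key(key, SALT, RECORD, lambda: typed))
```

Because the check sits in the key handler rather than inside one menu entry, editing an entry or opening the command line goes through the same gate as booting.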



