
Setting a Grub MD5 Password with Augeas and Puppet

This took a little doing, and most of what I found on the Internet was very slightly off. Here’s what I came up with (and what works on RHEL 6):

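augeas {
  "Add MD5 password to Grub":
    context => "/files/boot/grub/menu.lst",
    changes => [
      # Create an empty password node directly after the timeout entry
      "ins password after timeout",
      # Create the md5 flag node under password
      "clear password/md5",
      # Store the hash; each \$ keeps Puppet from interpolating a variable
      "set password \$1\$KeSTX0\$giM/W8SGhE4tbBTSiaguu.",
    ],
    # Only apply when no password entry exists yet
    onlyif  => "match password size == 0";
}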

The password here, by the way, is ‘password’ hashed with the tool grub-md5-crypt. Special characters like $ must be escaped with backslashes, because Puppet would otherwise try to interpolate them as variables inside the double-quoted string. On my computer, /boot/grub/menu.lst is a symlink to /boot/grub/grub.conf (so is /etc/grub.conf). Different versions of Puppet and Augeas look for the Grub configuration file in different places; it all depends on how the lens is configured. On EFI systems, the file /boot/grub/grub.conf may not exist. In that case, for context, try using /files/etc/grub.conf, which should always point to the right location.

Update: The usual way to set a grub password is actually with SHA-512. Here’s how you’d use Augeas to set a normal SHA-512 password (generate one with grub-crypt, not grub-md5-crypt):

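augeas {
  "Add SHA-512 password to Grub":
    context => "/files/boot/grub/menu.lst",
    changes => [
      # Create an empty password node directly after the timeout entry
      "ins password after timeout",
      # Create the encrypted flag node under password
      "clear password/encrypted",
      # Store the hash; each \$ keeps Puppet from interpolating a variable
      "set password \$6\$uWBUVE443zRnRHyY\$/NuljJoao/DnN/KVCQRyQPWJdt2kgRIuKlp8K4QuAuuoUIyUnBmsTPCeT8oWm1jvhBIuPwW5o18F.KpfyClB1.",
    ],
    # Only apply when no password entry exists yet
    onlyif  => "match password size == 0";
}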
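
To confirm what a Puppet run actually wrote, the shell function below (an added example, not part of the original post) classifies the global password directive in a legacy Grub config. It assumes the rendered lines look like `password --md5 <hash>` or `password --encrypted <hash>`; the function name and the output labels are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the password
# directive that the augeas resources above are expected to produce.
#
# grub_password_kind FILE
#   Prints one of: none, plaintext, hash-without-flag, md5, sha256,
#   sha512, unknown.
#   Only lines before the first "title" are inspected, because a password
#   inside a title stanza protects that single entry, not the whole menu.
grub_password_kind() {
  awk '
    # Legacy Grub also accepts "password=..." so normalise it first.
    { sub(/^[ \t]*password=/, "password ") }

    # The global section ends at the first boot entry.
    $1 == "title" { exit }

    $1 == "password" {
      flag  = ($2 ~ /^--/) ? $2 : ""
      value = (flag == "") ? $2 : $3

      if (flag == "" && value ~ /^\$[0-9a-z]+\$/) {
        # A crypt-style string with no --md5/--encrypted flag: Grub would
        # take the hash text itself as the plaintext password.
        kind = "hash-without-flag"
      } else if (flag == "") {
        kind = "plaintext"
      } else if (flag == "--md5" && value ~ /^\$1\$/) {
        kind = "md5"
      } else if (flag == "--encrypted" && value ~ /^\$6\$/) {
        kind = "sha512"
      } else if (flag == "--encrypted" && value ~ /^\$5\$/) {
        kind = "sha256"
      } else {
        kind = "unknown"
      }
    }

    # exit above still runs END, so this always prints exactly one label.
    END { print (kind == "" ? "none" : kind) }
  ' "$1"
}

# Usage: grub_password_kind /boot/grub/grub.conf
```

A result of `hash-without-flag` means the flag node (`password/md5` or `password/encrypted`) was not written, which is the step the `clear` lines in the resources above take care of.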
