
Setting a Grub MD5 Password with Augeas and Puppet

This took a little doing, and most of what I found on the Internet was very slightly off. Here’s what I came up with (and what works on RHEL 6):

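augeas {
  "Add MD5 password to Grub":
    context => "/files/boot/grub/menu.lst",
    changes => [
      # Create an empty password node right after the timeout line
      "ins password after timeout",
      # Add the md5 flag so the line is written as "password --md5 ..."
      "clear password/md5",
      # Store the hash as the node's value ($ escaped for Puppet)
      "set password \$1\$KeSTX0\$giM/W8SGhE4tbBTSiaguu.",
    ],
    # Only apply when no password line exists yet
    onlyif  => "match password size == 0";
}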

The password here, by the way, is ‘password’ hashed with the grub-md5-crypt tool. Special characters like $ must be escaped with backslashes. On my computer, /boot/grub/menu.lst is a symlink to /boot/grub/grub.conf (so is /etc/grub.conf). Different versions of Puppet and Augeas look for the grub configuration file in different places; it all depends on how the lens is configured. On EFI systems, the file /boot/grub/grub.conf may not exist. In that case, try using /files/etc/grub.conf as the context, which should always point to the right location.

Update: The usual way to set a grub password is actually with SHA-512. Here’s how you’d use Augeas to set a normal SHA-512 password (generate one with grub-crypt, not grub-md5-crypt):

augeas {
  "Add SHA-512 password to Grub":
    context => "/files/boot/grub/menu.lst",
    changes => [
      "ins password after timeout",
      "clear password/encrypted",
      "set password \$6\$uWBUVE443zRnRHyY\$/NuljJoao/DnN/KVCQRyQPWJdt2kgRIuKlp8K4QuAuuoUIyUnBmsTPCeT8oWm1jvhBIuPwW5o18F.KpfyClB1.",
    ],
    onlyif  => "match password size == 0";
}
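
A quick check that the Augeas changes above left the file in the intended state, as an added example that is not from the original post. The function name grub_password_status and the sample file are made up for illustration; the hash is the one shown above.

```shell
#!/bin/sh
# Added example (not from the original post): classify the global password
# directive in a GRUB Legacy config such as /boot/grub/grub.conf.
# Prints: sha512 | md5 | plaintext | unknown | missing | duplicate
grub_password_status() {
    awk '
        # Boot entries start at the first "title"; a password line inside
        # an entry applies to that entry only, so the audit stops there.
        /^[ \t]*title[ \t]/ { exit }
        /^[ \t]*password[ \t]/ {
            count++
            if ($2 == "--encrypted" && $3 ~ /^\$6\$/) kind = "sha512"
            else if ($2 == "--md5" && $3 ~ /^\$1\$/)  kind = "md5"
            else if ($2 ~ /^--/)                      kind = "unknown"
            else                                      kind = "plaintext"
        }
        END {
            if (count == 0)     print "missing"
            else if (count > 1) print "duplicate"
            else                print kind
        }
    ' "$1"
}

# Constructed sample: what menu.lst should look like after the SHA-512
# resource has run (hash copied from the post).
sample=$(mktemp)
cat > "$sample" <<'EOF'
default=0
timeout=5
password --encrypted $6$uWBUVE443zRnRHyY$/NuljJoao/DnN/KVCQRyQPWJdt2kgRIuKlp8K4QuAuuoUIyUnBmsTPCeT8oWm1jvhBIuPwW5o18F.KpfyClB1.
title Red Hat Enterprise Linux
        root (hd0,0)
EOF
echo "sample: $(grub_password_status "$sample")"
rm -f "$sample"
```

A result of duplicate means the insert ran against a file that already had a password line, and plaintext means the password is stored unhashed.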

One Response to “Setting a Grub MD5 Password with Augeas and Puppet”

  1. Benjamin Fischer Says:

    Hi,

    I know this article is quite old, but the situation on setting grub pw with augeas hasn’t improved ever since. Your article really helped me, so I wanted to share an improvement with you. The problem in this example is that puppet doesn’t reset a password that has the wrong value. So I came up with this solution:

    $pw = '\$6\$uWBUVE443zRnRHyY\$/NuljJoao/DnN/KVCQRyQPWJdt2kgRIuKlp8K4QuAuuoUIyUnBmsTPCeT8oWm1jvhBIuPwW5o18F.KpfyClB1.'

    augeas {
      "remove nonmatching pws":
        context => "/files/etc/grub.conf",
        changes => [
          'rm password',
        ],
        onlyif  => "get password != $pw",
    } ->

    augeas {
      "Add SHA512 PW to Grub":
        context => "/files/etc/grub.conf",
        changes => [
          'ins password after timeout',
          'clear password/encrypted',
          "set password $pw",
        ],
    }

    Maybe that helps someone.

    Regards

    Raskil
