grub-devel

Re: Menu locks / password authentication


From: Michał Radomski
Subject: Re: Menu locks / password authentication
Date: Mon, 9 Mar 2009 11:49:51 +0100
User-agent: Mutt/1.5.18 (2008-05-17)

On Mon, Mar 09, 2009 at 08:16:16AM +0100, phcoder wrote:
> Michał Radomski wrote:
>> On Fri, Feb 27, 2009 at 09:53:27PM +0100, Robert Millan wrote:
>>> It's funny, we're all discussing about performing security measurements in
>>> GRUB and nobody mentioned that our user interface lacks even the most basic
>>> lock mechanism :-)
>>>
>> Actually... I'm working on password command...
>>
>> At this moment I have plain password checking and almost finished MD5 
>> support.
>>
> What is your design? Is it expandable? Flexible?
>
Flexible, yes; expandable, I think yes.

Password checking is implemented as a grub module, which blocks grub
execution until the user supplies a valid password. Take a look at 2 sample
configs:

# this config will wait for valid password 
# after that it will show grub menu 
set timeout=5
password --plain qwerty 

menuentry "Linux" {
set root=(hd0,1)
linux /vmlinuz26 root=/dev/sda1 ro
initrd /kernel26.img
}
 
# this config will show menu, but if user would like to boot os,
# it will ask for a password.  
set timeout=5

menuentry "Linux" {
password --md5 md5_hash  
set root=(hd0,1)
linux /vmlinuz26 root=/dev/sda1 ro
initrd /kernel26.img
}


The md5 algorithm is implemented as a library (grub2/lib), so it can be
easily used in other source files.

I've also thought about a more complex solution (password file),
and I think that it is possible to add without many changes.


-- 
- -  (_ _) Regards                                       -----,  (_ _)  - -
-     ','  |  Michał Radomski <ezzo (at) poczta (dot) pl>     |   ','     -
- -  vv-   `---                                                    -vv  - -
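
The two sample configs above, modelled as an added example (not code from the message or from GRUB): a top-level `password` gates the menu itself, while one inside a `menuentry` gates only booting that entry. Assumptions: `md5_hash` is the hex MD5 digest of the password, and the names `check_password`, `parse` and `simulate` are hypothetical.

```python
import hashlib
import hmac
# Constructed sample data modelled on the two configs in the message.
MD5_QWERTY = hashlib.md5(b"qwerty").hexdigest()
GLOBAL_LOCK = 'set timeout=5\npassword --plain qwerty\nmenuentry "Linux" {\nset root=(hd0,1)\n}\n'
ENTRY_LOCK = 'set timeout=5\nmenuentry "Linux" {\npassword --md5 ' + MD5_QWERTY + '\nset root=(hd0,1)\n}\n'

def check_password(mode, stored, typed):
    """Verify one typed attempt against a `password --plain|--md5` argument."""
    if mode == "--md5":
        # Assumption: md5_hash is the hex MD5 digest of the password bytes.
        typed, stored = hashlib.md5(typed.encode()).hexdigest(), stored.lower()
    elif mode != "--plain":
        raise ValueError("unknown password mode: " + mode)
    # Constant-time compare so timing does not reveal a matching prefix.
    return hmac.compare_digest(typed.encode(), stored.encode())

def parse(config):
    """Return (global password commands, {entry title: its password commands})."""
    global_pw, entries, current = [], {}, None
    for raw in config.splitlines():
        words = raw.split() or [""]
        if words[0] == "menuentry":
            current = raw.split('"')[1]
            entries[current] = []
        elif words[0] == "}":
            current = None
        elif words[0] == "password" and len(words) == 3:
            (global_pw if current is None else entries[current]).append(tuple(words[1:]))
    return global_pw, entries

def simulate(config, entry, typed):
    """Ordered events when a user types the `typed` attempts and picks `entry`."""
    global_pw, entries = parse(config)
    attempts, events = iter(typed), []
    def gate(where, commands):
        for mode, stored in commands:
            for attempt in attempts:  # execution stays blocked until one is valid
                if check_password(mode, stored, attempt):
                    break
                events.append("denied:" + where)
            else:
                return False  # attempts exhausted: still locked
        return True
    if gate("menu", global_pw):
        events.append("menu shown")
        if gate(entry, entries[entry]):
            events.append("boot:" + entry)
    return events
```

With `--plain` the password itself sits in the config file, so anyone who can read that file can read the password; with `--md5` only the digest is stored there.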



