Date: Mon, 9 Mar 2009 11:49:51 +0100
From: Michał Radomski
To: The development of GRUB 2
Subject: Re: Menu locks / password authentication

On Mon, Mar 09, 2009 at 08:16:16AM +0100, phcoder wrote:
> Michał Radomski wrote:
>> On Fri, Feb 27, 2009 at 09:53:27PM +0100, Robert Millan wrote:
>>> It's funny, we're all discussing performing security measurements in
>>> GRUB and nobody mentioned that our user interface lacks even the most basic
>>> lock mechanism :-)
>>>
>> Actually... I'm working on password command...
>>
>> At this moment I have plain password checking and almost finished MD5
>> support.
>>
> What is your design? Is it expandable? Flexible?
>

Flexible: yes. Expandable: I think yes.

Password checking is implemented as a grub module, which blocks grub execution
until the user supplies a valid password.

Take a look at 2 sample configs:

# this config will wait for a valid password
# after that it will show the grub menu
set timeout=5
password --plain qwerty
menuentry "Linux" {
    set root=(hd0,1)
    linux /vmlinuz26 root=/dev/sda1 ro
    initrd /kernel26.img
}

# this config will show the menu, but if the user would like to boot an OS,
# it will ask for a password.
set timeout=5
menuentry "Linux" {
    password --md5 md5_hash
    set root=(hd0,1)
    linux /vmlinuz26 root=/dev/sda1 ro
    initrd /kernel26.img
}

The MD5 algorithm is implemented as a library (grub2/lib), so it can be easily
used in other source files.

I've also thought about a more complex solution (a password file), and I think
that it is possible to add without many changes.

-- 
Regards,
Michał Radomski
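
A Python model of the check the message describes, added here as an illustration; it is not the author's GRUB module code. It assumes the --md5 argument is a 32-digit hex digest of the unsalted password (the message does not specify the format), and the function names are hypothetical.

```python
import hashlib
import hmac

MODES = {"--plain": "plain", "--md5": "md5"}
HEX_DIGITS = set("0123456789abcdef")

# Constructed sample directives in the syntax the message shows.
PLAIN_LINE = "password --plain qwerty"
MD5_LINE = "password --md5 " + hashlib.md5(b"qwerty").hexdigest()


def parse_password_directive(line):
    """Return (mode, secret_bytes) for 'password --plain|--md5 <value>'."""
    words = line.split()
    if len(words) != 3 or words[0] != "password" or words[1] not in MODES:
        raise ValueError("expected: password --plain|--md5 <value>")
    mode, value = MODES[words[1]], words[2]
    if mode == "md5":
        # Assumption: <value> is the 32-digit hex MD5 of the password, unsalted.
        value = value.lower()
        if len(value) != 32 or not set(value) <= HEX_DIGITS:
            raise ValueError("--md5 needs a 32-digit hex digest")
    return mode, value.encode("utf-8")


def check_password(directive, attempt):
    """True only if attempt matches; a malformed directive stays locked."""
    try:
        mode, secret = parse_password_directive(directive)
    except ValueError:
        return False  # fail closed: a bad config line never means "no password"
    candidate = attempt.encode("utf-8")
    if mode == "md5":
        candidate = hashlib.md5(candidate).hexdigest().encode("ascii")
    # Constant-time comparison, so timing does not reveal a matching prefix.
    return hmac.compare_digest(candidate, secret)
```

The placeholder line from the message, `password --md5 md5_hash`, is rejected by the parser, so `check_password` returns False for every attempt against it.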