In https://access.redhat.com/knowledge/solutions/68828
Red Hat says:
Select a password and then generate a hash from it by running:
# grub-crypt --sha-512
Insert the following line into /etc/grub.conf immediately after the header comments. (Use
the output from grub-crypt as the value of password-hash)
password --encrypted password-hash
It should look like below.
default=0
timeout=5
password --encrypted password-hash
splashimage=(hd0,0)/grub/splash.xpm.gz
Verify the permissions on /etc/grub.conf (which is a symlink to ../boot/grub/grub.conf):
# chown root:root /etc/grub.conf
# chmod 600 /etc/grub.conf
grub-crypt utility is now shipped with three types of password encryption.
--md5 Use MD5 to encrypt the password
--sha-256 Use SHA-256 to encrypt the password
--sha-512 Use SHA-512 to encrypt the password (default)
Signed-off-by: Joe Nall <joe(a)nall.com>
---
rhel6/src/input/checks/bootloader_password.xml | 2 +-
rhel6/src/input/system/accounts/physical.xml | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rhel6/src/input/checks/bootloader_password.xml
b/rhel6/src/input/checks/bootloader_password.xml
index 8074097..ceff1b7 100644
--- a/rhel6/src/input/checks/bootloader_password.xml
+++ b/rhel6/src/input/checks/bootloader_password.xml
@@ -18,7 +18,7 @@
<ind:textfilecontent54_object id="object_bootloader_password"
version="1">
<ind:path>/etc</ind:path>
<ind:filename>grub.conf</ind:filename>
- <ind:pattern operation="pattern
match">password[\s]+--md5[\s]+.*</ind:pattern>
+ <ind:pattern operation="pattern
match">password[\s]+--encrypted[\s]+.*</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
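Review bot: the new pattern on the `+` line is not anchored to the start of a line, so a commented-out entry such as `#password --encrypted ...` still satisfies the check, and because the value is matched with `.*` it also passes when nothing follows the option. Consider `^[\s]*password[\s]+--encrypted[\s]+\S+` so that only an active directive carrying a value matches. Separately, replacing `--md5` outright instead of accepting either form means a host still configured with `password --md5` now fails this check; if that is the intent, it is worth stating in the commit message.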
diff --git a/rhel6/src/input/system/accounts/physical.xml
b/rhel6/src/input/system/accounts/physical.xml
index 5c3a488..a8db13b 100644
--- a/rhel6/src/input/system/accounts/physical.xml
+++ b/rhel6/src/input/system/accounts/physical.xml
@@ -70,11 +70,11 @@ this file.
<description>The grub boot loader should have password protection
enabled to protect boot-time settings.
To do so, select a password and then generate a hash from it by running:
-<pre># grub-md5-crypt</pre>
+<pre># grub-crypt --sha-512</pre>
Insert the following line into <tt>/etc/grub.conf</tt> immediately
-after the header comments. (Use the output from <tt>grub-md5-crypt</tt> as
the
+after the header comments. (Use the output from <tt>grub-crypt</tt> as the
value of <b>password-hash</b>):
-<pre>password --md5 <b>password-hash</b></pre>
+<pre>password --encrypted <b>password-hash</b></pre>
</description>
<rationale>
Password protection on the boot loader configuration ensures that
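Review bot: the description now directs the reader to `grub-crypt --sha-512`, but it says nothing about an existing `password --md5` line, which the updated pattern in bootloader_password.xml no longer accepts. A sentence telling administrators to replace any `password --md5` entry with the new `password --encrypted` line would close that gap. The commit message also quotes the `chown root:root` and `chmod 600` step from the Red Hat article; if this description is the only place the procedure is documented, that step is worth carrying over here.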
--
1.7.1