Update a Grub2 password on a Photon Appliance

Article ID: 397101

Products

VCF Operations/Automation (formerly VMware Aria Suite) VMware vCenter Server

Issue/Introduction

To provide an appropriate level of security, configure boot loader authentication on your VMware virtual appliances. If the system boot loader requires no authentication, users with console access to the system might be able to alter the system boot configuration or boot the system to single user or maintenance mode, which can result in denial of service or unauthorized system access.

Environment

VMware Aria Suite

Photon

vCenter

Cause

Boot loader authentication is not set by default on the VMware virtual appliances; to configure it, you must create a GRUB password.

Resolution

Pre-requisites:

  • Snapshot and back up the virtual appliance.
  • Back up the grub.cfg file: # cp /boot/grub/grub.cfg /boot/grub/grub.cfg.backup
  • At the command line, run the following command: # grub2-mkpasswd-pbkdf2

    Enter a secure password and ensure this password is stored for break-glass situations. The root account cannot be recovered without knowing this separate password. Copy the resulting password hash string.

An example string is below:

grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840

Method 1 - Control 'PHTN-30-000031' 'The Photon operating system must require authentication upon booting into single-user and maintenance modes'

Set or replace the GRUB password directly in the grub.cfg file.

STIG ID: PHTN-30-000031
SEVERITY: CAT II
Rule Title: The Photon operating system must require authentication upon booting into single-user and maintenance modes.

In /boot/grub2/grub.cfg, locate the previously set GRUB2 password hash string and replace it with the new string:

set rootpartition=PARTUUID=326e5b0f-42fb-471a-8209-18964c4a2ed3
set superusers=\"root\"
password_pbkdf2 root grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840

Method 2 - Set Boot Loader Authentication

If using an /etc/grub.d/40_custom file:

Back up the 40_custom file: # cp /etc/grub.d/40_custom /etc/grub.d/40_backup

Add or update the following lines at the end of /etc/grub.d/40_custom with the new GRUB2 password hash string:

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840

Regenerate the GRUB configuration: # /usr/sbin/grub2-mkconfig -o /boot/grub/grub.cfg

Note: do not mix the two methods.
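The following shell helpers are an added example, not VMware's or Photon's own tooling: they audit a GRUB configuration for the superuser and password_pbkdf2 lines that both methods above put in place (the PHTN-30-000031 check), replace the hash for a given user only after validating its grub.pbkdf2.sha512.<iterations>.<salt>.<hash> shape and taking a backup, and wrap the non-interactive use of grub2-mkpasswd-pbkdf2 (falling back to the grub-mkpasswd-pbkdf2 name on distributions that use it). The demo runs against a constructed config in a temporary directory with placeholder hash values; on an appliance you would point the functions at /boot/grub/grub.cfg (Method 1) or /etc/grub.d/40_custom (Method 2).

```shell
#!/bin/sh
# Added example, not VMware/Photon tooling. Audit and update helpers for the
# GRUB2 boot-loader authentication lines described in the article above.

# Shape of a grub2-mkpasswd-pbkdf2 result: grub.pbkdf2.sha512.<iter>.<salt>.<hash>
HASH_RE='grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+'

# check_grub_auth FILE -> 0 if FILE declares a superuser and a matching,
# well-formed password_pbkdf2 line; 1 if the control is not met; 2 if unreadable.
check_grub_auth() {
    f="$1"
    [ -r "$f" ] || return 2
    # Superuser name; tolerates both "root" and the \"root\" spelling seen in grub.cfg.
    su=$(grep '^set superusers=' "$f" | head -n 1 | sed 's/^set superusers=//; s/[\\"]//g')
    [ -n "$su" ] || return 1
    grep -Eq "^password_pbkdf2[[:space:]]+$su[[:space:]]+$HASH_RE[[:space:]]*$" "$f"
}

# update_grub_hash FILE USER NEWHASH -> replaces USER's password_pbkdf2 line after
# validating NEWHASH; writes FILE.backup first. Returns 1 on bad input.
update_grub_hash() {
    f="$1"; user="$2"; hash="$3"
    printf '%s\n' "$hash" | grep -Eq "^$HASH_RE$" || return 1
    grep -Eq "^password_pbkdf2[[:space:]]+$user[[:space:]]" "$f" || return 1
    cp "$f" "$f.backup" || return 1
    sed "s|^password_pbkdf2[[:space:]][[:space:]]*$user[[:space:]].*|password_pbkdf2 $user $hash|" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# generate_grub_hash -> reads the password once from stdin and prints only the
# grub.pbkdf2... string; returns 2 if no mkpasswd tool is installed.
# (Not exercised by the demo below, so it runs without GRUB present.)
generate_grub_hash() {
    tool=$(command -v grub2-mkpasswd-pbkdf2 || command -v grub-mkpasswd-pbkdf2) || return 2
    read -r pw
    # The tool prompts for the password twice; the result line ends with the hash.
    printf '%s\n%s\n' "$pw" "$pw" | "$tool" | sed -n "s/.*\($HASH_RE\).*/\1/p"
}

# Demo on a constructed config (hash values are placeholders, not real output).
demo_grub_auth() {
    tmp=$(mktemp -d) || return 1
    cfg="$tmp/grub.cfg"
    printf '%s\n' 'set rootpartition=PARTUUID=00000000-0000-0000-0000-000000000000' \
                  'set superusers="root"' \
                  'password_pbkdf2 root grub.pbkdf2.sha512.10000.AAAA.BBBB' > "$cfg"
    rc=1
    if check_grub_auth "$cfg" &&
       update_grub_hash "$cfg" root grub.pbkdf2.sha512.10000.CCCC.DDDD &&
       check_grub_auth "$cfg" &&
       grep -q 'CCCC\.DDDD' "$cfg" &&
       [ -f "$cfg.backup" ]; then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

demo_grub_auth && echo "boot-loader authentication lines present and updated"
```

Two practical points when using this with Method 2: grub2-mkconfig executes every executable file in /etc/grub.d, so a backup copied next to 40_custom that keeps its execute bit is emitted into grub.cfg as well (drop the bit with chmod -x or keep the backup outside /etc/grub.d), and the audit should be re-run on the generated /boot/grub/grub.cfg after grub2-mkconfig, since that file is what the boot loader reads.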