How to Protect Single User Mode with Password in Ubuntu 18.04

|
Last Updated:
|
|

In this tutorial, we are going to learn how to protect single user mode with password on Ubuntu 18.04 server such that whoever wants to access the system root filesystem through this runlevel/target has to supply the password first.

Single user mode, also known as maintenance mode is a mode in which a multi-user computer OS  boots into a single superuser. This mode is commonly know as runlevel 1  or rescue.target (rescue mode) in systems that implement Sys-V or Systemd style initialization respectively.

The single user mode allows administrators direct access to the root filesystem without a password in order to carry out system maintenance e.g resetting forgotten root password, repairing messed-up system initialization files etc. This, however, is a security loophole and therefore is important to configure your system to requires password for such access.

Want to enforce complex password policy for local accounts on you Ubuntu 18.04 system? See our article by following the link below;

Protecting Single User Mode with Password in Ubuntu

Set the Grub Password

In order to secure your system’s single user mode, you need to set the grub password. In this case we are going to generate hashed password for GRUB by running the command below.

# grub2-mkpasswd-pbkdf2 
Enter password: Enter Your STRONGPASSWORD
Reenter password: Re-Enter Your STRONGPASSWORD
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.2E76F00F221375A635334DEE22E9EF48A3C752EDCFA01221789FDFFE34251C23C1EF11E39CF13EB525D4E99008598CE81035EF0AA67C8B4F0569B0C3BE5A20F1.0A43B4FC74BF2EEE479E3CE0697B933BC7249894029523CEF2D01605480FA869CAA9B44BFCBAB4316338EF6DDA9F8D4E30E996FB14E2ED0B42B05F5435778A73

As you can see above, your GRUB hashed password has been generated;

grub.pbkdf2.sha512.10000.2E76F00F221375A635334DEE22E9EF48A3C752EDCFA01221789FDFFE34251C23C1EF11E39CF13EB525D4E99008598CE81035EF0AA67C8B4F0569B0C3BE5A20F1.0A43B4FC74BF2EEE479E3CE0697B933BC7249894029523CEF2D01605480FA869CAA9B44BFCBAB4316338EF6DDA9F8D4E30E996FB14E2ED0B42B05F5435778A73

 Enable GRUB Password Protection

To enable grub password protection, you have to identify grub menu items to protect, users authorized to access the GRUB and their passwords. The users and their passwords are manually added /etc/grub.d/00_header file.

To edit the /etc/grub.d/00_header, run the command below;

# vim /etc/grub.d/00_header

You may also use you preferred editor.

Define Superuser and the Password

Once you have opened the above file for editing, enter the superuser and its password at the end of the file in the following format.

cat << EOF
set superusers="user1"
password_pbkdf2 <user> <password> 
EOF

This should finally look like;

cat << EOF
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.2E76F00F221375A635334DEE22E9EF48A3C752EDCFA01221789FDFFE34251C23C1EF11E39CF13EB525D4E99008598CE81035EF0AA67C8B4F0569B0C3BE5A20F1.0A43B4FC74BF2EEE479E3CE0697B933BC7249894029523CEF2D01605480FA869CAA9B44BFCBAB4316338EF6DDA9F8D4E30E996FB14E2ED0B42B05F5435778A73
EOF

Once you are done editing, save the file and update grub by running the following command.

# update-grub2
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.15.0-36-generic
Found initrd image: /boot/initrd.img-4.15.0-36-generic
done

When grub is updated, the user/password information is automatically added to the GRUB 2 menu configuration file, grub.cfg.

Now your grub is password protected. To verify this, reboot your system and try to boot to single user mode as described below;

  • At the GRUB splash screen at boot time, press any key to enter the GRUB interactive menu.
  • Select the Kernel line and press ‘e‘ to edit.

Immediately you press e, you will be prompted for the username and password.

password-protected-single-user-mode
password-protected-single-user-mode

That is all about how to protecting Single User Mode with Password in Ubuntu 18.04. We hope that this helped.

Note that if you lost you both your grub password as well as the root password, the only way to get to the shell is by booting your system with LiveCD, mount the root partition in rw mode and remove the password in the grub configuration file.

SUPPORT US VIA A VIRTUAL CUP OF COFFEE

We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

Leave a Comment