In this tutorial, we are going to learn how to protect single user mode with password on Ubuntu 18.04 server such that whoever wants to access the system root filesystem through this runlevel/target has to supply the password first.
Single user mode, also known as maintenance mode is a mode in which a multi-user computer OS boots into a single superuser. This mode is commonly know as runlevel 1 or rescue.target (rescue mode) in systems that implement Sys-V or Systemd style initialization respectively.
The single user mode allows administrators direct access to the root filesystem without a password in order to carry out system maintenance e.g resetting forgotten root password, repairing messed-up system initialization files etc. This, however, is a security loophole and therefore is important to configure your system to requires password for such access.
Want to enforce complex password policy for local accounts on you Ubuntu 18.04 system? See our article by following the link below;
Protect Single User Mode with Password in Ubuntu 18.04
Set the Grub Password
In order to secure your system’s single user mode, you need to set the grub password. In this case we are going to generate hashed password for GRUB by running the command below.
# grub2-mkpasswd-pbkdf2 Enter password: Enter Your STRONGPASSWORD Reenter password: Re-Enter Your STRONGPASSWORD PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.2E76F00F221375A635334DEE22E9EF48A3C752EDCFA01221789FDFFE34251C23C1EF11E39CF13EB525D4E99008598CE81035EF0AA67C8B4F0569B0C3BE5A20F1.0A43B4FC74BF2EEE479E3CE0697B933BC7249894029523CEF2D01605480FA869CAA9B44BFCBAB4316338EF6DDA9F8D4E30E996FB14E2ED0B42B05F5435778A73
As you can see above, your GRUB hashed password has been generated;
Enable GRUB Password Protection
To enable grub password protection, you have to identify grub menu items to protect, users authorized to access the GRUB and their passwords. The users and their passwords are manually added /etc/grub.d/00_header file.
To edit the /etc/grub.d/00_header, run the command below;
# vim /etc/grub.d/00_header
You may also use you preferred editor.
Define Superuser and the Password
Once you have opened the above file for editing, enter the superuser and its password at the end of the file in the following format.
cat << EOF set superusers="user1" password_pbkdf2 <user> <password> EOF
This should finally look like;
cat << EOF set superusers="admin" password_pbkdf2 admin grub.pbkdf2.sha512.10000.2E76F00F221375A635334DEE22E9EF48A3C752EDCFA01221789FDFFE34251C23C1EF11E39CF13EB525D4E99008598CE81035EF0AA67C8B4F0569B0C3BE5A20F1.0A43B4FC74BF2EEE479E3CE0697B933BC7249894029523CEF2D01605480FA869CAA9B44BFCBAB4316338EF6DDA9F8D4E30E996FB14E2ED0B42B05F5435778A73 EOF
Once you are done editing, save the file and update grub by running the following command.
# update-grub2 Generating grub configuration file ... Found linux image: /boot/vmlinuz-4.15.0-36-generic Found initrd image: /boot/initrd.img-4.15.0-36-generic done
When grub is updated, the user/password information is automatically added to the GRUB 2 menu configuration file, grub.cfg.
Now your grub is password protected. To verify this, reboot your system and try to boot to single user mode as described below;
- At the GRUB splash screen at boot time, press any key to enter the GRUB interactive menu.
- Select the Kernel line and press ‘e‘ to edit.
Immediately you press e, you will be prompted for the username and password.
That is all about how to Protect Single User Mode with Password in Ubuntu 18.04. We hope that this helped.
Note that if you lost you both your grub password as well as the root password, the only way to get to the shell is by booting your system with LiveCD, mount the root partition in rw mode and remove the password in the grub configuration file.