User guide

Replace <password-hash> with the value returned by /sbin/grub-md5-crypt [2].
The next time the system boots, the GRUB menu prevents access to the editor or command interface
without first pressing p followed by the GRUB password.
Unfortunately, this solution does not prevent an attacker from booting into an insecure operating
system in a dual-boot environment. For this, a different part of the /boot/grub/grub.conf file must
be edited.
Look for the title line of the operating system that you want to secure, and add a line with the lock
directive immediately beneath it.
For a DOS system, the stanza should begin similar to the following:
    title DOS
    lock
Warning
A password line must be present in the main section of the /boot/grub/grub.conf file for
this method to work properly. Otherwise, an attacker can access the GRUB editor interface and
remove the lock line.
To create a different password for a particular kernel or operating system, add a lock line to the
stanza, followed by a password line.
Each stanza protected with a unique password should begin with lines similar to the following
example:
    title DOS
    lock
    password --md5 <password-hash>
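The conditions above (a password line in the main section, lock lines in stanzas, MD5 hashes rather than plaintext) can be checked mechanically. The following audit script is an added example, not part of the original guide; the function names audit_grub_conf and sample_conf are hypothetical, and it assumes whitespace-separated directives as shown in the stanzas above.

```shell
#!/bin/sh
# Added example (not from the guide): audit a GRUB legacy grub.conf read from
# a file argument or stdin. Exit status is 1 if any FINDING line was printed.
audit_grub_conf() {
    awk '
    function finding(msg) { print "FINDING: " msg; bad = 1 }
    function close_stanza() {
        if (!in_stanza) return
        state = locked ? "locked" : "not locked"
        if (own_pw) state = state ", own password"
        print "INFO: stanza \"" name "\" is " state
        if (locked) any_lock = 1
    }
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    $1 == "title" {                          # a title line opens a new stanza
        close_stanza()
        in_stanza = 1; locked = 0; own_pw = 0
        name = $0; sub(/^[ \t]*title[ \t]+/, "", name)
        next
    }
    $1 == "password" {                       # main-section or per-stanza password
        if (in_stanza) { own_pw = 1 } else { global_pw = 1 }
        if ($2 != "--md5") finding("line " NR ": password is not an MD5 hash")
        next
    }
    $1 == "lock" && in_stanza { locked = 1 }
    END {
        close_stanza()
        if (!global_pw && any_lock)
            finding("lock used without a password line in the main section")
        else if (!global_pw)
            finding("no password line in the main section")
        exit bad + 0
    }' "$@"
}

# Constructed sample input: the DOS stanza is locked but the main section
# has no password line, the case the Warning above describes.
sample_conf() {
    cat <<'EOF'
default=0
title Red Hat Enterprise Linux
    root (hd0,0)
title DOS
    lock
    rootnoverify (hd0,1)
EOF
}
sample_conf | audit_grub_conf || echo "audit reported findings"
```

To audit a real system, run audit_grub_conf /boot/grub/grub.conf as root. Stanzas reported as "not locked" are informational only, since the guide locks only the operating systems you choose to secure.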
2.1.3. Password Security
Passwords are the primary method that Red Hat Enterprise Linux uses to verify a user's identity. This
is why password security is so important for protection of the user, the workstation, and the network.
For security purposes, the installation program configures the system to use Secure Hash Algorithm
512 (SHA512) and shadow passwords. It is highly recommended that you do not alter these settings.
If shadow passwords are deselected during installation, all passwords are stored as a one-way hash
in the world-readable /etc/passwd file, which makes the system vulnerable to offline password
cracking attacks. If an intruder can gain access to the machine as a regular user, he can copy the
/etc/passwd file to his own machine and run any number of password cracking programs against
it. If there is an insecure password in the file, it is only a matter of time before the password cracker
discovers it.
Shadow passwords eliminate this type of attack by storing the password hashes in the file
/etc/shadow, which is readable only by the root user.
This forces a potential attacker to attempt password cracking remotely by logging into a network
service on the machine, such as SSH or FTP. This sort of brute-force attack is much slower and
leaves an obvious trail as hundreds of failed login attempts are written to system files. Of course, if the
[2] GRUB also accepts unencrypted passwords, but it is recommended that an MD5 hash be used for added security.