Password protecting Ubuntu’s recovery console


In a previous article, I wrote about dropping to a recovery console to be able to add oneself back to the admin group.  This is a great feature of Ubuntu because, after all, mistakes happen and one should be able to recover from them without too much difficulty.  You’ll see that even enterprise-class routers and switches have a “reset button” allowing you root access to the device without a password. However, the concept of a recovery console on an easily-accessed machine like an office desktop or laptop that isn’t password-protected is none too reassuring.  This article provides a quick how-to on password-protection of a grub entry.

As a preamble, here’s a link to a great how-to on grub passwords:

I don’t just like providing links to articles though. Nothing pains me more than bookmarking a great article only to have it disappear off the face of the planet. I’ve lost too many good how-to’s this way; so here’s my summary of the procedure:

  1. The first thing you’re going to want to do is create a password hash which you’ll use in your GRUB menu list. You can do this by opening a command prompt and typing ‘grub-md5-crypt’ (no quotes, obviously). You’ll be prompted for the password, twice, then an MD5 hash will be created — select and copy the hash. Note that at this point, nothing in your system has changed.
  2. Edit your grub menu by opening /boot/grub/menu.lst with your favorite editor. Be very careful here. You should make a backup copy of the file just in case. If you mess this up, you’ll need a livecd to fix it. As a matter of fact, if you don’t have a livecd that you can use for this, download one. Scroll down to where your actual menu options are (you’ll see several blocks that start with, for instance, ‘title Ubuntu 8.04 kernel…’). You’ll have one pair of blocks for each kernel version available on your machine; one block will be for general boot, the other block will be recovery mode.

You should password-protect every recovery mode block, at the very least: at the end of each recovery mode block, add the line ‘password --md5 <the password hash that you generated in step 1>’ (no quotes here, either; note that the option starts with two plain hyphens). For instance:

    title        Ubuntu 8.04.2, kernel 2.6.24-22-generic (recovery mode)
    root (hd0,0)
    kernel /boot/vmlinuz-2.6.24-22-generic root=UUID=d8bd6608-24c8-4df5-a429-513c9eaf3921 ro single
    initrd /boot/initrd.img-2.6.24-22-generic
    password --md5 $1$a66Jz$BFWIxUxVt1AhtWJEhSzEX1

Save menu.lst and reboot your machine!

IMPORTANT: Please do realize that MD5 hashes are NOT uncrackable. Don’t use a GRUB password that you use elsewhere!
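
To confirm before rebooting that every recovery mode block really carries a usable password line, here is a small audit script. It is an added example, not part of the original how-to: the function names and the sample menu.lst (device names, second kernel version, placeholder hash) are constructed for illustration. It counts only the literal ASCII "--md5", so a dash mangled by copy and paste shows up as unprotected.

```shell
#!/bin/sh
# Added example (not from the original article): list recovery-mode entries in
# a GRUB legacy menu.lst that have no valid "password --md5 <hash>" line.

# Prints the title of each unprotected recovery entry in the given file (or stdin).
unprotected_recovery_entries() {
    awk '
        function emit() {
            if (title != "" && recovery && !locked) print title
            title = ""; recovery = 0; locked = 0
        }
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*title[ \t]/ {                    # a new boot entry starts here
            emit()
            title = $0
            sub(/^[ \t]*title[ \t]+/, "", title)
            sub(/[ \t]+$/, "", title)
            if (title ~ /recovery mode/) recovery = 1
            next
        }
        # A kernel line carrying the "single" argument also boots single-user.
        title != "" && /^[ \t]*kernel[ \t]/ && /[ \t]single([ \t]|$)/ { recovery = 1 }
        # Only the literal ASCII "--md5" counts; a pasted en dash does not.
        title != "" && /^[ \t]*password[ \t]+--md5[ \t]+[^ \t]/ { locked = 1 }
        END { emit() }
    ' "$@"
}

# Constructed sample menu.lst: device names and hashes are placeholders.
sample_menu() {
    cat <<'EOF'
title  Ubuntu 8.04.2, kernel 2.6.24-22-generic
root   (hd0,0)
kernel /boot/vmlinuz-2.6.24-22-generic root=/dev/sda1 ro quiet splash
title  Ubuntu 8.04.2, kernel 2.6.24-22-generic (recovery mode)
root   (hd0,0)
kernel /boot/vmlinuz-2.6.24-22-generic root=/dev/sda1 ro single
password --md5 $1$EXAMPLE$PLACEHOLDERHASH0000000
title  Ubuntu 8.04.2, kernel 2.6.24-21-generic (recovery mode)
root   (hd0,0)
kernel /boot/vmlinuz-2.6.24-21-generic root=/dev/sda1 ro single
password –md5 $1$EXAMPLE$PLACEHOLDERHASH0000000
EOF
}

# Audit the file named on the command line, or the sample when none is given.
if [ -n "${1:-}" ]; then unprotected_recovery_entries "$1"
else sample_menu | unprotected_recovery_entries; fi
```

Run it with /boot/grub/menu.lst as its argument to audit the real file; no output means every recovery entry has a password line.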

Recover from accidental removal from the admin group

We know, it’s happened to everyone before… You’re putzing about in your shell and you need to add yourself to a group, so you use the usermod command instead of the adduser command — adduser, useradd, who remembers details like that, right? You reboot your machine sometime after that and — oh shit — you can’t get root no more!

Like I said, it’s happened to everyone before. The reference to the forum where you can get a bit more support is:

The procedure, put quite simply, is this: reboot your computer and enter grub. Boot up in recovery mode and drop to a shell, then input the following:

adduser [your user name] admin

You may then proceed to the normal boot, rejoicing in the fact that you don’t have to reinstall your entire system 🙂