Password protect
#1
Posted 04 September 2007 - 03:36 PM
#2
Posted 04 September 2007 - 05:10 PM
Reference:
http://www.cs.wcupa....Linux/grub.html
Reference:
http://grub4dos.sour...24341;#password
<pre> Password [-- md5] PASSWD [FILE] </ pre> set a password. When the menu at the first document, to ban all interactive menu editing functions, including editing menu items ( `e`) / access the command line ( `c`). When the correct password (PASSWD designated), included in the new menu (designated by the FILE). If you do not specify FILE, then these were banned function will be opened. Of course, you can use this command a certain menu items, to enhance the security of the system. Parameters -- Note md5 password (PASSWD) is the use of encryption md5crypt.
jaclaz
#3
Posted 04 September 2007 - 10:58 PM
I achieve the second by splitting off "system files" from "program files", ie those files which are necessary for booting, and those files which are additional. Program files get loaded into a vmware image (so that this can be mounted as writable with an undo file) which is then loaded into an UltraISO encrypted password-protected .isz image which is mounted at boot after the sucessful entry of the password. I like the .isz file because it can be compressed vis-a-vis a truecrypt container which is another possibility. Reg files with software lisences can be kept in the image and merged after the image is mounted etc.
Hope this helps. I can add more detail if needed.
Regards,
Galapo.
#4
Posted 04 September 2007 - 11:40 PM
Depends a little on what you want exactly: i) simply stop unwanted use of your disk; or ii) to stop unwanted use and protect commercial software lisences.
I achieve the second by splitting off "system files" from "program files", ie those files which are necessary for booting, and those files which are additional. Program files get loaded into a vmware image (so that this can be mounted as writable with an undo file) which is then loaded into an UltraISO encrypted password-protected .isz image which is mounted at boot after the sucessful entry of the password. I like the .isz file because it can be compressed vis-a-vis a truecrypt container which is another possibility. Reg files with software lisences can be kept in the image and merged after the image is mounted etc.
Hope this helps. I can add more detail if needed.
Regards,
Galapo.
Um yah, thats a bit too deep for me, just looking to password protect the CD from booting or password protect the environment.
#5
Posted 05 September 2007 - 07:59 AM
Even if your CD got cloned by someone, it would still require a password to boot.
CDShell is a free boot loader, that supports complex scripts. I used it to create a boot menu on my unattended XP CD a while back. It also has example scripts, including one that uses a password to protect the CD.
http://www.cdshell.org/
#6
Posted 05 September 2007 - 12:27 PM
You could use CDShell as a boot loader, and make a script that would require a password.
Even if your CD got cloned by someone, it would still require a password to boot.
CDShell is a free boot loader, that supports complex scripts. I used it to create a boot menu on my unattended XP CD a while back. It also has example scripts, including one that uses a password to protect the CD.
http://www.cdshell.org/
Well wanted to keep using GRUB for my VistaPE package. Does CDShell support VistaPE?
#7
Posted 05 September 2007 - 02:03 PM
As said, grub4dos has password protection features.
What is debatable is whether they are secure or not, see this:
http://www.cyberciti...r-password.html
Example:
1) copy and paste this to menu.lst:
password mytest (fd0)/test.lst
color black/cyan yellow/cyan
timeout 30
title Unprotected item IO.SYS
find --set-root /io.sys
chainloader /io.sys
2) copy and paste this to test.lst:
color black/cyan yellow/cyan
timeout 30
title NT password protected item
find --set-root /ntldr
chainloader /ntldr
Copy both menu.lst and test.lst to root of the device.
Try booting from it.
Customize as you wish, in the line:
password mytest (fd0)/test.lst
password is the command
mytest is the password value
(fd0)/test.lst is where to find the password protected menu.
If you want a minimum of security about the password, encrypt it with MD5, RTFM to learn how to do it.
jaclaz
#8
Posted 07 September 2007 - 12:43 AM
OK, I simply cannot stand this.
...
If you want a minimum of security about the password, encrypt it with MD5, RTFM to learn how to do it.
jaclaz
Not sure why the anger, just asking for some tips on how best to do it. Looking to see if its something that can easily be done via scripting (such as build the password on the fly prior to compiling the iso).
s
#9
Posted 12 September 2007 - 01:12 PM
Not sure why the anger, just asking for some tips on how best to do it.
Not anger, just momentary irritation .
As I saw (and still see ) it:
1) You asked a rather "narrow" question:
2) I replied you that grub4dos, which is NOT Grub, is compatible with Grub password feature.Password protect, Either via Grub or at PE Switcher
(the distinction is VERY important, as grub4dos is derived from Grub, but, while having a number of added features, it still lacks some of the original Grub)
At this point, one could have posted something like "Ok, thanks" and would have googled his way to understand, if needed, how the password syntax worked.
Galapo offered his help, hinting a way to limit access to the CD to which you replied something to the effect of "No, too difficult for me".
Ove proposed CDshell as an alternative, maybe slightly outside your question, as you pointed out.
I got (maybe wrongly) the impression of a kind of "lazyness" on your part or however a non compliance to point f5 of Common Sense Advice given in rules:
http://www.boot-land...?act=boardrules
It seemed to me like you were a sultan, comfortably laying in his dormeuse, supervising a number of merchants coming from the East and showing their goods, saying "I don't like this", "I do not fancy this other", "This is too colourful", "This other is dull", hence the quick howto, in order to be able to consider the topic closed, and the esortation to RTFM.
jaclaz
#10
Posted 12 September 2007 - 03:48 PM
Not anger, just momentary irritation .
As I saw (and still see ) it:
1) You asked a rather "narrow" question:
2) I replied you that grub4dos, which is NOT Grub, is compatible with Grub password feature.
(the distinction is VERY important, as grub4dos is derived from Grub, but, while having a number of added features, it still lacks some of the original Grub)
At this point, one could have posted something like "Ok, thanks" and would have googled his way to understand, if needed, how the password syntax worked.
Galapo offered his help, hinting a way to limit access to the CD to which you replied something to the effect of "No, too difficult for me".
Ove proposed CDshell as an alternative, maybe slightly outside your question, as you pointed out.
I got (maybe wrongly) the impression of a kind of "lazyness" on your part or however a non compliance to point f5 of Common Sense Advice given in rules:
http://www.boot-land...?act=boardrules
It seemed to me like you were a sultan, comfortably laying in his dormeuse, supervising a number of merchants coming from the East and showing their goods, saying "I don't like this", "I do not fancy this other", "This is too colourful", "This other is dull", hence the quick howto, in order to be able to consider the topic closed, and the esortation to RTFM.
jaclaz
Let me see if I can be more straight. I'm not familiar with GRUB at all and am trying to find a simple way to add some type of password protection to my VistaPE CD either from the GRUB menu or before entering the environment. Sorry but I am fairly new at the whole Winbuilder method (I come from a BartPE background where I used SecureScreen plugin to password protect my CD).
I create a RescueCD for co workers to assist with reimaging machines. I have setup a server so that each worker can generate their own RescueCD with the password of their choice. Trying to do such a feat with VistaPE and Grub seems to be a bit complex for me at this time (I'm sure I'll come around) but I was looking for suggestions and tips from anyone out there.
Usually people come to a forum looking for help or assistance. If everyone just says Google it or RTFM then why not just have that on the main page and do away with forums all together.
Sorry but as you were irritated in your last message I am too.
Just looking for guidance. Again, I've never used GRUB before.
#11
Posted 12 September 2007 - 04:38 PM
Yep, and, again, if you are going to use Vistape, you are going to use grub4dos, NOT Grub.Again, I've never used GRUB before.
So, let's do a "cold boot", and re-start.
I posted a simple howto to password protect a Grub/grub4dos menu.lst.
Grub and grub4dos have a command to generate a md5 password hash, to increase security as compared to "plain text".
In the link I already posted:
http://www.cs.wcupa....Linux/grub.html
first link in ""You may be also interested in" is this one:
http://www.cyberciti...oot-loader.html
that describes the usage of the -md5 option.
So, no need to Google around, but you have to read the suggested pages, in order to understand how the password and md5 options work.
Their usage is pretty straightforward, if you have problems following the very simple howto I posted, or in using the md5 option, do post so, I will do my best to help you.
I don't know of any straightforward way to script the generation of the md5 password, but my guess is that searching a little bit you will be able to find a command line Win32 program that creates a md5 hash compatible with grub4dos method.
jaclaz
#12
Posted 12 September 2007 - 05:50 PM
Yep, and, again, if you are going to use Vistape, you are going to use grub4dos, NOT Grub.
So, let's do a "cold boot", and re-start.
I posted a simple howto to password protect a Grub/grub4dos menu.lst.
Grub and grub4dos have a command to generate a md5 password hash, to increase security as compared to "plain text".
In the link I already posted:
http://www.cs.wcupa....Linux/grub.html
first link in ""You may be also interested in" is this one:
http://www.cyberciti...oot-loader.html
that describes the usage of the -md5 option.
So, no need to Google around, but you have to read the suggested pages, in order to understand how the password and md5 options work.
Their usage is pretty straightforward, if you have problems following the very simple howto I posted, or in using the md5 option, do post so, I will do my best to help you.
I don't know of any straightforward way to script the generation of the md5 password, but my guess is that searching a little bit you will be able to find a command line Win32 program that creates a md5 hash compatible with grub4dos method.
jaclaz
Thanks. I'm thinking I may need to use Cygwin to generate a md5 password that is grub4dos compatible if I can't find one for win32.
I see what I can get going and come back and post my findings.
thanks
#13
Posted 13 September 2007 - 04:50 AM
#14
Posted 13 September 2007 - 12:03 PM
I'll try to see if I can compile this python into an exe and create a script for Winbuilder for those who wish to password protect their CDs. Although it may be trivial based on each individual to have the CD password protect as you can protect either everything or only certain titles. This part may be tricky for me to customize in a script. See where I go with it I guess.
#15
Posted 13 September 2007 - 12:40 PM
It seems like there are two algorithms, md5sum and md5crypt, the first is widely used to make checksums, the second is used in GNU/Linux for password hashing.
These are the only 5 lines of text I could find in "human readable form" that explain briefly how it is made.
from what I have understood so far linux uses md5 encryption for example
$1$PzWoHIp0$OBl0/opUYe7ciRrfQsPuk1
$1$-depicts that this is a md5 encryption
PzWoHIp0-this is the 8 charecter salt
OBl0/opUYe7ciRrfQsPuk1-this is the 22 character encrypted password
The GNUwin32 project has a "crypt" port:
http://gnuwin32.sour...kages/crypt.htm
http://sourceforge.n...ackage_id=36656
the downloaded .bin has these files:
30/04/2002 11.21 7.168 cert.exe
30/04/2002 11.21 28.632 crypt.dll
30/04/2002 11.14 6.656 md5c-test.exe
30/04/2002 11.21 7.168 md5test.exe
30/04/2002 11.21 6.656 ufc.exe
That I simply cannot find a way to run , there is no "usage" with /? -? or /h -h or --help and I could not find ANYTHING useful in the docs.
Found also a java library:
http://tools.arlut.u...5/MD5Crypt.html
and a TCL one:
http://gid.cimne.upc...t/md5crypt.html
jaclaz
#16
Posted 13 September 2007 - 03:27 PM
Found a solution
Though not as "portable" as I would like it to be.
OpenSSL has a tool that makes the crypted password hash.
The minimum download is here:
http://www.slproweb....n32OpenSSL.html
http://www.slproweb....ight-0_9_8e.exe
Once installed , run either:
openssl passwd -1 yourpassword
to generate a crypted password hash with random "salt", or:
openssl passwd -1 -salt yoursalt yourpassword
yoursalt in the grub4dos md5 crypting appears to be 4 charactes long, a..z, A...Z, 0..9, maybe some more chars like . and /
thus a 4 character salt is needed.
So we have:
$1$ -> the "md5 signature" xxxx -> 4 chars "salt" $ -> separator 0123456789012345678901 -> 22 character hash
The only needed files appear to be:
27/02/2007 21.39 1.040.384 libeay32.dll 27/02/2007 21.41 290.816 openssl.exe 27/02/2007 21.40 196.608 ssleay32.dll
jaclaz
#17
Posted 14 September 2007 - 02:08 AM
Update:
Found a solution
Though not as "portable" as I would like it to be.
OpenSSL has a tool that makes the crypted password hash.
The minimum download is here:
http://www.slproweb....n32OpenSSL.html
http://www.slproweb....ight-0_9_8e.exe
Once installed , run either:
openssl passwd -1 yourpassword
to generate a crypted password hash with random "salt", or:
openssl passwd -1 -salt yoursalt yourpassword
yoursalt in the grub4dos md5 crypting appears to be 4 charactes long, a..z, A...Z, 0..9, maybe some more chars like . and /
thus a 4 character salt is needed.
So we have:$1$ -> the "md5 signature" xxxx -> 4 chars "salt" $ -> separator 0123456789012345678901 -> 22 character hash
The only needed files appear to be:27/02/2007 21.39 1.040.384 libeay32.dll 27/02/2007 21.41 290.816 openssl.exe 27/02/2007 21.40 196.608 ssleay32.dll
jaclaz
Here's the Python script. My friend added this to it: new and improved. if you dont give a salt on the command line, it generates a random one between 1 and 99999999
Just rename to .py
Just issue python md5_grub.py password
I know there is a way to make .py into .exe If so then its a really simple solution. I have tried creating a hash with this script and putting the hash into the menu.lst with 100% success.
I'll take a look at the method you posted above.
I found the original python script here: http://mail.python.o...rch/195202.html
#19
Posted 14 September 2007 - 06:28 PM
Try this: http://www.py2exe.org/
Thanks I'll have to play with that.
Now just need to figure out how to make the CD expire. I guess I could write an autoit that autostarts and checks the date (either by BIOS or by a date of a file on the cd).
Anyone know of an easier solution? I used to use secscr for BartPE but don't see anything for VistaPE (yet).
#20
Posted 14 September 2007 - 07:02 PM
md5_grub password
The output is the hash with a random salt each time.
#21
Posted 15 September 2007 - 01:32 PM
It needs a python25.dll which you can get downloading and installing the entire Python package, about 10 Mb :
http://www.python.or.../python-2.5.msi
the python25.dll itself is around 2 Mbytes
Once copied it to the directory where MD5_grub.exe is, the error is gone.
Then it seems like it needs (the path is hardcoded):
"C:\Python25\lib\site-packages\py2exe\boot_common.py"
So you need as well to download and install the py2exe package,
Then it needs a module called "linecache" and one called "md5".
I could not find where these modules should be put (ny ubstall is on G:\Python25, instead of C:\Python25)
I removed the install and re-installed Python on C:\Python25\
Still the same problems, I copied md5_grub.exe to C:\Python25\ and got again:
Copied to it Python25.dll and got, again:C:\Python25>md5_grub
LoadLibrary(pythondll) failedCannot find specified module.
C:\Python25\PYTHON25.DLL
copied both linecache.py and md5.py to C:\Python25\C:\Python25>md5_grub
Traceback (most recent call last):
File "C:\Python25\lib\site-packages\py2exe\boot_common.py", line 92, in <module>
import linecache
ImportError: No module named linecache
Traceback (most recent call last):
File "md5_grub.py", line 3, in <module>
import md5
ImportError: No module named md5
and same error occurs.
Tried copying them to C:\Python25\Lib\site-packages\py2exe\ too, and same error comes out.
Maybe a reboot (something I am not going to do right now) is needed to let python get the configuration?
However, as is, it appears not to be a handy solution .
jaclaz
EDIT:
Since I had Python installed anyway, I re-compiled the md5_grub.py with py2exe, and this was the result in the \dist folder:
Directory di C:\Python25\dist15/09/2007 16.38 <DIR> .15/09/2007 16.38 <DIR> ..19/09/2006 09.52 323.584 _hashlib.pyd19/09/2006 09.52 77.824 bz2.pyd19/09/2006 09.52 475.136 unicodedata.pyd11/01/2005 13.51 348.160 MSVCR71.dll19/09/2006 09.52 2.109.440 python25.dll19/09/2006 09.52 4.608 w9xpopen.exe15/09/2007 16.40 920.386 library.zip15/09/2007 16.40 18.432 md5_grub.exe 8 File 4.277.570 byterunning the new md5_grub.exe from this directory works
but as I see it, it is simply crazy to have 4 Mb to replicate this md5 crypt thingy.
I find it incredible that someone (a programmer, I mean) did not make the same as a smallish selfstanding executable.
#22
Posted 16 September 2007 - 10:12 PM
but as I see it, it is simply crazy to have 4 Mb to replicate this md5 crypt thingy.
I find it incredible that someone (a programmer, I mean) did not make the same as a smallish selfstanding executable.
My thoughts exactly. a script so small needs 4 megs to execute properly. There has to be an easier way. Maybe someone could do this in Delphi (ahem; Nuno; ahem)
Sorry about it not executing for yah, it was working fine for me but mostly because I had python already installed.
#23
Posted 17 September 2007 - 01:21 PM
Will see what I come up with.
#24
Posted 17 September 2007 - 01:32 PM
I have found some source code around, but definitely nothing I can understand/help with.
jaclaz
#25
Posted 18 September 2007 - 09:18 AM
NOW we are getting somewhere:
Download 3proxy:
http://sourceforge.n...cts/three-proxy
118,100 bytes download, extract from zip mycrypt.exe, 12,288 bytes.
It needs a "salt", but I guess that having saved more than 4 Mb of space, and having got rid of the depencies nightmare afore mentioned one could use a random generator to create it.
By the way, it seems like the "salt" that grub4dos md5crypt generates is based on system time, so, even a batch file is enough to have the same semi-random numbers.
jaclaz
3 user(s) are reading this topic
0 members, 3 guests, 0 anonymous users