Password protect

Anyone know if its possible to password protect the CD to keep it from being used by unwanted folks?

Grub4dos should be compatible with the grub password (MD5) syntax.
Reference:
http://www.cs.wcupa....Linux/grub.html

Reference:
http://grub4dos.sour...24341;#password

<pre> Password [-- md5] PASSWD [FILE] </ pre> set a password. When the menu at the first document, to ban all interactive menu editing functions, including editing menu items ( `e`) / access the command line ( `c`). When the correct password (PASSWD designated), included in the new menu (designated by the FILE). If you do not specify FILE, then these were banned function will be opened. Of course, you can use this command a certain menu items, to enhance the security of the system. Parameters -- Note md5 password (PASSWD) is the use of encryption md5crypt.

jaclaz

Depends a little on what you want exactly: i) simply stop unwanted use of your disk; or ii) to stop unwanted use and protect commercial software lisences.

I achieve the second by splitting off "system files" from "program files", ie those files which are necessary for booting, and those files which are additional. Program files get loaded into a vmware image (so that this can be mounted as writable with an undo file) which is then loaded into an UltraISO encrypted password-protected .isz image which is mounted at boot after the sucessful entry of the password. I like the .isz file because it can be compressed vis-a-vis a truecrypt container which is another possibility. Reg files with software lisences can be kept in the image and merged after the image is mounted etc.

Hope this helps. I can add more detail if needed.

Regards,
Galapo.

Depends a little on what you want exactly: i) simply stop unwanted use of your disk; or ii) to stop unwanted use and protect commercial software lisences.

I achieve the second by splitting off "system files" from "program files", ie those files which are necessary for booting, and those files which are additional. Program files get loaded into a vmware image (so that this can be mounted as writable with an undo file) which is then loaded into an UltraISO encrypted password-protected .isz image which is mounted at boot after the sucessful entry of the password. I like the .isz file because it can be compressed vis-a-vis a truecrypt container which is another possibility. Reg files with software lisences can be kept in the image and merged after the image is mounted etc.

Hope this helps. I can add more detail if needed.

Regards,
Galapo.

Um yah, thats a bit too deep for me, just looking to password protect the CD from booting or password protect the environment.

You could use CDShell as a boot loader, and make a script that would require a password.
Even if your CD got cloned by someone, it would still require a password to boot.

CDShell is a free boot loader, that supports complex scripts. I used it to create a boot menu on my unattended XP CD a while back. It also has example scripts, including one that uses a password to protect the CD.

http://www.cdshell.org/

You could use CDShell as a boot loader, and make a script that would require a password.
Even if your CD got cloned by someone, it would still require a password to boot.

CDShell is a free boot loader, that supports complex scripts. I used it to create a boot menu on my unattended XP CD a while back. It also has example scripts, including one that uses a password to protect the CD.

http://www.cdshell.org/

Well wanted to keep using GRUB for my VistaPE package. Does CDShell support VistaPE?

OK, I simply cannot stand this.

As said, grub4dos has password protection features.
What is debatable is whether they are secure or not, see this:
http://www.cyberciti...r-password.html

Example:
1) copy and paste this to menu.lst:

password mytest (fd0)/test.lst
color black/cyan yellow/cyan
timeout 30

title Unprotected item IO.SYS
find --set-root /io.sys
chainloader /io.sys

2) copy and paste this to test.lst:

color black/cyan yellow/cyan
timeout 30

title NT password protected item
find --set-root /ntldr
chainloader /ntldr

Copy both menu.lst and test.lst to root of the device.

Try booting from it.

Customize as you wish, in the line:
password mytest (fd0)/test.lst
password is the command
mytest is the password value
(fd0)/test.lst is where to find the password protected menu.

If you want a minimum of security about the password, encrypt it with MD5, RTFM to learn how to do it.

jaclaz

OK, I simply cannot stand this.
...
If you want a minimum of security about the password, encrypt it with MD5, RTFM to learn how to do it.

jaclaz

Not sure why the anger, just asking for some tips on how best to do it. Looking to see if its something that can easily be done via scripting (such as build the password on the fly prior to compiling the iso).

s

Not sure why the anger, just asking for some tips on how best to do it.

Not anger, just momentary irritation .

As I saw (and still see ) it:
1) You asked a rather "narrow" question:

Password protect, Either via Grub or at PE Switcher

2) I replied you that grub4dos, which is NOT Grub, is compatible with Grub password feature.
(the distinction is VERY important, as grub4dos is derived from Grub, but, while having a number of added features, it still lacks some of the original Grub)

At this point, one could have posted something like "Ok, thanks" and would have googled his way to understand, if needed, how the password syntax worked.

Galapo offered his help, hinting a way to limit access to the CD to which you replied something to the effect of "No, too difficult for me".

Ove proposed CDshell as an alternative, maybe slightly outside your question, as you pointed out.

I got (maybe wrongly) the impression of a kind of "lazyness" on your part or however a non compliance to point f5 of Common Sense Advice given in rules:
http://www.boot-land...?act=boardrules

It seemed to me like you were a sultan, comfortably laying in his dormeuse, supervising a number of merchants coming from the East and showing their goods, saying "I don't like this", "I do not fancy this other", "This is too colourful", "This other is dull", hence the quick howto, in order to be able to consider the topic closed, and the esortation to RTFM.

jaclaz

Not anger, just momentary irritation .

As I saw (and still see ) it:
1) You asked a rather "narrow" question:

2) I replied you that grub4dos, which is NOT Grub, is compatible with Grub password feature.
(the distinction is VERY important, as grub4dos is derived from Grub, but, while having a number of added features, it still lacks some of the original Grub)

At this point, one could have posted something like "Ok, thanks" and would have googled his way to understand, if needed, how the password syntax worked.

Galapo offered his help, hinting a way to limit access to the CD to which you replied something to the effect of "No, too difficult for me".

Ove proposed CDshell as an alternative, maybe slightly outside your question, as you pointed out.

I got (maybe wrongly) the impression of a kind of "lazyness" on your part or however a non compliance to point f5 of Common Sense Advice given in rules:
http://www.boot-land...?act=boardrules

It seemed to me like you were a sultan, comfortably laying in his dormeuse, supervising a number of merchants coming from the East and showing their goods, saying "I don't like this", "I do not fancy this other", "This is too colourful", "This other is dull", hence the quick howto, in order to be able to consider the topic closed, and the esortation to RTFM.

jaclaz

Let me see if I can be more straight. I'm not familiar with GRUB at all and am trying to find a simple way to add some type of password protection to my VistaPE CD either from the GRUB menu or before entering the environment. Sorry but I am fairly new at the whole Winbuilder method (I come from a BartPE background where I used SecureScreen plugin to password protect my CD).

I create a RescueCD for co workers to assist with reimaging machines. I have setup a server so that each worker can generate their own RescueCD with the password of their choice. Trying to do such a feat with VistaPE and Grub seems to be a bit complex for me at this time (I'm sure I'll come around) but I was looking for suggestions and tips from anyone out there.

Usually people come to a forum looking for help or assistance. If everyone just says Google it or RTFM then why not just have that on the main page and do away with forums all together.

Sorry but as you were irritated in your last message I am too.

Just looking for guidance. Again, I've never used GRUB before.

Again, I've never used GRUB before.

Yep, and, again, if you are going to use Vistape, you are going to use grub4dos, NOT Grub.

So, let's do a "cold boot", and re-start.

I posted a simple howto to password protect a Grub/grub4dos menu.lst.

Grub and grub4dos have a command to generate a md5 password hash, to increase security as compared to "plain text".

In the link I already posted:
http://www.cs.wcupa....Linux/grub.html
first link in ""You may be also interested in" is this one:
http://www.cyberciti...oot-loader.html
that describes the usage of the -md5 option.

So, no need to Google around, but you have to read the suggested pages, in order to understand how the password and md5 options work.

Their usage is pretty straightforward, if you have problems following the very simple howto I posted, or in using the md5 option, do post so, I will do my best to help you.

I don't know of any straightforward way to script the generation of the md5 password, but my guess is that searching a little bit you will be able to find a command line Win32 program that creates a md5 hash compatible with grub4dos method.

jaclaz

Yep, and, again, if you are going to use Vistape, you are going to use grub4dos, NOT Grub.

So, let's do a "cold boot", and re-start.

I posted a simple howto to password protect a Grub/grub4dos menu.lst.

Grub and grub4dos have a command to generate a md5 password hash, to increase security as compared to "plain text".

In the link I already posted:
http://www.cs.wcupa....Linux/grub.html
first link in ""You may be also interested in" is this one:
http://www.cyberciti...oot-loader.html
that describes the usage of the -md5 option.

So, no need to Google around, but you have to read the suggested pages, in order to understand how the password and md5 options work.

Their usage is pretty straightforward, if you have problems following the very simple howto I posted, or in using the md5 option, do post so, I will do my best to help you.

I don't know of any straightforward way to script the generation of the md5 password, but my guess is that searching a little bit you will be able to find a command line Win32 program that creates a md5 hash compatible with grub4dos method.

jaclaz

Thanks. I'm thinking I may need to use Cygwin to generate a md5 password that is grub4dos compatible if I can't find one for win32.

I see what I can get going and come back and post my findings.
thanks

What I've noticed is that grub's md5 hash is different than if I were to use fsum or md5sum tool to create the same hash. Any idea why?

Did some searching and it appears Grub uses a salt when generating its hash. Did even more searching and someone had generated a Python script to handle this. Had a friend tweak it for me and got a working Python script that generates a hash which Grub likes

I'll try to see if I can compile this python into an exe and create a script for Winbuilder for those who wish to password protect their CDs. Although it may be trivial based on each individual to have the CD password protect as you can protect either everything or only certain titles. This part may be tricky for me to customize in a script. See where I go with it I guess.

Yes, I checked too, and found some info, but no solution .

It seems like there are two algorithms, md5sum and md5crypt, the first is widely used to make checksums, the second is used in GNU/Linux for password hashing.
These are the only 5 lines of text I could find in "human readable form" that explain briefly how it is made.

from what I have understood so far linux uses md5 encryption for example
$1$PzWoHIp0$OBl0/opUYe7ciRrfQsPuk1
$1$-depicts that this is a md5 encryption
PzWoHIp0-this is the 8 charecter salt
OBl0/opUYe7ciRrfQsPuk1-this is the 22 character encrypted password

The GNUwin32 project has a "crypt" port:
http://gnuwin32.sour...kages/crypt.htm
http://sourceforge.n...ackage_id=36656

the downloaded .bin has these files:
30/04/2002 11.21 7.168 cert.exe
30/04/2002 11.21 28.632 crypt.dll
30/04/2002 11.14 6.656 md5c-test.exe
30/04/2002 11.21 7.168 md5test.exe
30/04/2002 11.21 6.656 ufc.exe

That I simply cannot find a way to run , there is no "usage" with /? -? or /h -h or --help and I could not find ANYTHING useful in the docs.

Found also a java library:
http://tools.arlut.u...5/MD5Crypt.html
and a TCL one:
http://gid.cimne.upc...t/md5crypt.html

jaclaz

Update:
Found a solution

Though not as "portable" as I would like it to be.

OpenSSL has a tool that makes the crypted password hash.

The minimum download is here:
http://www.slproweb....n32OpenSSL.html
http://www.slproweb....ight-0_9_8e.exe
Once installed , run either:

openssl passwd -1 yourpassword

to generate a crypted password hash with random "salt", or:

openssl passwd -1 -salt yoursalt yourpassword

yoursalt in the grub4dos md5 crypting appears to be 4 charactes long, a..z, A...Z, 0..9, maybe some more chars like . and /

thus a 4 character salt is needed.

So we have:

$1$ -> the "md5 signature"

xxxx -> 4 chars "salt"

$ -> separator

0123456789012345678901 -> 22 character hash

The only needed files appear to be:

27/02/2007  21.39			1.040.384 libeay32.dll

27/02/2007  21.41			  290.816 openssl.exe

27/02/2007  21.40			  196.608 ssleay32.dll

jaclaz

Update:
Found a solution

Though not as "portable" as I would like it to be.

OpenSSL has a tool that makes the crypted password hash.

The minimum download is here:
http://www.slproweb....n32OpenSSL.html
http://www.slproweb....ight-0_9_8e.exe

Once installed , run either:

openssl passwd -1 yourpassword

to generate a crypted password hash with random "salt", or:

openssl passwd -1 -salt yoursalt yourpassword

yoursalt in the grub4dos md5 crypting appears to be 4 charactes long, a..z, A...Z, 0..9, maybe some more chars like . and /

thus a 4 character salt is needed.

So we have:

$1$ -> the "md5 signature"

xxxx -> 4 chars "salt"

$ -> separator

0123456789012345678901 -> 22 character hash

The only needed files appear to be:

27/02/2007  21.39			1.040.384 libeay32.dll

27/02/2007  21.41			  290.816 openssl.exe

27/02/2007  21.40			  196.608 ssleay32.dll

jaclaz

Here's the Python script. My friend added this to it: new and improved. if you dont give a salt on the command line, it generates a random one between 1 and 99999999

Just rename to .py

Just issue python md5_grub.py password

I know there is a way to make .py into .exe If so then its a really simple solution. I have tried creating a hash with this script and putting the hash into the menu.lst with 100% success.

I'll take a look at the method you posted above.

I found the original python script here: http://mail.python.o...rch/195202.html

Try this: http://www.py2exe.org/

Try this: http://www.py2exe.org/

Thanks I'll have to play with that.

Now just need to figure out how to make the CD expire. I guess I could write an autoit that autostarts and checks the date (either by BIOS or by a date of a file on the cd).

Anyone know of an easier solution? I used to use secscr for BartPE but don't see anything for VistaPE (yet).

Also here is the python script compiled. Use as such:

md5_grub password

The output is the hash with a random salt each time.

Something is "wrong" with this file.

It needs a python25.dll which you can get downloading and installing the entire Python package, about 10 Mb :
http://www.python.or.../python-2.5.msi
the python25.dll itself is around 2 Mbytes

Once copied it to the directory where MD5_grub.exe is, the error is gone.

Then it seems like it needs (the path is hardcoded):
"C:\Python25\lib\site-packages\py2exe\boot_common.py"

So you need as well to download and install the py2exe package,

Then it needs a module called "linecache" and one called "md5".

I could not find where these modules should be put (ny ubstall is on G:\Python25, instead of C:\Python25)

I removed the install and re-installed Python on C:\Python25\

Still the same problems, I copied md5_grub.exe to C:\Python25\ and got again:

C:\Python25>md5_grub
LoadLibrary(pythondll) failedCannot find specified module.
C:\Python25\PYTHON25.DLL

Copied to it Python25.dll and got, again:

C:\Python25>md5_grub
Traceback (most recent call last):
File "C:\Python25\lib\site-packages\py2exe\boot_common.py", line 92, in <module>
import linecache
ImportError: No module named linecache
Traceback (most recent call last):
File "md5_grub.py", line 3, in <module>
import md5
ImportError: No module named md5

copied both linecache.py and md5.py to C:\Python25\
and same error occurs.
Tried copying them to C:\Python25\Lib\site-packages\py2exe\ too, and same error comes out.

Maybe a reboot (something I am not going to do right now) is needed to let python get the configuration?

However, as is, it appears not to be a handy solution .

jaclaz

EDIT:
Since I had Python installed anyway, I re-compiled the md5_grub.py with py2exe, and this was the result in the \dist folder:

Directory di C:\Python25\dist15/09/2007  16.38	   <DIR>		  .15/09/2007  16.38	   <DIR>		  ..19/09/2006  09.52			  323.584 _hashlib.pyd19/09/2006  09.52			   77.824 bz2.pyd19/09/2006  09.52			  475.136 unicodedata.pyd11/01/2005  13.51			  348.160 MSVCR71.dll19/09/2006  09.52			2.109.440 python25.dll19/09/2006  09.52				4.608 w9xpopen.exe15/09/2007  16.40			  920.386 library.zip15/09/2007  16.40			   18.432 md5_grub.exe			   8 File	  4.277.570 byte

running the new md5_grub.exe from this directory works

but as I see it, it is simply crazy to have 4 Mb to replicate this md5 crypt thingy.

I find it incredible that someone (a programmer, I mean) did not make the same as a smallish selfstanding executable.

but as I see it, it is simply crazy to have 4 Mb to replicate this md5 crypt thingy.

I find it incredible that someone (a programmer, I mean) did not make the same as a smallish selfstanding executable.

My thoughts exactly. a script so small needs 4 megs to execute properly. There has to be an easier way. Maybe someone could do this in Delphi (ahem; Nuno; ahem)

Sorry about it not executing for yah, it was working fine for me but mostly because I had python already installed.

Some folks have written MD5 plugins for AutoIt. Played with it last night but can't figure out how to include a salt based on the way Grub uses it.

Will see what I come up with.

Good

I have found some source code around, but definitely nothing I can understand/help with.

jaclaz

UPDATE:

NOW we are getting somewhere:
Download 3proxy:
http://sourceforge.n...cts/three-proxy
118,100 bytes download, extract from zip mycrypt.exe, 12,288 bytes.

It needs a "salt", but I guess that having saved more than 4 Mb of space, and having got rid of the depencies nightmare afore mentioned one could use a random generator to create it.

By the way, it seems like the "salt" that grub4dos md5crypt generates is based on system time, so, even a batch file is enough to have the same semi-random numbers.

jaclaz