  • Password-protect GRUB to prevent the root password from being reset through single-user mode

    (1).CentOS6

    1) Generate the hashed password

    [root@CentOS6 ~]# grub-md5-crypt
    Password: 
    Retype password: 
    $1$QPduF0$FNhzDUPQPV8ARQ5Lx.V421  // this string is the hashed password
    

    2) Add the hashed password to /boot/grub/grub.conf

    [root@CentOS6 ~]# vim /boot/grub/grub.conf
    # grub.conf generated by anaconda
    #
    # Note that you do not have to rerun grub after making changes to this file
    # NOTICE:  You have a /boot partition.  This means that
    #          all kernel and initrd paths are relative to /boot/, eg.
    #          root (hd0,0)
    #          kernel /vmlinuz-version ro root=/dev/mapper/vg_centos6-lv_root
    #          initrd /initrd-[generic-]version.img
    #boot=/dev/sda
    default=0
    timeout=5
    splashimage=(hd0,0)/grub/splash.xpm.gz
    hiddenmenu
    # add a line like the following
    password --md5 $1$QPduF0$FNhzDUPQPV8ARQ5Lx.V421
    title CentOS 6 (2.6.32-642.el6.x86_64)
            root (hd0,0)
            kernel /vmlinuz-2.6.32-642.el6.x86_64 ro root=/dev/mapper/vg_centos6-lv_root rd_NO_LUKS rd_NO_MD rd_LVM_LV=vg_centos6/lv_swap crashkernel=128M LANG=zh_CN.UTF-8 rd_LVM_LV=vg_centos6/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
            initrd /initramfs-2.6.32-642.el6.x86_64.img
    

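    3) After a reboot, anyone who wants to enter single-user mode to reset the root password must enter the password we set

      Pressing e no longer gets you into single-user mode; GRUB prompts you to press p and enter the password first.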

    (2).CentOS7

    1) Generate the hashed password

    [root@xuexi ~]$ LANG="en_US.UTF-8"
    [root@xuexi ~]$ grub2-mkpasswd-pbkdf2 
    Enter password: 
    Reenter password: 
    // everything after "is" is the hashed password
    PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.C88D38083C2E0D37296410F5D8F11294A1B38705D9C3F245BB449FE63F01D838E5D897C5F94C3605AE1A2CBB845D7FB69EA682CF81FE3470C856A829BEA2AF09.3E5F147E46C0A0FE5E27CE7D4075CAC77007472898C5058A078D77F3C6C0E91D652BA2906AAAAA3987EEBD3E5DDBD8743ADDFE8A22758722797399CE7334B4AA

    2) Add the hashed password to /etc/grub.d/00_header

    [root@xuexi ~]# vim /etc/grub.d/00_header
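    // append the following block at the end of the file
    # The user name below does not need to exist on the system; it is used only for GRUB.
    # The password_pbkdf2 line must name the same user.
    cat <<EOF
    set superusers='xx'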
    password_pbkdf2 xx grub.pbkdf2.sha512.10000.C88D38083C2E0D37296410F5D8F11294A1B38705D9C3F245BB449FE63F01D838E5D897C5F94C3605AE1A2CBB845D7FB69EA682CF81FE3470C856A829BEA2AF09.3E5F147E46C0A0FE5E27CE7D4075CAC77007472898C5058A078D77F3C6C0E91D652BA2906AAAAA3987EEBD3E5DDBD8743ADDFE8A22758722797399CE7334B4AA
    EOF
    // then save and exit
    

    3) Regenerate the GRUB configuration

    [root@xuexi ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
    Generating grub configuration file ...
    Found linux image: /boot/vmlinuz-3.10.0-957.10.1.el7.x86_64
    Found initrd image: /boot/initramfs-3.10.0-957.10.1.el7.x86_64.img
    Found linux image: /boot/vmlinuz-3.10.0-957.5.1.el7.x86_64
    Found initrd image: /boot/initramfs-3.10.0-957.5.1.el7.x86_64.img
    Found linux image: /boot/vmlinuz-3.10.0-957.1.3.el7.x86_64
    Found initrd image: /boot/initramfs-3.10.0-957.1.3.el7.x86_64.img
    Found linux image: /boot/vmlinuz-3.10.0-862.14.4.el7.x86_64
    Found initrd image: /boot/initramfs-3.10.0-862.14.4.el7.x86_64.img
    Found linux image: /boot/vmlinuz-3.10.0-862.el7.x86_64
    Found initrd image: /boot/initramfs-3.10.0-862.el7.x86_64.img
    Found linux image: /boot/vmlinuz-0-rescue-f5097333f3d74aec9635cc62d6bc0638
    Found initrd image: /boot/initramfs-0-rescue-f5097333f3d74aec9635cc62d6bc0638.img
    done
    

      Note: you must regenerate the GRUB configuration, otherwise the change does not take effect.

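    4) After a reboot, anyone who wants to enter single-user mode to reset the root password must enter the user name and password we set

      We press e to enter single-user mode.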
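
    To confirm that the regenerated /boot/grub2/grub.cfg actually carries the settings from steps 2) and 3), a check like the following can be run. This is an added example, not part of the original article; the function name check_grub2_cfg and the sample file with its shortened placeholder hash are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a generated GRUB 2 config for the settings from 00_header.
# Returns 0 only if superusers is set and every superuser has a PBKDF2 hash.
check_grub2_cfg() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }

    # Take the last "set superusers=..." line, strip quotes, and split the
    # list on the separators GRUB accepts (space , ; | &).
    users=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers=//p' "$cfg" |
            tail -n 1 | tr -d "\"'" | tr ',;|&' '    ')
    if [ -z "$users" ]; then
        echo "FAIL: superusers is not set, so menu entries can be edited freely"
        return 1
    fi

    rc=0
    for u in $users; do
        if awk -v u="$u" '$1 == "password_pbkdf2" && $2 == u &&
               $3 ~ /^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$/ { ok = 1 }
               END { exit !ok }' "$cfg"; then
            echo "OK: $u has a PBKDF2 hash"
        elif awk -v u="$u" '$1 == "password" && $2 == u { hit = 1 }
               END { exit !hit }' "$cfg"; then
            echo "FAIL: $u has a plaintext password line"
            rc=1
        else
            echo "FAIL: superuser $u has no password line"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: same shape as the block added to 00_header, with a
# shortened placeholder instead of a real hash.
sample=$(mktemp)
cat > "$sample" <<'EOF'
set superusers='xx'
password_pbkdf2 xx grub.pbkdf2.sha512.10000.0A1B2C3D.4E5F6071
EOF
check_grub2_cfg "$sample"    # on a real host: check_grub2_cfg /boot/grub2/grub.cfg
```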

  • Original article: https://www.cnblogs.com/diantong/p/10741915.html