Security Handbook/Bootloader security

Tightening security during and after installation.

USE flags
The file contains user defined USE flags and  contains the default USE flags for Gentoo Linux. For this guide's purposes, the important flags are  (Pluggable Authentication Modules),   (TCP wrappers), and   (Secure Socket Layer). These are all in the default USE flags.

Password protecting GRUB
GRUB supports two different ways of adding password protection to your boot loader. The first uses plain text, while the latter uses md5+salt encryption.

This will add the password. If no password is entered at boot, GRUB will simply use the default boot setting.

When adding an md5 password, you must convert your password into crypt format, which is the same format used in. For more information see. The encrypted password, for example, could look like this:

You can encrypt your password directly at the GRUB shell:

Then, cut and paste the password to :

The 5 seconds timeout becomes handy if the system is remote and should be able to reboot without any keyboard interaction. Learn more about GRUB passwords by executing.

Password protecting LILO
LILO also supports two ways of handling passwords: global and per-image, both in clear text.

The global password is set at the top of the configuration file, and applies to every boot image:

The per-image password is set as below:

If the  option is not entered, it will prompt for a password every time.

In order to store the new information in, you must run.

Restricting console usage
The file allows you to specify which tty (terminal) devices root is allowed to login to.

We suggest that you comment out all lines except vc/1 if you are using devfs and all lines except tty1 if you are using udev. This will ensure that root only can login once and only on one terminal.