59

Recently one of my friends came over to my place, within 15 minutes he hacked my account using a Live CD and reset the password in front of me. I was baffled to see such a thing. Please guide me to prevent such a future attempt using a Live CD.

N.N.
  • 18,589
coder
  • 3,691

6 Answers

58

Stand next to your computer while holding a tee-ball bat. Severely beat anyone who gets close.

Or lock it up.

If your computer is physically accessible, it is unsafe.

mdebusk
  • 597
56

A quick and easy way to do this is to disable booting from CDs and USB sticks in your BIOS and set a BIOS password.

According to this wiki page:

Placing passwords or locking menu items (in the Grub configuration files) does not prevent a user from booting manually using commands entered at the grub command-line.

However there's nothing stopping someone from just stealing your hard drive and mounting it on another machine, or resetting your BIOS by removing the battery, or one of the other methods that an attacker can use when they have physical access to your machine.

A better way would be to encrypt your drive, you can either do this by encrypting your home directory, or encrypting the entire disk:

Jorge Castro
  • 73,717
28

First the warning...

The grub2 password protection procedure can be quite tricky and if you get it wrong there is a possibility of leaving yourself with a non-bootable system. Thus always make a full image backup of your hard-drive first. My recommendation would be to use Clonezilla - another backup tool such as PartImage could also be used.

If you want to practice this - use a virtual machine guest which you can rollback a snapshot.

Let's begin

The procedure below protects against unauthorised editing of Grub settings whilst booting - that is, pressing e to edit allows you to change the boot options. You could, for example, force booting to single user mode and thus have access to your hard-disk.

This procedure should be used in conjunction with hard-disk encryption and a secure bios boot option to prevent booting from live cd as described in the associated answer to this question.

Almost everything below can be copied and pasted one line at a time.

First let's back up the grub files we will be editing - open a terminal session:

sudo mkdir /etc/grub.d_backup
sudo cp /etc/grub.d/* /etc/grub.d_backup

Let's create a username for grub:

gksudo gedit /etc/grub.d/00_header &

Scroll to the bottom, add a new empty line and copy and paste the following:

cat << EOF
set superusers="myusername"
password myusername xxxx
password recovery 1234
EOF

In this example two usernames were created: myusername and recovery

Next - navigate back to the terminal (don't close gedit):

Natty and Oneiric users only

Generate an encrypted password by typing

grub-mkpasswd-pbkdf2

Enter the password you will use (twice, when prompted)

Your PBKDF2 is grub.pbkdf2.sha512.10000.D42BA2DB6CF3418C413373CD2D6B9A91AE4C0EB4E6AA20F89DFA027CA6E6CBF3542CB39E951607E9D651D82700AF47884929BDD193E36CB262CC96201B5789AA.1A9B0033928E3D3D0338583A5BF13AF7D5CC6EC5A41456F8FE8D8EBEB7A093CD0A0CE8688949E6007188ECB3FB0FF916F258602D130CF5C8525FB318FBBE2646

The bit we are interested in starts grub.pbkdf2... and ends BBE2646

Highlight this section using your mouse, right click and copy this.

Switch back to your gedit application - highlight the text "xxxx" and replace this with what you copied (right click and paste)

i.e. the line should look like (note the keyword changes to password_pbkdf2: GRUB's password command takes a plaintext password, while password_pbkdf2 takes the hash that grub-mkpasswd-pbkdf2 printed)

password_pbkdf2 myusername grub.pbkdf2.sha512.10000.D42BA2DB6CF3418C413373CD2D6B9A91AE4C0EB4E6AA20F89DFA027CA6E6CBF3542CB39E951607E9D651D82700AF47884929BDD193E36CB262CC96201B5789AA.1A9B0033928E3D3D0338583A5BF13AF7D5CC6EC5A41456F8FE8D8EBEB7A093CD0A0CE8688949E6007188ECB3FB0FF916F258602D130CF5C8525FB318FBBE2646

all 'buntu versions (lucid and above)

Save and close the file.

Finally you need to password protect each grub menu entry (all files that have a line that begins menuentry):

cd /etc/grub.d
sudo sed -i -e '/^menuentry /s/ {/ --users myusername {/' *

This will add a new entry --users myusername to each line.

Run update-grub to regenerate your grub

sudo update-grub

When you try to edit a grub entry it will ask for your user name i.e. myusername and the password you used.

Reboot and test that the username and password are being enforced when editing all of the grub entries.

N.B. remember to press SHIFT during boot to display your grub.

Password protecting recovery mode

All of the above can easily be worked around by using recovery mode.

Fortunately you can also force a username and password to use the recovery-mode menu entry. In the first part of this answer we created an additional username called recovery with a password of 1234. To use this username we need to edit the following file:

gksudo gedit /etc/grub.d/10_linux

change the line from:

printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"

To:

if ${recovery} ; then
   printf "menuentry '${title}' --users recovery ${CLASS} {\n" "${os}" "${version}"
else
   printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
fi

When using recovery use the username recovery and the password 1234

Run sudo update-grub to regenerate your grub file

Reboot and test that you are asked for a username and password when trying to boot into recovery mode.


More Information - http://ubuntuforums.org/showthread.php?t=1369019

fossfreedom
  • 174,526
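The procedure in the answer above edits grub.d scripts by hand and then relies on rebooting to see whether the restriction took. As an added example (my own code, not fossfreedom's commands and not part of GRUB), here is a Python audit script that reproduces the sed step on a grub.d script, checks a generated grub.cfg for menu entries that lack --users and for users whose password is stored in cleartext with password rather than password_pbkdf2, and verifies a password against a grub.pbkdf2.sha512 string of the kind grub-mkpasswd-pbkdf2 prints. The two sample configuration texts, the placeholder hash inside them and the salt passed to make_grub_pbkdf2 are constructed for the demonstration; the function names are assumptions of this example.

```python
"""Audit helpers for the GRUB password-protection procedure (added example).

Not fossfreedom's code and not part of GRUB. The sample texts below are
constructed; the hash inside SAMPLE_GRUB_CFG is a placeholder, not a real one.
"""
import hashlib
import hmac
import re

# Constructed fragment of a grub.d script of the kind the sed step edits.
SAMPLE_GRUB_D_SCRIPT = """\
#!/bin/sh
exec tail -n +3 $0
menuentry 'Old kernel' {
    linux /vmlinuz.old root=/dev/sda1 ro
}
menuentry 'Already done' --users myusername {
    linux /vmlinuz root=/dev/sda1 ro
}
"""

# Constructed fragment of a generated /boot/grub/grub.cfg after update-grub.
SAMPLE_GRUB_CFG = """\
set superusers="myusername"
password_pbkdf2 myusername grub.pbkdf2.sha512.10000.AABB.CCDD
password recovery 1234
menuentry 'Ubuntu' --class ubuntu --users myusername {
    linux /vmlinuz root=/dev/sda1 ro quiet
}
menuentry 'Ubuntu (recovery mode)' --users recovery --class ubuntu {
    linux /vmlinuz root=/dev/sda1 ro recovery nomodeset
}
menuentry 'Memory test' {
    linux16 /memtest86+.bin
}
"""

MENUENTRY_RE = re.compile(r"""^\s*menuentry\s+(?:'([^']*)'|"([^"]*)")""")


def protect_menuentries(script_text, user):
    """Same effect as: sed -i -e '/^menuentry /s/ {/ --users USER {/' on one script.

    Unlike the sed one-liner, lines that already carry --users are left alone,
    so re-running it does not stack duplicate options.
    """
    out = []
    for line in script_text.splitlines(keepends=True):
        if line.startswith("menuentry ") and " {" in line and "--users " not in line:
            line = line.replace(" {", f" --users {user} {{", 1)
        out.append(line)
    return "".join(out)


def superusers(cfg_text):
    """Users named in 'set superusers="..."' (comma or space separated)."""
    m = re.search(r'^\s*set\s+superusers="([^"]*)"', cfg_text, re.MULTILINE)
    return [u for u in re.split(r"[,\s]+", m.group(1).strip()) if u] if m else []


def unprotected_menuentries(cfg_text):
    """Titles of menu entries anyone at the console can boot or edit (no --users)."""
    titles = []
    for line in cfg_text.splitlines():
        m = MENUENTRY_RE.match(line)
        if m and "--users " not in line:
            titles.append(m.group(1) if m.group(1) is not None else m.group(2))
    return titles


def plaintext_password_users(cfg_text):
    """Users whose password uses 'password' (cleartext) instead of 'password_pbkdf2'."""
    return re.findall(r"^\s*password\s+(\S+)", cfg_text, re.MULTILINE)


def make_grub_pbkdf2(password, salt, iterations=10000):
    """Build grub.pbkdf2.sha512.<iterations>.<salt hex>.<PBKDF2-HMAC-SHA512 hex>,
    the format grub-mkpasswd-pbkdf2 prints (salt is normally random; here the caller supplies it)."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=64)
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{dk.hex().upper()}"


def verify_grub_pbkdf2(password, grub_hash):
    """True if password matches the grub.pbkdf2.sha512 string; False on malformed input."""
    parts = grub_hash.split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        return False
    try:
        iterations = int(parts[3])
        salt, expected = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return False
    if iterations <= 0 or not expected:
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print("superusers:", superusers(SAMPLE_GRUB_CFG))
    print("entries without --users:", unprotected_menuentries(SAMPLE_GRUB_CFG))
    print("cleartext password lines for:", plaintext_password_users(SAMPLE_GRUB_CFG))
    print(protect_menuentries(SAMPLE_GRUB_D_SCRIPT, "myusername"), end="")
```

Run it against the real file with a one-line change (read /boot/grub/grub.cfg instead of SAMPLE_GRUB_CFG) after update-grub and before rebooting: an entry listed by unprotected_menuentries is exactly the kind of gap the recovery-mode section of the answer warns about, and a user listed by plaintext_password_users has a password that anyone who can read grub.cfg can see.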
6

It's important to remember that if someone has physical access to your machine, they will always be able to do things to your PC. Things like locking your PC case and BIOS passwords won't stop a determined person from taking your hard drive and data anyway.

balloons
  • 1,539
1

In short, you need:

  • The most important: Full disk encryption with luks. This protects against hardware storage extraction and boot-to-external CD-ROM/USB attacks. Encrypting the home directory is not sufficient.
  • Set BIOS password. This is important because /boot is still unencrypted, and more important when you store passwords in TPM.
  • Optional: set GRUB password.
Smile.Hunter
  • 8,705
-2

You can make it so that even in the case of a reset, the "resetter" won't be able to see the data.

To do this, just encrypt /home.

If you want to make it so that resetting isn't possible, something needs to be removed, which is in charge of changing the password.

RolandiXor
  • 51,797
Kangarooo
  • 5,223