As Salam-o-Alikum, I have written an Ansible playbook for setting GRUB bootloader password on RedHat and Ubuntu, there are no error and i can see changes in Grub2.cfg on both locations. It's weird that when i reboot my both machines, Ubuntu machine asks for username and password but Redhat machine don't. I have seen 50+ tutorials procedure is the same and its pretty easy but i don't why its behaving like that. Any help would be greatly appreciated.
Here is what i've tried.
Hardening.yml
---
- hosts: localhost
become: yes
gather_facts: true
vars:
grub_password_v1_passwd: puffersoft
grub_password_v2_passwd: grub.pbkdf2.sha512.10000.A4DE89CBFB84A34253A71D5DD4939BED709AB2F24E909062A902D4751E91E3E82403D9D216BD506091CAA5E92AB958FBEF4B4B4B7CB0352F8191D47A9C93239F.0B07DD3D5AD46BF0F640136D448F2CFB84A6E05B76974C51B031C8B31D6F9B556802A28E95A5E65EC1F95983E24618EE2E9B21A0233AAA8D264781FE57DCE837
grub_user: cloud_user
tasks:
- stat: path=/sys/firmware/efi/efivars/
register: grub_efi
- debug: vars=grub_efi
when: ansible_distribution == 'Redhat'
tags: grub-password
- name: "Installing Template on Redhat Systems"
template:
src: grub-redhat.j2
dest: /etc/grub.d/01_users
owner: root
group: root
mode: '0700'
notify:
- grub2-mkconfig EFI
- grub2-mkconfig MBR
when: ansible_distribution == 'Redhat'
tags: grub-password
- name: "Installing Template on Ubuntu Systems"
template:
src: grub-ubuntu.j2
dest: /etc/grub.d/40_custom
owner: root
group: root
mode: '0700'
notify:
- grub2-mkconfig EFI
- grub2-mkconfig MBR
when: ansible_distribution == 'Ubuntu'
tags: grub-password
- name: "Grub EFI | Add Password"
lineinfile: dest=/etc/grub2-efi.cfg regexp = "^password_pbkdf2 {{ grub_user }}" state=present insertafter = EOF line= "password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}"
when: grub_efi.stat.exists == True
tags: grub-password
- name: "Grub v2 MBR | Add Password"
lineinfile: dest=/etc/grub2.cfg regexp = "^password_pbkdf2 {{ grub_user }}" state=present insertafter = EOF line= "password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}"
when: grub_efi.stat.exists == False
- name: "grub2-mkconfig EFI"
command: grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
when: grub_efi.stat.exists == True
- name: "grub2-mkconfig MBR"
command: grub2-mkconfig -o /boot/grub2/grub.cfg
when: grub_efi.stat.exists == False
grub-redhat.j2
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
source \${prefix}/user.cfg
if [ -n "\${GRUB2_PASSWORD}" ]; then
set superusers="root"
export superusers
password_pbkdf2 root \${GRUB2_PASSWORD}
fi
fi
set supperusers="{{ grub_user }}"
password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}
EOF
grub-ubuntu.j2
#!/bin/sh
tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
set superusers="{{grub_user}}"
password_pbkdf2 {{grub_user}} {{grub_password_v2_passwd}}
Ansible Distribution
Red Hat 7.7 Maipo and Ubuntu 18.04 bionic
grub-redhat.j2 has some typos.
Line 11: set supperusers="{{ grub_user }}"
Change to: set superusers="{{ grub_user }}"
Line 12: password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}
Change to:password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}
If you're going to use the same grub password on multiple machines, you might want to consider using ansible-vault encrypt_string to encrypt the raw password, then create an additional task which runs grub2-mkpasswd-pbkdf2 (part of grub2-tools-minimal) with the command module and pass it the vaulted variable. Registering the output of that task (e.g. as grub_password_v2_passwd) would result in every target that you run the playbook against receiving a unique hash even though the underlying password would be the same. The expect module works great for this:
expect:
command: grub2-mkpasswd-pbkdf2
responses:
Enter password: '{{ vaulted_raw_password }}'
Reenter password: '{{ vaulted_raw_password }}'
no_log: true