diff options
Diffstat (limited to 'stand/forth/check-password.4th.8')
-rw-r--r-- | stand/forth/check-password.4th.8 | 167 |
1 files changed, 167 insertions, 0 deletions
diff --git a/stand/forth/check-password.4th.8 b/stand/forth/check-password.4th.8 new file mode 100644 index 000000000000..db0aa4bc6bc4 --- /dev/null +++ b/stand/forth/check-password.4th.8 @@ -0,0 +1,167 @@ +.\" Copyright (c) 2011-2015 Devin Teske +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd March 20, 2015 +.Dt CHECK-PASSWORD.4TH 8 +.Os +.Sh NAME +.Nm check-password.4th +.Nd FreeBSD password-checking boot module +.Sh DESCRIPTION +The file that goes by the name of +.Nm +is a set of commands designed to do one or more of the following: +.Pp +.Dl o Prevent booting without password +.Dl o Prevent modification of boot options without password +.Dl o Provide a password to mount geli(8) encrypted root disk(s) +.Pp +The commands of +.Nm +by themselves are not enough for most uses. +Please refer to the +examples below for the most common situations, and to +.Xr loader 8 +for additional commands. +.Pp +Before using any of the commands provided in +.Nm , +it must be included +through the command: +.Pp +.Dl include check-password.4th +.Pp +This line is present in +.Pa /boot/loader.4th +file, so it is not needed (and should not be re-issued) in a normal setup. +.Pp +The commands provided by it are: +.Pp +.Bl -tag -width disable-module_module -compact -offset indent +.It Ic check-password +Multi-purpose function that can protect the interactive boot menu, +prevent boot without password, or prompt for geli(8) passphrase +.Pq depending on Xr loader.conf 5 settings . +.Pp +First checks +.Va bootlock_password +and if-set, the user cannot continue until the correct password is entered. +.Pp +Next, checks +.Va geom_eli_passphrase_prompt +and if set to +.Li YES +.Pq case-insensitive +prompts the user to enter their GELI password for later mounting of the root +device(s) during boot. +.Pp +Last, checks +.Va password +and if-set, tries to +.Ic autoboot +and only prompts for password on failure or user-interrupt. +See +.Xr loader.conf 5 +for additional information. +.El +.Pp +The environment variables that effect its behavior are: +.Bl -tag -width bootlock_password -offset indent +.It Va bootlock_password +Sets the bootlock password (up to 16 characters long) that is required by +.Ic check-password +to be entered before the system is allowed to boot. +.It Va geom_eli_passphrase_prompt +Selects whether loader(8) will prompt for GELI credentials, handing-off to the +kernel for later mounting of +.Xr geli 8 +encrypted root device(s). +.It Va password +Sets the password (up to 16 characters long) that is required by +.Ic check-password +before the user is allowed to visit the boot menu. +.El +.Sh FILES +.Bl -tag -width /boot/check-password.4th -compact +.It Pa /boot/loader +The +.Xr loader 8 . +.It Pa /boot/check-password.4th +.Nm +itself. +.It Pa /boot/loader.rc +.Xr loader 8 +bootstrapping script. +.El +.Sh EXAMPLES +Standard i386 +.Pa /boot/loader.rc : +.Pp +.Bd -literal -offset indent -compact +include /boot/loader.4th +check-password +.Ed +.Pp +Set a password in +.Xr loader.conf 5 +to prevent modification of boot options: +.Pp +.Bd -literal -offset indent -compact +password="abc123" +.Ed +.Pp +Set a password in +.Xr loader.conf 5 +to prevent booting without password: +.Pp +.Bd -literal -offset indent -compact +bootlock_password="boot" +.Ed +.Pp +Add the following to +.Xr loader.conf 5 +to generate a prompt at boot to collect GELI credentials for mounting +.Xr geli 8 +encrypted root device(s): +.Pp +.Bd -literal -offset indent -compact +geom_eli_passphrase_prompt="YES" +.Ed +.Sh SEE ALSO +.Xr loader.conf 5 , +.Xr loader 8 , +.Xr loader.4th 8 +.Sh HISTORY +The +.Nm +set of commands first appeared in +.Fx 9.0 . +.Sh AUTHORS +The +.Nm +set of commands was written by +.An -nosplit +.An Devin Teske Aq dteske@FreeBSD.org . |