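Salam, I wrote an Ansible playbook to set a GRUB boot loader password on RedHat and Ubuntu. There are no errors, and I can see the changes in grub2.cfg in both places. The strange thing is that when I reboot both of my machines, the Ubuntu machine asks for a username and password, but the Redhat machine does not. I have seen 50+ tutorials, the process is the same and very easy, but I don't know why it behaves that way. Any help would be appreciated.

Here is what I tried.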

Hardening.yml

---
- hosts: localhost
  become: yes
  gather_facts: true
  vars:
    grub_password_v1_passwd: puffersoft
    grub_password_v2_passwd: grub.pbkdf2.sha512.10000.A4DE89CBFB84A34253A71D5DD4939BED709AB2F24E909062A902D4751E91E3E82403D9D216BD506091CAA5E92AB958FBEF4B4B4B7CB0352F8191D47A9C93239F.0B07DD3D5AD46BF0F640136D448F2CFB84A6E05B76974C51B031C8B31D6F9B556802A28E95A5E65EC1F95983E24618EE2E9B21A0233AAA8D264781FE57DCE837
    grub_user: cloud_user
  tasks:
    # Detect whether the host booted via UEFI
    - stat: path=/sys/firmware/efi/efivars/
      register: grub_efi
    - debug: var=grub_efi
      when: ansible_distribution == 'Redhat'
      tags: grub-password
    - name: "Installing Template on Redhat Systems"
      template:
        src: grub-redhat.j2
        dest: /etc/grub.d/01_users
        owner: root
        group: root
        mode: '0700'
      notify:
        - grub2-mkconfig EFI
        - grub2-mkconfig MBR
      when: ansible_distribution == 'Redhat'
      tags: grub-password
    - name: "Installing Template on Ubuntu Systems"
      template:
        src: grub-ubuntu.j2
        dest: /etc/grub.d/40_custom
        owner: root
        group: root
        mode: '0700'
      notify:
        - grub2-mkconfig EFI
        - grub2-mkconfig MBR
      when: ansible_distribution == 'Ubuntu'
      tags: grub-password
    # Append the password line directly to the generated config
    - name: "Grub EFI | Add Password"
      lineinfile: dest=/etc/grub2-efi.cfg regexp="^password_pbkdf2 {{ grub_user }}" state=present insertafter=EOF line="password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}"
      when: grub_efi.stat.exists == True
      tags: grub-password
    - name: "Grub v2 MBR | Add Password"
      lineinfile: dest=/etc/grub2.cfg regexp="^password_pbkdf2 {{ grub_user }}" state=present insertafter=EOF line="password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}"
      when: grub_efi.stat.exists == False
    # Regenerate grub.cfg from /etc/grub.d
    - name: "grub2-mkconfig EFI"
      command: grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
      when: grub_efi.stat.exists == True
    - name: "grub2-mkconfig MBR"
      command: grub2-mkconfig -o /boot/grub2/grub.cfg
      when: grub_efi.stat.exists == False

grub-redhat.j2

#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
source \${prefix}/user.cfg
if [ -n "\${GRUB2_PASSWORD}" ]; then
set superusers="root"
export superusers
password_pbkdf2 root \${GRUB2_PASSWORD}
fi
fi
set supperusers="{{ grub_user }}"
password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}
EOF

grub-ubuntu.j2

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
set superusers="{{grub_user}}"
password_pbkdf2 {{grub_user}} {{grub_password_v2_passwd}}

Distributions

Red Hat 7.7 Maipo and Ubuntu 18.04 Bionic

Posted on 2020-01-15 00:40:03

The J2 has some typos.

Line 11: set supperusers="{{ grub_user }}"
Change to: set superusers="{{ grub_user }}"
Line 12: password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}
Change to: password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}

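If you are going to use the same grub password on multiple machines, you may want to consider encrypting the raw password as a string, and then creating an additional task that uses the command module to run grub2-mkpasswd-pbkdf2 (part of grub2-tools) and passes it the vaulted variable. Registering the output of that task (for example, as grub_password_v2_passwd) will result in each target the playbook runs against not receiving a unique hash, even if the underlying password is the same. The expect module works well for this:
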
expect:
  command: grub2-mkpasswd-pbkdf2
  responses:
    Enter password: '{{ vaulted_raw_password }}'
    Reenter password: '{{ vaulted_raw_password }}'
no_log: true

https://stackoverflow.com/questions/59728223
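
A static check for the failure discussed in this thread, as an added example that is not part of the original posts: it reads a generated grub.cfg and reports a near-miss spelling of `superusers`, superusers without a password entry, and password entries for users who are not superusers. The function name `audit_grub_auth`, the sample text and its placeholder hash are constructed for illustration; the separator list assumes GRUB's documented `superusers` syntax.

```python
import difflib
import re

ASSIGN = re.compile(r'^(?:set\s+)?([A-Za-z_]\w*)=(.*)$')
PASSWD = re.compile(r'^password(?:_pbkdf2)?\s+(\S+)\s+\S+')
SPLIT = re.compile(r'[\s,;|&]+')  # separators GRUB accepts in superusers

# Constructed sample: the grub-redhat.j2 template from the question as it
# would be rendered into grub.cfg, with a placeholder instead of a real hash.
SAMPLE = r'''if [ -f ${prefix}/user.cfg ]; then
source ${prefix}/user.cfg
if [ -n "${GRUB2_PASSWORD}" ]; then
set superusers="root"
export superusers
password_pbkdf2 root ${GRUB2_PASSWORD}
fi
fi
set supperusers="cloud_user"
password_pbkdf2 cloud_user grub.pbkdf2.sha512.10000.SALT_PLACEHOLDER.HASH_PLACEHOLDER
'''

def audit_grub_auth(cfg_text):
    """Statically list problems with password protection in a grub.cfg."""
    always, conditional, with_pw, findings = set(), set(), set(), []
    depth = 0  # nesting level of if ... fi blocks
    for n, line in enumerate(cfg_text.splitlines(), 1):
        s = line.strip()
        depth += s.startswith('if ')
        depth -= (s == 'fi' and depth > 0)
        pw, var = PASSWD.match(s), ASSIGN.match(s)
        if pw:
            with_pw.add(pw.group(1))
        elif var and var.group(1) == 'superusers':
            users = SPLIT.split(var.group(2).strip('"\''))
            (conditional if depth else always).update(filter(None, users))
        elif var and difflib.get_close_matches(var.group(1), ['superusers'], cutoff=0.8):
            findings.append(f'line {n}: "{var.group(1)}" looks like a misspelling of "superusers"')
    if not always and not conditional:
        findings.append('superusers is never set, so GRUB will not ask for credentials')
    elif not always:
        findings.append(f'superusers {sorted(conditional)} set only inside an if block')
    for u in sorted((always | conditional) - with_pw):
        findings.append(f'superuser {u} has no password entry')
    for u in sorted(with_pw - always - conditional):
        findings.append(f'{u} has a password entry but is not a superuser')
    return findings

if __name__ == '__main__':
    print('\n'.join(audit_grub_auth(SAMPLE)) or 'no findings')
```

Running it against the output of grub2-mkconfig after the playbook finishes catches this class of mistake before a reboot is needed to notice it.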