作为Salam-o-Alikum,我写了一个Ansible剧本,用于在RedHat和Ubuntu上设置GRUB引导程序密码,没有错误,并且我可以在两个位置的Grub2.cfg中看到更改。奇怪的是,当我重新启动两台机器时,Ubuntu机器要求输入用户名和密码,而Redhat机器不要求。我已经看到50多个教程的过程是相同的,而且非常简单,但是我不明白为什么它会那样。任何帮助将不胜感激。
这是我尝试过的。
Hardening.yml
---
- hosts: localhost
become: yes
gather_facts: true
vars:
grub_password_v1_passwd: puffersoft
grub_password_v2_passwd: grub.pbkdf2.sha512.10000.A4DE89CBFB84A34253A71D5DD4939BED709AB2F24E909062A902D4751E91E3E82403D9D216BD506091CAA5E92AB958FBEF4B4B4B7CB0352F8191D47A9C93239F.0B07DD3D5AD46BF0F640136D448F2CFB84A6E05B76974C51B031C8B31D6F9B556802A28E95A5E65EC1F95983E24618EE2E9B21A0233AAA8D264781FE57DCE837
grub_user: cloud_user
tasks:
- stat: path=/sys/firmware/efi/efivars/
register: grub_efi
- debug: vars=grub_efi
when: ansible_distribution == 'Redhat'
tags: grub-password
- name: "Installing Template on Redhat Systems"
template:
src: grub-redhat.j2
dest: /etc/grub.d/01_users
owner: root
group: root
mode: '0700'
notify:
- grub2-mkconfig EFI
- grub2-mkconfig MBR
when: ansible_distribution == 'Redhat'
tags: grub-password
- name: "Installing Template on Ubuntu Systems"
template:
src: grub-ubuntu.j2
dest: /etc/grub.d/40_custom
owner: root
group: root
mode: '0700'
notify:
- grub2-mkconfig EFI
- grub2-mkconfig MBR
when: ansible_distribution == 'Ubuntu'
tags: grub-password
- name: "Grub EFI | Add Password"
lineinfile: dest=/etc/grub2-efi.cfg regexp = "^password_pbkdf2 {{ grub_user }}" state=present insertafter = EOF line= "password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}"
when: grub_efi.stat.exists == True
tags: grub-password
- name: "Grub v2 MBR | Add Password"
lineinfile: dest=/etc/grub2.cfg regexp = "^password_pbkdf2 {{ grub_user }}" state=present insertafter = EOF line= "password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}"
when: grub_efi.stat.exists == False
- name: "grub2-mkconfig EFI"
command: grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
when: grub_efi.stat.exists == True
- name: "grub2-mkconfig MBR"
command: grub2-mkconfig -o /boot/grub2/grub.cfg
when: grub_efi.stat.exists == False
grub-redhat.j2
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
source \${prefix}/user.cfg
if [ -n "\${GRUB2_PASSWORD}" ]; then
set superusers="root"
export superusers
password_pbkdf2 root \${GRUB2_PASSWORD}
fi
fi
set supperusers="{{ grub_user }}"
password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}
EOF
grub-ubuntu.j2
#!/bin/sh
tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
set superusers="{{grub_user}}"
password_pbkdf2 {{grub_user}} {{grub_password_v2_passwd}}
Ansible Distribution
[Red Hat 7.7 Maipo和Ubuntu 18.04仿生
grub-redhat.j2有一些错别字。
第11行:set supperusers="{{ grub_user }}"
更改为:set superusers="{{ grub_user }}"
第12行:password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}
更改为:password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}
[如果要在多台计算机上使用相同的grub密码,则可能要考虑使用ansible-vault encrypt_string加密原始密码,然后创建一个运行grub2-mkpasswd-pdkdf2的附加任务(grub2-tools的一部分) -minimal)和命令模块,并将其传递给Vaulted变量。注册该任务的输出(例如,作为grub_password_v2_passwd),即使基础密码相同,也会导致您运行剧本的每个目标都不会收到唯一的哈希值。