.\" Copyright (c) 2011-2018 Devin Teske
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd June 24, 2018
.Dt CHECK-PASSWORD.4TH 8
.Os
.Sh NAME
.Nm check-password.4th
.Nd FreeBSD password-checking boot module
.Sh DESCRIPTION
The file that goes by the name of
.Nm
is a set of commands designed to do one or more of the following:
.Pp
.Dl o Prevent booting without password
.Dl o Prevent modification of boot options without password
.Dl o Provide a password to mount geli(8) encrypted root disk(s)
.Pp
The commands of
.Nm
by themselves are not enough for most uses.
Please refer to the
examples below for the most common situations, and to
.Xr loader 8
for additional commands.
.Pp
Before using any of the commands provided in
.Nm ,
it must be included
through the command:
.Pp
.Dl include check-password.4th
.Pp
This line is present in the
.Pa /boot/loader.4th
file, so it is not needed (and should not be re-issued) in a normal setup.
.Pp
The commands provided by
.Nm
are:
.Pp
.Bl -tag -width disable-module_module -compact -offset indent
.It Ic check-password
Multi-purpose function that can protect the interactive boot menu,
prevent boot without a password, or prompt for a geli(8) passphrase
.Pq depending on Xr loader.conf 5 settings .
.Pp
First checks
.Va bootlock_password
and, if set, the user cannot continue until the correct password is entered.
.Pp
Next, checks
.Va geom_eli_passphrase_prompt
and, if set to
.Li YES
.Pq case-insensitive ,
prompts the user to enter their GELI passphrase for later mounting of the root
device(s) during boot.
.Pp
Last, checks
.Va password
and, if set, tries to
.Ic autoboot
and only prompts for the password on failure or user interrupt.
See
.Xr loader.conf 5
for additional information.
.El
.Pp
The environment variables that affect its behavior are:
.Bl -tag -width bootlock_password -offset indent
.It Va bootlock_password
Sets the bootlock password (up to 255 characters long) that is required by
.Ic check-password
to be entered before the system is allowed to boot.
.It Va geom_eli_passphrase_prompt
Selects whether
.Xr loader 8
will prompt for GELI credentials, handing them off to the
kernel for later mounting of
.Xr geli 8
encrypted root device(s).
.It Va password
Sets the password (up to 255 characters long) that is required by
.Ic check-password
before the user is allowed to visit the boot menu.
.El
.Sh FILES
.Bl -tag -width /boot/check-password.4th -compact
.It Pa /boot/loader
The
.Xr loader 8 .
.It Pa /boot/check-password.4th
.Nm
itself.
.It Pa /boot/loader.rc
.Xr loader 8
bootstrapping script.
.El
.Sh EXAMPLES
Standard i386
.Pa /boot/loader.rc :
.Pp
.Bd -literal -offset indent -compact
include /boot/loader.4th
check-password
.Ed
.Pp
Set a password in
.Xr loader.conf 5
to prevent modification of boot options:
.Pp
.Bd -literal -offset indent -compact
password="abc123"
.Ed
.Pp
Set a password in
.Xr loader.conf 5
to prevent booting without a password:
.Pp
.Bd -literal -offset indent -compact
bootlock_password="boot"
.Ed
.Pp
Both passwords are stored in cleartext in
.Xr loader.conf 5 ,
so the permissions of that file decide who can read them once the system is
running.
.Pp
Add the following to
.Xr loader.conf 5
to generate a prompt at boot to collect GELI credentials for mounting
.Xr geli 8
encrypted root device(s):
.Pp
.Bd -literal -offset indent -compact
geom_eli_passphrase_prompt="YES"
.Ed
.Sh SEE ALSO
.Xr loader.conf 5 ,
.Xr loader 8 ,
.Xr loader.4th 8
.Sh HISTORY
The
.Nm
set of commands first appeared in
.Fx 9.0 .
.Sh AUTHORS
The
.Nm
set of commands was written by
.An -nosplit
.An Devin Teske Aq dteske@FreeBSD.org .
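The following is an added example and is not part of check-password.4th or of FreeBSD. It is a POSIX sh script that audits and edits, from the running system, the three loader.conf(5) variables the DESCRIPTION and EXAMPLES sections describe. The helper names lc_get, lc_set, cp_checks and demo are chosen here, the loader.conf it builds is a constructed sample in a scratch directory, and treating an empty bootlock_password or password as unset is an assumption about the loader, not something the page states. cp_checks reports which protections check-password would apply, in the order the DESCRIPTION gives (bootlock, then the case-insensitive YES test on geom_eli_passphrase_prompt, then the menu password); lc_set enforces the 255-character limit, refuses double quotes and backslashes rather than trying to escape them, removes every earlier assignment so that a stale later line cannot win, and leaves the file mode 0600 because the password is in cleartext.

```shell
#!/bin/sh
# Added example, not part of check-password.4th or FreeBSD: audit and edit the
# loader.conf(5) variables that check-password reads (bootlock_password,
# geom_eli_passphrase_prompt, password) from the running system.
# lc_get, lc_set, cp_checks and demo are hypothetical helper names chosen here.

MAX_PW_LEN=255   # both passwords may be up to 255 characters (see DESCRIPTION)

# lc_get FILE NAME: print NAME's value with one layer of quotes removed.
# As in loader.conf(5) the last assignment wins; '#' lines never match.
# Returns 1 (prints nothing) when the variable is not assigned at all.
lc_get() {
    file=$1 name=$2
    [ -r "$file" ] || return 1
    line=$(grep "^[[:space:]]*${name}=" "$file" | tail -n 1)
    [ -n "$line" ] || return 1
    val=${line#*=}
    case $val in
        \"*\") val=${val#\"}; val=${val%\"} ;;
        \'*\') val=${val#\'}; val=${val%\'} ;;
    esac
    printf '%s\n' "$val"
}

# lc_set FILE NAME VALUE: set NAME to VALUE, enforcing the 255-character
# limit, refusing double quotes and backslashes instead of escaping them,
# and dropping every earlier assignment so no stale later line can win.
# The result is mode 0600: the value sits in the file in cleartext, and
# the loader reads it before the kernel is up, so the mode costs nothing.
lc_set() {
    file=$1 name=$2 value=$3
    if [ "${#value}" -gt "$MAX_PW_LEN" ]; then
        echo "lc_set: $name: longer than $MAX_PW_LEN characters" >&2
        return 1
    fi
    case $value in
        *\"*|*\\*) echo "lc_set: $name: contains \" or \\" >&2; return 1 ;;
    esac
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    {
        if [ -f "$file" ]; then grep -v "^[[:space:]]*${name}=" "$file" || :; fi
        printf '%s="%s"\n' "$name" "$value"
    } > "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# cp_checks FILE: list, in the order check-password evaluates them, the
# protections this loader.conf turns on: "bootlock" (no boot without the
# password), "geli-prompt" (geom_eli_passphrase_prompt is YES, any case)
# and "menu-password" (password needed to reach the boot menu), or "none".
# An empty bootlock_password/password is treated as unset (our assumption).
cp_checks() {
    file=$1 out=""
    if v=$(lc_get "$file" bootlock_password) && [ -n "$v" ]; then
        out="bootlock"
    fi
    if v=$(lc_get "$file" geom_eli_passphrase_prompt); then
        case $(printf '%s' "$v" | tr '[:upper:]' '[:lower:]') in
            yes) out="${out:+$out }geli-prompt" ;;
        esac
    fi
    if v=$(lc_get "$file" password) && [ -n "$v" ]; then
        out="${out:+$out }menu-password"
    fi
    printf '%s\n' "${out:-none}"
}

# demo: build a constructed loader.conf in a scratch directory (never the
# real /boot/loader.conf) and show what check-password would enforce.
demo() {
    dir=$(mktemp -d) || return 1
    conf=$dir/loader.conf
    printf '%s\n' '# constructed sample, not a real system file' \
        'autoboot_delay="10"' > "$conf"
    echo "before: $(cp_checks "$conf")"
    lc_set "$conf" geom_eli_passphrase_prompt yes   # lower case still counts
    lc_set "$conf" bootlock_password boot            # value from the EXAMPLES
    echo "after:  $(cp_checks "$conf")"
    ls -l "$conf"                                    # -rw------- cleartext password
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh check-loader-conf.sh demo` to see the before/after report on the constructed file; pass the real `/boot/loader.conf` to lc_set and cp_checks only as root, and expect the file to come back as mode 0600.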