xref: /freebsd/stand/forth/check-password.4th.8 (revision 5cc9fabecfab8ab76ace2521372eae00997fe16b)

.\" Copyright (c) 2011-2018 Devin Teske
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd June 24, 2018
.Dt CHECK-PASSWORD.4TH 8
.Os
.Sh NAME
.Nm check-password.4th
.Nd FreeBSD password-checking boot module
.Sh DESCRIPTION
The file that goes by the name of
.Nm
is a set of commands designed to do one or more of the following:
.Pp
.Dl o Prevent booting without password
.Dl o Prevent modification of boot options without password
.Dl o Provide a password to mount geli(8) encrypted root disk(s)
.Pp
The commands of
.Nm
by themselves are not enough for most uses.
Please refer to the
examples below for the most common situations, and to
.Xr loader 8
for additional commands.
.Pp
Before using any of the commands provided in
.Nm ,
it must be included
through the command:
.Pp
.Dl include check-password.4th
.Pp
This line is present in
.Pa /boot/loader.4th
file, so it is not needed (and should not be re-issued) in a normal setup.
.Pp
The commands provided by it are:
.Pp
.Bl -tag -width disable-module_module -compact -offset indent
.It Ic check-password
Multi-purpose function that can protect the interactive boot menu,
prevent boot without password, or prompt for geli(8) passphrase
.Pq depending on Xr loader.conf 5 settings .
.Pp
First checks
.Va bootlock_password
and if-set, the user cannot continue until the correct password is entered.
.Pp
Next, checks
.Va geom_eli_passphrase_prompt
and if set to
.Li YES
.Pq case-insensitive
prompts the user to enter their GELI password for later mounting of the root
device(s) during boot.
.Pp
Last, checks
.Va password
and if-set, tries to
.Ic autoboot
and only prompts for password on failure or user-interrupt.
See
.Xr loader.conf 5
for additional information.
.El
.Pp
The environment variables that effect its behavior are:
.Bl -tag -width bootlock_password -offset indent
.It Va bootlock_password
Sets the bootlock password (up to 255 characters long) that is required by
.Ic check-password
to be entered before the system is allowed to boot.
.It Va geom_eli_passphrase_prompt
Selects whether loader(8) will prompt for GELI credentials, handing-off to the
kernel for later mounting of
.Xr geli 8
encrypted root device(s).
.It Va password
Sets the password (up to 255 characters long) that is required by
.Ic check-password
before the user is allowed to visit the boot menu.
.El
.Sh FILES
.Bl -tag -width /boot/check-password.4th -compact
.It Pa /boot/loader
The
.Xr loader 8 .
.It Pa /boot/check-password.4th
.Nm
itself.
.It Pa /boot/loader.rc
.Xr loader 8
bootstrapping script.
.El
.Sh EXAMPLES
Standard i386
.Pa /boot/loader.rc :
.Pp
.Bd -literal -offset indent -compact
include /boot/loader.4th
check-password
.Ed
.Pp
Set a password in
.Xr loader.conf 5
to prevent modification of boot options:
.Pp
.Bd -literal -offset indent -compact
password="abc123"
.Ed
.Pp
Set a password in
.Xr loader.conf 5
to prevent booting without password:
.Pp
.Bd -literal -offset indent -compact
bootlock_password="boot"
.Ed
.Pp
Add the following to
.Xr loader.conf 5
to generate a prompt at boot to collect GELI credentials for mounting
.Xr geli 8
encrypted root device(s):
.Pp
.Bd -literal -offset indent -compact
geom_eli_passphrase_prompt="YES"
.Ed
.Sh SEE ALSO
.Xr loader.conf 5 ,
.Xr loader 8 ,
.Xr loader.4th 8
.Sh HISTORY
The
.Nm
set of commands first appeared in
.Fx 9.0 .
.Sh AUTHORS
The
.Nm
set of commands was written by
.An -nosplit
.An Devin Teske Aq dteske@FreeBSD.org .