On Sun, Jul 26, 2009 at 06:20:03PM +0200, Vladimir 'phcoder' Serbinenko wrote: > I think you underestimate yourself. Especially if we agree on function > propotypes you are completely able to implement. Discussing on IRC I > formulated 3 criteria which our system must satisfy: > (1) you can't access shell without authenticating as "superuser". > (2) boot some entries without authenticating as one of users (list of > allowed users may differ per menuentry) > (3) new autentication schemes (e.g. ssh keys) should be implementable as > modules > > I propose following implementation guidelines: > Syntax: > set superusers=root,gnu > password root "GRUB" > md5_password operator $MD5$MD5$MD5 > fingeprint gnu /gnu.fp > menuentry "single mode" --users root,operator { > .... > } > > Wher user tries to authenticate GRUB2 will ask him login and then call > a function from module > > Prototypes: > grub_err_t grub_auth_register_authentication (const char *user, > grub_err_t (*callback) (const char*, void *), void *arg); > this will ask to call callback if login is USER. > grub_err_t grub_auth_authenticate (const char *user); > grub_err_t grub_auth_deauthenticate (const char *user); > grub_err_t grub_auth_check_authentication (const char *userlist); > > grub_auth_check_authentication will output login prompt if no user > from userlist is already authenticated
I agree with this proposal in general. Except with the concept of "users", which I think might be overkill. GRUB is not a Un*x with its /home and per-user settings. These passwords just protect resources, so I'm not sure if there's a point in managing users as an intermediate layer between passwords and the restricted resource. What does everyone else think? -- Robert Millan The DRM opt-in fallacy: "Your data belongs to us. We will decide when (and how) you may access your data; but nobody's threatening your freedom: we still allow you to remove your data and not access it at all." _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org http://lists.gnu.org/mailman/listinfo/grub-devel