CHECK-PASSWORD.4TH(8)	  BSD System Manager's Manual	 CHECK-PASSWORD.4TH(8)

NAME
     check-password.4th	-- FreeBSD password-checking boot module

DESCRIPTION
     The file that goes	by the name of check-password.4th is a set of commands
     designed to do one	or more	of the following:

	   o Prevent booting without password
	   o Prevent modification of boot options without password
	   o Provide a password	to mount geli(8) encrypted root	disk(s)

     The commands of check-password.4th	by themselves are not enough for most
     uses.  Please refer to the	examples below for the most common situations,
     and to loader(8) for additional commands.

     Before using any of the commands provided in check-password.4th, it must
     be	included through the command:

	   include check-password.4th

     This line is present in /boot/loader.4th file, so it is not needed	(and
     should not	be re-issued) in a normal setup.

     The commands provided by it are:

	   check-password	  Multi-purpose	function that can protect the
				  interactive boot menu, prevent boot without
				  password, or prompt for geli(8) passphrase
				  (depending on	loader.conf(5) settings).

				  First, checks bootlock_password and, if set,
				  the user cannot continue until the correct
				  password is entered.

				  Next,	checks geom_eli_passphrase_prompt and
				  if set to YES	(case-insensitive) prompts the
				  user to enter	their GELI password for	later
				  mounting of the root device(s) during	boot.

				  Last, checks password and, if set, tries to
				  autoboot and only prompts for password on
				  failure or user interrupt.  See
				  loader.conf(5) for additional information.

     The environment variables that affect its behavior are:

	   bootlock_password  Sets the bootlock	password (up to	255 characters
			      long) that is required by	check-password to be
			      entered before the system	is allowed to boot.

	   geom_eli_passphrase_prompt
			      Selects whether loader(8) will prompt for GELI
			      credentials, handing off to the kernel for later
			      mounting of geli(8) encrypted root device(s).

	   password	      Sets the password	(up to 255 characters long)
			      that is required by check-password before	the
			      user is allowed to visit the boot	menu.

FILES
     /boot/loader	       The loader(8).
     /boot/check-password.4th  check-password.4th itself.
     /boot/loader.rc	       loader(8) bootstrapping script.

EXAMPLES
     Standard i386 /boot/loader.rc:

	   include /boot/loader.4th
	   check-password

     Set a password in loader.conf(5) to prevent modification of boot options:

	   password="abc123"

     Set a password in loader.conf(5) to prevent booting without password:

	   bootlock_password="boot"

     Add the following to loader.conf(5) to generate a prompt at boot to
     collect GELI credentials for mounting geli(8) encrypted root device(s):

	   geom_eli_passphrase_prompt="YES"
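
     The following sh(1) audit script is an added example, not part of
     check-password.4th or the FreeBSD sources. It reads a loader.conf(5)-style
     file and lists which check-password stages are enabled, in the order
     described above. The function names, the simplified parsing (one
     name="value" per line, last assignment wins) and the file-mode warning are
     assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the manual page): list the check-password stages
# that a loader.conf-style file enables, in the order the page describes.
# Assumed: one name="value" per line, '#' comment lines, last assignment wins.

# conf_get FILE NAME: print the last value assigned to NAME, or nothing.
conf_get() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, name "=") != 1) next
            val = substr(line, length(name) + 2)
            if (substr(val, 1, 1) == "\"") {
                val = substr(val, 2)
                q = index(val, "\"")
                if (q) val = substr(val, 1, q - 1)
            } else {
                sub(/[ \t].*$/, "", val)
            }
            out = val
        }
        END { printf "%s", out }' "$1"
}

# check_password_plan FILE: one line per enabled stage, then any warnings.
check_password_plan() {
    conf=$1
    bootlock=$(conf_get "$conf" bootlock_password)
    geli=$(conf_get "$conf" geom_eli_passphrase_prompt | tr '[:lower:]' '[:upper:]')
    menu=$(conf_get "$conf" password)
    [ -n "$bootlock" ] && echo "1 bootlock_password: must be entered before boot continues"
    [ "$geli" = "YES" ] && echo "2 geom_eli_passphrase_prompt: GELI passphrase prompt"
    [ -n "$menu" ] && echo "3 password: autoboot, prompt on failure or interrupt"
    for v in "$bootlock" "$menu"; do
        [ "${#v}" -gt 255 ] && echo "WARN: value exceeds the 255-character limit"
    done
    # Added hardening check (assumption of this example): the values above are
    # stored in cleartext, so warn when the file is readable by "other".
    if [ -n "$bootlock$menu" ] && [ "$(ls -ld "$conf" | cut -c8)" = "r" ]; then
        echo "WARN: $conf holds a cleartext password and is world-readable"
    fi
    return 0
}
```

     Run it as check_password_plan /boot/loader.conf after sourcing the script.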

SEE ALSO
     loader.conf(5), loader(8),	loader.4th(8)

HISTORY
     The check-password.4th set	of commands first appeared in FreeBSD 9.0.

AUTHORS
     The check-password.4th set	of commands was	written	by Devin Teske
     <dteske@FreeBSD.org>.

BSD				 June 24, 2018				   BSD
