Index: debian/grub-installer.templates =================================================================== --- debian/grub-installer.templates (revision 52191) +++ debian/grub-installer.templates (working copy) @@ -108,11 +108,25 @@ . If you do not wish to set a GRUB password, leave this field blank. +Template: grub-installer/password-again +Type: password +# :sl2: +_Description: Re-enter GRUB password to verify: + Please enter the same GRUB password again to verify that you typed it + correctly. + +Template: grub-installer/password-mismatch +Type: error +# :sl2: +_Description: Password input error + The two passwords you entered were not the same. Please enter + a password again. + +# Allow preseeding the GRUB password with a crypted password +# rather than cleartext Template: grub-installer/password-crypted -Type: boolean -Default: false +Type: password Description: for internal use; can be preseeded - Has the value of grub-installer/password already been encrypted? Template: grub-installer/apt-install-failed Type: error Index: grub-installer =================================================================== --- grub-installer (revision 52191) +++ grub-installer (working copy) @@ -628,23 +628,60 @@ # Set up a password if asked if [ "$grub_version" = "grub" ] ; then - db_input low grub-installer/password || true - if ! db_go; then - # back up to menu - db_progress STOP - exit 10 - fi - db_get grub-installer/password + # Set up a password if asked or preseeded. + db_get grub-installer/password-crypted if [ "$RET" ]; then + # password-crypted used to be a boolean template + if [ $RET = false ] || [ $RET = true ]; then + error "Preseeding of encrypted passwords changed! Check installation guide." + exit 1 + fi password="$RET" - # check if the password is crypted - db_get grub-installer/password-crypted - if [ "$RET" = false ]; then - password=$(echo -e "md5crypt\n$password" | \ - grub --batch --device-map=/dev/null 2>&1 | \ - grep "^Encrypted:" | cut -d' ' -f2) - fi - echo "password --md5 $password" >/tmp/menu.lst.password + else + PW_PRIO=low + while :; do + password="" + db_input $PW_PRIO grub-installer/password || true + if ! db_go; then + # back up to menu + db_progress STOP + exit 10 + fi + + db_get grub-installer/password + if [ "$RET" ]; then + password="$RET" + db_input $PW_PRIO grub-installer/password-again || true + if ! db_go; then + db_progress STOP + exit 10 + fi + + db_get grub-installer/password-again + if [ "$password" = "$RET" ]; then + break + else + db_input critical grub-installer/password-mismatch || true + fi + else + # The user doesn't want a password + break + fi + # We only get here if passwords don't match + PW_PRIO=critical + db_set grub-installer/password "" + db_set grub-installer/password-again "" + db_fset grub-installer/password seen false + db_fset grub-installer/password-again seen false + done + fi + + if [ "$password" ]; then + password=$(echo -e "md5crypt\n$password" | \ + $chroot $ROOT \ + grub --batch --device-map=/dev/null 2>&1 | \ + grep "^Encrypted:" | cut -d' ' -f2) + echo "password --md5 $password" >>/tmp/menu.lst.password # Add a line to menu.lst to use the given password # The line is appended after the commented example sed -i '/^# password/r /tmp/menu.lst.password' $ROOT/boot/grub/$menu_file @@ -652,7 +689,7 @@ # contains a password. chmod o-r $ROOT/boot/grub/$menu_file rm -f /tmp/menu.lst.password - fi + fi fi # Add user parameters to menu.list; some options are only added to the