check-password.4th — FreeBSD password-checking boot module

The file that goes by the name of check-password.4th is a set of commands designed to do one or more of the following:

o Prevent booting without password
o Prevent modification of boot options without password
o Provide a password to mount geli(8) encrypted root disk(s)

The commands of check-password.4th by themselves are not enough for most uses. Please refer to the examples below for the most common situations, and to loader(8) for additional commands.

Before using any of the commands provided in check-password.4th, it must be included through the command:

include check-password.4th

This line is present in the /boot/loader.4th file, so it is not needed (and should not be re-issued) in a normal setup.

The commands provided by it are:

check-password
  Multi-purpose function that can protect the interactive boot menu, prevent boot without password, or prompt for geli(8) passphrase (depending on loader.conf(5) settings).

  First checks bootlock_password and, if set, the user cannot continue until the correct password is entered.

  Next, checks geom_eli_passphrase_prompt and, if set to YES (case-insensitive), prompts the user to enter their GELI password for later mounting of the root device(s) during boot.

  Last, checks password and, if set, tries to autoboot and only prompts for password on failure or user-interrupt. See loader.conf(5) for additional information.

The environment variables that affect its behavior are:

- bootlock_password
  Sets the bootlock password (up to 255 characters long) that is required by check-password to be entered before the system is allowed to boot.
- geom_eli_passphrase_prompt
  Selects whether loader(8) will prompt for GELI credentials, handing off to the kernel for later mounting of geli(8) encrypted root device(s).
- password
  Sets the password (up to 255 characters long) that is required by check-password before the user is allowed to visit the boot menu.

- /boot/loader
  The loader(8).
- /boot/check-password.4th
  check-password.4th itself.
- /boot/loader.rc
  loader(8) bootstrapping script.

Standard i386 /boot/loader.rc:

include /boot/loader.4th
check-password

Set a password in loader.conf(5) to prevent modification of boot options:

Set a password in loader.conf(5) to prevent booting without password:

Add the following to loader.conf(5) to generate a prompt at boot to collect GELI credentials for mounting geli(8) encrypted root device(s):

geom_eli_passphrase_prompt="YES"
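
As an added example (not part of this manual page or of FreeBSD), the following sh script audits a loader.conf(5)-style file: it reports which of the three variables described above are set, checks the 255-character limit, and warns when a file holding a password is world-readable, since the value sits there as plain text. The function names and sample values are constructed for illustration, and the parser assumes the name="value" line form.

```shell
#!/bin/sh
# Added example, not FreeBSD code: audit a loader.conf(5)-style file for the
# three variables check-password reads. Assumes the name="value" line form.

# Print the last value assigned to variable $2 in file $1.
loader_get() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*\$/\1/p" "$1" | tail -n 1
}

# Report which protections are configured; return 1 if anything needs fixing.
audit_loader_conf() {
    conf=$1; rc=0; secrets=0
    for var in bootlock_password password; do
        val=$(loader_get "$conf" "$var")
        if [ -z "$val" ]; then
            echo "$var: not set"
        elif [ "${#val}" -gt 255 ]; then
            echo "$var: WARNING longer than 255 characters"; rc=1; secrets=1
        else
            echo "$var: set"; secrets=1
        fi
    done
    # The page states that YES is matched case-insensitively.
    prompt=$(loader_get "$conf" geom_eli_passphrase_prompt | tr '[:lower:]' '[:upper:]')
    if [ "$prompt" = "YES" ]; then
        echo "geom_eli_passphrase_prompt: enabled"
    else
        echo "geom_eli_passphrase_prompt: disabled"
    fi
    # Passwords are stored as plain text, so the file should not be
    # readable by "other" users.
    if [ "$secrets" -eq 1 ] && [ -n "$(find "$conf" -perm -004)" ]; then
        echo "WARNING: $conf holds a password and is world-readable"; rc=1
    fi
    return "$rc"
}

# Constructed sample input (placeholder values, not taken from the page).
sample=$(mktemp)
cat > "$sample" <<'EOF'
bootlock_password="EXAMPLE-BOOT-SECRET"
geom_eli_passphrase_prompt="yes"
EOF
chmod 644 "$sample"
audit_loader_conf "$sample" || echo "audit found problems"
chmod 600 "$sample"
audit_loader_conf "$sample" && echo "audit clean"
rm -f "$sample"
```

On a real system, pass /boot/loader.conf to audit_loader_conf instead of the sample file.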

The check-password.4th set of commands first appeared in FreeBSD 9.0.

The check-password.4th set of commands was written by Devin Teske ⟨dteske@FreeBSD.org⟩.