CHECK-PASSWORD.4TH(8)   FreeBSD System Manager's Manual  CHECK-PASSWORD.4TH(8)

NAME
     check-password.4th - FreeBSD password-checking boot module

DESCRIPTION
     The file check-password.4th is a set of commands designed to do one or
     more of the following:

           o Prevent booting without a password
           o Prevent modification of boot options without a password
           o Provide a password to mount geli(8) encrypted root disk(s)

     The commands of check-password.4th by themselves are not enough for most
     uses.  Please refer to the examples below for the most common situations,
     and to loader(8) for additional commands.

     Before using any of the commands provided in check-password.4th, it must
     be included through the command:

           include check-password.4th

     This line is present in the /boot/loader.4th file, so it is not needed
     (and should not be re-issued) in a normal setup.

     The commands provided by it are:

           check-password         Multi-purpose function that can protect the
                                  interactive boot menu, prevent boot without
                                  password, or prompt for geli(8) passphrase
                                  (depending on loader.conf(5) settings).

                                  First checks bootlock_password and, if set,
                                  the user cannot continue until the correct
                                  password is entered.

                                  Next, checks geom_eli_passphrase_prompt and
                                  if set to YES (case-insensitive) prompts the
                                  user to enter their GELI password for later
                                  mounting of the root device(s) during boot.

                                  Last, checks password and, if set, tries to
                                  autoboot and only prompts for password on
                                  failure or user interrupt.  See
                                  loader.conf(5) for additional information.

     The environment variables that affect its behavior are:

           bootlock_password  Sets the bootlock password (up to 255 characters
                              long) that is required by check-password to be
                              entered before the system is allowed to boot.

           geom_eli_passphrase_prompt
                              Selects whether loader(8) will prompt for GELI
                              credentials, handing off to the kernel for later
                              mounting of geli(8) encrypted root device(s).

           password           Sets the password (up to 255 characters long)
                              that is required by check-password before the
                              user is allowed to visit the boot menu.

FILES
     /boot/loader              The loader(8).
     /boot/check-password.4th  check-password.4th itself.
     /boot/loader.rc           loader(8) bootstrapping script.

EXAMPLES
     Standard i386 /boot/loader.rc:

           include /boot/loader.4th
           check-password

     Set a password in loader.conf(5) to prevent modification of boot options:

           password="abc123"

     Set a password in loader.conf(5) to prevent booting without password:

           bootlock_password="boot"

     Add the following to loader.conf(5) to generate a prompt at boot to
     collect GELI credentials for mounting geli(8) encrypted root device(s):

           geom_eli_passphrase_prompt="YES"
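
     The sh script below is an added example, not part of the FreeBSD manual
     page or of check-password.4th.  It reports the three settings in the
     order check-password tests them and checks that a loader.rc invokes
     check-password.  The function names and sample files are hypothetical,
     and only the name="value" form shown above is parsed.

```shell
#!/bin/sh
# Added example (not from the manual page): summarize the check-password
# settings in a loader.conf-style file, in the order check-password tests them.

# Print the last value assigned to variable $2 in file $1 (name="value" form).
get_var() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Classify a password value: unset, set, or too-long (manual: up to 255 chars).
pw_state() {
    if [ -z "$1" ]; then echo unset
    elif [ "${#1}" -gt 255 ]; then echo too-long
    else echo set
    fi
}

# Report each setting as name=state, one per line.
audit_loader_conf() {
    echo "bootlock_password=$(pw_state "$(get_var "$1" bootlock_password)")"
    # The prompt is enabled only by YES, compared case-insensitively.
    geli=$(get_var "$1" geom_eli_passphrase_prompt | tr '[:lower:]' '[:upper:]')
    if [ "$geli" = YES ]; then echo "geom_eli_passphrase_prompt=on"
    else echo "geom_eli_passphrase_prompt=off"; fi
    echo "password=$(pw_state "$(get_var "$1" password)")"
}

# Succeed if the loader.rc-style file $1 invokes check-password on its own line.
rc_calls_check_password() {
    grep -q '^[[:space:]]*check-password[[:space:]]*$' "$1"
}

# Constructed sample input, mirroring the EXAMPLES section.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'bootlock_password="boot"' \
    'geom_eli_passphrase_prompt="yes"' > "$demo_dir/loader.conf"
printf '%s\n' 'include /boot/loader.4th' 'check-password' > "$demo_dir/loader.rc"

audit_loader_conf "$demo_dir/loader.conf"
rc_calls_check_password "$demo_dir/loader.rc" ||
    echo "warning: loader.rc never calls check-password"
```

     On a real system, pass /boot/loader.conf and /boot/loader.rc to the two
     functions instead of the constructed files.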

SEE ALSO
     loader.conf(5), loader(8), loader.4th(8)

HISTORY
     The check-password.4th set of commands first appeared in FreeBSD 9.0.

AUTHORS
     The check-password.4th set of commands was written by Devin Teske
     <dteske@FreeBSD.org>.

FreeBSD 13.1-RELEASE-p6          June 24, 2018         FreeBSD 13.1-RELEASE-p6
