When there are errors during the initrd part of a system boot, dracut will drop to a shell (so you can fix things). Is there a way to require a password before going into the shell, in the manner that Debian's initramfs-tools rescue shell works?
I have several Fedora machines (currently Fedora 17, soon to be Fedora 20) run in a public lab environment. One of them had an fsck error today and dropped to the the rescue shell. Someone tried to use the system before I got to it (and, fortunately, didn't hit any of the commands available in the rescue shell). I'd like to prevent a recurrence.
I think you should be able to disable it by adding
rd.shell=0to your kernel command line. Then if the boot fails it will print a message but not drop to a shell, and you will have to go into grub and reboot with a modified command line to get the shell.This occurs when the emergency shell is enabled. This debugging shell is spawned when dracut is unable to mount the root filesystem. Since the passwords are on the root filesystem, authentication isn't really possible at this early stage.
Check the kernel command line for
rd.shell. This option should be set to0or be absent, to disable the emergency shell.