RH134 - ch10s03

Bookmark this page

Reset the Root Password

Objectives

Reset the Root Password from the Boot Loader

One task that every system administrator should be able to accomplish is resetting a lost root password. This task is trivial if the administrator is still logged in, either as an unprivileged user but with full sudo access, or as root. This task becomes slightly more involved when the administrator is not logged in.

Several methods exist to set a new root password. A system administrator could, for example, boot the system by using a Live CD, mount the root file system from there, and edit /etc/shadow. This section explores a method that does not require the use of external media.

On Red Hat Enterprise Linux 9, the scripts that run from the initramfs image can be paused at certain points, to provide a root shell, and then continue when that shell exits. This script is mostly meant for debugging, and also to reset a lost root password.

Starting from Red Hat Enterprise Linux 9, if you install your system from a DVD, then the default kernel asks for the root password when you try to enter maintenance mode. Thus, to reset a lost root password, you must use the rescue kernel.

To access that root shell, follow these steps:

Reboot the system.
Interrupt the boot-loader countdown by pressing any key, except Enter.
Move the cursor to the rescue kernel entry to boot (the entry with the rescue word in its name).
Press e to edit the selected entry.
Move the cursor to the kernel command line (the line that starts with linux).
Append rd.break. With that option, the system breaks just before the system hands control from the initramfs image to the actual system.
Press Ctrl+x to boot with the changes.
Press Enter to perform maintenance when prompted.

At this point, the system presents a root shell, and the root file system on the disk is mounted read-only on /sysroot. Because troubleshooting often requires modifying the root file system, you must remount the root file system as read/write. The following step shows how the remount,rw option to the mount command remounts the file system where the new option (rw) is set.

Important

Because the system has not yet enabled SELinux, any file that you create does not have SELinux context. Some tools, such as the passwd command, first create a temporary file, and then replace it with the file that is intended for editing, which effectively creates a file without SELinux context. For this reason, when you use the passwd command with rd.break, the /etc/shadow file does not receive SELinux context.

To reset the root password, use the following procedure:

Remount /sysroot as read/write.
```
sh-5.1# mount -o remount,rw /sysroot
```
Switch into a chroot jail, where /sysroot is treated as the root of the file-system tree.
```
sh-5.1# chroot /sysroot
```
Set a new root password.
```
sh-5.1# passwd root
```
Ensure that all unlabeled files, including /etc/shadow at this point, get relabeled during boot.
```
sh-5.1# touch /.autorelabel
```
Type exit twice. The first command exits the chroot jail, and the second command exits the initramfs debug shell.

At this point, the system continues booting, performs a full SELinux relabeling, and then reboots again.

Recovery of a Cloud Image-based System

If your system was installed by deploying and modifying one of the official cloud images instead of using the installer, then some system configuration aspects might differ for the boot process.

The procedure to use the rd.break option to get a root shell is similar to the previously outlined procedure, with some minor changes.

If your system was deployed from a Red Hat Enterprise Linux cloud image, then your boot menu does not have a rescue kernel by default. However, you can use the default kernel to enter maintenance mode by using the rd.break option without entering the root password.

The kernel prints boot messages and displays the root prompt on the system console. Prebuilt images might have multiple console= arguments on the kernel command line in the bootloader. Even though the system sends the kernel messages to all the consoles, the root shell that the rd.break option sets up uses the last console that is specified on the command line. If you do not get your prompt, then you might temporarily reorder the console= arguments when you edit the kernel command line in the boot loader.

Inspect Logs

Looking at the logs of previously failed boots can be useful. If the system journals persist across reboots, then you can use the journalctl tool to inspect those logs.

Remember that by default, the system journals are kept in the /run/log/journal directory, and the journals are cleared when the system reboots. To store journals in the /var/log/journal directory, which persists across reboots, set the Storage parameter to persistent in the /etc/systemd/journald.conf file.

[root@host ~]# vim /etc/systemd/journald.conf
...output omitted...
[Journal]
Storage=persistent
...output omitted...
[root@host ~]# systemctl restart systemd-journald.service

To inspect the logs of a previous boot, use the journalctl command -b option. Without any arguments, the journalctl command -b option displays only messages since the last boot. With a negative number as an argument, it displays the logs of previous boots.

[root@host ~]# journalctl -b -1 -p err

This command shows all messages that are rated as an error or worse from the previous boot.

Repair Systemd Boot Issues

To troubleshoot service startup issues at boot time, Red Hat Enterprise Linux 8 and later versions provide the following tools:

Enable the Early Debug Shell

By enabling the debug-shell service with the systemctl enable debug-shell.service command, the system spawns a root shell on TTY9 (Ctrl+Alt+F9) early during the boot sequence. This shell is automatically logged in as root, so that administrators can debug the system when the operating system is still booting.

Warning

Disable the debug-shell.service service when you are done debugging, because it leaves an unauthenticated root shell open to anyone with local console access.

Alternatively, to activate the debug shell during the boot by using the GRUB2 menu, follow these steps:

Reboot the system.
Interrupt the boot-loader countdown by pressing any key, except Enter.
Move the cursor to the kernel entry to boot.
Press e to edit the selected entry.
Move the cursor to the kernel command line (the line that starts with linux).
Append systemd.debug-shell. With this parameter, the system boots into the debug shell.
Press Ctrl+x to boot with the changes.

Use the Emergency and Rescue Targets

By appending either systemd.unit=rescue.target or systemd.unit=emergency.target to the kernel command line from the boot loader, the system enters into a rescue or emergency shell instead of starting normally. Both of these shells require the root password.

The emergency target keeps the root file system mounted read-only, while the rescue target waits for the sysinit.target unit to complete, so that more of the system is initialized, such as the logging service or the file systems. The root user at this point cannot change /etc/fstab until the drive is remounted in a read write state with the mount -o remount,rw / command.

Administrators can use these shells to fix any issues that prevent the system from booting normally, for example, a dependency loop between services, or an incorrect entry in /etc/fstab. Exiting from these shells continues with the regular boot process.

Identify Stuck Jobs

During startup, systemd spawns various jobs. If some of these jobs cannot complete, then they block other jobs from running. To inspect the current job list, administrators can use the systemctl list-jobs command. Any jobs that are listed as running must complete before the jobs that are listed as waiting can continue.

References

dracut.cmdline(7), systemd-journald(8), journald.conf(5), journalctl(1), and systemctl(1) man pages

Discuss Red Hat System Administration II

Go to community

Is It possible to reset root password when the system is on multi-user.target?

jennifer1987

27 lip 2023

Hi thereWell, i have a question, Is It possible to reset root password when the system is on multi-user.target? I was not be able to found a foro o some information related with this and another question that I have, If the grub menu dont show up, is it posible to reset the root password?

991

Red Hat System Administration II (RH134)

Haley_Ruccio

21 lip 2023

Build the skills to perform the key tasks needed to become a full-time Linux administratorRed Hat System Administration II (RH134) is the second part of the RHCSA training track for IT professionals who have already attended Red Hat System Administration I. The course goes deeper into core Linux system administration skills in storage configuration and management, installation and deployment of Red Hat Enterprise Linux, management of security features such as SELinux, control of recurring system tasks, management of the boot process and troubleshooting, basic system tuning, and command-line automation and productivity. This course assumes that students have attended Red Hat System Administration I (RH124).Experienced Linux administrators who seek rapid preparation for the RHCSA certification should instead start with RHCSA Rapid Track (RH199).This course is based on Red Hat Enterprise Linux 9.0.Course summaryInstall Red Hat Enterprise Linux using scalable methodsAccess security files, file systems, and networksExecute shell scripting and automation techniquesManage storage devices, logical volumes, and file systemsManage security and system accessControl the boot process and system servicesRun containersAudience for this courseThis course is geared toward Windows system administrators, network administrators, and other system administrators who are interested in supplementing current skills or backstopping other team members, in addition to Linux system administrators who are responsible for these tasks:Configuring, installing, upgrading, and maintaining Linux systems using established standards and proceduresProviding operational supportManaging systems for monitoring system performance and availabilityWriting and deploying scripts for task automation and system administrationRecommended trainingSuccessful completion of Red Hat System Administration I (RH124) is recommended.Experienced Linux administrators seeking to accelerate their path toward becoming a Red Hat Certified System Administrator should start with the RHCSA Rapid Track course (RH199).Take our free assessment to gauge whether this offering is the best fit for your skills.Technology considerationsThere are no special technology requirements.This course is not designed for bring your own device (BYOD).Internet access is not required, but is recommended to allow students to research and access Red Hat online resources.

Welcome to the Red Hat System Administration II (RH134) group in the Red Hat Learning Community!

Deanna

18 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat System Administration II! To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH134.Read more about Red Hat System Administration II here.

417

Revision: rh134-9.0-fa57cbe