Red Hat Enterprise Linux Diagnostics and Troubleshooting
When the root password for a system is lost or forgotten, an authorized administrator can reset it. Some methods can work remotely, such as through an SSH connection, while others require physical console access.
If any user is still logged in as the root account on an unlocked terminal, then use that active session to change the password. Similarly, use any accessible account that has sufficient sudo shell or passwd command access to reset the root password.
A more complex method is to manually edit the /etc/shadow file and copy in a known password hash, working from any account that has sudo text editor access, or to edit the virtual machine's disk image with the guestfish command.
If the previous methods are not available or unsuccessful, then rescue mode is an alternative. An administrator with physical system access can use the anaconda installation program's rescue mode to boot from installation media or an external media device, and then use that access to change the root password. This procedure requires that either the system's disks are not encrypted or that the encryption password is known. If the firmware password is configured and known, then you can boot from alternative devices on both BIOS and UEFI firmware. The anaconda rescue mode is accessed by booting from a Red Hat Enterprise Linux 8 boot media device, such as a USB installation device, and selecting the Troubleshooting option in the boot menu.
When the external boot media method is not available or unsuccessful, an administrator can use the systemd startup sequence to halt the initial ramdisk (initramfs) startup sequence. This method requires physical console access, or access through a remote management card or KVM switch, and knowledge of passwords for disk encryption and the boot loader, if configured.
This method for resetting a root password consists of these steps:
Reboot the system and interrupt the boot loader timer by pressing any key except Enter.
Find the entry that is normally booted, and change it so that it halts execution during the initial ramdisk startup sequence.
Use the cursor keys to highlight the entry that would normally be booted, and press e.
Use the cursor keys to move to the line that has the kernel and the kernel arguments. This line normally starts with linux.
Move the cursor to the end of the line by pressing Ctrl+e, and add rd.break.
Note
Classroom virtual machine images have a console= kernel setting for a serial console. If you are not using a serial console, then remove this setting to force the initial ramdisk to use the virtual console. If you keep this setting, then control passes to a serial console that you cannot see, and a black screen appears.
Press Ctrl+x to boot with the modified parameters.
The system now boots, but exits the process during initial ramdisk execution. If a prompt does not appear shortly, press Enter to see whether the prompt is obscured by kernel output.
Remount the root file system with read and write capabilities. The file system is currently mounted on the /sysroot directory mount point.
switch_root:/# mount -o remount,rw /sysroot
Change the working root directory to /sysroot.
switch_root:/# chroot /sysroot
Reset the root password to a known value.
sh-4.2# echo "root:newpassword" | chpasswd
Force SELinux to relabel during the next boot.
sh-4.2# touch /.autorelabel
Important
The SELinux relabel in this method is required. SELinux detects whether an alternative access sequence occurred because the SELinux contexts are no longer present on the modified files. To trust the system again, SELinux will not boot until all files are properly relabeled.
Reboot the system by exiting from the chroot environment and from the switch_root prompt by typing exit twice.
Verify that the root password access is reset by either logging in as root or by logging in as a non-privileged user and switching to root with any method that requires entering the root password.
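A check to run inside the chroot, after the touch /.autorelabel step and before typing exit, written as an added example that is not part of the original course text: it confirms that root's /etc/shadow entry holds a usable hash that was changed today and that the relabel flag file exists. The function names and the optional root-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-reboot check for the rd.break reset procedure.
# Call with no argument inside the chroot; the optional root-directory
# argument is an assumption of this example, used for offline testing.

# Print field $2 (1-based) of root's entry in shadow file $1.
shadow_field() {
    awk -F: -v n="$2" '$1 == "root" { print $n; exit }' "$1"
}

# Return 0 only if the reset under root directory $1 looks complete.
check_root_reset() {
    root=${1:-}
    shadow="$root/etc/shadow"
    [ -r "$shadow" ] || { echo "cannot read $shadow"; return 2; }
    hash=$(shadow_field "$shadow" 2)
    lastchg=$(shadow_field "$shadow" 3)
    today=$(( $(date +%s) / 86400 ))
    rc=0

    # Empty means no password at all; "*" or a leading "!" means locked.
    case "$hash" in
        ''|'*'|'!'*) echo "root password field is empty or locked"; rc=1 ;;
    esac

    # chpasswd stores the change date as days since 1970-01-01.
    case "$lastchg" in
        ''|*[!0-9]*) echo "last-change field is not a day count"; rc=1 ;;
        *) age=$(( today - lastchg ))
           if [ "$age" -lt -1 ] || [ "$age" -gt 1 ]; then
               echo "root password was not changed today"; rc=1
           fi ;;
    esac

    # Without this flag file the next boot does not relabel.
    [ -e "$root/.autorelabel" ] || { echo "/.autorelabel is missing"; rc=1; }
    return "$rc"
}

# Demo on a constructed tree; the hash string below is made up.
demo=$(mktemp -d)
mkdir -p "$demo/etc"
printf 'root:$6$constructed$hash:%s:0:99999:7:::\n' \
    "$(( $(date +%s) / 86400 ))" > "$demo/etc/shadow"
check_root_reset "$demo" || echo "=> not ready to exit yet"
touch "$demo/.autorelabel"
check_root_reset "$demo" && echo "=> ready to exit and reboot"
rm -rf "$demo"
```

The one-day tolerance on the change date covers a session that runs across midnight UTC.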