How to change a forgotten or lost root password

[cah]

Red Hat Enterprise Linux 4, 5, 6

You can change the root password from either single user mode or rescue mode. The method for booting into single user mode depends on your bootloader:

GRUB - No password protection

Booting into single user mode using GRUB is accomplished by editing the kernel line of the boot configuration. This assumes that either the GRUB boot menu is not password protected or that you have access to the password if it is.

When the system boots up, you will see the GRUB countdown, which is set to 5 seconds by default . Press "Esc" to intercept this countdown and go enter a GRUB menu. Then follow these steps:

• Press 'e' to start editing.
• Scroll down to the "kernel..." line. This line tells GRUB which kernel to boot.
• Press 'e' again to edit this line.
• Move to the end of the line. Add the number "1" to the end after space.
• Once you have finished that change, press Enter to accept the edit.
• Press 'b' to boot using that kernel and boot into runlevel 1 (single user mode).

Change the root password when the "#" prompt appears by using the "passwd" command.

Note: The switch to runlevel 1 is not persistent. At next boot, the system will start in default runlevel as specified in the /etc/inittab file.

Rescue Mode (GRUB is protected, system is unbootable due to a Maintenance mode prompt, or other issues)

If the GRUB boot menu is password protected or the system is unbootable due to other issues and you do not have access to the password, you will need to use a rescue disk to boot the system.

Follow the instructions given by the rescue disk boot process:

Boot the system from boot disc 1. Once the system has successfully booted from the ISO image and the Red Hat Enterprise Linux boot screen appears, type "linux rescue" without the quotes at the boot prompt and press the enter key.

Code: Select all

[F1-Main] [F2-Options] [F3-General] [F4-Kernel] [F5-Rescue]

boot: linux rescue

NOTICE: RHEL 6.7 ISO image has a Rescue selection and it goes to the following steps directly.

• When prompted for language and keyboard, provide the pertinent information for the system. When prompted to enable the network devices on the system, select "No".
• Select "Continue" when prompted to allow the rescue environment to mount the Red Hat Enterprise Linux installation under the /mnt/sysimage directory.
• Run the command "chroot /mnt/sysimage" to change root to your system image.
• Use the command "passwd" to change the root password of the system.
• If the command "passwd" is not found, you will need to mount /usr in order to access usr/bin/passwd

LILO

When the system comes to the LILO prompt, type "linux single". When the "#" prompt appears you will need to type "passwd root". This will update the password to a newer one. At this point you can type "exit" and your system should return to the boot sequence. Alternatively, you can reboot your system with the "shutdown -r now" or "reboot" commands. The system should boot up normally. You can now use your new root password to gain root access.

If LILO is configured to not wait at the boot menu (the timeout value in /etc/lilo.conf is set to zero) you can still halt the boot process by pressing any key in the split second before LILO boots the kernel.

Red Hat Enterprise Linux 7

Starting with Red Hat Enterprise Linux 7 Beta, users have two means to change a forgotten root password:

1) With rescue media (recommended - least risky)
2) Without rescue media (risky)

Using Rescue Media (boot.iso)

1. Boot from boot.iso, choose Troubleshooting > Rescue a system
2. Mount the system normally (not read-only), i.e. default, OK
3. At shell prompt, chroot /mnt/sysimage
4. passwd root
5. reboot

Without using Rescue Media (boot.iso)

When the system boots up, you will see the GRUB 2 countdown, which is set to 5 seconds by default . Press "Esc" to intercept this countdown and go enter a GRUB 2 menu. Then follow these steps:

1. Boot with 'init=/bin/bash' argument
   • Press 'e' to start editing.
   • Scroll down to the "linux16..." or "linuxefi..." line. This line tells GRUB 2 which kernel to boot.
   • Move to the end of the line. Add the string "init=/bin/bash" to the end after space.
   • (Optional but recommended) If you want to see as you type-in, you have to also remove the "rhgb quiet" part of that line.
   • Once you have finished that change, press Ctrl-x to accept the edit, and to boot using that kernel and boot into runlevel 1 (single user mode).
   • The Linux kernel will run the /bin/bash shell rather than the system init daemon. Therefore, some functions may be limited or missing.
2. Run load_policy to load the installed policy file into the kernel.

   Code: Select all

       /usr/sbin/load_policy -i
   

   NOTICE: This command may show error (busy).
3. Remount the root filesystem in read-write mode:

   Code: Select all

       mount -o remount,rw /
   

4. Set the new password:

   Code: Select all

       passwd root
   

5. Run the "exec /sbin/init" command to resume the initialization and finish the system boot.
   Running the exec command with another command specified replaces the shell and creates a new process; init in this case.
   Alternatively, if you wish to reboot the system, run the exec /sbin/reboot command instead.
   NOTICE: If typing "exit", the root password will not be changed. Type "exec /sbin/init" is needed.

There is a bugzilla that is tracking a possible creation of a dracut module for simplifying this process.
Troubleshooting

If you boot to the shell and have and are unable to type, try the following:
1. Reboot the system
2. Edit the grub kernel line as described above, but also do the following:
- Remove all console and vconsole entries and their arguments
- Remove the rhgb option
- Remove the Lang= option and all arguments
3. Boot the modified grub line