A system administrator can easily reset a password for a user that has forgotten their password. But what happens if the system administrator forgets the root password? This guide will show you how to reset a lost or forgotten root password. Note that to reset the root password, you need to have physical access to the machine in order to reboot and to access GRUB settings. Additionally, if the system is encrypted, you will also need to know the LUKS passphrase.
Edit the GRUB settings
First you need to interrupt the boot process, so turn the system on, or restart it if it is already powered on. This step is tricky because the GRUB menu tends to flash by very quickly on the screen.
Press ‘e’ on your keyboard when you see the GRUB menu:
After pressing ‘e’, the GRUB edit screen is shown:
Use your arrow keys to move to the linux16 line.
Using the Del or Backspace key, remove rhgb quiet and replace it with the following:
rd.break enforcing=0
After editing the line, press Ctrl-x to start the system. If the system is encrypted, you will be prompted for the LUKS passphrase here.
Note: Setting enforcing=0 avoids a complete SELinux relabeling of the system. Because the password is changed while SELinux is not enforcing, the /etc/shadow file ends up with the wrong SELinux context; once the system is rebooted, restore the correct context for /etc/shadow (this is explained a little further on in this process).
Mounting the filesystem
The system will now be in emergency mode. Remount the hard drive with read-write access:
# mount -o remount,rw /sysroot
Password Change
Run chroot to access the system.
# chroot /sysroot
You can now change the root password.
# passwd
Type the new root password twice when prompted. If you are successful, you should see a message that all authentication tokens updated successfully.
Type exit twice, once to leave the chroot and once to leave the emergency shell, and the system boots.
Log in as root and restore the SELinux label to the /etc/shadow file.
# restorecon -v /etc/shadow
Turn SELinux back to enforcing mode.
# setenforce 1
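A defender-side check, added here as an example and not part of the original article: after a recovery like the one above, or when auditing a machine, it is useful to know whether the current (or an earlier) boot carried one of the kernel parameters that hand out a root shell without the root password. The parameter names come from the article (rd.break, enforcing=0) and from the comments below (the single-user ‘1’, ‘s’, ‘S’ parameters and cmurf's systemd.debug-shell=1). The kernel image name and the log line are constructed placeholders; the log line follows the "Command line: …" form the kernel logs at boot and journalctl -k shows.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a kernel command line
# for the parameters that this article and its comments use to obtain a root
# shell without the root password. Run it after boot, or feed it a kernel log
# line from an earlier boot, to see whether such a boot took place.

# flag_recovery_params CMDLINE
# Prints one line per recovery-mode parameter found in CMDLINE.
# Returns 0 if at least one was found, 1 for a normal-looking boot.
flag_recovery_params() {
    frp_found=1
    for frp_tok in $1; do
        case "$frp_tok" in
            rd.break|rd.break=*)
                echo "$frp_tok: dracut breakpoint, root shell before switch_root (article)"; frp_found=0 ;;
            enforcing=0)
                echo "$frp_tok: SELinux permissive, /etc/shadow may get the wrong label (article)"; frp_found=0 ;;
            systemd.debug-shell=1)
                echo "$frp_tok: passwordless root shell on tty9 (cmurf's comment)"; frp_found=0 ;;
            1|s|S)
                echo "$frp_tok: single-user / rescue target (comments)"; frp_found=0 ;;
        esac
    done
    return $frp_found
}

# count_recovery_params CMDLINE -> number of flagged parameters on stdout.
count_recovery_params() {
    flag_recovery_params "$1" | wc -l | tr -d ' '
}

# cmdline_from_kmsg LINE
# Extracts the command line from a kernel log line of the form
# "... kernel: Command line: <params>" (the form journalctl -k shows).
cmdline_from_kmsg() {
    printf '%s\n' "$1" | sed -n 's/.*Command line: //p'
}

# Constructed sample inputs; the kernel image name is a placeholder, not a real host's.
SAMPLE_NORMAL='BOOT_IMAGE=/vmlinuz-EXAMPLE root=/dev/mapper/fedora-root ro rhgb quiet'
SAMPLE_RECOVERY='BOOT_IMAGE=/vmlinuz-EXAMPLE root=/dev/mapper/fedora-root ro rd.break enforcing=0'
SAMPLE_KMSG='Jan 01 00:00:00 host kernel: Command line: BOOT_IMAGE=/vmlinuz-EXAMPLE root=/dev/mapper/fedora-root ro systemd.debug-shell=1'

# Check the running system when /proc/cmdline is readable (Linux).
if [ -r /proc/cmdline ]; then
    if flag_recovery_params "$(cat /proc/cmdline)"; then
        echo "WARNING: this boot used a root-recovery parameter; check the label of /etc/shadow and that SELinux is enforcing"
    else
        echo "OK: no root-recovery parameters on the current kernel command line"
    fi
fi
```

The check only sees the kernel command line, so it catches the GRUB-edit route and the debug-shell route; the live-media route that several comments describe leaves no trace there, and a changed modification time on /etc/shadow or a missing SELinux label on it are the signs to look for in that case.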
Costa A.
Couldn’t I just boot with “1 or s or S” and reset it?
Or even, if you have except your root account, a second account with sudo, use something like “sudo systemctl isolate runlevel1.target” or “sudo systemctl isolate rescue.target” ?
I am not implying that the article is wrong on that matter, but we have to keep things simple.
Paul W. Frields
If memory serves, a broken file system can result in a prompt for the root password if you boot to single-user mode. So in some cases single-user might work fine, and in some it might not be sufficient. And it may not be safe to assume that there’s a sudo capable account setup, although if you have one, that will work as well. You might be trying to rescue the system of someone who isn’t familiar with sudo and lost the administrator password.
Radosław K.
The article is keeping things as simple as possible, while minding changed architecture (that was introduced along with systemd) and the fact that possibly user has no access to machine whatsoever. I completely agree with the method laid out here, as it is most error-proof in my experience.
Jancio Wodnik
Hi. is it not simpler – run in single user and then use passwd ?
Radek Ulatowski
If I’m correct, single user doesn’t automatically mean root access – you still need to type the password. With boot parameter ‘1’ you will boot to the command line (‘rescue’ mode I think).
Radosław K.
No, there is no single user mode any more and replacements like rescue.target and emergency.target will ask for root password.
tom
I doubt you’ll feel that way when the SEL violations start rolling in and you can’t boot anymore 😀
Vince Sh
Instead of changing the procedure every few versions, why not just set up a grub menu option to boot to single user mode? Just sayin
Sebastiaan
Single user mode still asks for a root password
Zac
Could you please clarify. I’m new to fedora and linux so apologies for any redundancy in my questions. I merely am trying to learn how as much as I can.
Does this mean anyone needs only physical access to a workstation to gain root access to that machine? Just seems odd, as the sole purpose of a password for the root user, is to prevent someone from gaining root access. And this method seems to circumvent that.
Perhaps access to an encrypted disk is not possible with the workaround you described, and is the added security one would want?
Michael F
This was also quite a surprise to me.
Bruno
Maybe setting a password to Grub2 beforehand could help avoid editing the boot parameters.
But if one has physical access to the machine, he could always boot with a live media and gain access to data in it, be it Linux, Windows or other systems (if the file system isn’t encrypted, of course).
Neville A. Cross
If your workstation is a desktop in your office, you lock the office. If your workstation is a laptop, you encrypt the disk. You may additionally want to set a password for the BIOS to avoid somebody booting your computer with removable media. So, the root password is one of several measures to secure your workstation. You need to ponder how at risk your computer is and what other measures you will put in place.
Dann Griggs
Have you ever reset an unknown local administrator password on a Windows machine? All you need is physical access and a USB stick with a linux live distro on it. The chntpw utility gets you into any Windows machine (7, 8, 10, and server versions) in about 40 seconds.
Hans Meiser
The solution is to encrypt your hard drive, no matter if laptop or desktop machine (re comment on locked office). Again, unless your hard drive is encrypted nothing is safe at all. Anyone could at any time take out the drive and stick it into another machine for full access.
Erik Beck
Good article. My starting point would be a couple of steps back:
1) If the admin’s normal user account has sudo rights, ‘sudo passwd’ might be enough to do the trick.
2) If #1 isn’t workable, then boot the machine from a live dvd or some other rescue media that does not have a password protected root account. Mount the file system on the target machine with /etc. Edit the password file or shadow password file, as appropriate, blanking out the hashed password field for the root account. Dismount all file systems cleanly. Cut the machine off from all network connections (remove the ethernet cable). Reboot. Login as root, and set a new password. Reattach to the network and resume normal operations.
3) Else, do as described in the article.
Einer
Let me help 🙂
1) If the root partition on the disk is encrypted, you will need the password at boot for the disk encryption
2) If GRUB is protected by a power on/boot password, you will need the GRUB boot password
3) Now, IF you can get to single user mode, you still have to do the chroot and passwd command as described earlier … OR ….. you can also vi the /etc/shadow file on the root device and remove the root password entirely (leaving root with no password at login) and change/set it once the OS is up (login as root and do passwd)
4) IF you have a user that is already permitted to sudo su – you can have that same user change the root password without having to do 1 – 3 …….
Einer
Also …. a couple of other things 🙂 ….
If the root account is set to require a password even at single user ………. then you have only a couple of options to recover / reset the lost root password
1) You can do #4 in previous comment
2) Get your bootable media and boot the affected machine from it (and you will still need to know everything in #1 – #3 of last comment) …….
Einer
For the person that asked “How do I ultimately protect my machine from being hacked in this fashion?”
1) Disk encryption (protect you password for it)
2) Reduce/Eliminate unauthorized physical access to the machine/base tty console
Ujjwal Dey
Thank You Einer for being the only one giving the answer to the simple question of Zac which I also needed to know.
I will Google the terms “GRUB”, “tty” to understand more.
Curt’s article too is very useful and simple compared to various alternatives listed by professional Linux users who have many years of Linux use and understanding.
I guess there is a whole community of Linux users who may be very frustrated by the newbies trying to adopt Linux in their daily life. But I really hope Fedora becomes popular and widely used and it can’t happen unless an average Joe-Jane who uses a computer only for emails, facebook and tax calculation spreadsheet also switches to Fedora Linux as his / her first choice.
Adam Young
Why the disable of SELinux? This is an additional step beyond what RHEL 7 currently requires.
Robert Stanfield
you can do
if you’re in the sudo file too
Leslie Satenstein
Hi Robert,
What you show is the method that works with SUSE and Fedora.
Even so when I install a new system I run visudo and uncomment the line that says NOPASSWD
That allows me to issue sudo su and sudo su -
passwd
Earl Ramirez
Hello Zac
This is correct, anyone with physical access can access your system and reset the root password; however, there are a number of things you can do to harden your server, workstation or laptop from this.
You can encrypt your HDD/SSD, enable grub password, which means that the individual will require your grub password and the passphrase to decrypt your HDD/SSD.
This is why physical security is extremely important.
Zach
These things are why I have a BIOS power on password! I think it helps.
Hans Meiser
BIOS password is not very secure – one can take out the hdd and plug it into another machine to gain access to your data, unless it is encrypted! Once it is encrypted, a BIOS password becomes obsolete (save for the time to type that password)
Florian
On a Fedora 27 (U)EFI system, the relevant grub line does start with a
(not
as shown in the screenshots.)
Paulo Fidalgo
I believe this should be in the wiki… just in case we need something to follow
Florian
There is actually a wiki page for that topic, it just seems to be outdated.
https://fedoraproject.org/wiki/How_to_reset_a_root_password
cmurf
This seems overly complicated.
a. If you can get to any kind of console and log in, use ‘sudo -i’ to become root. Anyone in group wheel can do this.
b. If you’re having problems logging in as an admin, you can add a boot parameter ‘systemd.debug-shell=1’ and then you’ll be able to switch to tty9 and have a passwordless root shell from which you can change the password for any user. Obviously do this as a one shot, not a persistent change.
einer
Power on password works well ……. until the disk is connected to another machine …. then not so much 🙂
Probably the best protection short of locking the machine in a safe is disk encryption.
🙂
Zac
Thanks for all the feedback and helpful comments.
I’ll have to do some research on the Grub/Bios pw approach. I do have the SSD encrypted, but have often left the workstation laptop unattended in ‘locked’ mode, which I am now learning is not sufficient. Sounds like I will need to do a shutdown instead, or figure out how to set a Grub/Bios pw.
Thanks again.