14.2 Resetting Passwords

When you have lost the password of your own user on your server, and even that of root, it becomes necessary to reset the password.

Getting into single user mode

We can do this in single-user mode again, so go into single user mode.

At the following screen use the cursor keys to move up and down to stop the timer (screenshot: kernelselection.png).

Go to the top kernel and press the e button.

Go to the line that begins with linux ($root)

Go to the end of this line and add rd.break

It should now look like this (screenshot: kernelrdbreak.png).

Press Ctrl-x to start the boot process with this kernel and thus into single user mode.

During boot the real root file system will be mounted under /sysroot, but it is mounted read-only, so we cannot change anything.

To change the /sysroot to read-write we must remount it:

mount -o remount,rw /sysroot

Resetting the password

Now that the machine is in single user mode and /sysroot has been remounted read-write, we can start the reset process.

What we need next is to change our root from that of the boot process to the root of our main system in /sysroot.

We can do this with the chroot command, which surprisingly stands for "change root":

chroot /sysroot

The prompt should slightly change.

Now it is like we are in an incomplete version of our normal root system and we can change the password as normal with the passwd command.

passwd root

Now that we have made these password changes, the /etc/shadow file has been changed with the new password. However, SELinux is not running, so it is unaware of the changes to this file. This means that SELinux, when turned on, will deny us access to this file since it is unaware of its new status, and this will prevent us from logging in.

We need to relabel the /etc/shadow file. We can do this in a very simple way. SELinux checks for the existence of the file .autorelabel during the boot procedure. If it finds this file, it triggers an automatic relabeling of the entire filesystem and then removes that file.

We can make this file with the touch command like this:

touch /.autorelabel

Type exit twice to continue booting your system as normal. The system will run an SELinux relabel (note: this can take quite a long time).
When done, see if you can log in as root with the new password.
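
The two conditions this procedure depends on can be checked directly, shown here as an added example that is not part of the original page: /sysroot must be read-write before the chroot, and /etc/shadow must carry its normal label once the relabel has run. The function names and the sample usage are constructed for illustration; shadow_t is the type the standard targeted policy gives /etc/shadow.

```sh
#!/bin/sh
# Added example: checks around the rd.break password reset.
# Function names are hypothetical, not from any tool on this page.

# Print "rw" or "ro" for mount point $1, read from a /proc/mounts-format
# file $2 (default /proc/mounts). The last matching entry wins.
# Returns non-zero if the mount point is not listed.
mount_mode() {
    mode=""
    while read -r _dev mp _fs opts _rest; do
        [ "$mp" = "$1" ] || continue
        case ",$opts," in
            *,rw,*) mode=rw ;;
            *,ro,*) mode=ro ;;
        esac
    done < "${2:-/proc/mounts}"
    [ -n "$mode" ] && echo "$mode"
}

# Print the type field of an SELinux context "user:role:type:level".
selinux_type() {
    t=${1#*:}       # drop the user field
    t=${t#*:}       # drop the role field
    echo "${t%%:*}" # keep everything up to the level field
}

# Classify the state after the reset.
# $1 = SELinux context of /etc/shadow, $2 = root directory to inspect.
post_reset_status() {
    if [ -e "$2/.autorelabel" ]; then
        echo "relabel-pending"   # flag file still present: relabel has not run
    elif [ "$(selinux_type "$1")" = "shadow_t" ]; then
        echo "ok"
    else
        echo "mislabeled"        # the state that blocks login under SELinux
    fi
}

# Live use on the rebooted system: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    post_reset_status "$(stat -c %C /etc/shadow)" ""
fi
```

In the emergency shell, the same information as mount_mode /sysroot is visible in the /sysroot line of /proc/mounts before and after the remount.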