
Recovering lost ROOT password

June 1, 2006

There are a number of different ways to do root password recovery on a Linux system. Some distributions make it easier than others. RedHat makes it very easy.

You must be physically in front of the system. Reboot the computer
(usually ctrl-alt-delete will do it safely) and after POST, the system
will come to a boot loader screen. Newer versions of RedHat (including the
AS versions) use grub as the boot loader, so you should see a graphical
menu in which to select what kernel you want to boot. Select the kernel to
boot and then hit ‘e’. This will take you into a mini-editor where you can
change the line that’s used to boot the system. What we want to do is to
pass an additional argument to the kernel, telling it what runlevel we
want to boot into. This will override the default runlevel setting in
/etc/inittab.

So after hitting ‘e’, we cursor down to the line that starts with ‘kernel’
and cursor all the way to the end of the line. Put a space after any
existing kernel arguments and type the number ‘1’ (without the single
quotes). Hit enter here to accept the change and you’re back at the grub
boot screen. Then hit ‘b’ to boot to this line. The system will boot into
runlevel 1 (single user mode) and you will be dropped to a root prompt
without being prompted for the password. From here you can type ‘passwd’
to change the root password. When you’re done, type ‘exit’ and the system
will boot to the default runlevel.

This works on all distributions; however, some distros will by default
require that you know the root password before letting you boot into
runlevel 1 (Mandrake and SuSE come to mind). You can also password-protect grub itself so you have to know a special password in order to change the boot options.
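The grub password protection mentioned above is the one mitigation on the page for the runlevel-1 trick, so here is an added audit script (not from the original post) that checks whether a GRUB legacy grub.conf actually carries it. It assumes GRUB legacy syntax, where a "password --md5 <hash>" line placed before the first "title" stanza disables the interactive editor ('e') and command line ('c') until the password is entered, while a password line inside a stanza only locks that one entry. The sample configs and the hash value are constructed; a real hash comes from grub-md5-crypt.

```shell
#!/bin/sh
# Added example, not from the original post: audit a GRUB legacy grub.conf
# for a global password line. Only a "password" directive that appears
# before the first "title" stanza protects menu editing; one inside a
# stanza merely locks that entry.

# grub_menu_protected FILE: return 0 if FILE has a global password line.
grub_menu_protected() {
    awk '
        /^[[:space:]]*#/ { next }                      # comment line
        /^[[:space:]]*title([[:space:]]|$)/ { exit }   # global section ends
        /^[[:space:]]*password([[:space:]]|$)/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# report_grub FILE: print a verdict; return 1 when unprotected.
report_grub() {
    if grub_menu_protected "$1"; then
        echo "$1: menu editing is password protected"
    else
        echo "$1: WARNING no global password line; runlevel 1 can be appended from the console"
        return 1
    fi
}

# Constructed sample configs (assumed layout), written to a temp dir so the
# script runs without touching /boot.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/grub-open.conf" <<'EOF'
default=0
timeout=5
title Red Hat Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda1
        initrd /initrd.img
EOF
cat > "$SAMPLES/grub-locked.conf" <<'EOF'
default=0
timeout=5
# placeholder hash: generate a real one with grub-md5-crypt
password --md5 $1$PLACEHOLDER$placeholderhashvalue
title Red Hat Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda1
        initrd /initrd.img
EOF

report_grub "$SAMPLES/grub-locked.conf"
report_grub "$SAMPLES/grub-open.conf" || true
```

Run it against /boot/grub/grub.conf (or wherever your distribution keeps the GRUB legacy menu) after any reinstall or boot loader update; a "lock" on individual entries is not enough if the global section has no password, because the editor is still reachable.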

On distros like this, the easiest way to change the root pw is to boot off
of a linux bootable cd-rom. There are many freely available ‘rescue’-type
distros out there, some even small enough to fit on a floppy. My personal
favorite is Tom’s Boot/Root disk (http://www.toms.net/rb/). The steps to
do password recovery with a boot/root disk are:

– Boot to the boot/root disk
– Mount your existing root partition under a temp directory
– Edit the /etc/shadow file on your root partition
– Remove the encrypted password from root’s entry in the shadow file (the
second field in this colon-delimited file)
– Reboot and boot to your normal partition. Root’s password is now blank.

On a system with the root partition on /dev/sda1 (the first partition on
the first SCSI disk) it would look like this:

Boot to Tom’s Boot/Root disk
Log in as root

# mkdir /tmp/harddisk
# mount /dev/sda1 /tmp/harddisk
# vi /tmp/harddisk/etc/shadow
(remove the encrypted password from root’s entry, then save and quit)
# cd /
# umount /tmp/harddisk
# shutdown -r now

######################################################
Boot the system through the install CD or a rescue disk (if
available).
Run: chroot /mnt/sysimage
Run: /usr/sbin/sys-unconfig

The system will restart and ask for a new root password. It will
then show options for which services to start. Start them
according to your needs.
######################################################

Just go to /mnt/sysimage

Find the directory etc in it (that is the etc on
your hard disk)

open etc/passwd

Find the line that looks like
root:x:0:0::/root:/bin/bash

change that to

root::0:0::/root:/bin/bash

Reboot and log in as root without a password; your
mileage may vary.

From http://aplawrence.com/Linux/lostlinuxpassword.html

Linux © December 2003 Tony Lawrence All Rights Reserved

Lost root password (Linux)


Have you ever forgotten your root password? I have a very good memory. I remember most of my clients’ passwords (there are a few I forget regularly for no reason that I can understand, but I really do know most), I remember telephone numbers, and of course I know my own passwords. That last isn’t as easy as it might sound, because I have quite a few different systems and each has its own password, but though I might use the wrong one now and then, I’ll get it on the second or third try.

Well, not this time. A while back I installed Fedora on a system here, and today I wanted to look at something and .. what was the root password? Hmm, not that.. how about? .. nope, well it must be.. darn!

I had no idea. Fortunately, it wasn’t a boot password, so I did have access to the system. Without that, I would have had to dig up the CDs (who knows where they are) and do a recovery that way, or download something from Tom’s Root and Boot Site. I had access to the Grub loader, so I had it easy.

If you’ve lost your root password, you might be able to recover it this way. However, some systems are protected with boot loader passwords that won’t let you do that without THAT password. If the boot loader is password protected, you need to boot from other media – for newer systems, the install CD probably has the recovery tools for that (“linux rescue” for example).

But let’s try it the easy way first. The first thing to try is to boot to single user mode. This MIGHT not work for you, because your system might be configured to still ask for a root password to get to single user mode. If that’s the case, we’ll use another trick that replaces init with /bin/bash.

First, try single user. If you don’t see either a LILO or GRUB boot screen, try hitting CTRL-X to get one. If it’s LILO, just type “linux single” and that should do it (assuming that “linux” is the lilo label). If GRUB, hit “e”, then select the “kernel” line, hit “e” again, and add “ single” (or just “ 1”) to the end of the line. Press ENTER, and then “b” to boot. (More modern grub uses “a” to append to the boot line.)

You should get a fairly normal looking boot sequence except that it terminates a little early at a bash prompt. If you get a “Give root password for system maintenance”, this isn’t going to work, so see the “init” version below.

If you do get the prompt, the / filesystem may not be mounted rw (although “mount” may say it is). Do

mount -o remount,rw /

If that doesn’t work (it might not), just type “mount” to find out where “/” is mounted. Let’s say it is on /dev/sda2. You’d then type:

mount -o remount,rw /dev/sda2

If you can do this, just type “passwd” once you are in and change it to whatever you like. Or just edit /etc/shadow to remove the password field: move to just beyond the first “:” and remove everything up to the next “:”. With vi, that would be “/:” to move to the first “:”, space bar once, then “d/:” and ENTER. You’ll get a warning about changing a read-only file; that’s normal. Before you do this, /etc/shadow might look like:

root:$1$8NFmV6tr$rT.INHxDBWn1VvU5gjGzi/:12209:0:99999:7:-1:-1:1074970543
bin:*:12187:0:99999:7:::
daemon:*:12187:0:99999:7:::
adm:*:12187:0:99999:7:::

and after, the first few lines should be:

root::12209:0:99999:7:-1:-1:1074970543
bin:*:12187:0:99999:7:::
daemon:*:12187:0:99999:7:::
adm:*:12187:0:99999:7:::

You’ll need to force the write: with vi, “:wq!”. (If that still doesn’t work, you needed to do the -o remount,rw, see above).

Another trick is to add “init=/bin/bash” (LILO “linux init=/bin/bash” or add it to the Grub “kernel” line). This will dump you to a bash prompt much earlier than single user mode, and a lot less has been initialized, mounted, etc. You’ll definitely need the “-o remount,rw” here. Also note that other filesystems aren’t mounted at all, so you may need to mount them manually if you need them. Look in /etc/fstab for the device names.

Keep this in mind if you have a Linux machine in a publicly accessible place: without more protection, it’s not usually hard to recover a lost root password, which means it’s just as easy for someone to CHANGE it, or access root without your knowledge.

Another way to do this is to remove the password from /etc/shadow. Just in case you screw up, I’d copy it somewhere safe first. You want to end up with the root line looking something like this:

# original line
root:$1$EYBTVZHP$QtjkCG768giXzPvW4HqB5/:12832:0:99999:7:::
# after editing
root::12832:0:99999:7:::

If you are having trouble with editing (you really do have to learn vi one of these days), you could (after making a copy, of course) just

echo "root::12832:0:::::" > /mnt/etc/shadow

or, if you were in single user mode

echo "root::12832:0:::::" > /etc/shadow

and then fix things up when rebooted.

If using something like “linux rescue” or other boot media, if the recovery disk doesn’t automatically mount your disk, you need to do it manually. This shouldn’t be difficult unless you have an unusual disk controller. For example, a Compaq raid controller will probably be /dev/ida/c0d0. Find the partitions by using fdisk /dev/ida/c0d0 (just “p” and quit) and then mount what you need.

If all else fails, consider that you can pull this drive (or install another drive in this machine) and mount it from another running Linux. Then recover the root password as explained above.

See also
http://aplawrence.com/Bofcusm/861.html
http://aplawrence.com/Bofcusm/872.html
http://aplawrence.com/Bofcusm/873.html
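Both the boot/root-disk procedure earlier on this page and the shadow editing in the article above end with an account whose password field is empty, and the article's closing warning is that anyone at the console can leave a machine in that state. As an added example (not from this post or the quoted article), here is an audit script that parses copies of /etc/passwd and /etc/shadow with the field layout described above (colon-delimited; field 2 is the hash or "x", field 3 of passwd is the uid) and reports every passwordless entry. The sample files and hash values are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the quoted article: audit
# copies of /etc/passwd and /etc/shadow for empty password fields, the
# state the recovery tricks above leave behind. In passwd, field 2 is the
# hash or "x" (hash lives in shadow) and field 3 is the uid; in shadow,
# field 2 is the hash.

# audit_empty_passwords PASSWD SHADOW
# Prints "passwd:<user>" for passwd lines with an empty field 2 (no password
# at all; shadow is never consulted) and "shadow:<user>" for shadow lines
# with an empty hash, marking uid 0 accounts. Returns 1 if anything printed.
audit_empty_passwords() {
    awk -F: '
        FNR == NR {                          # first file: passwd
            uid[$1] = $3
            if ($2 == "") {
                tag = ""
                if ($3 == "0") tag = " (uid 0)"
                print "passwd:" $1 tag
                bad = 1
            }
            next
        }
        $2 == "" {                           # second file: shadow
            tag = ""
            if (uid[$1] == "0") tag = " (uid 0)"
            print "shadow:" $1 tag
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1" "$2"
}

# count_empty_passwords PASSWD SHADOW: number of findings, for scripting.
count_empty_passwords() {
    audit_empty_passwords "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample files (not real system files). The shadow line for
# root is what the "echo root::12832:0:::::" shortcut or a vi edit leaves;
# the toor line is the passwd-file variant from earlier on the page.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor::0:0:second root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
cat > "$SAMPLES/shadow" <<'EOF'
root::12832:0:99999:7:::
bin:*:12187:0:99999:7:::
alice:$1$CONSTRUCT$notarealhashjustasample/:12832:0:99999:7:::
EOF
# A clean pair for comparison: root has a hash again after running passwd.
cat > "$SAMPLES/passwd.clean" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
EOF
cat > "$SAMPLES/shadow.clean" <<'EOF'
root:$1$CONSTRUCT$notarealhashjustasample/:12832:0:99999:7:::
bin:*:12187:0:99999:7:::
EOF

if audit_empty_passwords "$SAMPLES/passwd" "$SAMPLES/shadow"; then
    echo "no passwordless accounts"
else
    echo "$(count_empty_passwords "$SAMPLES/passwd" "$SAMPLES/shadow") passwordless entries: run passwd for each before reboot"
fi
```

Run it on the real files right after a recovery to confirm that passwd actually wrote a hash back, and periodically on any machine that stands in a public place: an empty field you did not create yourself means someone else has been through the same procedure.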
