System administrators are destined to come across a system where the password has been forgotten or set by the previous administrator. Usually, these consist of local accounts on servers that have not been logged into for some time. Password management is a complex and difficult problem to solve, as with key management, so it is important to know how to recover lost passwords without recreating the server from a new image.
From a security perspective, security professionals will likely be running vulnerability scanners such as Nessus, Nmap, and OpenVAS from a Linux host, so knowing how to recover the most powerful account in the Linux OS may come in handy. Not to mention, if adversaries gain physical access to a host, they will be able to use the same methods described here. By knowing the various attack vectors, organizations can deploy effective countermeasures to prevent damage, reduce impact, and manage risk.
In this post, I will be showing you step-by-step how to recover the root password in Red Hat Enterprise Linux 9 (RHEL). It is worth mentioning that earlier versions, such as RHEL 7, follow a different process. However, since these versions are quickly becoming end-of-life in the coming months at the time of this writing, RHEL 9 will be the main focus.
The simplest method, which could be considered a privilege escalation technique, is to leverage the sudo command using a user account placed in the wheel group. The wheel group can be thought of as an administrator group where users are able to run commands as root through sudo. This technique does require knowing the login credentials of a user account with administrative privileges, so skip to the next section if this is not an available option.
To start, log into the user account, open the terminal, and check the sudo privileges with the following command. The user must have privileges to run the command:
$>sudo -l
The following output will look similar to the below:
Notice that the jdoe user account is able to run all commands using sudo. If the command is denied, or sudo is configured with limited privileges, then the next command will not work.
Since we verified that the account is able to run commands as root, enter the following command:
$>sudo su -
After entering the sudo password for the jdoe account, the prompt changes to the root account as shown below:
Entering the whoami command verifies that you are logged in with the root account. Now simply run the passwd command to change the root password:
#>passwd
After specifying a new password, log out and log back into the root account with the newly set credentials.
Most of the time, depending on the level of security the organization mandates, administrators do not have the luxury of a user account that can reset the root password. Precisely because of the above method, granting one user account the right to run every command as root is generally deemed poor security practice, as it does not follow the principle of least privilege. This is why access controls are absolutely necessary in the event that a user account is compromised. Changing the default permissions in the /etc/sudoers file is one way to mitigate this type of abuse.
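As an added example (not code from the original post), the following script audits a sudoers policy for the pattern just described: entries that let a user or group run every command as root. It also lists who is in the wheel group, since the default %wheel entry is what turns group membership into full root access. The sudoers and /etc/group text it reads are constructed samples embedded in the script so it runs offline; on a real host you would pass the output of `sudo cat /etc/sudoers` (and any files under /etc/sudoers.d) and the contents of /etc/group instead, which assumes you can read those files.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a sudoers policy for
# entries that let a principal run ALL commands as root, the pattern that makes
# the sudo-based recovery in the post (and its abuse) possible. Input is
# constructed sample text embedded below so the script runs offline; on a real
# host pass the policy from `sudo cat /etc/sudoers` and the text of /etc/group
# (assumption: you have read access to both).

# Constructed sample: the default RHEL wheel grant plus a NOPASSWD user,
# followed by two least-privilege entries scoped to a single command each.
SAMPLE_SUDOERS='# constructed sample /etc/sudoers
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
jdoe    ALL=(ALL)       NOPASSWD: ALL
%backup ALL=(root)      NOPASSWD: /usr/bin/rsync
jsmith  ALL=(root)      /usr/bin/systemctl restart httpd.service
'

# Constructed sample /etc/group lines, to pair the policy with membership.
SAMPLE_GROUP='root:x:0:
wheel:x:10:jdoe,asmith
backup:x:34:bkpsvc
'

# Print one principal per line (user or %group) whose command list is ALL.
# Comments and blank lines are dropped; Defaults and alias definitions skipped.
find_unrestricted() {
    printf '%s\n' "$1" \
    | sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' \
    | awk '$1 !~ /^Defaults/ && $1 !~ /_Alias$/ && $NF == "ALL" { print $1 }'
}

# Print the comma-separated members of the wheel group from /etc/group text.
wheel_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "wheel" { print $4 }'
}

# Report who can become root through sudo and which entries grant it.
report() {
    echo "Entries granting ALL commands:"
    find_unrestricted "$1" | sed 's/^/  /'
    echo "Members of wheel: $(wheel_members "$2")"
}

report "$SAMPLE_SUDOERS" "$SAMPLE_GROUP"
```

On the sample policy the report flags root, %wheel and jdoe, while the %backup and jsmith entries pass because each is limited to one command; that contrast is the least-privilege shape to aim for when editing /etc/sudoers with visudo.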
If access to a user account with sudo permissions is not available, then we can reset the root password by editing the bootloader configuration file. However, note that this method does require a restart of the server, so plan accordingly with affected stakeholders.
To start, make sure you have console access to the server or access through the hypervisor if it is a virtual machine.
Reboot the server and reach the bootloader screen as shown below:
Press e to edit the boot parameters. Find the line that starts with linux, go to the end of the line, and append the following parameter:
rd.break
Press Ctrl+x or F10 as stated in the instructions to continue the boot process. You should now be in a temporary shell as the root user. We can verify the target level by typing the following:
#>systemctl get-default
Enter the following commands to mount and chroot to the sysroot directory:
#>mount -o remount,rw /sysroot
#>chroot /sysroot
Now we can reset the root password for our system:
#>passwd root
For good measure, create the autorelabel file to tell SELinux to re-label the system on the next boot. This ensures that the file contexts are not left inconsistent by our changes:
#>touch /.autorelabel
Exit the shell and reboot the system. There is no need to remove the GRUB parameter, since the edit made at the boot menu is not saved and reverts automatically. Notice that the relabeling process starts when rebooting. Allow the process to finish:
Login using the new credentials.
There you have it: the root password has now been reset, and control of the system is restored.
To secure the boot process, one method is to encrypt the drives using dm-crypt when installing the system for the first time. cryptsetup is another tool that uses the dm-crypt module to encrypt drives using LUKS, requiring a key to be entered during the boot process. Otherwise, the disk is unreadable and files cannot be edited, preventing adversaries from performing their own account recovery.
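As an added example (not code from the original post), here is a check a defender can run to confirm that the control above is actually in place: whether the root filesystem sits on a dm-crypt/LUKS layer. It parses the key="value" output of `lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT` and walks from the device mounted at / up through its parents looking for a TYPE="crypt" device. Two constructed lsblk outputs are embedded so the script runs offline; the device and LUKS names in them are made up.

```shell
#!/bin/sh
# Added example, not code from the original post: report whether / is backed
# by a dm-crypt (LUKS) device, i.e. whether the disk-encryption mitigation is
# present on a host. Parses lsblk's key="value" (-P) form and follows the
# PKNAME parent chain from the root device upward. Two constructed lsblk
# outputs are embedded so this runs offline; device names are made up.

# Constructed: LVM root on a LUKS container on sda2 (the encrypted layout).
LSBLK_ENCRYPTED='NAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot"
NAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT=""
NAME="luks-0000" TYPE="crypt" PKNAME="sda2" MOUNTPOINT=""
NAME="rhel-root" TYPE="lvm" PKNAME="luks-0000" MOUNTPOINT="/"
NAME="rhel-swap" TYPE="lvm" PKNAME="luks-0000" MOUNTPOINT="[SWAP]"
'

# Constructed: the same LVM layout with no crypt layer underneath.
LSBLK_PLAIN='NAME="vda" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="vda1" TYPE="part" PKNAME="vda" MOUNTPOINT="/boot"
NAME="vda2" TYPE="part" PKNAME="vda" MOUNTPOINT=""
NAME="rhel-root" TYPE="lvm" PKNAME="vda2" MOUNTPOINT="/"
'

# Print "encrypted", "plaintext", or "no-root-found" for the given lsblk text.
root_is_encrypted() {
    printf '%s\n' "$1" | awk '
    NF > 0 {
        name = ""; type = ""; pk = ""; mp = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            val = kv[2]; gsub(/"/, "", val)
            if (kv[1] == "NAME") name = val
            else if (kv[1] == "TYPE") type = val
            else if (kv[1] == "PKNAME") pk = val
            else if (kv[1] == "MOUNTPOINT") mp = val
        }
        types[name] = type; parent[name] = pk
        if (mp == "/") rootdev = name
    }
    END {
        if (rootdev == "") { print "no-root-found"; exit }
        # Walk up the stack (e.g. lvm -> crypt -> part -> disk).
        for (d = rootdev; d != ""; d = parent[d])
            if (types[d] == "crypt") { print "encrypted"; exit }
        print "plaintext"
    }'
}

echo "encrypted sample: $(root_is_encrypted "$LSBLK_ENCRYPTED")"
echo "plain sample:     $(root_is_encrypted "$LSBLK_PLAIN")"
# On a live host (assumes util-linux lsblk with these columns available):
# root_is_encrypted "$(lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT)"
```

A "plaintext" result on a server that is meant to be protected is the finding to act on: without the crypt layer, anyone with console or hypervisor access can mount and edit /sysroot exactly as shown in the recovery procedure above.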
Password management is complex, and due to the amount of passwords that are managed by each organization it is not uncommon to forget credentials. Unfortunately, it is even more common for administrators to leave without passing along credentials for the next administrator. Adversaries could also break into systems using recovery techniques, requiring security professionals to implement controls to secure their assets. Because these situations are so common, it is important to know how to recover critical accounts in the Linux OS.