Please enable JavaScript.
Coggle requires JavaScript to display documents.
Linux Password Reset During Boot (Enterprise Level) - Coggle Diagram
Linux Password Reset During Boot (Enterprise Level)
Overview
Purpose
Reset forgotten local user password
Recover root account access
Emergency administrative access
Common Use Cases
Administrator forgot password
Root password expired
User account locked
Break-glass emergency recovery
Prerequisites
Physical Access
Console access
KVM/IPMI/iLO/iDRAC access
VMware/Hyper-V console access
Permissions
Authorized administrator approval
Change management process
Security team notification
Method 1 - RHEL / Rocky / AlmaLinux / Oracle Linux
Boot Process
Reboot Server
At GRUB Menu Press "e"
Locate Linux Kernel Line
Starts with "linux"
Contains "ro" parameter
Modify Kernel Parameters
Append
rd.break
Example
linux ... ro rd.break
Boot Into Emergency Shell
Press Ctrl + X
Remount Sysroot
Command
mount -o remount,rw /sysroot
Purpose
Make filesystem writable
Switch Root Environment
Command
chroot /sysroot
Purpose
Access installed OS environment
Reset Password
Root Account
passwd root
User Account
passwd username
SELinux Relabel
Command
touch /.autorelabel
Purpose
Fix SELinux contexts after password change
Exit Recovery Mode
Command
exit
exit
Reboot
reboot
Method 2 - Ubuntu
Boot Process
Reboot Server
Hold Shift During Boot
Open GRUB Menu
Select Recovery Mode
Recovery Menu
Choose
root Drop to Root Shell Prompt
Remount Root Filesystem
Command
mount -o remount,rw /
Reset Password
Root
passwd root
User
passwd username
Reboot
Command
reboot
Method 3 - Single User Mode
Edit GRUB Entry
Press "e"
Modify Kernel Line
Replace
ro
With
rw init=/bin/bash
Boot
Press Ctrl + X
Reset Password
Command
passwd username
Sync Filesystem
Command
sync
Reboot
Command
exec /sbin/reboot -f
Enterprise Security Controls
GRUB Password Protection
Prevent Unauthorized Recovery Access
Protect Bootloader Configuration
Configure GRUB Password
Generate Hash
grub2-mkpasswd-pbkdf2
Add To GRUB
superusers="admin"
password_pbkdf2 admin HASH
Rebuild GRUB
RHEL
grub2-mkconfig -o /boot/grub2/grub.cfg
UEFI
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
Benefits
Blocks password reset attacks
Protects kernel parameter editing
Improves compliance
Enterprise Recovery Workflow
Incident Reported
Password Lost
Ticket Created
Approval Process
Manager Approval
Security Approval
Recovery Access
Console Access
Authorized Administrator
Password Reset
Recovery Procedure
New Temporary Password
Post Recovery
User Changes Password
Audit Logs Reviewed
Ticket Closed
Enterprise Best Practices
Enable GRUB Password
Enable Full Disk Encryption
LUKS
TPM Integration
Maintain Break-Glass Accounts
Store Credentials In Vault
CyberArk
HashiCorp Vault
Restrict Console Access
Audit Password Resets
Document Recovery Procedures
Virtualization Environment
VMware
Open VM Console
Edit GRUB
Reset Password
Hyper-V
Connect VM Console
Edit GRUB
Reset Password
KVM
virsh console
GRUB Recovery
Cloud Servers
AWS EC2 Serial Console
Azure Serial Console
GCP Serial Console
Important Commands
Show Current User
whoami
Change Password
passwd username
Change Root Password
passwd root
Remount Filesystem
mount -o remount,rw /
Enter Installed System
chroot /sysroot
Trigger SELinux Relabel
touch /.autorelabel
Reboot
reboot
Security Risks
No GRUB Password
Anyone With Console Access Can Reset Password
Physical Access
Physical Access Equals System Control
Compliance Impact
PCI-DSS
ISO 27001
CIS Benchmarks
Interview Questions
How Do You Reset Root Password In Linux?
Boot Into GRUB
Add rd.break
Mount Filesystem RW
chroot /sysroot
passwd root
touch /.autorelabel
reboot
Why Use touch /.autorelabel?
Rebuild SELinux Labels
Prevent Login Issues
Why Is GRUB Password Important?
Prevent Unauthorized Password Resets
What Is chroot?
Changes Root Directory
Provides Access To Installed Operating System
Difference Between Recovery Mode And Single User Mode
Recovery Mode
Safer
Menu Driven
Single User Mode
Direct Shell Access
Faster Recovery
Enterprise Interview Answer
Forgotten Password Scenario
Verify Authorization
Access Console
Boot To GRUB
Enter Recovery Mode
Reset Password
Relabel SELinux
Reboot Server
Validate Login
Document Change
Update Ticket
Review Security Controls