Recover Root Password on CentOS 7

Post Written by
Mile Stojaković
Last modified on July 3rd, 2020 at 5:18 pm

As lots of system administrators have been in a situation where they misplaced their root passwords or confused Girlfriend's birthday with it... Well, to some of us at least :) Anyhow, just recently I happen to have got into an argument about whether to change the password on a monthly basis or less frequently. The only pros for changing passwords more frequently is that you will actually change it :), however, the very fact that humans are the weakest links in any security context, the same happens to be a problem here. People tend to use less secured passwords as frequently they are changing them. At one point, after I got back from vacation one of my private servers needed maintenance and I couldn't remember what was the latest root password - I tend not to write them anywhere.

So, I went down to hunt it back by following steps:

1. >Rebooted the server.
2. Accessed GRUB menu on the following message: The selected entry will be started automatically in 5s.
3. Pressed E to edit the current menu entry.
4. Scrolled down to locate the line starting with linux16. Pressed CTRL-E or END to move to the end of the line, and then typed the string rd.break.
5. Pressed CTR-X to boot the system.
6. The rd.break directive interrupts the boot sequence before the root filesystem is properly mounted. Confirmed this by running ls /sysroot
7. Remounted the root /sysroot filesystem as read-write and changed the root directory to /sysroot:mount –o remount, rw /sysroot chroot /sysroot
8. Changed the root password using passwd command.
9. Because SELinux is not running, the passwd command does not preserve the context of the /etc/passwd file. To ensure that the /etc/passwd file is labeled with the correct SELinux context, I have instructed Linux to relabel all files at the next boot with the following command:touch /.autorelabel
10. Typed exit to close the chroot jail, and then typed exit again to reboot the system.
11. It may have taken a few minutes for SELinux to relabel all files. Once I got a login prompt I was able to get in with new password.
12. Voila!

NOTE: Do not use your wife's, girlfriend's or boyfriend's birthdays as passwords, it is just making brute force much more effective. Instead, go for encrypted password containers, this way you don't have to memorize all passwords you use and still would be keeping them in secured environment.

Cya later!