Back to homepage

Reset a lost UNIX password

I found myself needing to reuse a box that was sitting in my room for a longer time unused. After I booted it up I realized that I forgot both the username and the password. That's kindof a problem. I tried to boot into recovery mode via the GRUB entry (debian stable), but it greeted me with a message Press Control-D to continue or give root password for maintenance. Well that's a catch 22.

Update 2019-09-08: added offline /etc/shadow way with openssl(1)

So how do you reset a password on UNIX?

It's as simple as it gets.

In general changing the root password consists of three steps

  1. Get into a root shell
  2. Remount the root filesystem as rw (otherwise the passwd(8) will fail)
  3. Change the password

Usually its the first step that is difficult. Here are some ways of getting a root shell

Single user mode

Some systems (especially BSDs) have a special boot option that runs the system in single-user mode, and usually gives you a root shell. NetBSD, OpenBSD and FreeBSD use the -s boot flag to bring the system up in single user mode. This should give you a root shell in most cases. See man boot.

Linux based systems take the argument single on the cmdline to boot it single-user mode, but its way easier to tell it to boot bash straight away with init=/bin/bash, which will execute the shell as soon as the kernel boots. This is so far the easiest way to do it.

Activating the boot loader varies on the system, on x86 based machines you usually get a menu that allows you to enter the options, and on Sparc based machines the boot prompt shows up after you press the Break key on the keyboard, or send a break if you are using a serial console. ARM machines don't really have a standard bootloader and vary depending on what you installed. If they have U-Boot, it shoul allow you to enter the boot consle some way (serial port, video output) - but not necesarily. Sometimes they just boot straight from the system disk, flash memory, etc. without any bootloader messages (for example, a typical Raspbian install does that). If that's the case, scroll down to see the offline password change method.

Remounting the shadow file partiton (single-user mode)

Systems booted in single user mode usually do not remount their root file system as rw, so you have to manually remount it. Other filesystems are usually not mounted at all, so if your passwd (shadow) file is on a filesystem separate from the rootfs, then you need to mount it first

On Linux, remounting the / partition is done this way:

# mount -o remout,rw /
BSDs dont have the remount nor rw option so it's done like this:
# mount -w /

It's worth to note here that the system may refuse to mount the filesystem if it was marked dirty, in which case you need to run fsck. It should tell you that anyway, so that's easy

Live/Install CD boot

Boot up an OS from a CD (it should be similar, or best, the same that you are recovering, and be of the same architecture of course). In my case there was debian stable x64 on the box, and I used an Arch install ISO (because I was sure it has the chroot command which is essential for what we are planning to do.)

Remounting the shadow file partition and chrooting (in case of livecd boot)

After it boots up and logs you in (or you log in with the default ISO credientials), find out where is your boxes / partition (or, to be precise, where /etc/shadow and /etc/passwd are)

fdisk -l

Now if you spot the partition which might look like your /, mount it:

mount /dev/sdXY /mnt 

Verify it's the / partition

ls /mnt

You should see the usual directories (/bin, /dev, /root etc.). If not, try another partiton (unmount this one with umount /mnt)

Now chroot into your box' /

chroot /mnt /bin/bash

It's good to provide the shell to run to chroot (/bin/bash) in case the Live CD uses a different shell (in case of arch it uses zsh which was not installed on the debian box, and chroot gave an error).

Now you can reset the password with

passwd

to reset root's password, or

passwd [username]

to reset it for a given user (provided you actually remember your username on the box which was not the case here ;) )

Its worth to mention that at this point you can do many other things, like add users, change groups, run visudo, etc., but I think it's more conveinient to do that when booted from the normal system after you recover your root pass

reboot

If everything went well you should be able to log in to your box with the new password

Manually editing /etc/shadow with a new hash from openssl(1)

This is a useful method if the system disk is a removable medium (for example an SD card on a Raspberry Pi, or an image file) or you can't chroot. You can mount the disk as a regular storage device with mount(8) or your file manager, and open the passwd file with a text editor. Then generatea new passwd hash with

openssl passwd -1

For example

$ openssl passwd -1
Password:
Verifying - Password:
$1$wQ8SQmPg$sKeetTLxSZvZbZfLHOgXU.

Obviously the password was typed in on stdin. There's your hash!

Then replace the hash in the passwd file for the specified user. -1 uses MD5 hashes. See openssl help passwd for more options.

Other tips and tricks

There are two files, passwd and shadow. passwd is a copy of the shadow file, but without the password data. It's used to look up user data. YOu can see that they have different permissions

You can see the list of users by examining /etc/passwd

In single-user mode, FreeBSD will ask for a password if the console is marked as insecure in /etc/ttys

On BSDs, the manpage for the bootloader is boot(8)

On Linux, the boot process is descibed in the boot(7) manpage, but the boot options are in the bootparam(7) manpage

When using a serial console, pressing ^\ (that is Control-backslash) will generate a break. VT320 sends a break after pressing the F5 key, other serial terminals have different keys for that (if you are using one, you probably know it anyway ;-) )

Back to homepage