Locked out - using various system recovery options to reset the password

From Void Linux Wiki

There are two main approaches to changing a password: using passwd or altering /etc/shadow. The passwd command creates a backup, /etc/shadow-, so this can be copied back too. Using the passwd command is preferable because the actions it takes might change in the future.

If you use encrypted volumes, caution is required. A lost password might be recovered using cracking software like john-the-ripper, but this works by recovering the password from the information in /etc/passwd and /etc/shadow, so changing these files could be a big mistake.

Rescue mode from the Grub menu.

Depending on how rescue mode and sulogin have been set up, rescue mode could give you a root shell without a password being required. There are 3 methods of gaining a root shell early in the boot process by editing the kernel command line. After the BIOS completes, a Grub menu is shown; if it isn't, it might be possible to persuade it to be visible by some means. Press the down arrow to select advanced options. Then, with the usual kernel entry (usually the entry at the top) highlighted, press e to edit it. Move the cursor with the arrow keys down to the line below the one starting:

 linux       /boot/vmlinuz...

Move the cursor back to the end of that line and add this:

 rd.break

Then, following the onscreen Grub instructions, press F10 to boot. Adding rd.break uses dracut to boot to an initramfs root shell early in the boot sequence. There is a minimal set of facilities in /, and the usual / partition on the hard drive is mounted read-only in /sysroot. To reset the password and continue the boot to the usual environment:

 mount -o remount,rw /sysroot
 /sysroot/usr/bin/passwd root
 # Enter the new password as directed by the passwd dialogue
 cd /
 /sysroot/bin/sync
 mount -o remount,ro /sysroot
 /sysroot/bin/sync
 exec /sysroot/sbin/init 016

It's also possible to bind the VFS and chroot to /sysroot:

 mount -l
 findmnt
 mount -o remount,rw /sysroot
 for d in dev sys run proc; do mount --bind /$d /sysroot/$d; done
 chroot /sysroot
 passwd
 # Enter the new password as directed by the passwd dialogue
 exit
 for d in dev sys run proc; do umount -R /sysroot/$d; done
 /sysroot/bin/sync
 mount -o remount,ro /sysroot
 /sysroot/bin/sync
 exec /sysroot/sbin/init

Init needs to be PID 1. The rescue shell is currently PID 1, so exec is required: it replaces the running process with the new one. cd / isn't needed if you're there already.


Or append one of these to the kernel command line to get a root shell slightly later in the boot process:

 init=/bin/bash
 init=/bin/sh

The most user friendly shell environment is bash, with autocomplete, history, better command prompt editing and general behaviour. These give a more familiar rescue mode type environment with a root shell and everything in / as usual, although rd.break could provide more flexibility for problematic file system arrangements.

 mount -o remount,rw /
 passwd
 cd /
 sync
 mount -o remount,ro /
 sync
 exec /sbin/init

Using a Void Linux installation image as a rescue disk.

Boot to the desktop using load to RAM if possible. Open a terminal. Identify the drive partition(s) that need to be mounted:

 sudo fdisk -l
 lsblk

In this example /dev/sda1 contains everything except swap. The partition is formatted as ext4. It's a BIOS MBR and doesn't use LVM or RAID. Extra steps could be required for more complex setups. Mount the partition on /mnt and use the passwd on the recovery disk, then shut down after unmounting and remove the rescue disk.

 sudo mount -t ext4 /dev/sda1 /mnt
 sudo passwd -R /mnt root
 sudo umount /mnt

Use the passwd on the target drive using chroot. This approach could be required if LVM is used.

Mount the partition and bind the various virtual file systems to create a fully operational environment. Leave the rescue disk environment and chroot into the target OS. This starts a root shell using sh. While not essential for this simple task, a more user friendly shell can be easily set up. Switch to bash as the shell and set up the usual environment variables with /etc/profile. Change the password, exit the bash shell, exit the chroot, and unmount everything.

 sudo mount -t ext4 /dev/sda1 /mnt
 for d in dev sys run proc; do sudo mount --bind /$d /mnt/$d; done
 sudo chroot /mnt
 bash
 source /etc/profile
 passwd root
 exit
 exit
 sudo umount --recursive /mnt

It's possible umount can fail due to a process still using some file inside /mnt. Closing the terminal window in the rescue image desktop and opening a new one might fix this. The ps and kill commands could be used too. The above sequence completed without problems. The directories which are attached using mount --bind are from the rescue image, so changes made to these inside the chroot would persist outside.

Editing /etc/shadow

This entry shows the root account with a locked password; there is an exclamation mark in the first field, :!:

 root:!:16927:0:99999:7:::

This entry shows root with an encrypted password:

 root:$6$/sih1uZz$o478zJPoVIjPkP.tASZvelnlHZPVNlatyPE2Qt3ZlHy9oxF/07RlE3y4.shfOnxwigZWjcy6doAtqRNKyVMM5/:16927:0:99999:7:::

If a user password is set up, it can be utilised to regain root access. Copy the encrypted field for the user password to the root entry after deleting the ! and the user password will work for root. Deleting the ! and leaving the password field empty will render the account passwordless, but this is a bad idea. If any malware is present, this allows it to gain and keep full access, regardless of how fast the password is reinstated.
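A check to run after editing the file by hand, as an added example that is not part of the wiki page: it reads a shadow-format file and reports, per account, whether the password field is empty, locked with !, or holds a hash, and notes when two accounts share the same hash, as root does after a user's field has been copied to it. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the password field of each
# entry in a shadow-format file after a manual edit.
# Usage: shadow_audit FILE
# Prints "name state" per entry; exit status is 1 if any field is empty.
shadow_audit() {
    awk -F: '
        NF < 2 || /^#/ { next }                 # skip malformed lines
        {
            pw = $2
            if (pw == "")                state = "EMPTY"        # passwordless login
            else if (pw ~ /^[!*]+$/)     state = "locked"       # no usable hash
            else if (pw ~ /^!/)          state = "locked+hash"  # hash kept, disabled by "!"
            else if (pw ~ /^\$[0-9a-z]+\$/) {
                split(pw, part, "$")     # "$6$salt$hash" -> part[2] is "6"
                state = "hash:" part[2]
                # Same hash string on two accounts: one field was copied.
                if (pw in owner) state = state ",same-as:" owner[pw]
                else owner[pw] = $1
            }
            else                         state = "other"
            print $1, state
            if (state == "EMPTY") empty = 1
        }
        END { exit empty + 0 }
    ' "$1"
}

# Constructed sample entries; the hash strings are fake placeholders.
make_sample() {
    cat > "$1" <<'EOF'
root:$6$CONSTRUCTEDsalt$CONSTRUCTEDhashAAAA:16927:0:99999:7:::
alice:$6$CONSTRUCTEDsalt$CONSTRUCTEDhashAAAA:16927:0:99999:7:::
daemon:!:16927:0:99999:7:::
bob::16927:0:99999:7:::
carol:!$6$CONSTRUCTEDsalt$CONSTRUCTEDhashBBBB:16927:0:99999:7:::
EOF
}

sample=$(mktemp)
make_sample "$sample"
shadow_audit "$sample" || echo "warning: passwordless account present"
rm -f "$sample"
```

An entry reported as same-as means root still shares a user's password; set a separate root password with passwd once access is restored.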

The passwd command creates a backup of /etc/shadow called /etc/shadow- which can be copied back. When editing /etc/shadow you might need to alter the file permissions to make it writable and change it back afterwards:

 ls -l /etc/shadow
 -r-------- 1 root root 247 May  7 14:11 /etc/shadow
 sudo chmod u+w /etc/shadow
 ls -l /etc/shadow
 -rw------- 1 root root 247 May  7 14:11 /etc/shadow
 sudo chmod u-w /etc/shadow
 ls -l /etc/shadow
 -r-------- 1 root root 247 May  7 14:11 /etc/shadow

This wasn't required when using:

 sudo nano /etc/shadow

Other passwords

BIOS security password
Many BIOSes include an option to set a supervisor and user password. These can be reset via a hardware-specific unmarked jumper on the motherboard or in the BIOS menu if access is still possible. If no option to remove the password is available, it might be rendered passwordless again by selecting reset, then just pressing enter. These passwords can be used to selectively lock the BIOS menu and other actions like booting the computer.
HDD password
In the BIOS menu you will probably find you can set a password on the hard drive. This may require a data recovery specialist to unlock it; replacing the drive might be more cost effective. Possibly this could also be reset as above if suitable information could be found.