How to Reset Root Password on Rocky Linux 9/10, RHEL 9, CentOS Stream: GRUB Guide



Losing or forgetting the root password can lock you out of a Linux system entirely. This guide explains how to safely reset the root password on RHEL-based distributions (RHEL, CentOS, Rocky Linux) using the GRUB recovery method.

The demonstration uses Rocky Linux, but the same steps apply to all RHEL-based distributions.

Please note:
  • This guide is intended for system owners or administrators with authorized access to the system.
  • This method requires direct console access (physical or virtual) to the system. It cannot be performed over SSH.
  • For encrypted systems, the LUKS passphrase is still required to unlock the disk before proceeding.

Step 01: Access GRUB Edit Mode

Reboot the system (on a VM, power-cycle it; on a physical machine, run shutdown -r if you have sudo).
At the GRUB boot menu, select the first entry (the latest kernel) with the arrow keys if needed, then press e to edit it. If the menu is hidden, hold Shift during boot to display it.

[Screenshot: Rocky Linux 9 GRUB2 boot menu - press e to edit]

Step 02: Modify Kernel Parameters

Locate the kernel line that starts with linux or linux16, find ro, and replace ro with the following parameters: 
rw init=/sysroot/bin/sh
Example: 
linux /vmlinuz-5.14.0-427.el9.x86_64 root=/dev/mapper/rlx-root rw init=/sysroot/bin/sh rd.lvm.lv=rlx/root rd.lvm.lv=rlx/swap rhgb quiet

This mounts the root filesystem in read-write mode and boots directly into a shell instead of the normal init process.

[Screenshot: GRUB editor - before replacing ro]

[Screenshot: GRUB editor - after rw init=/sysroot/bin/sh]

Step 03: Boot to Rescue Shell

Press Ctrl + X to boot the system with the modified parameters.
The system drops to an emergency shell with no login prompt.

[Screenshot: Rocky Linux recovery shell]

Step 04: Switch Into The Real Root Filesystem

Use the command:
chroot /sysroot
The real root filesystem is mounted at /sysroot. After chroot, commands affect the real system (not the initramfs).

[Screenshot: chroot /sysroot executed in recovery mode]

Step 05: Reset Root Password

Use the command: 
passwd root
Then enter the new password at the prompt and re-enter it at the following prompt to confirm it.
(Note: You won't see the password as you type; this is expected behavior.)

[Screenshot: passwd root command output - password changed]

Step 06: Fix SELinux Labels (CRITICAL)

Use the command:
touch /.autorelabel
RHEL-based systems use SELinux, and changing the root password this way can leave files with incorrect SELinux labels. The command above forces SELinux to relabel files on the next boot.
Note 01: If you skip this command, you will not be able to access the root account.
Note 02: If your new password doesn't work, you most likely made a mistake during this step; if that happens, start again from step 01.

[Screenshot: touch /.autorelabel created in recovery mode]

Step 07: Exit & Reboot

Use the command: 
exit
to exit the rescue shell and reboot the system. Depending on the distro/version, exit may drop back to the initramfs shell instead of rebooting. In that case, use:
exit
reboot
[Screenshot: exit recovery mode and reboot]

The system will reboot, which may take some time due to SELinux relabeling, and you will then be able to log in as root using the new password.
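
A post-reboot check for the procedure above, as an added example that is not part of the original guide. It confirms that the one-time init= edit from step 02 is gone, that /etc/shadow carries the shadow_t label (an assumption: the default targeted SELinux policy), that the root password was changed in the last day, and that /.autorelabel was consumed. The function names are hypothetical and the sample values are constructed.

```bash
#!/usr/bin/env bash
# Post-reset checks for the GRUB procedure (added example; helper names are illustrative).

# 0 if the kernel command line carries an init= override such as the step 02 edit.
cmdline_has_init_override() {
    case " $1 " in *" init="*) return 0 ;; esac
    return 1
}

# Print the SELinux type: third field of user:role:type:level.
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# changed_recently <shadow_line> <today_days> <max_age>; field 3 = last change, days since 1970-01-01.
changed_recently() {
    local lastchg age
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    case "$lastchg" in ''|*[!0-9]*) return 1 ;; esac
    age=$(( $2 - $lastchg ))
    [ "$age" -ge 0 ] && [ "$age" -le "$3" ]
}

# verify_reset <cmdline> <shadow_context> <root_shadow_line> <today_days> <root_dir>
verify_reset() {
    local rc=0
    if cmdline_has_init_override "$1"; then
        echo "FAIL: init= override still on the kernel command line"; rc=1
    fi
    if [ "$(selinux_type "$2")" != "shadow_t" ]; then
        echo "FAIL: /etc/shadow is not labelled shadow_t"; rc=1
    fi
    if ! changed_recently "$3" "$4" 1; then
        echo "FAIL: root password not changed within the last day"; rc=1
    fi
    if [ -e "$5/.autorelabel" ]; then
        echo "FAIL: /.autorelabel still present, relabel has not completed"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: reset looks complete"
    return "$rc"
}

# With --live (run as root) the running system is inspected; otherwise a constructed sample.
if [ "${1:-}" = "--live" ]; then
    verify_reset "$(cat /proc/cmdline)" "$(stat -c %C /etc/shadow)" \
        "$(grep '^root:' /etc/shadow)" "$(( $(date +%s) / 86400 ))" ""
else
    # Constructed sample: a boot that still carries the step 02 edit (expected to FAIL).
    verify_reset "root=/dev/mapper/rlx-root rw init=/sysroot/bin/sh" \
        "system_u:object_r:shadow_t:s0" 'root:$6$constructed:20000:0:99999:7:::' 20000 /nonexistent || true
fi
```

Run it as root with --live after the final reboot. An init= entry that is still present on a normally booted system means the edit was made persistent in the GRUB configuration rather than applied once.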
