How to reset a forgotten root password & why it means a bootloader password is needed
Apr 18, 2009 Linux
Linux Systems: Sometimes we can become a little forgetful and don’t remember the password to log in to our user account. This is generally no big deal, because we can just log in to the root account, reset the password, and move on. But what happens when we forget the root password? It’s actually fairly simple to reset a forgotten root account password.
When your computer is booting up, you will notice a screen which says “Press Esc to enter menu…”, or something similar. Press Esc. You should see a screen similar to this come up. Yours may look a little different, but GRUB is GRUB no matter which distribution you are using.

Next, use the arrow keys to select the OS you want to boot into, and then hit the e key. You will see 3 options: root, kernel, and initrd. Use the arrow keys to select kernel, and once again hit the e key.

In the next screen, all we are going to do is add a space and then an S to the end of the line. (Make sure it is a capital S.) Hit Enter. This will bring you back to the edit options screen shown above, with kernel still selected. Press b to boot the OS into Single User Mode.
Your OS will boot into a virtual terminal with a shell prompt that should look something like this:

You can now change your root password. To do so type:
passwd
It will then prompt you to enter the new password. Type in your password and hit Enter. It will prompt you to type your password again. Once you have typed your password in twice, reboot your computer by typing:
reboot

Once the computer reboots, you should be able to login to your root account with your new password with no problems.
So what does this have to do with a bootloader password? Imagine if your box gets into the wrong hands, and those hands know how to boot into Single User Mode. They could wreak havoc on your system with root access, and worst of all, they could change your root password and add their own bootloader password, locking you out of your system. The lack of a bootloader password is a real security risk, and requiring one belongs in your network’s security policy.
To add a password to GRUB bootloader, go into your command prompt / virtual terminal, as root, and type:
grub-md5-crypt
You will be prompted for a password twice. Once you have entered your password twice, the encrypted (MD5-hashed) password is shown.

Select and right click the encrypted password, select Copy, and then type:
vi /etc/grub.conf
(This path is for Red Hat based distributions.) Now your grub configuration file is in front of you. Look for the line that says splashimage and use the arrow keys to go to that line. Type a lower case o; this puts you in insert mode and creates a new line below the splashimage line. In this new line type:
password --md5 <paste the encrypted password here>

Once you have finished adding the encrypted password to the grub configuration file, hit Esc. To save and quit type:
:wq
And hit Enter. Note: Don’t worry about where in the file to type :wq, as it will automatically be shown at the bottom. The next time you reboot, you will notice the grub bootloader screen (as shown in the first screenshot in this tutorial) now looks a little different: it asks you to hit p to enter a password before it offers the options that were there before we secured the bootloader.
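To check that the password line actually landed in the right place, here is a small audit script written for this post (it is not part of the original tutorial or of GRUB). It parses a GRUB legacy grub.conf in the layout edited above, reports whether a global password directive is present before the first title entry, and whether it is the hashed --md5 form rather than a plaintext password. The sample configs and the hash value are constructed placeholders.

```python
import re

# Constructed sample GRUB legacy grub.conf in the layout the tutorial edits;
# the value after --md5 is a placeholder, not a real MD5-crypt hash.
SECURED_CONF = """\
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
password --md5 $1$EXAMPLEsalt$EXAMPLEplaceholderhash
title Example Linux
        root (hd0,0)
        kernel /vmlinuz-example ro root=/dev/sda1
        initrd /initrd-example.img
"""
# Same config with the password line removed (the state before the fix).
UNSECURED_CONF = "\n".join(l for l in SECURED_CONF.splitlines()
                           if not l.startswith("password")) + "\n"
# A plaintext 'password' directive: GRUB accepts it, but the secret is
# readable by anyone who can read grub.conf.
PLAINTEXT_CONF = SECURED_CONF.replace(
    "--md5 $1$EXAMPLEsalt$EXAMPLEplaceholderhash", "secret")

# GRUB legacy syntax: password [--md5] PASSWD [NEW-CONFIG-FILE]
PASSWORD_RE = re.compile(r"^password\s+(--md5\s+)?(\S+)")


def audit_grub_conf(text):
    """Classify a GRUB legacy config: is a global password set, is it hashed?

    Only directives before the first 'title' are global; a 'password' line
    inside an entry protects that entry only, so it is not counted here.
    """
    result = {"password_set": False, "hashed": False, "entries": 0}
    in_entry = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("title"):
            in_entry = True
            result["entries"] += 1
            continue
        if in_entry:
            continue
        m = PASSWORD_RE.match(line)
        if m:
            result["password_set"] = True
            # grub-md5-crypt produces MD5-crypt, which always begins "$1$".
            result["hashed"] = m.group(1) is not None and m.group(2).startswith("$1$")
    return result
```

The script only confirms that the directive is present and hashed; it says nothing about whether the hash is strong or about other ways to reach the disk.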
This tutorial was written using CentOS 5 and can be used for any Red Hat based distribution. For information on how to do this in Debian based distributions, (e.g. Ubuntu), please visit Debian Tutorials. For more information about GNU GRUB, please read the GNU GRUB man page at GNU.