Resetting the root Password on RHEL (RHEL 9 & 10)

Resetting the root Password on RHEL (RHEL 9 & 10)

Resetting the root password on RHEL 9/10 is critical for system recovery, requiring either rd.break (RHEL 9) or init=/bin/bash (RHEL 10) to bypass secure boot and remount the filesystem read-write. A misconfigured sudoers file or unpropagated secrets can lock out administrators, necessitating these procedures.

Why This Matters

Administrative access loss due to sudoers misconfigurations or unpropagated secrets is a common cause for system recovery. While secure systems aim to prevent unauthorized access, the reality of production environments demands robust recovery mechanisms. Forgetting to remount the filesystem read-write or skipping SELinux relabeling can lead to failed logins or extended downtime, with costs measured in hours of service disruption and security risks.

Key Insights

• “Losing administrative access happens: a sudoers misconfiguration, a rotated vault secret that wasn’t propagated, or an offboarding gone wrong.” (DhavalThakar, 2025)
• “Sagas over ACID for e-commerce” – analogous to using rd.break or init=/bin/bash for transactional password resets in distributed systems.
• “Cloud providers (AWS, Azure, GCP) use serial consoles or rescue VMs for password resets on encrypted or locked GRUB systems.”

Working Example

# Method A: RHEL 9 (rd.break)
mount -o remount rw /sysroot
chroot /sysroot
passwd
touch /.autorelabel
exit
exit

# Method B: RHEL 10 (init=/bin/bash)
mount -o remount rw /
passwd
touch /.autorelabel
exec /sbin/init

Practical Applications

• Use Case: Cloud VMs with locked GRUB require rescue ISOs to edit /etc/shadow or use chroot for password resets.
• Pitfall: Forgetting to remount the filesystem read-write leads to “Permission denied” errors during password reset.

References:

• https://dev.to/dhavalthakar97/linux-in-action-resetting-the-root-password-on-rhel-10-28j2

---