Resetting the root password on Debian Linux

Maros Kukan
Aug 7, 2023

Foreword

Different paths can often lead to the same destination.
— unknown

Where is my water… sorry, I meant “Where is my password”? I am sure most of us are familiar with the situation: we deployed a system a long time ago and did not write down the users’ credentials, because we were sure we would not forget our favorite password, or because we thought the system would only be around temporarily.

Well, it never hurts to understand the password recovery process. It is even better to practice the procedure at least once, so that when the time comes we are ready to reset the root password.

Prerequisites

Although not mandatory, to fully benefit from this guide I recommend getting familiar with the Linux boot process. Below is a quick recap of the important steps that take place:

  1. Firmware initialization
  2. Bootloader initialization
  3. Initramfs initialization
  4. Handover to kernel
  5. Kernel initialization
  6. Systemd initialization
  7. Service activation
  8. User login

Refer to Resetting the root password on Red Hat Enterprise Linux for a more detailed description of the steps above, especially the section about initramfs (initial RAM disk).

Environment Setup

The environment for this exercise is very simple and consists of a single Debian 12 (Bookworm) virtual machine. We use Vagrant to abstract the underlying VM lifecycle.

💡Tip: Not familiar with Vagrant? Learn how to save time managing local development environments at scale in Managing Dev Environments with Vagrant.

💡Tip: Curious how this virtual machine template was built in the first place? Learn how to automate golden image creation in Automating Golden Image builds with Packer.

# Create new project directory
New-Item -ItemType Directory -Force -Path "$HOME\projects\debian"

# Move to this directory
cd $HOME\projects\debian

# Download the Vagrant file
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/maroskukan/linux-cookbook/main/Vagrantfiles/debian12/Vagrantfile" `
-OutFile Vagrantfile

📝Note: The Vagrant Box used in this demo is maroskukan/debian12. This virtual machine template comes with UEFI firmware and supports Microsoft Hyper-V, VMware Workstation and Oracle VirtualBox.

Next, we create and start the virtual machine using the vagrant up command. If multiple backends (Hyper-V, VMware Workstation or Oracle VirtualBox) are available, we can select one with the --provider option.

vagrant up --provider vmware_desktop

Bringing machine 'debian12' up with 'vmware_desktop' provider...
==> debian12: Cloning VMware VM: 'maroskukan/debian12'. This can take some time...
==> debian12: Checking if box 'maroskukan/debian12' version '2023.07.26' is up to date...
==> debian12: Verifying vmnet devices are healthy...
==> debian12: Preparing network adapters...
==> debian12: Starting the VMware VM...
==> debian12: Waiting for the VM to receive an address...
==> debian12: Forwarding ports...
debian12: -- 22 => 2222
==> debian12: Waiting for machine to boot. This may take a few minutes...
debian12: SSH address: 127.0.0.1:2222
debian12: SSH username: vagrant
debian12: SSH auth method: private key
debian12:
debian12: Vagrant insecure key detected. Vagrant will automatically replace
debian12: this with a newly generated keypair for better security.
debian12:
debian12: Inserting generated public key within guest...
==> debian12: Machine booted and ready!
==> debian12: Setting hostname...

Virtual machines provisioned through Vagrant will not show up in the VMware Workstation UI by default. In order to open the VM console, we find the configuration file packer-debian12.vmx and open it from the VMware Workstation UI.

# Retrieve the Virtual Machine Configuration File
$vmPath = (Get-ChildItem -Path . -Filter 'packer-debian12.vmx' -Recurse).FullName

# Open configuration file
explorer $vmPath

Once the virtual machine console is displayed, log in as the vagrant user with the password vagrant. By inspecting the /etc/shadow file, you may notice that the root user account does not have a password set and is locked.

# Inspect the root account
sudo grep root /etc/shadow

root:!:19564:0:99999:7:::

💡Tip: You can verify the state of the root user account password with sudo passwd -S root.
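The fields of the shadow entry shown above can be decoded by hand. The following is an added example, not part of the original article: it classifies the password field the way passwd -S reports it and converts the last-change field to a date. The function names are illustrative and GNU date (as shipped with Debian) is assumed.

```sh
#!/bin/sh
# Added example: decode the password and last-change fields of a shadow(5) entry.
# Field order: name:hash:lastchg:min:max:warn:inactive:expire:reserved

shadow_state() (
    # Classify field 2 the way `passwd -S` reports it: L, NP or P.
    hash=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$hash" in
        "")        echo "NP" ;;  # empty field: no password set
        '!'*|'*'*) echo "L"  ;;  # leading ! or *: no password can match (locked)
        *)         echo "P"  ;;  # a usable password hash is present
    esac
)

shadow_last_change() (
    # Field 3 counts days since 1970-01-01 (UTC).
    days=$(printf '%s\n' "$1" | cut -d: -f3)
    case "$days" in
        "")       echo "aging-disabled" ;;        # empty: password aging is off
        *[!0-9]*) echo "invalid" ;;               # not a plain day count
        0)        echo "change-at-next-login" ;;  # special value in shadow(5)
        *)        date -u -d "@$((days * 86400))" +%F ;;  # assumes GNU date
    esac
)

# Sample input: the root entry shown in the article.
entry='root:!:19564:0:99999:7:::'
echo "state=$(shadow_state "$entry") last_change=$(shadow_last_change "$entry")"
```

For the entry above this reports a locked password last changed on 2023-07-26, the same date as the box version in the vagrant up output.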

To make this example more realistic we are going to update the root password to a random value.

# Generate a random password
random="$(openssl rand -hex 16)"

# Update root credentials
echo -e "${random}\n${random}" | sudo passwd

New password: Retype new password: passwd: password updated successfully

Next, reboot the system with the sudo systemctl reboot command.

💡Tip: While using VMware Workstation, I found that the default firmware boot order may not be optimal. The EFI Network option comes before the disk where the boot loader is installed, which adds some delay to the initialization process.

Password Reset Process

Method 1: Using break kernel argument

The break kernel argument, as described in the initramfs-tools man page, can be used to spawn a shell in the initramfs image. By default, the shell is spawned at the premount stage.

This is very useful, as it allows us to mount the real root file system. Once mounted we can use chroot to work with the target environment.

💡Tip: Change root, or chroot for short, is a Linux command that allows a user to change the apparent root directory for a running process and its children.

In order to spawn a shell in the initramfs image, we need to interrupt the boot process at the GRUB menu. If the GRUB timeout is disabled, you can interrupt the boot process by holding the left SHIFT key during boot.

Press e at the main GRUB entry and append break to the kernel line (the one containing the vmlinuz keyword). Press Ctrl-X to boot.

💡Tip: If you want to see more verbose output from boot process, remove the quiet argument from the list.

Figure: Using break argument

After boot, we need to create a mount point, mount the root file system (in this case an LVM volume) and chroot into this environment. From there we can change the root user password using the passwd command.

# Create a directory to mount the root volume
mkdir /sysroot

# Mount the root volume
mount -t ext4 /dev/debian-vg/root /sysroot

# Change root
chroot /sysroot

# Update the password
passwd
New password: LinuxRocks
Retype new password: LinuxRocks

# Exit the chroot env
exit

# Unmount the root volume
umount /sysroot

# Exit the initramfs env
exit

Figure: Initramfs Shell

Method 2: Using init kernel argument

The init kernel argument, also described in the initramfs-tools man page, can be used to define the binary to hand over execution to on the root fs after the initramfs scripts are done. This is the first process, or PID 1, which is usually systemd or openrc.

By using this argument we can choose a different binary to start as the first process. For example, we can start a bash shell process.

Press e at the main GRUB entry and append init=/bin/bash to the kernel line (the one containing the vmlinuz keyword). Press Ctrl-X to boot.

Figure: init option

After boot, the root file system is mounted in read-only mode at /. We need to remount it in read-write mode and update the root user password with the passwd command.

Finally, we use exec to replace the current process with the init process.

# Display the mount options for root filesystem
mount | grep root
/dev/mapper/debian-vg-root on / type ext4 (ro,relatime)

# Remount the root filesystem as read-write
mount -o remount,rw /

# Update the root password
passwd
New password: LinuxRocks
Retype new password: LinuxRocks

passwd: password updated successfully

# Replace the current shell process with init
exec /sbin/init

Figure: Password recovery using init

💡Tip: You can skip this remount process if you change the ro to rw in the kernel parameters above.

Once you hit that final Enter to invoke init, you will be presented with a login shell.
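A check for the overrides used in Method 1 and Method 2, as an added example that is not part of the original article: it scans a kernel command line for break, a non-default init= and rw. The function name, the finding labels, the list of default init paths and the sample command line are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: report the boot overrides from Method 1 and Method 2
# when they appear on a kernel command line.

audit_cmdline() (
    # $1: a kernel command line, e.g. the contents of /proc/cmdline.
    # Prints one finding per line, or "clean" when none is present.
    # Limitation: arguments with quoted spaces are split on the spaces.
    set -f            # no globbing while word-splitting the command line
    findings=0
    for arg in $1; do
        case "$arg" in
            break)    # Method 1: the shell is spawned at premount by default
                echo "initramfs-shell stage=premount"; findings=1 ;;
            break=*)  # Method 1 with an explicit stage
                echo "initramfs-shell stage=${arg#break=}"; findings=1 ;;
            init=*)   # Method 2: PID 1 replaced by another binary
                case "${arg#init=}" in
                    # Assumed defaults; adjust for your init system.
                    /sbin/init|/lib/systemd/systemd) ;;
                    *) echo "init-override path=${arg#init=}"; findings=1 ;;
                esac ;;
            rw)       # the tip above: ro changed to rw to skip the remount
                echo "root-mounted-rw"; findings=1 ;;
        esac
    done
    [ "$findings" -eq 1 ] || echo "clean"
)

# Constructed sample: a default entry with Method 2 applied.
sample='BOOT_IMAGE=/vmlinuz-constructed root=/dev/mapper/debian-vg-root rw quiet init=/bin/bash'
echo "sample:"
audit_cmdline "$sample"

# The running system, when /proc is available.
if [ -r /proc/cmdline ]; then
    echo "running system:"
    audit_cmdline "$(cat /proc/cmdline)"
fi
```

/proc/cmdline is fixed at boot, so a system recovered with Method 2 and continued with exec /sbin/init keeps reporting init=/bin/bash until the next reboot.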

Cleanup

When done exploring the environment, we can clean up by removing the vagrant virtual machine.

# Move to project directory
cd $HOME\projects\debian

# Delete the Virtual Machine
vagrant destroy -f

# Remove the project directory
Remove-Item -Path $HOME\projects\debian -Recurse

Closing thoughts

In conclusion, having a clear grasp of the boot process can prove highly advantageous when dealing with system troubleshooting and maintenance tasks. I look forward to hearing your insights in the comments section. Until we meet again, thank you for taking the time to read.
