DhavalThakar97
Linux in Action: Resetting the root Password on RHEL (RHEL 9 & 10)

Introduction

Losing administrative access happens: a sudoers misconfiguration, a rotated vault secret that wasn’t propagated, or an offboarding gone wrong. On RHEL 9/10 systems, you can recover by booting into a minimal environment, remounting the system read‑write, and resetting the root password safely.

⚠️ Only perform these steps on systems you are authorized to administer. For production servers, use an approved change window and capture evidence for audit.

This article maps one method to each release:

  • Method A: RHEL 9 using rd.break (dracut emergency shell)
  • Method B: RHEL 10 using init=/bin/bash (single‑user shell)

It also includes cloud/secure‑boot notes, a security checklist, troubleshooting, and a real‑world business scenario.


Prerequisites

  • Console access (local KVM/iLO/DRAC, VM console, or cloud serial console).
  • If full‑disk encryption is enabled, you still need the LUKS passphrase at boot.
  • Systems with a GRUB password or Secure Boot policies may require an approved break‑glass procedure.
  • SELinux is typically enforcing on RHEL—plan an autorelabel step or the login may fail after reset.

Method A: rd.break (RHEL 9)

This method uses the dracut emergency target and a chroot into the installed system.

  1. Reboot the server. When the GRUB menu appears, select the default kernel entry and press e to edit.
  2. On the line beginning with linux (or linuxefi), append a space and:
   rd.break
  3. Press Ctrl+X (or F10) to boot.
  4. You will land at a dracut shell with the root filesystem mounted under /sysroot read‑only. Remount it read‑write:
   mount -o remount,rw /sysroot
  5. Chroot into the installed system:
   chroot /sysroot
  6. Reset the root password:
   passwd

Enter and confirm the new password.

  7. Schedule an SELinux relabel so that file contexts match the rewritten /etc/shadow:
   touch /.autorelabel
  8. Exit the chroot and the emergency shell:
   exit
   exit

The system will continue boot or reboot. The relabel may take several minutes.


Method B: init=/bin/bash (RHEL 10)

This method boots directly into a single‑user shell without systemd.

  1. Reboot, press e on the GRUB entry, and on the linux line append:
   init=/bin/bash
  2. Press Ctrl+X (or F10) to boot into a bash shell.
  3. Remount the root filesystem read‑write:
   mount -o remount,rw /
  4. Reset the root password:
   passwd
  5. Schedule an SELinux relabel on the next boot:
   touch /.autorelabel
  6. Continue the normal boot sequence:
   exec /sbin/init

Cloud/Virtual Machines & Locked GRUB

  • GRUB password or UEFI Secure Boot: you may be prompted before you can edit the boot line. Engage your break‑glass procedure or use an attached rescue ISO.
  • Cloud providers (AWS, Azure, GCP): use the serial/console feature. If GRUB editing is blocked, detach the disk and attach it to a rescue VM to edit /etc/shadow or set the password via chroot.

Post‑Reset Tasks (Security & SELinux)

After you confirm the new password works:

  • Re‑enable policy: If your environment normally disables direct root login, lock the account again and rely on sudo:
  passwd -l root
  • Audit: Record the change ticket, timestamp, and the reason. Update your runbook.
  • Rotate credentials in your password vault and notify on‑call/SOC if required.
  • Check SELinux status and relabel result:
  sestatus
  ausearch -m USER_LOGIN -ts recent || true
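
A post-reset check to go with the tasks above, as an added example that is not part of the original article: it flags the rd.break and init= boot parameters from Methods A and B in a kernel command line or kernel log, and reports whether root's shadow entry is locked. The function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-reset audit helpers. Function names are hypothetical.

# Print every break-glass boot parameter found on stdin. Accepts a raw
# kernel command line or kernel log lines ("Kernel command line: ...").
# Any init= override is flagged (assumption: normal boots here set none).
breakglass_params() {
    awk '{
        sub(/^.*Kernel command line: /, "")
        for (i = 1; i <= NF; i++)
            if ($i == "rd.break" || $i ~ /^rd\.break=/ || $i ~ /^init=/)
                print $i
    }'
}

# Read shadow-format lines on stdin; print root's password state and the
# last-change field (days since 1970-01-01).
root_shadow_state() {
    awk -F: '$1 == "root" {
        if ($2 == "")         s = "empty"     # no password at all
        else if ($2 ~ /^!/)   s = "locked"    # what passwd -l produces
        else if ($2 ~ /^\*/)  s = "disabled"  # no valid hash
        else                  s = "set"
        print s, $3
        exit
    }'
}

# Constructed sample data, not taken from a real host.
SAMPLE_LOG='kernel: Kernel command line: BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro rd.break
kernel: Kernel command line: BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro rhgb quiet'
SAMPLE_SHADOW='root:!!$6$constructed$constructed:20000:0:99999:7:::'

printf '%s\n' "$SAMPLE_LOG"    | breakglass_params   # prints: rd.break
printf '%s\n' "$SAMPLE_SHADOW" | root_shadow_state   # prints: locked 20000

# On a real host (as root):
#   breakglass_params < /proc/cmdline
#   root_shadow_state < /etc/shadow
```

Because the relabel ends in a reboot, /proc/cmdline on the running system may already be clean; kernel log lines from the recovery boot are the better input when they have been retained.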

Troubleshooting

  • Permission denied / read‑only: You likely forgot the remount step. Use mount -o remount,rw / or, for Method A, mount -o remount,rw /sysroot followed by chroot /sysroot.
  • Login still fails: Ensure you ran touch /.autorelabel (inside the chroot for Method A) and allowed the relabel to complete.
  • Encrypted volumes: You must still supply the LUKS passphrase at boot.
  • GRUB changes ignored: Verify you edited the correct linux line and booted with Ctrl+X/F10.

Conclusion

You now have two procedures mapped to your environment to reset the root password on RHEL 9 and RHEL 10, plus guardrails for cloud and secure‑booted hosts. Practice both flows in a lab so you’re ready when a break‑glass event hits.
