With only one very minor exception, this procedure works exactly the same on both CentOS 7 and CentOS 8. Let's get started:
- Boot the virtual machine. When the boot menu comes up, interrupt the boot process by hitting the down arrow key once. Then, hit the up arrow key once to select the default boot option:
- Hit the E key to edit the kernel parameters. When the GRUB 2 configuration comes up, cursor down until you see this line:
Note that on CentOS 7, the line begins with linux16, as shown here. On CentOS 8, the line begins with linux.
- Delete the words rhgb quiet from this line and then add rd.break enforcing=0 to the end of the line. Here's what these two new options do for you:
- rd.break: This will cause the machine to boot into emergency mode, which gives you root user privileges without you having to enter a root user password. Even if the root user password hasn't been set, this still works.
- enforcing=0: When you do a password reset on an SELinux-enabled system, the security context for the /etc/shadow file will change to the wrong type. If the system is in enforcing mode when you do this, SELinux will prevent you from logging in until the shadow file is relabeled. However, relabeling during the boot process can take a very long time, especially with a large drive. By setting SELinux to permissive mode, you can wait until after you've rebooted to restore the proper security context on just the shadow file.
- When you've finished editing the kernel parameters, hit Ctrl + X to continue the boot process. This will take you to emergency mode with the switch_root command prompt:
- In emergency mode, the filesystem is mounted as read-only. You'll need to remount it as read-write and enter chroot mode before you can reset the password:
mount -o remount,rw /sysroot
chroot /sysroot
After you enter these two commands, the command prompt will change to that of a normal bash shell:
Now that you've reached this stage, you're finally ready to reset the password.
- If you want to reset the root user password, or even if you want to create a root password where none previously existed, just enter the following:
passwd
Then, enter the new desired password.
- If the system has never had a root user password and you still don't want it to have one, you can reset the password for an account that has full sudo privileges. For example, on my system, the command would look like this:
passwd donnie
- Next, remount the filesystem as read-only. Then, enter exit twice to resume rebooting:
mount -o remount,ro /
exit
exit
- The first thing you need to do after rebooting is to restore the proper SELinux security context on the /etc/shadow file. Then, put SELinux back into enforcing mode:
sudo restorecon /etc/shadow
sudo setenforce 1
Here's a before and after screenshot of the context settings for my shadow file:
Here, you can see that resetting the password changed the type of the file to unlabeled_t. Running the restorecon command changed the type back to shadow_t.
You've reached the end of this lab – congratulations!
Now, we'll look at the same procedure for Ubuntu.