
How to Reset a Forgotten Root Password on CentOS/RHEL 7

— ny_wk

Locked out of root on a CentOS or RHEL 7 box? You don't need a reinstall. The method has barely changed in years — the only twists on RHEL 7 are that it uses systemd and SELinux, which add one important relabel step people forget. Here's the full, safe procedure.

The plan

  1. Edit the GRUB2 boot entry to drop into an emergency shell.
  2. Remount the root filesystem read-write.
  3. Reset the root password.
  4. Flag the system for an SELinux relabel.
  5. Reboot.

Step 1 — Interrupt GRUB and edit the boot entry

Reboot the machine. At the GRUB2 menu, highlight your kernel and press e to edit. Find the line starting with linux16 (the kernel line), go to its end, and append:

rd.break

Then press Ctrl-X to boot. You'll land in the initramfs emergency shell.

Step 2 — Remount root read-write

At this point the real root is mounted read-only under /sysroot. Make it writable and switch into it:

mount -o remount,rw /sysroot
chroot /sysroot

Step 3 — Reset the password

passwd root

Type the new password twice. Done.

Step 4 — The SELinux step everyone forgets

Because you changed /etc/shadow from the emergency shell, where no SELinux policy is loaded, the file ends up without its correct label, and SELinux can block login until the filesystem is relabeled. Trigger a relabel on next boot:

touch /.autorelabel

Skip this and you may still be unable to log in even with the new password.

Step 5 — Exit and reboot

Type exit to leave the chroot, then exit again to leave the emergency shell. The system reboots, relabels the filesystem for SELinux (this can take a minute), and reboots once more. Log in as root with your new password.
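
To confirm that the relabel from Step 4 took effect, the check below classifies the label on /etc/shadow together with the presence of /.autorelabel. It is an added example, not part of the original post; the function names and the script name are hypothetical, and it assumes the correct type for /etc/shadow is shadow_t, as in the targeted policy.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the SELinux type: the third colon-separated field of a context such
# as system_u:object_r:shadow_t:s0. Prints nothing if the context is malformed.
selinux_type() {
    printf '%s\n' "$1" | awk -F: 'NF >= 4 { print $3 }'
}

# Classify the post-reset state from two observations:
#   $1  SELinux context of /etc/shadow (what `stat -c %C /etc/shadow` prints)
#   $2  "yes" if /.autorelabel still exists, otherwise "no"
# Prints one of: ok | relabel-pending | mislabeled | unknown
relabel_status() {
    ctx_type=$(selinux_type "$1")
    if [ -z "$ctx_type" ]; then
        echo unknown            # no readable context (e.g. SELinux disabled)
    elif [ "$ctx_type" = "shadow_t" ]; then
        echo ok                 # label restored; login is not blocked by it
    elif [ "$2" = "yes" ]; then
        echo relabel-pending    # flag file present; relabel runs on next boot
    else
        echo mislabeled         # Step 4 was skipped: touch /.autorelabel, reboot
    fi
}

# Gather the two observations from the running system and classify them.
check_host() {
    ctx=$(stat -c %C /etc/shadow 2>/dev/null) || ctx=""
    if [ -e /.autorelabel ]; then flag=yes; else flag=no; fi
    relabel_status "$ctx" "$flag"
}

# Run against the live host only when asked, e.g. sh check-relabel.sh --host
# (check-relabel.sh is a hypothetical file name for this script).
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```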

Key takeaways

  • Append rd.break to the GRUB2 kernel line to reach the emergency shell.
  • Remount /sysroot read-write and chroot into it before changing the password.
  • Always run touch /.autorelabel — the SELinux relabel is what makes login work afterward.
  • Two reboots happen; the relabel one is normal.

Frequently asked questions

Why can't I log in even after resetting the password?

You almost certainly skipped the SELinux relabel. Get back to a root shell the same way (Steps 1 and 2), run touch /.autorelabel, and reboot.

What does rd.break do?

It breaks the boot early into the initramfs shell, before the real root is fully mounted — giving you a recovery prompt.

Is physical/console access required?

Yes — you need to edit the GRUB menu at boot, so console or out-of-band (iLO/iDRAC) access is needed. This is also why securing GRUB matters.

Does this work on RHEL/CentOS 8?

The approach is the same; minor command details differ. For 7 specifically, the steps above apply.

Five steps, one easily-missed SELinux relabel — and a forgotten root password goes from panic to a five-minute fix.