Forgetting the root password on a Linux server is a common situation – especially when managing dozens of machines. The recovery process involves interrupting the boot sequence, mounting the root filesystem, and resetting the password from a minimal shell. This works on physical servers, VMs, and cloud instances with console access.
This guide covers two methods to reset the root password on RHEL 10, Rocky Linux 10, AlmaLinux 10, and their 9.x releases. Both methods use GRUB2 boot parameters and require physical or console access to the server.
Prerequisites
- Physical or console access (iDRAC, IPMI, KVM, Proxmox/VMware console, cloud serial console)
- A working GRUB2 boot loader (the system must boot to the GRUB menu)
- The OS must be installed and functional – only the root password is unknown
Note: RHEL-based systems since version 7 use GRUB2. The old single-user mode from RHEL 6 no longer works. You must use either the rd.break method or the init=/bin/bash method described below.
Method 1: Reset Root Password Using rd.break
This is the recommended approach. It interrupts the boot before the root filesystem is fully mounted, giving you a clean environment to change the password.
Step 1: Edit the GRUB boot entry
Reboot the server. When the GRUB2 menu appears, press e to edit the default boot entry.
Find the line that starts with linux (or linuxefi on UEFI systems). It looks something like this:
linux ($root)/vmlinuz-5.14.0-xxx.el10.x86_64 root=/dev/mapper/rl-root ro crashkernel=1G-4G:192M,4G-64G:256M resume=/dev/mapper/rl-swap rd.lvm.lv=rl/root rd.lvm.lv=rl/swap rhgb quiet
Step 2: Modify boot parameters
Remove rhgb quiet from the end of the line and append rd.break. The modified line should end with:
... rd.lvm.lv=rl/swap rd.break
Press Ctrl+x to boot with these modified parameters. The system will drop you into an emergency shell with the switch_root:/# prompt.
Step 3: Remount the filesystem as read-write
At this point, the real root filesystem is mounted read-only at /sysroot. Remount it as read-write:
# mount -o remount,rw /sysroot
Step 4: Chroot and reset the password
# chroot /sysroot
# passwd
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Step 5: Fix SELinux labels
Because passwd rewrote /etc/shadow from the emergency shell, before the SELinux policy was loaded, the file no longer carries the correct SELinux label. If you skip this step, you will be locked out of the system after reboot. Force a full SELinux relabel on the next boot:
# touch /.autorelabel
Step 6: Exit and reboot
# exit
# exit
The first exit leaves the chroot. The second exit exits the emergency shell and resumes the boot process. The SELinux relabel will run automatically – this can take several minutes depending on the filesystem size. Do not interrupt it.

After the relabel completes and the system reboots, log in with your new root password.
Method 2: Reset Root Password Using init=/bin/bash
This alternative method boots directly into a bash shell, bypassing the init system entirely. It’s useful when the rd.break method doesn’t work (rare, but can happen with custom initramfs configurations).
Step 1: Edit the GRUB boot entry
At the GRUB menu, press e. Find the linux line and change ro to rw, remove rhgb quiet, and append init=/bin/bash:
linux ($root)/vmlinuz-5.14.0-xxx.el10.x86_64 root=/dev/mapper/rl-root rw crashkernel=1G-4G:192M rd.lvm.lv=rl/root rd.lvm.lv=rl/swap init=/bin/bash
Press Ctrl+x to boot. You’ll land at a bash-5.x# prompt.
Step 2: Reset the password
Since we changed ro to rw, the filesystem is already writable. No need to remount or chroot:
# passwd
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Step 3: Set SELinux relabel and reboot
# touch /.autorelabel
# exec /sbin/init
The exec /sbin/init command hands off to the init system which will relabel SELinux contexts and then boot normally. Wait for the relabel to finish before logging in.
Important Notes
- SELinux relabel is mandatory – skipping touch /.autorelabel will result in a system that boots but rejects all logins because /etc/shadow has the wrong SELinux context
- UEFI systems – the line starts with linuxefi instead of linux. The process is identical
- GRUB password protected – if GRUB itself is password-protected, you need the GRUB password or must boot from a rescue ISO instead
- Encrypted disks (LUKS) – you’ll be prompted for the LUKS passphrase before reaching the emergency shell. If you don’t have it, you cannot reset the password this way
- Cloud instances – AWS, GCP, and Azure provide serial console access. Alternatively, use virt-customize or mount the disk on another instance to reset the password
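Both methods work by changing the kernel command line for a single boot, so that command line is where an administrator can check whether a machine was started this way. The following is an added example, not part of the original guide: a shell function that classifies a command-line string. The finding names and sample lines are constructed for illustration, and the rd.break=<stage> form is dracut's documented variant of rd.break.

```shell
#!/bin/sh
# Added example: flag the two boot overrides used in this guide
# (rd.break and init=<shell>) in a kernel command-line string.

# classify_cmdline "<kernel command line>"
# Prints space-separated findings, or "clean" when nothing matches.
# The body runs in a subshell so variables and "set -f" stay local.
classify_cmdline() (
    findings=""
    shell_init=no
    rw=no
    set -f                      # no globbing while splitting the string
    for tok in $1; do           # kernel parameters are space-separated
        case "$tok" in
            rd.break|rd.break=*)
                # Method 1; dracut also accepts rd.break=<stage>
                findings="$findings initramfs-break:$tok" ;;
            init=*)
                target=${tok#init=}
                case "${target##*/}" in
                    sh|bash|dash|ksh|zsh)
                        # Method 2: init replaced by an interactive shell
                        shell_init=yes
                        findings="$findings init-shell:$target" ;;
                    systemd|init) ;;   # ordinary init binaries
                    *)  findings="$findings init-nonstandard:$target" ;;
                esac ;;
            rw) rw=yes ;;
        esac
    done
    # Method 2 also switches ro to rw so the shell can write /etc/shadow.
    if [ "$shell_init" = yes ] && [ "$rw" = yes ]; then
        findings="$findings root-rw"
    fi
    findings=${findings# }      # drop the leading separator
    printf '%s\n' "${findings:-clean}"
)

# Constructed sample command lines, modelled on the entries in this guide.
while IFS= read -r line; do
    printf '%-32s <- %s\n' "$(classify_cmdline "$line")" "$line"
done <<'EOF'
root=/dev/mapper/rl-root ro rd.lvm.lv=rl/root rhgb quiet
root=/dev/mapper/rl-root ro rd.lvm.lv=rl/root rd.break
root=/dev/mapper/rl-root rw rd.lvm.lv=rl/root init=/bin/bash
EOF
```

On a running host, classify_cmdline "$(cat /proc/cmdline)" checks the command line of the current boot.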
Preventing Root Password Lockouts
To avoid this situation in production:
- Use SSH key-based authentication and manage access with Ansible across your fleet
- Store root passwords in a password manager (HashiCorp Vault, Bitwarden, KeePass)
- Set up sudo access for admin users so direct root login is rarely needed
- Enable serial console access on all servers for emergency recovery
Conclusion
Both methods work on RHEL 10, Rocky Linux 10, AlmaLinux 10, and their 9.x counterparts. The rd.break method is preferred since it’s the officially documented Red Hat approach. Always remember to trigger SELinux relabeling after changing the password, or you’ll be right back where you started.

When I go to change the password I get the error:
the password fails the dictionary check – you are not registered in the password file
and when I reboot and try to log in it says:
User not known to the underlying authentication module.
CentOS 7 (Core)
Kernel 3.10.0-1160.31.1.el7.x86_64
Hi Dennis,
Please use the updated article, where you input the password instead of using the default provided.