Section 6.7. I Lost the Root Password

6.7. I Lost the Root Password

As Linux geeks, we have a responsibility to set a good example and avoid easy passwords. However, if you have to change your password frequently, there's a chance that you'll forget it.

6.7.1. Single-User Mode

If you've misplaced your root password but can reboot your system, recovery is simple:

1. Boot your computer into single-user mode, which logs you in as the root user, without network connections or server services.

2. Linux mounts only the root filesystem (the / directory) in single-user mode, but you can mount other filesystems manually with the mount command if you need them.

3. Use the passwd command to reset the root password.

This useful workaround unfortunately allows a cracker with physical access to your system to get access to the root account. In the next section, I'll show you what you can do to at least slow a cracker in his attempts to break into your system.

To boot your computer in single-user mode, you need to access the kernel command line from your Linux bootloader. I'll show you how you can add your option to the kernel command line in Red Hat/Fedora and SUSE shortly.

The Debian Linux boot menus include a "recovery mode" option, which automatically boots the system in single-user mode. The SUSE "recovery mode" boots into runlevel 3, which normally includes full functionality without the GUI.

Any of the following commands, if added to the kernel command line, boot into single-user mode:

 single s 1 

These three options boot Linux into runlevel 1, which is associated with single-user mode.

Some distributions, however, require the root password in order to boot into single-user mode. So the options just shown won't help you if you don't know the root password. However, another option you can add to the kernel command line bypasses the password check, along with all other activities associated with the init process, and immediately puts you into a shell in single-user mode:

 init=/bin/sh 

Red Hat distributions do not require the root password to log in using the single, s, or 1 options. I consider this a security hazard, and therefore an annoyance. SUSE and Debian both require the root password to log in using these commands. However, the root password is not required if you boot with init=/bin/sh.

When you boot with init=/bin/sh, the passwd command is disabled by default. But it's easy to get around this. Just remount your root directory (/). For example, if /dev/hda2 is mounted on /, run the following command:

 mount -o remount /dev/hda2 / 

You can then change the root account password with the passwd command. While some might consider this to be a flaw, you'll be grateful to know it when you forget a root password or have to do emergency administration on a system where you haven't been told the root password.

6.7.2. Protecting Single-User Mode

Because it's possible to change the root password on our major Linux distributions via single-user mode, additional security is wise. You can take the following steps to further secure your system:

Set a BIOS password

Modern BIOS systems support passwords, which can keep a cracker from bypassing your bootloader with a boot disk. One drawback is that there are methods to reset a BIOS password. Some of these methods require removing the BIOS battery, which requires opening up a computer case. That may be enough to discourage an attack. For details, see the documentation for your BIOS.

Set a password on your bootloader

The GRUB and LILO bootloaders also support passwords, which can prevent single-user-mode logins.

Keep the timeout on your bootloader to a minimum

If you have a minimal timeout on your bootloader, it can prevent a cracker from starting your system in single-user mode, where he or she can then change your root account password.

Password protection for the bootloader may not be enough. If a cracker has access to the reset button and can set your BIOS to boot from a CD/DVD or floppy drive, she can insert a boot disk or even a Knoppix CD to crack your system. We'll describe some of the physical methods you can use to prevent this crack in "The Boss Told Me to Secure the Server Without Locking the Room," at the end of this chapter.

6.7.2.1. Password-protecting GRUB

You can add encrypted passwords to GRUB with the grub-md5-crypt command, as follows:

1. As root, run grub-md5-crypt.

2. At the command prompts, type the password you want to use to log in, and confirm.

3. With your mouse, highlight the encrypted password printed by grub-md5-crypt and paste it into the GRUB configuration file. There are two places where you can paste the GRUB password:

   • If you want to protect the GRUB menu from changes, enter the password as the first line in the GRUB configuration file.

   • If you want to protect a specific boot option, paste it after the title line of the stanza.

   In either case, the password directive will appear as follows; the --md5 switch tells password to expect an MD5-encrypted password.

    password --md5 $1$cg36g0$HgArcGTyynzZhPidnlTe.0 

   
   

6.7.2.2. Password-protecting LILO

You can add a password to the LILO bootloader to protect the menu or specific operating-system options. Unfortunately, LILO does not support encrypted passwords; you'll have to enter the password of your choice in clear text. Be aware of the security risk. The directive that you'll add to lilo.conf is straightforward:

     password=mysecret 

As with GRUB, if you want to protect the LILO menu, place the password directive in the first part of lilo.conf. If you want to protect a specific boot option, place the password command after the label directive in the associated stanza.