6.7. I Lost the Root Password

As Linux geeks, we have a responsibility to set a good example and avoid easy passwords. However, if you have to change your password frequently, there's a chance that you'll forget it.

6.7.1. Single-User Mode

If you've misplaced your root password but can reboot your system, recovery is simple:
This useful workaround unfortunately allows a cracker with physical access to your system to get access to the root account. In the next section, I'll show you what you can do to at least slow a cracker in his attempts to break into your system. To boot your computer in single-user mode, you need to access the kernel command line from your Linux bootloader. I'll show you how you can add your option to the kernel command line in Red Hat/Fedora and SUSE shortly.
Any of the following options, if added to the kernel command line, boots Linux into single-user mode:

single
s
1

These three options boot Linux into runlevel 1, which is associated with single-user mode. Some distributions, however, require the root password in order to boot into single-user mode, so the options just shown won't help you if you don't know the root password. Another option you can add to the kernel command line bypasses the password check, along with all other activities associated with the init process, and immediately puts you into a shell in single-user mode:

init=/bin/sh
When you boot with init=/bin/sh, the passwd command won't work at first, because the root filesystem is still mounted read-only. But it's easy to get around this: just remount your root directory (/). For example, if /dev/hda2 is mounted on /, run the following command:

mount -o remount /dev/hda2 /

You can then change the root account password with the passwd command. While some might consider this a flaw, you'll be grateful to know it when you forget a root password or have to do emergency administration on a system where you haven't been told the root password.

6.7.2. Protecting Single-User Mode

Because it's possible to change the root password on our major Linux distributions via single-user mode, additional security is wise. You can take the following steps to further secure your system:
Password protection for the bootloader may not be enough. If a cracker has access to the reset button and can set your BIOS to boot from a CD/DVD or floppy drive, she can insert a boot disk or even a Knoppix CD to crack your system. We'll describe some of the physical methods you can use to prevent this crack in "The Boss Told Me to Secure the Server Without Locking the Room," at the end of this chapter.

6.7.2.1. Password-protecting GRUB

You can add encrypted passwords to GRUB with the grub-md5-crypt command, as follows:
6.7.2.2. Password-protecting LILO

You can add a password to the LILO bootloader to protect the menu or specific operating-system options. Unfortunately, LILO does not support encrypted passwords; you'll have to enter the password of your choice in clear text. Be aware of the security risk. The directive that you'll add to lilo.conf is straightforward:

password=mysecret

As with GRUB, if you want to protect the LILO menu, place the password directive in the first part of lilo.conf. If you want to protect a specific boot option, place the password directive after the label directive in the associated stanza.
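The GRUB and LILO settings above protect nothing if the password line is missing, sits in the wrong part of the file, or (for LILO, where it is clear text) is readable by everyone. The following is an added audit script, not from the book, that checks a lilo.conf for where its password directive applies and for file permissions, and a legacy GRUB config for whether its password line is an md5 hash; the file paths and the sample lilo.conf are constructed.

```shell
#!/bin/sh
# Added audit helper, not from the book: reports whether a LILO or legacy GRUB
# config carries the bootloader password the text recommends, and where.
# File paths and the sample lilo.conf at the bottom are constructed.

# Print "global" when password= precedes the first image=/other= stanza (menu
# protected) and "stanza:<label>" for each stanza with its own password=.
lilo_password_scope() {
    awk '
        function emit() { if (in_stanza && has_pw) print "stanza:" label
                          has_pw = 0; label = "?" }
        /^[ \t]*#/ { next }
        /^[ \t]*(image|other)[ \t]*=/ { emit(); in_stanza = 1; next }
        /^[ \t]*label[ \t]*=/ { sub(/^[ \t]*label[ \t]*=[ \t]*/, ""); label = $0; next }
        /^[ \t]*password[ \t]*=/ { if (in_stanza) has_pw = 1; else print "global"; next }
        END { emit() }
    ' "$1"
}

# lilo.conf holds the password in clear text, so only root should read it.
# Returns 0 (true) when group or others have read permission.
lilo_conf_exposed() {
    [ -n "$(find "$1" -perm -040 -o -perm -004 2>/dev/null)" ]
}

# Legacy GRUB: grub-md5-crypt output belongs on a "password --md5 <hash>" line;
# a bare "password <word>" line is clear text. Prints md5, cleartext or none.
grub_password_kind() {
    if grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$' "$1"; then echo md5
    elif grep -Eq '^[[:space:]]*password[[:space:]]+[^[:space:]-]' "$1"; then echo cleartext
    else echo none
    fi
}

# Demo on a constructed lilo.conf: menu protected globally, windows stanza too.
demo=$(mktemp)
cat > "$demo" <<'EOF'
boot=/dev/hda
password=mysecret
image=/vmlinuz
    label=linux
other=/dev/hda1
    label=windows
    password=mysecret
EOF
lilo_password_scope "$demo"
lilo_conf_exposed "$demo" && echo "warning: $demo readable by group/others"
rm -f "$demo"
```

Run it against the real /etc/lilo.conf or GRUB menu file as root; a global entry plus a mode of 0600 is what the LILO section above asks for.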