“Effective Root Password Recovery in RHEL 9: Comparing Init=/bin/bash and rd.break Methods”

Updated RHEL 9 Password Reset Process (due to changes in dracut):

1. Press e to edit the GRUB boot options:
   • This step allows you to modify the boot options temporarily.

2. In the linux line, change ro to rw (this is just before crashkernel):

• The root filesystem is mounted as read-only (ro) by default. Changing it to rw ensures that the root filesystem is mounted as read-write, allowing you to make changes such as modifying the root password.
• Find the line starting with linux or linuxefi, then modify ro to rw.

3. Press Ctrl + e to go to the end of the linux line and add /init=/bin/bash:

This bypasses the default system initialization process and brings you directly into a Bash shell in the root environment, allowing you to troubleshoot or reset the password.

This method is a substitute for the traditional rd.break approach.

4. Press Ctrl + x to boot:

• This boots the system with the modified GRUB configuration

5. Run passwd to change the root password:

• After booting into the Bash shell, you can now change the root password by running the passwd command. Be sure to enter the new password twice as prompted.

Run touch /.autorelabel:

• This command ensures that the SELinux contexts are properly relabeled upon the next boot, preventing issues with SELinux that might arise due to modified files like /etc/shadow.

• Without this step, SELinux might block processes because of incorrect contexts, especially in enforcing mode.

Run exec /sbin/init:

• This command will replace the current Bash shell with the system’s initialization process (/sbin/init), resuming the normal boot process.

• The system will continue to boot normally, and on the next boot, SELinux will perform the relabeling as indicated by the .autorelabel file.

• Dracut Changes: RHEL 9 now uses dracut differently compared to previous versions, which no longer includes sulogin by default during the boot process when rd.break is used. Therefore, booting into a shell using init=/bin/bash is an alternative method.
• Importance of .autorelabel: The SELinux relabeling process ensures that after modifying the password or other system files, SELinux labels are corrected, avoiding potential boot failures or security issues caused by incorrect SELinux contexts.

Additional Considerations for the Video/Slides:

• Highlight SELinux Impact: Make sure to emphasize why the touch /.autorelabel step is crucial, especially for viewers who might be unfamiliar with SELinux.
• Ensure clear explanation of init=/bin/bash: Explain that this method is a workaround for the changes in RHEL 9’s boot process due to the absence of sulogin in dracut.

This approach ensures compatibility with the updated boot mechanism in RHEL 9 and provides an effective way to reset the root password.

Once got booted you are taken into your login interface.

Method A with init=/bin/bash seems to be the more straightforward and future-proof solution in RHEL 9

A method:

1. Grub > e
2. init=/bin/bash (Remove rhgb and quiet tags if necessary) > Ctrl+x
3. /usr/sbin/load_policy -i
4. mount -o remount,rw /
5. passwd root or passwd
6. mount -o remount,ro /

B method:

1. Grub > e
2. rd.break > Ctrl+x
3. mount -o remount,rw /sysroot/
4. chroot /sysroot/
5. passwd root or passwd
6. touch /.autorelabel

---

Also refer Official Redhat docs:

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/assembly_making-temporary-changes-to-the-grub-menu_managing-monitoring-and-updating-the-kernel#proc_resetting-the-root-password-using-rd-break_assembly_making-temporary-changes-to-the-grub-menu