How to Reset the Root Password

When the root password is lost or normal login becomes impossible, Rescue Mode provides a practical way to restore access without reinstalling the operating system. The steps below follow a typical RHEL-based rescue workflow and work on CentOS, AlmaLinux, and Rocky Linux. They are written for both new and experienced administrators.

Why Rescue Mode Is Used

Rescue Mode is used when a system cannot boot normally or when login credentials are unavailable. Common scenarios include:

  • Forgotten root password
  • Broken SSH access or misconfigured SSH keys
  • SELinux preventing normal login
  • Corrupted authentication files or misconfigured PAM

In these cases, booting into a rescue environment lets you mount the existing system, chroot into it, and safely reset the root password.

Steps to Reset the Root Password

Step 1 – Detect Disks and Partitions

First, identify the disks, partitions, and LVM volumes detected by the rescue environment. This helps you find which logical volume is used as the root filesystem (for example, cl-root, rl-root, or myvg-root).

lsblk
df -khT

Make a note of the volume group (VG) and logical volume (LV) names that contain your root filesystem, as you will need them in the next steps.

Step 2 – Activate LVM Volumes

Next, activate all available LVM volume groups so that the logical volumes become accessible under /dev/mapper/:

vgchange -ay

If the command is successful, you should see output similar to “N logical volume(s) in volume group <vgname> now active”.

Step 3 – Mount the Root Filesystem

Mount the logical volume that contains the root filesystem to /mnt. Replace vgname-root with the actual LV name from your system, such as cl-root or rl-root:

mount /dev/mapper/vgname-root /mnt

Info: Make sure your LVM volume is correctly mounted under /mnt before running the chroot command in later steps.

If the filesystem ends up mounted read-only when you need to write changes, you can remount it as read-write with:

mount -o remount,rw /mnt

Step 4 – Bind Mount Necessary Directories

Bind system directories required for a functional chroot environment. This allows commands like passwd and SELinux operations to work properly inside the chroot:

for i in /dev /dev/pts /proc /sys /run; do mount --bind $i /mnt$i; done

After this step, the chroot environment under /mnt will have access to devices, processes, and system information, just like a normally running system.

Step 5 – Enter Chroot and Reset the Root Password

Now you can switch into the installed system and reset the root password.

Warning: Make sure /mnt contains your real system root filesystem. If you run chroot on the wrong directory, you may end up editing the rescue environment instead of your actual server.

chroot /mnt
passwd root

When prompted, enter the new root password twice. After a successful change, you should see a message similar to “all authentication tokens updated successfully”.

Success: If you see the confirmation about updated authentication tokens, your root password has been changed successfully. You will be able to log in with this new password after the reboot.

Step 6 – Trigger SELinux Relabeling

On systems where SELinux is enabled, file contexts may need to be updated after a password reset performed in rescue mode. To force a relabel on the next boot, create the .autorelabel file:

touch /.autorelabel
exit

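The touch command is run inside the chroot, so the file is created in the root of the installed system (/mnt/.autorelabel as seen from the rescue environment); exit then leaves the chroot. When the system boots normally, SELinux will relabel files based on the current policy, which can take a little time.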

Step 7 – Unmount All Paths and Reboot

After resetting the password and preparing SELinux relabeling, make sure you have exited the chroot, then cleanly unmount everything in reverse order:

for i in /run /sys /proc /dev/pts /dev; do umount /mnt$i; done
umount /mnt
reboot

The system will reboot from the local disk. If SELinux relabeling is required, the first boot may take a few minutes before the login prompt appears. This is normal.
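
A post-reset check you can run from the rescue shell after leaving the chroot and before the unmount in Step 7. This is an added example, not part of the original procedure; the function names and the script name are hypothetical. It confirms that /mnt really is the installed system, that root's entry in /etc/shadow now holds a password hash, and that a relabel is queued when SELinux is enabled in /etc/selinux/config.

```shell
#!/bin/sh
# Added example: checks to run from the rescue shell after leaving the chroot
# and before unmounting. ROOT is the mounted system (/mnt in the steps above).

# True if ROOT looks like an installed system, not an empty or wrong mount.
looks_like_installed_root() {
    [ -f "$1/etc/passwd" ] && [ -f "$1/etc/shadow" ] &&
    [ -e "$1/usr/bin/passwd" ] &&
    { [ -f "$1/etc/os-release" ] || [ -f "$1/usr/lib/os-release" ]; }
}

# Print the state of root's password field in ROOT/etc/shadow:
# set | locked | empty | missing
root_shadow_state() {
    [ -r "$1/etc/shadow" ] || { echo missing; return 0; }
    field=$(awk -F: '$1 == "root" { print $2; hit = 1; exit }
                     END { if (!hit) print "MISSING" }' "$1/etc/shadow")
    case $field in
        MISSING)    echo missing ;;
        "")         echo empty ;;
        '!'*|'*'*)  echo locked ;;
        *)          echo set ;;
    esac
}

# True if SELinux is enabled in ROOT's config but no relabel has been queued.
relabel_still_needed() {
    [ -f "$1/etc/selinux/config" ] &&
    grep -Eq '^SELINUX=(enforcing|permissive)' "$1/etc/selinux/config" &&
    [ ! -e "$1/.autorelabel" ]
}

# Run all checks; return 0 only if it is safe to unmount and reboot.
post_reset_check() {
    looks_like_installed_root "$1" ||
        { echo "FAIL: $1 does not look like an installed root"; return 1; }
    state=$(root_shadow_state "$1")
    [ "$state" = set ] ||
        { echo "FAIL: root password field is '$state'"; return 2; }
    if relabel_still_needed "$1"; then
        echo "FAIL: SELinux enabled but $1/.autorelabel is missing"; return 3
    fi
    echo "OK: $1 passes the post-reset checks"
}

# Usage from the rescue shell: sh post_reset_check.sh /mnt
if [ "$#" -gt 0 ]; then post_reset_check "$1"; fi
```

A "locked" or "empty" result means the passwd step did not take effect on the installed system; a missing relabel marker means Step 6 was skipped or run outside the chroot.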

Additional Notes and Troubleshooting

Depending on your disk layout, you may need a few extra steps before or during the procedure.

Non-LVM Systems

If your system does not use LVM, mount the root partition directly instead of a logical volume:

mount /dev/sda2 /mnt

RAID Systems

On software RAID setups, assemble the arrays before activating LVM:

mdadm --assemble --scan
vgchange -ay

UEFI Systems

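For UEFI-based systems, you may also want to mount the /boot and /boot/efi partitions under /mnt before entering the chroot, especially if you later need to reinstall the bootloader. The device names below are examples; use the ones lsblk reports on your system: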

mount /dev/sda1 /mnt/boot
mount /dev/sda2 /mnt/boot/efi

Encrypted (LUKS) Systems

If the root filesystem is encrypted, unlock it first, then proceed with LVM activation and mounting:

cryptsetup luksOpen /dev/sdaX cryptroot
vgchange -ay
mount /dev/mapper/vgname-root /mnt

Error: If your LVM volumes are missing in rescue mode, you may need to assemble software RAID or unlock LUKS devices first. Only after that will vgchange -ay be able to activate the volume groups.

Read-only Filesystem Fix

If the root filesystem is mounted read-only and you cannot change the password, remount it as read-write:

mount -o remount,rw /mnt

Once all steps are complete and the system has rebooted, you should be able to log in as root using the newly set password.
