Reset Forgotten Root Password Using rd.break (GRUB Method)

Problem Overview

Losing the root password prevents administrators from performing critical system maintenance.
This commonly happens after long inactivity, team changes, or inheriting systems with unknown credentials.
Reinstalling the operating system is not acceptable in production due to data loss and downtime.
A safe recovery method is required to regain root access without impacting existing data or services.

Prerequisites

Before starting, make sure the following conditions are met:
Physical or console access to the system (VM console or server access)
Ability to access the GRUB boot menu
System uses systemd (RHEL, CentOS, Rocky Linux, AlmaLinux, Fedora)
Filesystem is not encrypted

Solution

Reboot the system

When the GRUB menu appears, Press e to edit the boot parameters

                            GRUB version 2.06
 ┌────────────────────────────────────────────────────────────────────────────────┐
 │*Red Hat Enterprise Linux (5.14.0-611.5.1.el9_7.x86_64) 9.7 (Plow)              │
 │ Red Hat Enterprise Linux (0-rescue-ef5669ef42ab466aa4e2e6e9fa8f44c1) 9.7 (>)   │
 │                                                                                │
 │                                                                                │
 │                                                                                │
 │                                                                                │
 │                                                                                │
 └────────────────────────────────────────────────────────────────────────────────┘
     Use the ↑ and ↓ keys to select which entry is highlighted.
     Press enter to boot the selected OS, 'e' to edit the commands
     before booting or 'c' for a command-line.

Go to the line which starts with linux an press Ctrl+e to go to the end of the line.

                            GRUB version 2.06
 ┌────────────────────────────────────────────────────────────────────────────┐
 │load_video                                                                  │
 │set gfxpayload=keep                                                         │
 │insmod gzio                                                                 │
 │linux ($root)/vmlinuz-5.14.0-611.5.1.el9_7.x86_64 root=/dev/mapper/rhel_10-\│
 │root ro crashkernel=1G-2G:192M,2G-64G:256M,64G-:512M resume=/dev/mapper/rhe\│
 │l_10-swap rd.lvm.lv=rhel_10/root rd.lvm.lv=rhel_10/swap rhgb quiet          │
 │initrd ($root)/initramfs-5.14.0-611.5.1.el9_7.x86_64.img $tuned_initrd      │
 │                                                                            │
 │                                                                            │
 └────────────────────────────────────────────────────────────────────────────┘
     Minimum Emacs-like screen editing is supported. TAB lists
     completions. Press Ctrl-x or F10 to boot, Ctrl-c or F2 for
     a command-line or ESC to discard edits and return to the GRUB menu.

Type rd.break at end of the like, after quiet

                            GRUB version 2.06
 ┌────────────────────────────────────────────────────────────────────────────┐
 │load_video                                                                  │
 │set gfxpayload=keep                                                         │
 │insmod gzio                                                                 │
 │linux ($root)/vmlinuz-5.14.0-611.5.1.el9_7.x86_64 root=/dev/mapper/rhel_10-\│
 │root ro crashkernel=1G-2G:192M,2G-64G:256M,64G-:512M resume=/dev/mapper/rhe\│
 │l_10-swap rd.lvm.lv=rhel_10/root rd.lvm.lv=rhel_10/swap rhgb quiet rd.break │
 │initrd ($root)/initramfs-5.14.0-611.5.1.el9_7.x86_64.img $tuned_initrd      │
 │                                                                            │
 │                                                                            │
 └────────────────────────────────────────────────────────────────────────────┘
     Minimum Emacs-like screen editing is supported. TAB lists
     completions. Press Ctrl-x or F10 to boot, Ctrl-c or F2 for
     a command-line or ESC to discard edits and return to the GRUB menu.

Press Ctrl + X (or F10) to boot
The real root filesystem is available at /sysroot but mounted read-only, so remount and change root password
- Remount /sysroot as read/write.
  - ```
  switch_root:/# mount -o remount,rw /sysroot
```
- Switch into a chroot jail, where /sysroot is treated as the root of the file-system tree.
  - ```
  switch_root:/# chroot /sysroot
```
- Validate the current user using the whoami command
  - ```
  sh-5.1# whoami
  root
```
- Set a new root password.
  - ```
  sh-5.1# passwd root
  Changing password for user root.
  New password:
  Retype new password:
  passwd: all authentication tokens updated successfully.
```
- Make sure that all unlabeled files, including /etc/shadow at this point, get relabeled during boot.
  - ```
  sh-5.1# touch /.autorelabel
```
- Type exit twice. The first command exits the chroot jail, and the second command exits the initramfs debug shell.
  - ```
  sh-5.1# exit
  exit
  switch_root:/# exit
  logout
```
The system will reboot, relabel all files for SELinux, and then apply the new password. SELinux relabeling may take a few minutes.