
How to reset root password of AlmaLinux 8

This guide shows you how to reset the root password on AlmaLinux 8 when you are locked out or have forgotten the credentials. Follow these steps to regain SSH access immediately.

Roy S
Updated 10h ago

You will regain root access on your AlmaLinux 8 server by booting into a recovery environment. These steps work on AlmaLinux 8 and CentOS Stream 8, which share the same package base.

Prerequisites

  • Physical access to the server or a virtual console (VNC/VMware).
  • Console access to the boot loader menu (GRUB).
  • Root privileges to edit kernel parameters.
  • Knowledge of the current root password (optional, if you can access the console).

Step 1: Boot into single-user mode

Restart the server and access the GRUB boot menu. You must edit the kernel boot parameters to enable single-user mode. This drops the system from multi-user mode to a root shell without starting the network services.

reboot

When the GRUB menu appears, highlight the default boot entry (usually the first one) and press E to edit the kernel command line.

In the text editor that opens, find the line that starts with linux or linux16. It will look something like this:

linux16 /boot/vmlinuz-4.18.0-348.el8.x86_64 root=LABEL=/ ro rootflags=... rhgb quiet

Move your cursor to the end of that line and add a space followed by rd.break. This tells the system to mount the root filesystem and drop to a shell before starting the normal init process.

linux16 /boot/vmlinuz-4.18.0-348.el8.x86_64 root=LABEL=/ ro rootflags=... rhgb quiet rd.break

Press Ctrl+X to boot with these new parameters. The system will mount the root filesystem and drop you to a (init) prompt.

Step 2: Remount the root filesystem as read-write

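The root filesystem is mounted as read-only by default in recovery mode. With rd.break, the installed system's root filesystem is mounted at /sysroot; the / you see at this prompt is the temporary initramfs. You must remount /sysroot as read-write to change the password file. Run the following command to remount the root partition:

mount -o remount,rw /sysroot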

You should see no output if the command succeeds. If you see an error about the filesystem being read-only, run the command again. The system is now ready for file modifications.

Step 3: Change the root password

Use the chroot command to switch to the target system's root directory, which is mounted at /sysroot. This ensures you are modifying the password file of the installed system and not a file inside the initramfs.

chroot /sysroot

Once inside the chroot environment, run the passwd command to change the root password:

passwd

Enter the new password twice when prompted. You will not see asterisks or characters as you type. This is normal security behavior. If you want to change a user password instead, run passwd followed by the username.

Step 4: Fix SELinux context

AlmaLinux 8 uses SELinux. If you do not fix the context, the new password will be rejected on the next boot. You must relabel the target filesystem to restore the correct SELinux context.

touch /.autorelabel

This creates a marker file that tells the init system to relabel the filesystem on the next boot. Without this step, SELinux will block SSH login with "Permission denied" even after a password change.

Step 5: Reboot the system

Exit the chroot environment and reboot the server. The system will automatically relabel the filesystem because of the .autorelabel marker you created.

exit
reboot

Wait for the system to finish booting. The relabeling process can take several minutes on larger disks. You will see a progress bar during boot if the relabeling is in progress.

Verify the password reset

Connect to your server using SSH with the new password to confirm the reset worked. Use the whoami command to verify you are logged in as root.

whoami

You should see the following output:

root

If you see root, the password reset was successful and you can now use your new credentials.
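The whoami check only confirms the login. The script below is an added example, not part of the original guide, and its function names are hypothetical. It checks the state the earlier steps depend on: root's entry in /etc/shadow, the SELinux label on that file, a leftover /.autorelabel marker, and rd.break on the kernel command line.

```shell
#!/usr/bin/env bash
# Added example: post-reset checks for the rd.break procedure above.
# Function names are hypothetical. Each check takes its input as an argument,
# so it works on the live system or on saved copies of the files.

# State of root's entry in a shadow-format file: empty, locked or set:<day>.
# Field 2 is the hash; field 3 is the last change in days since 1970-01-01.
root_shadow_state() {
    awk -F: '$1 == "root" {
        if ($2 == "")          { print "empty" }
        else if ($2 ~ /^[!*]/) { print "locked" }
        else                   { print "set:" $3 }
        exit
    }' "$1"
}

# SELinux type (third field) of a context string as printed by `ls -Z`.
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# True if the one-off rd.break edit is present on a kernel command line.
cmdline_has_break() { grep -qwF 'rd.break' "$1"; }

# True if the relabel marker still exists under the given root directory.
relabel_pending() { [ -e "$1/.autorelabel" ]; }

# Args: root_dir shadow_file cmdline_file shadow_context today_in_days.
# Prints one line per finding and returns the number of problems.
verify_reset() {
    local problems=0 state
    state=$(root_shadow_state "$2")
    case "$state" in
        set:"$5") echo "ok: root password changed today" ;;
        set:*)    echo "warn: root password last changed on day ${state#set:}"; problems=$((problems + 1)) ;;
        *)        echo "fail: root entry is ${state:-missing}"; problems=$((problems + 1)) ;;
    esac
    [ "$(selinux_type "$4")" = shadow_t ] || { echo "fail: /etc/shadow is not labelled shadow_t"; problems=$((problems + 1)); }
    ! cmdline_has_break "$3" || { echo "fail: rd.break is on the kernel command line"; problems=$((problems + 1)); }
    ! relabel_pending "$1" || { echo "fail: /.autorelabel still present, relabel has not run"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample: password reset on day 19900, reboot done, relabel skipped.
demo=$(mktemp -d)
printf 'root:$6$constructedsalt$constructedhash:19900:0:99999:7:::\n' > "$demo/shadow"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root ro rhgb quiet\n' > "$demo/cmdline"
verify_reset "$demo" "$demo/shadow" "$demo/cmdline" 'system_u:object_r:unlabeled_t:s0 /etc/shadow' 19900 || echo "problems: $?"
rm -rf "$demo"
# Live use as root after the reboot:
#   verify_reset / /etc/shadow /proc/cmdline "$(ls -Z /etc/shadow)" "$(( $(date +%s) / 86400 ))"
```

The field-3 date in /etc/shadow is also worth recording after a legitimate reset, so that a later root password change nobody can account for stands out.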

Troubleshooting

Error: "Permission denied" when running passwd
This happens if the root filesystem is not remounted as read-write. Run mount -o remount,rw /sysroot again before changing the password. Ensure you are in the chroot environment before running passwd.

Error: "Permission denied" after reboot
This indicates SELinux is blocking the new password. You likely missed the touch /.autorelabel step. Reboot the system and wait for the relabeling process to complete. If the marker file is missing, create it manually and reboot.

Error: "No such file or directory" for /.autorelabel
This error means the relabeling marker was not created. You must run touch /.autorelabel again inside the chroot environment before rebooting. Do not skip this step on AlmaLinux 8.

Cannot access GRUB menu
If the GRUB menu does not appear, press Shift or Esc immediately after the BIOS/UEFI screen to pause the boot process. On UEFI systems, you may need to enter the firmware settings to enable "Wait for key press" or "Boot delay" options.

Filesystem is encrypted (LUKS)
If your root filesystem is encrypted, you must unlock the LUKS container first. At the GRUB prompt, add rd.break to the kernel line. When the system drops to the shell, run cryptsetup luksOpen /dev/mapper/cryptroot root to unlock the volume. Remount the root filesystem inside the unlocked volume, change the password, and proceed as usual.

SSH service not starting
If you cannot SSH after reboot, check if the sshd service is running. Use systemctl status sshd to check the status. If the service is not running, start it with systemctl start sshd. Ensure the firewall allows SSH traffic.

Tags: security, SSH, recovery, AlmaLinux, Root Access