
Save your Linux machine – Recovering your root password and more - MartinHeinz
https://medium.com/better-programming/save-your-linux-machine-from-certain-death-24ced335d969
======
technofiend
This must be something asked of RedHat support quite a bit because it was
covered thoroughly in their UNIX sysadmin training material for Redhat 7 and
there's a published solution on their site from years ago. [1]

Redhat documentation is pretty decent and access is free via their developer
program [2]. The program gives one free bare metal license for a system with
up to 8 sockets that can host unlimited VMs. [3]

I realize HN is all about open source and free software but for people looking
to work in a corporate environment that uses RHEL, Redhat does try to make
entry at least possible for those who can self study.

[1]
[https://access.redhat.com/solutions/1192](https://access.redhat.com/solutions/1192)
[2] [https://developers.redhat.com/](https://developers.redhat.com/) [3]
[https://developers.redhat.com/articles/faqs-no-cost-red-
hat-...](https://developers.redhat.com/articles/faqs-no-cost-red-hat-
enterprise-linux/)

------
sfj
False advertising. The title says recovering your root password, but the
article only talks about bypassing having to enter one.

~~~
gerdesj
That is how you reset the root password on Linux. If you have physical access
to any computer, then you can do what you like. If you need to recover
administrator on a Windows box then you go in with a systemrescue CD and edit
the SAM database.

The choice is yours. You can deploy disc encryption, BIOS passwords etc but be
prepared for being locked out.

~~~
hawaiian
RECOVERING your password usually means retrieving the plaintext
representation. Not just "resetting" it.

~~~
zouhair
It could also mean recovering the access to root, this is just splitting hair
anyway.

~~~
eitland
> It could also mean recovering the access to root,

No! Even for me as a non native speaker this is obvious since I have worked in
the field for a few years.

A car is a vehicle but saying that "a vehicle _means_ a car is wrong".

In the same way recovering access to the root account _might_ give you the
same effect as recovering the password, but often not.

This is a situation were correct wording isn't hard and a situation where it
matters in my opinion. People come here to learn and we shouldn't mislead them
especially when the cost of fixing it is trivial.

If I recover the access to root, fine, I have access to that machine.

If I recover the root password I have access to all that the root password
gives me access to.

On systems where for example home or certain configuration files are encrypted
using the password as a key (yes, a bit simplified), this is the difference
between getting access to the data or not.

> this is just splitting hair anyway.

No. This is trying to avoid potentially costly misunderstandings.

~~~
laumars
> If I recover the access to root, fine, I have access to that machine.

> If I recover the root password I have access to all that the root password
> gives me access to.

In POSIX that's the same thing.

~~~
eitland
That might technically be true, but as far as I know, with my setup, if I
reset my Linux password and use the new password to access my account, my data
will be gone as the home folder encryption key was encrypted with my password
or something to that effect.

Now I cannot say for sure that this is possible on the root account as well -
I've hardly used the actual root account since Ubuntu taught me otherwise in
2006 - but I see no obvious reason why you shouldn't be able to encrypt roots
home folder the same way we encrypt other home folders.

I'm interested in knowing though in case I'm missing something.

~~~
laumars
If you’re encrypting your whole disk (encrypting /root doesn’t give you any
benefit) then you will need to enter your passphrase before your system gets
as far as reading /etc/shadow.

So that guide basically assumes you either already know your decryption
passphrase or you don’t have full disk encryption. In either case, changing
roots password wouldn’t lock you out of the root file system

~~~
eitland
> If you’re encrypting your whole disk

Not what I am talking about.

I'm talking about encrypted home folders.

~~~
usr1106
That's ecryptfs. It's no longer supported by newer versions of Ubuntu. The key
is not your password. It's somehow protected by a pam module I believe to
remember. I once noticed that being root allows you to su into their account,
but not decrypting their home directory. So possibly the encryption key is
encrypted using the password. One might need the old password to reencrypt the
encryption key with the new password.

I had no interest to dig deeper, so I am not sure.

~~~
yjftsjthsd-h
ecryptfs is _one_ way that encrypted home has been done, but it's also been
done with encfs and ZFS (very recently).

------
battery_cowboy
I would guess most folks here use full disk encryption, which would generally
preclude you from reading the filesystem if you don't have the password any
longer. If not, this is a good article to convince you to do so since anyone
could do something similar to your laptop with no encryption.

~~~
johnchristopher
I am scared to use full disk encryption or $HOME encryption because of
potential loss of speed, hardware failures because of fragmenting or SSD
grinding, the inability to use file recovering tools and being locked out if
anything goes wrong. I just read changing the password might lock me out if
the key is encrypted (or something).

Any tips?

~~~
yrro
Run 'cryptsetup luksHeaderBackup' and store it in a safe place. If you manage
to corrupt your LUKS header, you can restore it from the backup.

The master encryption key in the LUKS header is still encrypted by your
passphrase, so don't use this as an alternative to remembering your
passphrase!

------
bovermyer
This is good, but why not just post the original URL?
[https://martinheinz.dev/blog/22](https://martinheinz.dev/blog/22)

------
spicymaki
This is a nice write up. I was not aware of the rd.break option. Very helpful
when you have an kernel module that hangs boot trying to configure failing
hardware.

