How to Reset the Root Password on AlmaLinux, Rocky Linux or RHEL (GRUB2 Method)

If you have lost or forgotten the root password on your Linux VPS or server, you can reset it by interrupting the boot process through GRUB2 and entering an emergency shell. This method works on AlmaLinux 8 and 9, Rocky Linux 8 and 9, RHEL 8 and 9 and any other RHEL-based distribution using GRUB2.

You will need console access to your server — either physical access, a KVM console, IPMI/iDRAC/iLO access, or a VNC/serial console via your hosting provider's control panel.

Overview of the Process

  1. Reboot the server
  2. At the GRUB menu, edit the boot entry
  3. Add rd.break enforcing=0 to the kernel line
  4. Boot into emergency mode
  5. Remount the filesystem as read-write
  6. Chroot into your system
  7. Reset the root password
  8. Create the SELinux autorelabel file
  9. Exit and reboot

Step-by-Step Guide

Step 1 — Reboot the Server

Reboot your server and watch the console carefully. As soon as the GRUB2 boot menu appears (a list of kernel versions), you have a short window to act — usually 5 seconds before it boots automatically.

If the GRUB menu does not appear, restart again and try holding Shift (BIOS systems) or pressing Escape repeatedly (UEFI systems) immediately after POST to force the menu to show.

Step 2 — Edit the Boot Entry

Use the arrow keys to highlight the default kernel entry (usually the top one — the latest kernel version).

Press e on your keyboard to enter the GRUB editor. You will see a screen full of boot parameters.

Step 3 — Find the Kernel Line

Using the arrow keys, scroll down to find the line that starts with linux (sometimes linuxefi on UEFI systems). It will look something like this:

 
 
linux ($root)/vmlinuz-5.14.0-362.8.1.el9_3.x86_64 root=/dev/mapper/almalinux-root ro crashkernel=auto rhgb quiet

Use the End key or Ctrl+E to move your cursor to the very end of that line.

Step 4 — Add the Emergency Boot Parameters

At the end of the linux line, add a space and then type:

 
 
rd.break enforcing=0

The end of the line should now look like:

 
 
... rhgb quiet rd.break enforcing=0
  • rd.break interrupts the boot process before the system hands control to systemd, dropping you into an emergency shell
  • enforcing=0 puts SELinux into permissive mode so it does not block the password change

Step 5 — Boot into Emergency Mode

Press Ctrl+X to boot with the modified parameters.

The server will boot into an emergency shell. You will see a prompt like:

 
 
switch_root:/#

This is the dracut emergency shell. Your real root filesystem is mounted read-only at /sysroot at this point.

Step 6 — Remount the Filesystem as Read-Write

Type the following command exactly and press Enter:

 
 
bash
mount -o remount,rw /sysroot

This remounts the /sysroot filesystem with read-write permissions so you can make changes to it.

Step 7 — Chroot into Your System

Type the following and press Enter:

 
 
bash
chroot /sysroot

Your prompt will change to just #. You are now operating inside your real system as root.

Step 8 — Reset the Root Password

Type the following and press Enter:

 
 
bash
passwd

You will be prompted to enter a new password twice:

 
 
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Type your new password and press Enter. The characters will not be visible as you type — this is normal.

Step 9 — Create the SELinux Autorelabel File

This is an important step that many guides skip. Because SELinux was in permissive mode during the password change, the security labels on /etc/shadow (the file that stores passwords) may be incorrect. If you skip this step, SELinux may block your login after reboot.

Type the following and press Enter:

 
 
bash
touch /.autorelabel

This creates an empty file that tells SELinux to relabel all files on the next boot. The relabelling happens automatically and may add a few minutes to the next boot time.

Step 10 — Exit and Reboot

Type exit to leave the chroot environment:

 
 
bash
exit

Then type exit again to leave the emergency shell:

 
 
bash
exit

The server will now reboot. On the next boot SELinux will relabel the filesystem — do not interrupt this process, it may take 2–5 minutes depending on the size of your filesystem.

Step 11 — Log in With Your New Password

Once the system has fully booted, log in as root with the new password you set in Step 8.

Full Command Summary

For reference, here are all the commands in order once you are in the emergency shell:

 
 
bash
mount -o remount,rw /sysroot
chroot /sysroot
passwd
touch /.autorelabel
exit
exit

Common Problems

GRUB menu does not appear
Try holding Shift (BIOS) or tapping Escape repeatedly (UEFI) immediately after power-on. If the GRUB timeout is set to 0, you may need to boot from a rescue ISO to edit the GRUB configuration first.

"Authentication token manipulation error" when running passwd
The filesystem was not remounted as read-write correctly. Type exit to leave chroot, run mount -o remount,rw /sysroot again, then chroot /sysroot and try passwd again.

Login still fails after reboot
SELinux context may be wrong on /etc/shadow. Boot back into emergency mode and run:

 
 
bash
mount -o remount,rw /sysroot
chroot /sysroot
restorecon -v /etc/shadow
exit
exit

System asks for password at GRUB menu
Your GRUB is password-protected. You will need to boot from a rescue or live ISO to bypass this. Contact your hosting provider if you do not have ISO boot access.

Server reboots very slowly after the password reset
This is normal — SELinux is relabelling all files on the system. Do not interrupt the process. It will complete and boot normally.

Security Note

This procedure requires physical or console access to the server, which is why it is a legitimate recovery method — someone with only SSH access cannot use it. However, it is a reminder that physical console access to a server is equivalent to root access. Always ensure your hosting provider's out-of-band management (KVM, IPMI, iDRAC) is secured with a strong password.

Need Help?

If you do not have console access to your VPS or are not comfortable performing this procedure, open a support ticket at my.hostking.host and our team will assist. We are available every day from 7am to 10pm.

Related articles:

  • How to Connect to Your VPS via SSH on Windows
  • How to Install DirectAdmin on a New VPS
  • Getting Started with Your Hostking VPS

A couple of corrections from your original description worth noting:

Ctrl+X not Ctrl+E to boot — Ctrl+E moves your cursor to the end of the line in the GRUB editor, which is useful for navigating to where you add the parameters. But Ctrl+X (or F10) is what actually boots. Easy to mix up since you use Ctrl+E to get to the right spot on the line.

mount -o remount,rw /sysroot then chroot /sysroot as separate commands — the remount and chroot are two distinct steps. The mount makes the filesystem writable, then chroot switches your environment into it.

touch /.autorelabel before exiting — this is the step most people miss. Without it, SELinux in enforcing mode will reject the modified /etc/shadow file after reboot and your new password won't work.

Var dette svaret til hjelp? 0 brukere syntes dette svaret var til hjelp (0 Stemmer)

Mest populære

How to SSH into your VPS

After receiving your VPS login details, the first thing you'll want to do is log in to the VPS....
What happens when you reach your VPS bandwidth limit?

If your VPS exceeds its bandwidth limit, our system will automatically suspend the service. You...
Find All Large Files On A Linux System

We can use find to search directories for files greater than 20MB, display the path and file...
Suspicious "spamd child" Process Emails

If you have a dedicated server or VPS with the Config Server Firewall (CSF) software installed...
Recover forgotten root password on CentOS 7

Synopsis Normally resetting the root password is a simple task if you’re logged in already with...