How to Reset the Root Password on a Vultr Cloud Server

Updated on February 22, 2022
How to Reset the Root Password on a Vultr Cloud Server header image

Introduction

If you have lost access to the root account, you can reset the password in single-user mode. This guide explains how to connect to the web console, reboot into single-user mode, and then reset the root password.

Getting Started

You must connect to the web console to gain access to single-user mode. Follow these steps before the steps for your operating system.

  1. Click the Server Restart icon in the Vultr customer portal.

    Server Restart

  2. Open the web console.

    Vultr Web Console

    You can also reboot the server from inside the web console. See the Web Console FAQ for more information.

  3. Next, follow the steps for your operating system to regain access to the server.

AlmaLinux

  1. As the system boots, press Esc to bring up the GRUB boot prompt. The prompt happens early in the boot process. If you miss the prompt, you need to restart the server from the control panel and try again.
  2. At the GRUB boot prompt, press E to edit the first boot option.
  3. Find the kernel line starting with linux.
  4. Change ro to rw init=/sysroot/bin/sh.
  5. Press Ctrl+X or F10 to boot into single user mode.
  6. Access the system with the command: chroot /sysroot.
  7. Type passwd and follow the prompts to change the root password.
  8. Run touch /.autorelabel to force file system relabeling. This is required for systems with SELinux. When you reboot the system, it will relabel the filesystem for SElinux. The reboot may take extra time during this process.
  9. Run exit.
  10. Run logout.
  11. Run reboot to reboot the server.

Arch Linux

  1. As the system boots, press Esc to bring up the GRUB boot prompt. The prompt happens early in the boot process. If you miss the prompt, you need to restart the server from the control panel and try again.

  2. At the GRUB boot prompt, press E to edit the first boot option.

  3. Find the kernel line starting with linux /boot/.

  4. Add a space and the text init=/bin/bash to the end of the line.

  5. Press Ctrl+X or F10 to boot into single-user mode.

  6. The system will boot, and you will see the root prompt.

  7. Run clear if your prompt is obscured with console text.

  8. Run mount -o remount,rw / to mount the system volume.

  9. Run passwd and follow the prompts to change the root password.

  10. Reboot the server.

     # exec /sbin/init

CentOS 6

  1. As the system boots, GRUB prompts you to press any key to stop the boot process. Press a key quickly; you only have a few seconds. If you miss the prompt, you need to restart the server from the control panel and try again.
  2. At the GRUB prompt, type A to append to the boot command.
  3. Add a space and the text single to the end of the line.
  4. Press Enter.
  5. The system will boot, and you will see the root prompt.
  6. Type passwd and follow the prompts to change the root password.
  7. Run reboot to reboot the server.

CentOS 7

  1. As the system boots, press Esc to bring up the GRUB boot prompt. The prompt happens early in the boot process. If you miss the prompt, you need to restart the server from the control panel and try again.
  2. At the GRUB boot prompt, press E to edit the first boot option.
  3. Find the kernel line starting with linux16.
  4. Change ro to rw init=/sysroot/bin/sh.
  5. Press Ctrl+X or F10 to boot into single user mode.
  6. Access the system with the command: chroot /sysroot.
  7. Type passwd and follow the prompts to change the root password.
  8. Run touch /.autorelabel to force file system relabeling. This is required for systems with SELinux. When you reboot the system, it will relabel the filesystem for SElinux. The reboot may take extra time during this process.
  9. Run exit.
  10. Run reboot -f to reboot the server.

CentOS 8 & CentOS 8 Stream

  1. As the system boots, press Esc to bring up the GRUB boot prompt. The prompt happens early in the boot process. If you miss the prompt, you need to restart the server from the control panel and try again.
  2. At the GRUB boot prompt, press E to edit the first boot option.
  3. Find the kernel line starting with linux.
  4. Change ro to rw init=/sysroot/bin/sh.
  5. Press Ctrl+X or F10 to boot into single user mode.
  6. Access the system with the command: chroot /sysroot.
  7. Type passwd and follow the prompts to change the root password.
  8. Run touch /.autorelabel to force file system relabeling. This is required for systems with SELinux. When you reboot the system, it will relabel the filesystem for SElinux. The reboot may take extra time during this process.
  9. Run exit.
  10. Run logout.
  11. Run reboot to reboot the server.

CentOS 9 Stream

  1. As the system boots, press Esc to bring up the GRUB boot prompt. The prompt happens early in the boot process. If you miss the prompt, you need to restart the server from the control panel and try again.
  2. At the GRUB boot prompt, use the arrow keys to highlight one of the rescue kernels and press E to edit the boot options.
  3. Find the kernel line starting with linux.
  4. Change ro to rw init=/sysroot/bin/sh.
  5. Press Ctrl+X or F10 to boot into single user mode.
  6. Press Enter to enter maintenance mode.
  7. Access the system with the command: chroot /sysroot.
  8. Type passwd and follow the prompts to change the root password.
  9. Run touch /.autorelabel to force file system relabeling. This is required for systems with SELinux. When you reboot the system, it will relabel the filesystem for SElinux. The reboot may take extra time during this process.
  10. Run exit.
  11. Run reboot to reboot the server.

CoreOS

Vultr creates CoreOS instances with a root user and password. The core user has sudo access and may log in with an SSH Key, if the key was selected when the instance was created. If you can log in as core with the SSH key, reset the root login by executing sudo passwd as core. If you lost your SSH key, you can log in as core by editing the GRUB loader.

  1. As the system boots, press Esc to bring up the GRUB boot prompt. The prompt happens early in the boot process. If you miss the prompt, you need to restart the server from the control panel and try again.
  2. At the GRUB boot prompt, press E to edit the first boot option.
  3. Find the kernel line starting with linux$.
  4. Add a space and the text coreos.autologin=tty1 to the end of the line.
  5. Press Ctrl+X or F10 to boot.
  6. You will be logged in as core when the system boots.
  7. Run sudo passwd and follow the prompts to change the root password.
  8. Reboot the server.

Debian

  1. As the system boots, press Esc to bring up the GRUB boot prompt. The prompt happens early in the boot process. If you miss the prompt, you need to restart the server from the control panel and try again.

  2. At the GRUB boot prompt, press E to edit the first boot option.

  3. Find the kernel line starting with linux /boot/.

  4. Add a space and the text init=/bin/bash to the end of the line.

  5. Press Ctrl+X or F10 to boot into single-user mode.

  6. The system will boot, and you will see the root prompt.

  7. Run clear if your prompt is obscured with console text.

  8. Run mount -o remount,rw / to mount the system volume.

  9. Run passwd and follow the prompts to change the root password.

  10. Reboot the server.

     # exec /sbin/init

Fedora 29 through 33

  1. As the system boots, press Esc to bring up the GRUB boot prompt. The prompt happens early in the boot process. If you miss the prompt, you need to restart the server from the control panel and try again.
  2. At the GRUB boot prompt, press E to edit the first boot option.
  3. Find the kernel line starting with linux
  4. Change ro to rw init=/sysroot/bin/sh.
  5. Press Ctrl+X or F10 to boot into single-user mode.
  6. Access the system with the command: chroot /sysroot.
  7. The system will boot, and you will see the root prompt.
  8. Run passwd to change the root password.
  9. Run touch /.autorelabel to force file system relabeling.
  10. Run exit.
  11. Run logout.
  12. Run reboot to reboot the server.

Fedora 34 & 35

  1. As the system boots, press Esc to bring up the GRUB boot prompt. The prompt happens early in the boot process. If you miss the prompt, you need to restart the server from the control panel and try again.
  2. At the GRUB boot prompt, use the arrow keys to highlight one of the rescue kernels and press E to edit the boot options.
  3. Find the kernel line starting with linux.
  4. Change ro to rw init=/sysroot/bin/sh.
  5. Press Ctrl+X or F10 to boot into single-user mode.
  6. Press Enter to enter maintenance mode.
  7. Access the system with the command: chroot /sysroot.
  8. Type passwd and follow the prompts to change the root password.
  9. Run touch /.autorelabel to force file system relabeling. This is required for systems with SELinux. When you reboot the system, it will relabel the filesystem for SElinux. The reboot may take extra time during this process.
  10. Run exit.
  11. Run reboot to reboot the server.

Fedora CoreOS

  1. As the system boots, press E to edit the GRUB boot options. This happens quickly, you have approximately one second to intercept the boot process. If you miss the prompt, restart the server and try again.

  2. Find the kernel line starting with linux.

  3. Remove the console option that reads console=ttyts0,115200n8.

    Remove_Console

  4. Add single to the end of the kernel line.

  5. Press Ctrl+X to start.

    Single

  6. The system will boot to rescue mode. Press Enter for single-user (maintenance) mode.

    RescuePrompt

Change the Core User Password

  1. As root, use the passwd utility to change the core user password.

     # passwd core
     Changing password for user core.
     New password:
     Retype new password:
     passwd: all authentication tokens updated successfully.
  2. Reboot the system:

     # /sbin/reboot -f

Change the Core User SSH key

  1. Log in with the web console as core with the new password.

  2. Add a new public key to ~/.ssh/authorized_keys.d/. Choose a logical filename for the key.

    統 Note: The web console does not support copy and paste. The easiest method is to upload the key to a public site, then use curl. Delete the key from the website when finished.

     $ curl https://example.com/id_rsa.pub >> ~/.ssh/authorized_keys.d/new_public_key
  3. Set the permissions for the new public key.

     $ chmod 600 ~/.ssh/authorized_keys.d/new_public_key
  4. Recommended: Lock the core user password.

     $ sudo passwd -l core
     passwd: success
  5. Log out of the web console.

  6. Log in as core via SSH with your new key.

FreeBSD

  1. At the boot menu, press 2 for single-user mode. The prompt happens early in the boot process. If you miss the prompt, you need to restart the server from the control panel and try again.
  2. At the root prompt, type mount -u -a -o rw to remount the disk RW.
  3. Type passwd to change the root password.
  4. Reboot the server.

OpenBSD

The "Send CtrlAltDel" button in the web console does not work for OpenBSD. You must perform steps 1 and 2 quickly before the boot proceeds.

  1. Click the Server Restart icon in the Vultr customer portal.

    Server Restart

  2. Open the web console.

    Vultr Web Console

    See the Web Console FAQ for more information.

  3. The second stage boot loader pauses for a few seconds to give you a chance to provide parameters to the kernel. Pass the -s flag to boot:

     >> OpenBSD/amd64 BOOT 3.47
     boot> boot -s

    If you miss the prompt, you need to restart the server from the control panel and try again.

  4. Enter the pathname of your shell or press Enter for sh.

  5. Mount the root filesystem read-write.

     # fsck -p / && mount -uw /
  6. Change the root password.

     # passwd
  7. Type CtrlD to restart the server in multiuser mode.

Rocky Linux

  1. As the system boots, press Esc to bring up the GRUB boot prompt. The prompt happens early in the boot process. If you miss the prompt, you need to restart the server from the control panel and try again.
  2. At the GRUB boot prompt, press E to edit the first boot option.
  3. Find the kernel line starting with linux.
  4. Change ro to rw init=/sysroot/bin/sh.
  5. Press Ctrl+X or F10 to boot into single user mode.
  6. Access the system with the command: chroot /sysroot.
  7. Type passwd and follow the prompts to change the root password.
  8. Run touch /.autorelabel to force file system relabeling. This is required for systems with SELinux. When you reboot the system, it will relabel the filesystem for SElinux. The reboot may take extra time during this process.
  9. Run exit.
  10. Run logout.
  11. Run reboot to reboot the server.

Ubuntu

  1. As the system boots, press Esc to bring up the GRUB boot prompt. The prompt happens early in the boot process. If you miss the prompt, you need to restart the server from the control panel and try again.

  2. At the GRUB boot prompt, press E to edit the first boot option.

  3. Find the kernel line starting with linux /boot/.

  4. Add a space and the text init=/bin/bash to the end of the line.

  5. Press Ctrl+X or F10 to boot into single-user mode.

  6. The system will boot and you will see the root prompt.

  7. Run mount -o remount,rw / to mount the system volume.

  8. Run passwd and follow the prompts to change the root password.

  9. Reboot the server.

     # exec /sbin/init

VzLinux

  1. As the system boots, press Esc to bring up the GRUB boot prompt. The prompt happens early in the boot process. If you miss the prompt, you need to restart the server from the control panel and try again.
  2. At the GRUB boot prompt, press E to edit the first boot option.
  3. Find the kernel line starting with linux.
  4. Change ro to rw init=/sysroot/bin/sh.
  5. Press Ctrl+X or F10 to boot into single user mode.
  6. Access the system with the command: chroot /sysroot.
  7. Type passwd and follow the prompts to change the root password.
  8. Run touch /.autorelabel to force file system relabeling. This is required for systems with SELinux. When you reboot the system, it will relabel the filesystem for SElinux. The reboot may take extra time during this process.
  9. Run exit.
  10. Run logout.
  11. Run reboot to reboot the server.

Windows Server

You need to use a bootable rescue ISO if the Windows administrator account password is locked or forgotten. This tutorial is a step-by-step guide to unlock administrator on Windows Server with SystemRescue x64, a self-contained Linux ISO used for many maintenance and rescue tasks.

Perform a Clean Shutdown

If possible, perform a clean Windows shutdown. When we mount the rescue ISO, you'll reboot the server through the customer portal. If Windows isn't already powered down, you may have issues mounting the disk later in SystemRescue.

Make a Backup

Before attempting any rescue, back up your VPS. Vultr offers manual snapshots and automated backups for VPS instances. If you do not have automatic backups enabled, make a manual snapshot. Attempting to rescue a server without a backup is reckless. There is no substitute for a sound backup strategy. You can create a server snapshot in a few clicks in the customer portal.

You are responsible to back up all your mission-critical data, following your local laws and organizational policies. Vultr does not maintain additional backups outside your customer portal.

Mount SystemRescue

Navigate to the Server Information page in the customer portal. Select Settings > Custom ISO. Select the SystemRescue ISO, then click Attach ISO and Reboot.

Attach ISO

The server will reboot from the ISO. Connect to the server with the web console to perform the rescue steps. It may take a few moments for you to be able to view your instance console while the server reboots.

BootSRCD

Select "Boot SystemRescue using default options" and press Enter. Wait for the ISO to boot to a root prompt.

Mount the Windows Device

  1. Locate the correct Windows device with fdisk. Look for the main Windows system device. Normally, this will be the NTFS type device with a similar size to the VPS disk. For this tutorial, use /dev/vda2, the 79.5 GB NTFS device.

     # fdisk -l
    
     Device     Boot   Start       End   Sectors  Size Id Type
     /dev/vda1  *       2048   1126399   1124352  549M  7 HPFS/NTFS/exFAT
     /dev/vda2       1126400 167770111 166643712 79.5G  7 HPFS/NTFS/exFAT
  2. Make a mount point folder.

     # mkdir /mnt/win
  3. Attempt to mount the Windows system disk.

     # mount /dev/vda2 /mnt/win

    If mount succeeded, skip to the next section. Mount might encounter errors if the system wasn't shut down cleanly in step one.

     The disk contains an unclean file system (0, 0).
     Metadata kept in Windows cache, refused to mount.
     Falling back to read-only mount because the NTFS
     partition is in an unsafe state. Please resume and
     shutdown Windows fully (no hibernation or fast
     restarting.)
  4. If mount encounters errors, as shown above, the Windows device will be mounted read-only. Before we can correct the error, unmount the drive.

     # umount /dev/vda2
  5. With the drive unmounted, run ntfsfix resolve the dirty shutdown error. Replace /dev/vda2 with your partition.

     # ntfsfix /dev/vda2
    
     ...
     NTFS partition /dev/vda2 was processed successfully.
  6. After ntfsfix completes, attempt to mount the device.

     # mount /dev/vda2 /mnt/win

Unlock the Account

  1. Navigate to the C:\Windows\System32\config folder, which is now mounted in SystemRescue under /mnt/win.

     # cd /mnt/win/Windows/System32/config/
  2. Launch chntpw in interactive mode, using the default Security Account Management (SAM) database.

     # chntpw -i SAM
    
     1 - Edit user data and passwords
     2 - List groups
         - - -
     9 - Registry editor, now with full write support!
     q - Quit (you will be asked if there is something to save)
  3. Enter 1 + Enter to edit user passwords. A user list will appear.

     | RID -|---------- Username ------------| Admin? |- Lock? --|
     | 01f4 | Administrator                  | ADMIN  |          |
     | 01f7 | DefaultAccount                 |        | dis/lock |
     | 01f5 | Guest                          |        | dis/lock |
     | 01f8 | WDAGUtilityAccount             |        | dis/lock |
    
     Please enter user number (RID) or 0 to exit: [1f4]
  4. Enter the RID number for the account you'd like to edit.

        - - - - User Edit Menu:
        1 - Clear (blank) user password
        (2 - Unlock and enable user account) [seems unlocked already]
        3 - Promote user (make user an administrator)
        4 - Add user to a group
        5 - Remove user from a group
        q - Quit editing user, back to user select
        Select: [q] > 1
  5. Choose an option from the menu. For this tutorial, choose 1 to clear the password.

     Password cleared!
  6. Enter Q to exit the user menu.

  7. Enter Q to exit chntpw.

     Hives that have changed:
     #  Name
     0  <SAM>
     Write hive files? (y/n) [n] : y
  8. Enter Y to save the SAM hive.

Unmount the Windows Device

  1. Change to the root directory.

     # cd /
  2. Unmount the Windows device.

     # umount /dev/vda2

Remove ISO and Reboot

  1. Navigate to the Server Information page in the Customer Portal.
  2. Click Settings.
  3. Click Custom ISO.
  4. Click the large Remove ISO button, which will spawn a popup.
  5. To confirm removal and reboot the VPS, click the Remove ISO button on the popup.

Remove ISO

8. Log in and Set a Strong Password

You must log in to the server through the web console to set a new password. Remote Desktop Protocol (RDP) does not allow login with blank passwords.

  1. Log in with your username, and leave the password field empty. The password reset procedure with SystemRescue completely removes the password.
  2. Click the Send CtrlAltDel button, located in the upper-right of the web console.
  3. Enter a new, strong password for your user account in Windows.