Bootloader and partition changes can render a system unbootable. Keep a live USB handy and verify changes before rebooting production machines.
What you will achieve
Reset a forgotten root or sudo user password via GRUB single-user/recovery mode on Debian/Ubuntu — physical or console access required.
1) GRUB menu
Reboot, hold Shift (BIOS) or Esc (UEFI) for GRUB. Edit the default entry with e.
2) Debian/Ubuntu recovery
Find the line starting with linux and append:
rw init=/bin/bash
Press Ctrl+X or F10 to boot. Then:
passwd root
# or for sudo user:
passwd username
exec /sbin/init
3) systemd emergency
Alternative: add systemd.unit=emergency.target to the kernel command line, boot, then run passwd from the emergency shell.
4) Fedora/RHEL
Interrupt GRUB, edit the entry, append rd.break to the kernel line, remount /sysroot read-write per Red Hat docs, then passwd root.
Verify
Reboot normally and log in with the new password. Re-enable SELinux/AppArmor if you disabled anything during recovery.
5) Encrypted LUKS complicates recovery
Single-user mode still prompts for the LUKS passphrase before the root shell. Without the passphrase, recovery means a header backup plus its passphrase, or data loss.
6) cloud-init and VPS
Most cloud providers offer console reset password via hypervisor — faster than GRUB edit when serial console access is awkward.
7) After reset
sudo passwd -u username
sudo faillock --user username --reset
Clear lockout from failed attempts before retrying SSH.
Physical security note
Anyone with USB access can reset passwords this way — full-disk encryption is what protects laptops at rest, not BIOS passwords alone.
8) GRUB password protection
GRUB can be password-protected — without it, physical access still allows init=/bin/bash. Pair with LUKS for real protection.
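A defender-side check for the two points above, as an added example that is not part of the original page: one helper lists the override parameters this page uses when they appear in a kernel command line, the other reports whether a grub.cfg defines a superuser with a password. The names recovery_flags, grub_password_set, demo and SAMPLE_CMDLINE are hypothetical, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit helpers for the
# boot-time override this page describes.

# Print every recovery-style parameter found in a kernel command line.
# Matches only the parameters named on this page.
recovery_flags() (
    set -f                      # no glob expansion while splitting
    for arg in $1; do
        case "$arg" in
            init=*|rd.break|systemd.unit=emergency.target)
                printf '%s\n' "$arg" ;;
        esac
    done
)

# Return 0 if the given grub.cfg names a superuser AND defines a
# password entry for that user; return 1 otherwise.
grub_password_set() {
    users=$(sed -n 's/^[[:space:]]*set[[:space:]][[:space:]]*superusers=//p' "$1" \
            | tr -d "\"'" | tr ',;&|' '    ')
    [ -n "$users" ] || return 1
    for u in $users; do
        grep -Eq "^[[:space:]]*password(_pbkdf2)?[[:space:]]+$u[[:space:]]" "$1" \
            && return 0
    done
    return 1
}

# Constructed sample inputs so the script runs offline.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root ro quiet rw init=/bin/bash'

demo() {
    cfg=$(mktemp) || return 1
    printf 'set superusers="admin"\npassword_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER\n' >"$cfg"
    if grub_password_set "$cfg"; then
        echo "grub.cfg: superuser password configured"
    else
        echo "grub.cfg: no password, boot entries can be edited freely"
    fi
    echo "override parameters in sample cmdline: $(recovery_flags "$SAMPLE_CMDLINE")"
    rm -f "$cfg"
}
demo
```

On a live host, call `recovery_flags "$(cat /proc/cmdline)"` and, as root, `grub_password_set /boot/grub/grub.cfg` (the Debian/Ubuntu path). /proc/cmdline keeps showing init=/bin/bash after `exec /sbin/init`, so the first check flags a system that was reset this way until its next reboot.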
Prerequisites
Physical access, hypervisor console, or IPMI. GRUB visible at boot. LUKS passphrase if disk encrypted. Know username to reset (root vs sudo user). Single-user target understood.
Disable quiet splash for GRUB menu
Edit GRUB_TIMEOUT in /etc/default/grub if menu flashes too fast on future boots — set 5+ seconds for easier recovery access.
GRUB disable graphics
Add nomodeset to the kernel command line when the recovery shell is invisible because of a broken GPU driver; text-mode recovery still works.
Azure/AWS instance reset
Cloud panels inject temporary SSH keys or run cloud-init reset — faster than GRUB when serial console is awkward. Document provider procedure alongside bare-metal GRUB method in runbook.
init=/bin/bash and SELinux
Fedora recovery shell may need touch /.autorelabel after passwd reset before reboot — SELinux contexts on /etc/shadow otherwise block login.
Document provider console path
Runbook should list Hetzner Lish, AWS EC2 serial, Proxmox console in same section as GRUB method — on-call at 3am picks fastest path per hosting environment.