FreeBSD - How to reset root account password

After the initial installation, the root password should be changed to a sufficiently complex password, and then forgotten. We're not supposed to use the root login and password day to day, as that exposes the box to unnecessary risk. My preferred way of doing system administration is sudo: it's more secure, controllable, and flexible.

But things happen. Today I totally forgot the root password. The box is locked out to the extent that only console access is allowed. Worst of all, the regular password for the user name I use to log in for sysadmin tasks has been "forgotten" as well. Too bad...

Anyway, as long as the physical box can be accessed, no security measure is good enough to stop the box from being compromised. :P

This box is running the superior FreeBSD OS. The root password can be reset by:
  1. Boot into single user mode when the FreeBSD boot menu is presented.
  2. Press Enter when prompted "Enter full pathname of shell or RETURN for /bin/sh:"
  3. By default, the root (/) partition is mounted read-only; remount it read-write (the -u flag updates the existing mount instead of attempting a second mount of an already-mounted file system):
    mount -u -o rw /
  4. Now that the file system is in read-write mode, we can reset root's password by :
  5. After changing the password, exit single user mode and start the (usual) multi user mode :

Okay, I've "re-owned" my box again. But hey, isn't that a bit too easy for "others" to access it as well??? Yeah, I think so too. This calls for some digging into the FreeBSD Handbook. It has everything a sysadmin needs to know, from installation to security and server fine-tuning. That's why I like FreeBSD: the documentation is superb!!!

Enough talking, turn to page 12, chapter 6, paragraph 2.
Oops, actually there is no such page numbering, I made it up, but the link is true & genuine. :)

The FreeBSD Handbook shows that the console can be secured with the root password whenever single user mode is initiated. This is how to make a FreeBSD server ask for a password before entering "single user mode":
  1. The virtual terminals' configuration file is /etc/ttys; edit it:
    vim /etc/ttys
  2. Change the following line:
    console        none                            unknown off secure
    to:
    console        none                            unknown off insecure
  3. Save and quit vim.

Reboot the box and boot into single user mode if you want to test it.
By the way, the keyword "insecure" means that the console is considered insecure and thus the root password is required for authentication before single user mode can be accessed. It DOES NOT mean that the console is run insecurely. Take note.
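To check that a box actually got this change (and to apply it without hand-editing), here is an added shell example, not from the original post or from FreeBSD itself, that reads an /etc/ttys-style file, reports whether the console entry still carries the literal "secure" flag, and writes a hardened copy. It assumes the ttys(5) layout (terminal name in field 1, flags from field 5 on) and that only the exact word "secure" counts, which is what init(8) checks before skipping the root-password prompt; the sample file is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit the console entry of an
# /etc/ttys-style file and write a hardened copy. Only the literal flag word
# "secure" matters: init(8) skips the root-password prompt for single-user mode
# when the console entry carries it. Assumes ttys(5) layout: field 1 is the
# terminal name, fields 5 onward are flags.

# Print "secure", "insecure" or "missing" for the console entry in file $1.
ttys_console_status() {
    awk '
        /^[[:space:]]*#/ { next }   # comment line
        NF == 0          { next }   # blank line
        $1 == "console" {
            found = 1
            for (i = 5; i <= NF; i++)
                if ($i == "secure") { print "secure"; exit }
            print "insecure"; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Copy $1 to $2, replacing the whole-word flag "secure" with "insecure" on the
# console line only; every other line and the column alignment are preserved.
ttys_harden_console() {
    sed -E '/^[[:space:]]*console[[:space:]]/ {
        s/([[:space:]])secure([[:space:]])/\1insecure\2/
        s/([[:space:]])secure$/\1insecure/
    }' "$1" > "$2"
}

# Constructed sample file (not copied from any real system) to exercise both.
SAMPLE_TTYS="$(mktemp)"
cat > "$SAMPLE_TTYS" <<'EOF'
# name    getty                           type    status comments
console   none                            unknown off secure
ttyv0     "/usr/libexec/getty Pc"         xterm   on  secure
ttyu0     "/usr/libexec/getty std.9600"   vt100   off secure
EOF

echo "console before: $(ttys_console_status "$SAMPLE_TTYS")"
ttys_harden_console "$SAMPLE_TTYS" "$SAMPLE_TTYS.hardened"
echo "console after:  $(ttys_console_status "$SAMPLE_TTYS.hardened")"
```

On a real box, point ttys_console_status at /etc/ttys from a periodic check so a reverted console line is noticed; the hardened copy only takes effect once it replaces /etc/ttys and init re-reads it.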

Now single user mode is protected by root password authentication. Does that mean the root password cannot be reset anymore if it is forgotten (again???)?

Nope, "as long as the physical box can be accessed, no security measure is good enough to stop the box from being compromised" still stands. This is how to reset root's password when booting into single user mode requires the root password: use the Fixit CD. The Fixit CD can be downloaded from FreeBSD's website, over here. By the way, check out the mirrors as well. Here's how to reset the root password using the Fixit CD:
  1. Boot the box from the Fixit CD.
  2. When the "sysinstall" menu is presented, select the option "Fixit", then "CDROM/DVD Use the "live" filesystem CDROM/DVD".
  3. At this point, a command line shell is spawned by the Fixit CD.
  4. Mount the root partition under the /mnt/ directory, e.g.
    mkdir /mnt/rootpart; mount /dev/ad0s1 /mnt/rootpart
    where "rootpart" is the mount point for the root partition (use the device name that actually holds your root file system).
  5. Change the current root into the temporary root partition (at /mnt/rootpart):
    chroot /mnt/rootpart
  6. Change the root password by :
  7. After giving root a new password, exit the "chroot" so that we return to the Fixit spawned shell.
  8. Unmount the temporary root mount point, as we're going to reboot the box:
    umount /mnt/rootpart
  9. Exit the Fixit spawned shell :
  10. The "sysinstall" menu should appear again. Exit the "sysinstall" menu and it'll reboot.

Physical access to any box is as important as any other security aspect (software & OS). It deserves attention. Lock your box not only using password authentication, but also using keys.

Shalom !!!

1 comment:

Unknown said...

When I execute the passwd command I got this message:

passwd : not found

What is the problem?? Help me.