Recovering a lost Unix Root Password

DESCRIPTION This article contains information on how to recover the root password on a unix machine when there is no other way to gain root access.
HOST Written specifically for a Solaris host, but the general principle may apply to any unix/linux server

Root Password Recovery

Note: That if you happen to have a copy of the shadow file (which you normally can only read as root) then there are ways to crack the root password without going through the procedure described below.

The general principle is as follows:

Boot the server off something other than its internal disk eg CDROM
This normally gives you root access to a temporary instance of the OS.
Mount the partition containing the root password into the temporary OS instance.
Change the password.
Reboot normally.

Here’s a example:

You’ll need console access and physical access to the machine to insert a CDROM.

I used the "Solaris 8 Installation 6/00" CDROM, but any version of Solaris would have had the same effect. I also used a serial cable and SecureCRT as my terminal.

Shutdown as many applications as you can.

Insert the CDROM.

Shut the machine down – since you don’t have the root password you’ll have to just turn the power off. This in itself is a risk as you may not always be able to recover open files etc when the server comes back up.

As the server comes back up, break to the Open Boot Prom, using CTRL-Break from a console or STOP-A from a Sun keyboard.

Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 440MHz), No Keyboard

OpenBoot 3.25, 512 MB (50 ns) memory installed, Serial #13721451.

Ethernet address 8:0:20:d1:5f:6b, Host ID: 80d15f6b.

Initializing Memory /

Break into the Boot Prom at this point (CTRL-Break)

Boot from the CDROM into single user mode

ok boot cdrom -s

Boot device: /pci@1f,0/pci@1,1/ide@3/cdrom@2,0:f File and args: -s

SunOS Release 5.8 Version Generic_108528-01 64-bit

Copyright 1983-2000 Sun Microsystems, Inc. All rights reserved.

Configuring /dev and /devices

Using RPC Bootparams for network configuration information.




Search for the hard disk that contains the root partition (which also contains the /etc/shadow file)

# format

Searching for disks...done

0. c0t0d0 <ST39120A cyl 17660 alt 2 hd 16 sec 63>


Specify disk (enter its number): ^D

In this case, its easy since there is only one disk. Now mount the partition which contains the root file system. This would normally be slice 0, but could be any other slice.

# mount /dev/dsk/c0t0d0s0 /mnt

# cd /mnt

If etc is not here, you’ll need to umount /mnt and try mounting another slice.

# cd etc


# vi shadow

I don't know what kind of terminal you are on - all I have is 'unknown'.

[Using open mode]

"shadow" [Read only] 22 lines, 587 characters



We have to set our terminal so that vi works properly.

# ksh -o vi

# export TERM=vt100

Now edit the shadow file and blank out the root password.

# vi shadow

Change the entry that looks like this




close and save the file

# reboot


Eject the CDROM.

When the machine comes up, you should be able to login with no root password. Change the root password.