Resetting a Password in Linux

Introduction

Before I begin, understand that it's illegal to break into computers without authorization. Laws vary by location, but it's at least a third degree felony in Florida, and it's a second degree felony if you cause harm. Don't do it. That said, there are plenty of legitimate reasons to reset a password, and the same approach can also be used for data recovery and making other configuration changes when normal access methods fail. I actually messed up my boot config yesterday and had to do something like this to fix it. Just don't be an idiot because you can lose data or worse - I'm not responsible for how you use this information.


Preparation

Resetting a password manually requires physical access to the computer so you can boot from a CD. You might need to change the boot order in the BIOS so it boots from the CD before the hard drive, but you shouldn't need to open the case or take the hard drive out unless the BIOS locks you out. In that case, you might need to move a jumper on the motherboard or even remove the CMOS battery to reset the BIOS so that you can change the boot order. If it's a really old system that absolutely will not boot from a CD, you might need to borrow another computer for this. Just make sure you don't boot from the hard drive on another computer - only boot from the CD.

Make sure to obtain written permission if doing this on behalf of a company - I have been told of at least one case where an IT professional was criminally charged for doing his job because it involved password "cracking", even though weak passwords are a real security threat. You won't be cracking anything, but you can't be too careful.

Finally, if there's even a chance it is running services like SSH which allow remote logins, disconnect it from the network until all the accounts you reset - especially root - are secured. Scripted attacks happen all the time against passwordless accounts.


Changing a Password Normally

Passwords in *nix are saved in the /etc/shadow file as a one-way hash, not as the password itself. They're also salted, so two accounts with the same password still get different hashes. This forces attackers to crack each account's hash individually.

Passwords are easily changed by the current user with the "passwd" command, or for any user by root with "passwd username" ("passwd -d username" removes the user's password entirely). Root access is also required to modify the /etc/shadow file using any other method.


Obtaining Access

The problem is that you probably don't have root access if you're trying to reset a password the hard way. The solution is to use another operating system to access the hard drive and modify the shadow file from it. Windows is no good because it only plays with itself. Fortunately, there are plenty of "live" Linux distributions that merely require you to boot from a CD without installing anything. They're perfect for data recovery, password resets, and the like, because you can access everything on the host computer while writing nothing to its disk unless you choose to. That means the computer you boot with a live CD will boot back into the old OS once you remove the CD, with no changes except those you intentionally made. There's even a forensics distribution named Helix if you want to make sure you don't modify anything:
http://www.e-fense.com/helix

I recommend Knoppix for resetting passwords (helix is based on knoppix). There are others that are more current like Mandriva One which you might have to use for newer hardware like the P35 chipset, but Knoppix has always been my favorite. You can download them here:
http://www.knoppix.net/get.php
http://www.mandriva.com/en/download/free

Note: It's nothing personal, but those are just the ones I have personally used. There are many more. Of course you'll need to burn the downloaded .iso to a CD so you can boot from it.


Finding the Device Name for Your Hard Drive

Once booted into the live CD, /etc/shadow will be a temporary file from the CD that goes away once you power down the machine - it has nothing to do with your host computer. In other words, you can't use the live CD's "passwd" command to reset the host computer's password - you need to do it manually.

To do that, you need to find the device name representing the partition containing the etc/shadow file you're trying to modify. You then need to "mount" that device to a directory so that you can browse the contents in a normal file browser.

As a general rule, the master drive on the primary ATA channel is /dev/hda, the slave is /dev/hdb, and so on. Additional hard drive controllers could cause the lettering to start with "e" instead of "a". The root partition is usually a 1 because it's at the beginning (eg /dev/hda1), but this might not be the case for a dual-boot system. Device names without the number represent the entire drive instead of a specific partition.

In short, finding the correct device name often involves guesswork, but most live CDs create links on the desktop to automatically mount them for you. The problem is that these are usually read-only to protect users from themselves - a reasonable precaution considering this will be many people's first introduction to Linux. Don't worry about that yet because right now you just need to find the one containing the etc/shadow file. Close the file browser once you find it.

Note: It won't literally be "/etc/shadow" because that's the live CD version. Instead, it will be mounted somewhere like /mnt/hd_something#/etc/shadow. The important thing is to remember the device name from the file browser so you can mount it manually.


Enabling Write Access to Your Hard Drive

Open a command prompt and enter the command "su" by itself to make sure you're the root user. Now type "mount" and observe the results. You should see a line containing the device you had just viewed from the links on the desktop. If you're not sure, it'll look something like this:
/dev/hda1 on /mnt/hda1 type ext3 (ro)

The "ro" means that it's read only. You need to unmount it and then remount it with write access. To do that, simply copy the /mnt/location and append it to the "umount" command:
umount /mnt/hda1

You can verify that it's unmounted by typing "mount" again. To mount it, copy and paste the original output to construct a command like this:
mount /dev/hda1 /mnt/hda1

You should then be able to go back to the files using the link on the desktop with full write access. See the "Problems" section at the end if you have trouble.


Resetting a Unix Password

Open the etc/shadow file from the partition links on the desktop using a text editor. You should see data that looks something like this (these are fake hashes for demonstration purposes):

root:$1$4ybTtebt$5eryry/43TWArevtebyer/:14034:0:99999:7:::
rpc:!!:13988::::::
rpcuser:!!:13988::::::
david:$1$YRkoPwXi$4y5bntTwEbvTWeW4bete0/:13988::99999::::
ntp:!!:13989::::::

In this case, david is my user account, and root is the root user account. To reset root's password, simply remove the password hash between the first two colons so the line looks like this:

root::14034:0:99999:7:::

Leave the rest alone and save the file. The next time you boot into that system, it won't prompt for a password when you try to log in as root. Please remember to set new passwords using "passwd user" for each password you cleared after you reboot.

Note: Some systems don't allow a direct root login. I'm not familiar with those, but if the root user looks like the "rpc" user in that it has !! instead of a password hash, leave it alone. The exclamation points mean the account is locked, which is totally different from not having a password. These are probably set up so users run root commands using the sudo command from their own account, which means you probably have to reset their password(s) instead of root's. This is just a guess because my distribution doesn't do that.
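As an added example (not part of the original article), here is a small shell audit of a shadow file in the format shown above. It classifies each account as empty, locked or hashed, so that every account you cleared shows up and gets a new password before the machine goes back on the network. The function names, the temporary sample file and its contents (the fake entries from this article, with root's hash cleared) are my own constructions.

```sh
#!/bin/sh
# Added example, not from the original article: audit a shadow file for
# accounts that can log in with no password at all, which is the state an
# account is left in after its hash is cleared.  Run it against the mounted
# drive, e.g. audit_shadow /mnt/hda1/etc/shadow, before rebooting back into
# the host system or reconnecting it to the network.

# Print one line per account: <user> <state>, where state is one of
#   empty  - password field is blank: anyone can log in with no password
#   locked - field starts with "!" or "*": password logins are disabled
#   hashed - a real password hash is present
# Shadow lines are colon separated: user:hash:lastchange:min:max:warn:inactive:expire:
audit_shadow() {
    awk -F: '
        NF >= 2 {
            if ($2 == "")           state = "empty"
            else if ($2 ~ /^[!*]/)  state = "locked"
            else                    state = "hashed"
            print $1, state
        }' "$1"
}

# Succeeds (exit 0) if at least one account has an empty password field,
# fails (exit 1) otherwise.  Handy as the last check before rebooting.
has_passwordless() {
    audit_shadow "$1" | awk '$2 == "empty" { found = 1 } END { exit !found }'
}

# Constructed sample: the fake entries from the article, root's hash removed.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root::14034:0:99999:7:::
rpc:!!:13988::::::
rpcuser:!!:13988::::::
david:$1$YRkoPwXi$4y5bntTwEbvTWeW4bete0/:13988::99999::::
ntp:!!:13989::::::
EOF

audit_shadow "$SAMPLE_SHADOW"
if has_passwordless "$SAMPLE_SHADOW"; then
    echo "WARNING: at least one account has no password - run passwd before rebooting" >&2
fi
```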


Possible Problems

Sometimes files you click in Konqueror open as a preview in Konqueror instead of in a separate program. Make sure you right-click on the shadow file so you can open it in an external editor like kwrite.

If the mount command is giving you trouble, make sure you're really the root user by typing "su". If that doesn't help, try constructing the mount command like this, taking care to copy the correct device name from the previously mentioned "mount" output:
mount -t ext3 -o rw /dev/hda1 /mnt/hda1

Note: if it's already mounted read only (type "mount" by itself to find out), you need to unmount it first as previously mentioned (eg "umount /mnt/hda1_or_whatever_it_is").

You should then be able to go back to the mounted files using the link on the desktop, but this time you'll have write access. If not, and "mount" shows that it's mounted with "rw" access, then try running konqueror as root: type "su" at the command prompt to switch to root if you weren't already, and once you have the root prompt type "konqueror &". The & tells it to return the command prompt without waiting for konqueror to exit (for your convenience). I doubt you need to run it as root to bypass security restrictions against the normal user because this is a live CD, but I thought I'd mention it just in case.

Finally, if konqueror isn't on your live CD, you'll need some other way to access the file, like editing it directly with vim or another editor (paying attention to the proper /mnt/path):
vi /mnt/hda1/etc/shadow

Vim isn't the most user-friendly, but it's simple enough for this. Please read each step thoroughly before trying them:
1) Move the cursor over the characters you want to delete as previously mentioned, then press the "x" key over each until they're all gone. Be careful not to delete the : characters. If you mess up, don't try to fix it - just go to step 3 and try again.
2) When you're done, type : (hold shift and then press the : key), type the letter x, then press Enter. This saves the file and exits.
3) If you mess up, type : and then q! instead of x, then press Enter. This tells it to quit without saving.

It's a lot easier in a graphical program like kwrite, so I recommend doing this from a GUI file browser unless you know what you're doing. Eg:
kwrite /mnt/hda1/etc/shadow

Anyway good luck - please leave comments if you found this helpful or have suggestions.