Recover forgotten root password on CentOS 7

Document created by John Snider Employee on Sep 26, 2019Last modified by John Snider Employee on Mar 30, 2020
Version 4Show Document
  • View in full screen mode

Change Note:

The attached script for changing passwords across all Netwitness hosts, has been updated due to changes in salt version in 11.4.


Normally resetting the root password is a simple task if you’re logged in already with root privileges, however if you forget the password and need to change it things become a little more difficult.

The process has changed from CentOS version 6 to 7,  (NetWitness 10.x to NetWitness 11.x) as previously you would boot into single user mode and then change the password as root. From version 7 the equivalent modes are the rescue or emergency targets, however these require the root password before you can do anything which doesn’t help us here, so this will take you through the new process to change the lost root password.


This procedure will be completed in the console of the Linux system, either with KVM connected directly to the Host, or via the iDRAC console, so be sure that you have access to this prior to beginning.

  • If your system is currently running, reboot it (Either via the NetWitness UI, via iDRAC, or using the physical power switch on the host). If it is not yet running, start it up. At the boot menu, press the ‘e’ key to edit the first boot entry.


  • If prompted for a Username/Passord for GRUB, Enter username and password : username- root / password- netwitness


  • From the grub options, find the line that starts with “linux16” and go to the end of it. Enter ‘rd.break’ without quotes at the end of this line, as shown below.
  • Press “Ctrl+x” to boot with these options. This will boot to the initramfs prompt with a root shell. 
  • At this stage, the root file system is mounted in read only mode to /sysroot and must be remounted with read/write (rw) permissions in order for us to actually make any changes. This is done with the ‘mount -o remount,rw /sysroot’ command.
  • Once the file system has been remounted, change into a chroot jail so that /sysroot is used as the root of the file system. This is required so that any further commands we run will be in regards to /sysroot. This is done by running ‘chroot /sysroot’.
  • From here the root password can be reset with the ‘passwd’ command.
  • You can now reboot, enter ‘exit’ command twice, the first one will exit the chroot jail environment while the second will exit the initramfs root shell and reboot the system.
  • Once the reboot has completed you will be able to use the root account with your newly set password.



As shown we can reset the root password in Linux CentOS/RHEL 7 by booting with the ‘rd.break’ option, remounting the file system with read/write privileges, creating a chroot jail, and executing the passwd command

When your system has booted back up you’ll be able to use the new root password.


Replicate the new password across all hosts in the NetWitness 11.x environment

If the forgotten password was used across ALL hosts in your NetWitness 11.x environment, you only need to complete the above process on the NW Server (node-zero), then you can run the attached shell script to update the password on ALL hosts via salt.

  • Copy the script to the NW Server
  • Rename to
  • Make the script executable
  • Run the script fro the "root" user:
    • ./ root
      • you will be prompted for to enter the new password twice, it will verify minimum length (default=9) and special character use is compliant with NetWitness
      • then will generate a new shadow password hash and push it to all other hosts for that acct.