Forcing RHEL to prompt for password in Single User mode

For security reasons, one may want to force system to prompt for root password even when in Single User mode

By default, RHEL systems do not ask for a password and we are given root shell directly. Single-User mode can usually be used to reset the root password

Note: After modifying the RHEL configuration, if you forget your root password, you will have to boot the system in rescue mode to revert configuration in order to be able to change root password in Single User mode.

The following procedures have been created for RHEL 5, 6 and RHEL 7.

In RHEL 5

To force users to enter password in Single User mode, add ~:S:respawn:/sbin/sulogin; to /etc/inittab:

# vi /etc/inittab
[...]
~:S:respawn:/sbin/sulogin

The changes to this file takes effect after a system reboot.

To make init re-read the /etc/inittab without rebooting the system, type the command:

# /sbin/init q

For RHEL 6

Edit /etc/inittab and add "su:S:wait:/sbin/sulogin" before 'initdefault' line:

# vi /etc/inittab
[...]
su:S:wait:/sbin/sulogin
id:3:initdefault:

Edit /etc/sysconfig/init and replace "SINGLE=/sbin/sushell" with "SINGLE=/sbin/sulogin":

# vi /etc/sysconfig/init
[...]
# Set to '/sbin/sulogin' to prompt for password on single-user mode
# Set to '/sbin/sushell' otherwise
SINGLE=/sbin/sulogin

Under RHEL 7

By default, Single User mode is password protected by the root password under RHEL 7:

# cat /usr/lib/systemd/system/rescue.service
[...]

[Service]
Environment=HOME=/root
WorkingDirectory=/root
ExecStartPre=-/bin/plymouth quit
ExecStartPre=-/bin/echo -e 'Welcome to emergency mode! After logging in, type [...]
ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"