Forcing RHEL to prompt for password in Single User mode
For security reasons, one may want to force the system to prompt for the root password even in Single User mode.
By default, RHEL systems do not ask for a password and drop directly to a root shell. Single User mode can usually be used to reset the root password.
Note: After modifying the RHEL configuration, if you forget your root password, you will have to boot the system in rescue mode to revert the configuration in order to be able to change the root password in Single User mode.
The following procedures have been created for RHEL 5, 6 and RHEL 7.
In RHEL 5
To force users to enter a password in Single User mode, add ~:S:respawn:/sbin/sulogin to /etc/inittab:
# vi /etc/inittab
[...]
~:S:respawn:/sbin/sulogin
Changes to this file take effect after a system reboot.
To make init re-read /etc/inittab without rebooting the system, type the command:
# /sbin/init q
For RHEL 6
Edit /etc/inittab and add "su:S:wait:/sbin/sulogin" before the 'initdefault' line:
# vi /etc/inittab
[...]
su:S:wait:/sbin/sulogin
id:3:initdefault:
Edit /etc/sysconfig/init and replace "SINGLE=/sbin/sushell" with "SINGLE=/sbin/sulogin":
# vi /etc/sysconfig/init
[...]
# Set to '/sbin/sulogin' to prompt for password on single-user mode
# Set to '/sbin/sushell' otherwise
SINGLE=/sbin/sulogin
Under RHEL 7
By default, Single User mode is password protected by the root password under RHEL 7:
# cat /usr/lib/systemd/system/rescue.service
[...]
[Service]
Environment=HOME=/root
WorkingDirectory=/root
ExecStartPre=-/bin/plymouth quit
ExecStartPre=-/bin/echo -e 'Welcome to emergency mode! After logging in, type [...]
ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
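To verify the settings described above on RHEL 5, 6 or 7, the following audit script is an added example and not part of the original procedure. The function names (has_line, check_single_user_auth, demo) and the ROOT argument, which lets the check run against a mounted image or a constructed test tree, are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit whether single-user mode asks for the root password.
# Function names and the ROOT argument are hypothetical, not from the page.

# has_line RE FILE: true if FILE is readable and has a line matching RE.
has_line() {
    [ -r "$2" ] && grep -Eq "$1" "$2"
}

# check_single_user_auth ROOT RELEASE
#   ROOT: "/" on a live host, or the mount point of an offline image
#   RELEASE: 5, 6 or 7. Returns 0 if protected, 1 if not, 2 on bad usage.
check_single_user_auth() {
    root=${1%/}; rel=$2; ok=no
    # inittab format is id:runlevels:action:process; skip commented lines
    entry='^[^#:]*:S:(respawn|wait):/sbin/sulogin'
    case $rel in
    5)  has_line "$entry" "$root/etc/inittab" && ok=yes ;;
    6)  # the page changes both files, so require both
        has_line "$entry" "$root/etc/inittab" &&
        has_line '^[[:space:]]*SINGLE=/sbin/sulogin[[:space:]]*$' \
            "$root/etc/sysconfig/init" && ok=yes ;;
    7)  # ExecStartPre= lines do not match; only the main command counts
        has_line '^ExecStart=.*/sulogin' \
            "$root/usr/lib/systemd/system/rescue.service" && ok=yes ;;
    *)  echo "usage: check_single_user_auth ROOT 5|6|7" >&2; return 2 ;;
    esac
    if [ "$ok" = yes ]; then
        echo "RHEL $rel: single-user mode prompts for the root password"
    else
        echo "RHEL $rel: single-user mode gives a root shell without a password"
        return 1
    fi
}

# Constructed sample: a RHEL 6 tree that still has SINGLE=/sbin/sushell.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/etc/sysconfig" || return 2
    printf 'su:S:wait:/sbin/sulogin\nid:3:initdefault:\n' > "$t/etc/inittab"
    printf 'SINGLE=/sbin/sushell\n' > "$t/etc/sysconfig/init"
    check_single_user_auth "$t" 6 || true      # reports the unprotected state
    printf 'SINGLE=/sbin/sulogin\n' > "$t/etc/sysconfig/init"
    check_single_user_auth "$t" 6; rc=$?       # reports the protected state
    rm -rf "$t"; return "$rc"
}
demo
```

The RHEL 7 branch reads only the unit file shown above; a unit override placed under /etc/systemd/system is not inspected.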