FedoraRHEL Based

How To Change Root Password on Fedora 43

r00t
8 minutes read

Change Root Password on Fedora 43

Locked out of your Fedora 43 system — or simply need to update a stale root credential on a Linux server? You’re not alone. Whether you’re a developer tightening up a development box or a sysadmin rotating credentials on a production system, knowing how to change root password on Fedora 43 is a non-negotiable skill.

This guide covers three battle-tested methods: changing the root password via terminal (when you know the current credentials), resetting it through GRUB emergency mode (when you’ve forgotten it), and recovering via a Live USB (for encrypted or inaccessible systems). By the end, you’ll have a fully working root account — plus a clear understanding of why Fedora’s SELinux integration makes the process slightly different from other distros.

What Is the Root Account in Fedora 43 — and Why Does It Matter?

The root user is the superuser in any Linux system — UID 0, with unrestricted access to every file, process, and configuration on the machine. Think of it as the master key to your entire operating system.

Fedora, unlike some other distributions, disables direct root login by default during installation. Instead, it grants administrative access to the first created user via the wheel group and sudo. This is a deliberate security decision — it limits the attack surface by ensuring no one can brute-force a root login over SSH.

But the root account still exists. You can set or change its password at any time, and there are legitimate reasons to do so:

  • Rotating credentials on a shared server for compliance
  • Unlocking root access for specific automation scripts
  • Recovering access after forgetting the password
  • Hardening a new Fedora 43 setup with a strong root credential

Understanding this context helps you apply the right method below — and avoid the most common mistakes, especially around SELinux.

Prerequisites — What You Need Before You Start

Before jumping into any of the methods, make sure you have:

  • Fedora 43 installed (methods also work on Fedora 41/42)
  • A sudo-enabled user account in the wheel group (required for Method 1)
  • Physical access to the machine or console access (required for Methods 2 and 3)
  • A bootable Fedora 43 Live USB
  • Basic comfort navigating a terminal

⚠️ Security Notice: Changing a root password requires privileged access. Performing these steps on a system you do not own or administer may be illegal. Always ensure you have authorization.

How to Change Root Password on Fedora 43 via Terminal (Method 1)

This is the fastest and cleanest method — no rebooting required. Use it when you’re already logged into your Fedora 43 system and either know the current root password or have sudo access.

Step 1: Open a Terminal

Launch your terminal emulator. In GNOME (the default Fedora desktop), press Ctrl + Alt + T or search “Terminal” from the Activities menu. On a headless server, you’re already in a terminal — proceed directly.

Step 2: Elevate to Root

Run the following command to switch into a root shell:

sudo -i

This command launches an interactive root login shell — your prompt changes from $ to #, confirming you’re now operating as root.

Alternatively, if root already has a password set:

su -

The difference: sudo -i uses your sudo password and respects your user’s sudo privileges, while su - requires the root password directly. For most Fedora 43 setups, sudo -i is the right call.

Step 3: Change the Root Password

Now run:

passwd

Or, if you want to be explicit:

passwd root

Both commands are equivalent when you’re already in a root shell. Fedora will prompt you to enter the new password twice:

New password:
Retype new password:
passwd: all authentication tokens updated successfully.

💡 Why the complexity warning? Fedora 43 uses PAM (Pluggable Authentication Modules) with pam_pwquality to enforce password strength. If your password is too short or too simple, PAM will reject it with a warning. Use a minimum of 12 characters with a mix of uppercase, lowercase, numbers, and symbols.

Step 4: Verify the Change

Log out of the root shell, then test the new password:

exit
su -
id

Expected output:

uid=0(root) gid=0(root) groups=0(root)

If you see UID 0, the change worked perfectly.

Quick Reference: Method 1 Commands

sudo -i
passwd
# Enter new password twice
exit

How to Reset Root Password on Fedora 43 via GRUB Emergency Mode (Method 2)

This is the method you need when you’ve forgotten the root password and can’t log into a privileged session. It works by intercepting the boot process at the GRUB level and dropping you into a minimal bash shell before the OS fully initializes.

⚠️ This method requires physical access to the machine. That’s by design — it’s a powerful reminder that physical security is as important as software security on any Linux server.

Step 1: Reboot and Open the GRUB Menu

Restart your Fedora 43 system:

reboot

As the system powers on, press ESC repeatedly (or hold Shift on some BIOS setups) to reveal the GRUB boot menu. You’ll see a list of kernel entries — select the active Fedora 43 kernel using the arrow keys.

Step 2: Edit the Kernel Boot Parameters

With your target kernel entry highlighted, press e to open the boot editor.

Use the arrow keys to navigate to the line that begins with linux, linux16, or linuxefi — this is the kernel command line.

Move to the end of that line and add:

rw init=/bin/bash

Here’s what each parameter does:

  • rw — Mounts the root filesystem in read-write mode (the default ro is read-only, which prevents password changes)
  • init=/bin/bash — Bypasses systemd entirely and drops you directly into a bash shell as root

If your system uses disk encryption, also add plymouth.enable=0 to the same line to prevent Plymouth’s graphical splash screen from blocking the decryption prompt.

Step 3: Boot into the Emergency Shell

Press Ctrl + X or F10 to boot with your modified parameters.

After a few seconds, you’ll land at a minimal bash prompt:

bash-5.2#

You are now root — with no password required. This is a privileged shell, so proceed carefully.

Step 4: Verify the Filesystem Is Writable

Before changing the password, confirm the filesystem is mounted read-write:

mount | grep ' / '

You should see rw in the options. If you see ro instead, remount it manually:

mount -o remount,rw /

This is one of the most common places where the "Authentication token manipulation error" appears — always check this before running passwd.

Step 5: Change the Root Password

Now run the password change:

passwd

Enter your new password twice. You’ll see:

New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Step 6: Handle SELinux Relabeling — the Most Critical Step

This step is unique to Fedora (and other SELinux-enforcing distros like RHEL and CentOS). Fedora 43 runs SELinux in enforcing mode by default.

When you change /etc/shadow outside the normal OS boot flow, the file’s SELinux security context can become mismatched. If you skip this step, you will be unable to log in even though the password was changed correctly — a frustrating experience widely reported in Fedora community forums.

Fix it with one command:

touch /.autorelabel

This creates an empty file that signals the SELinux subsystem to perform a full filesystem relabeling on the next boot.

Step 7: Reboot the System

Exit the emergency shell and trigger the init system:

exec /sbin/init

Or force a hard reboot:

/sbin/reboot -f

During the next boot, Fedora will automatically relabel the SELinux filesystem. This can take a few minutes on systems with large amounts of data — this is normal. Press ESC during boot to monitor the progress.

Quick Reference: Method 2 Commands

# In GRUB editor, append to the linux line:
rw init=/bin/bash

# Once in emergency shell:
mount -o remount,rw /
passwd
touch /.autorelabel
exec /sbin/init

How to Reset Root Password on Fedora 43 via Live USB (Method 3)

Use this method when GRUB is inaccessible, the disk is encrypted in a way that blocks Method 2, or you prefer a clean recovery environment. It requires a bootable Fedora 43 Live USB.

Step 1: Boot from the Fedora 43 Live USB

Insert your Live USB and power on the machine. In your BIOS/UEFI boot menu (usually F12 or F2 depending on your hardware), select the USB device. At the Fedora 43 boot menu, choose “Try Fedora” to load the live desktop.

Step 2: Open Terminal and Switch to Root

From the live desktop, open GNOME Terminal (Activities → Terminal). The Live environment has no root password, so simply run:

su

You’ll immediately be at a root # prompt.

Step 3: Identify Your Root Partition

Use lsblk to list all block devices and identify your installed Fedora root partition:

lsblk

Expected output (example):

NAME            MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sda               8:0    0   500G  0 disk
├─sda1            8:1    0     1G  0 part /boot/efi
├─sda2            8:2    0     1G  0 part /boot
└─sda3            8:3    0   498G  0 part
  ├─fedora-root 253:0    0    70G  0 lvm
  ├─fedora-home 253:1    0   420G  0 lvm
  └─fedora-swap 253:2    0     8G  0 lvm

For most Fedora installs using LVM (the default), your root partition is /dev/fedora/root.

Step 4: Mount the Installed System

Create a mount point and mount the root partition:

mkdir -p /mnt/sysimage
mount /dev/fedora/root /mnt/sysimage

If your system also has a separate /boot partition, mount it too:

mount /dev/sda2 /mnt/sysimage/boot

For LUKS-encrypted disks, you’ll need to unlock the volume first with cryptsetup luksOpen before mounting.

Step 5: Chroot into the Installed System

chroot (change root) switches your active root directory to the mounted Fedora installation. This means all commands you run next operate inside your real system, not the Live environment:

chroot /mnt/sysimage /bin/bash

Your prompt updates to confirm you’re inside the chroot:

bash-5.2#

Step 6: Change the Root Password and Reboot

Now change the password exactly as in Method 1:

passwd

Enter the new password twice. Exit the chroot and reboot:

exit
reboot

Remove the Live USB during the reboot countdown. Your Fedora 43 system will boot normally with the new root password.

Quick Reference: Method 3 Commands

su
lsblk
mkdir -p /mnt/sysimage
mount /dev/fedora/root /mnt/sysimage
chroot /mnt/sysimage /bin/bash
passwd
exit
reboot

Troubleshooting: Common Errors and Fixes

Even with the right steps, things can go sideways. Here are the five most common issues — and how to fix them fast.

Error 1: “Authentication token manipulation error”

Cause: The root filesystem is still mounted read-only when you run passwd.

Fix: Run this before attempting the password change:

mount -o remount,rw /

Then retry passwd.

Error 2: Can’t Log In After Changing the Password

Cause: SELinux security context mismatch on /etc/shadow. This is the #1 overlooked issue on Fedora.

Fix: Boot back into GRUB emergency mode, then run:

touch /.autorelabel
exec /sbin/init

Allow the system to fully reboot and relabel.

Error 3: GRUB Menu Doesn’t Appear on Boot

Cause: GRUB timeout is set to 0 (common on fast-boot systems or VMs).

Temporary fix: Hold Shift during POST to force the menu.

Permanent fix: Once inside the system, edit the GRUB config:

sudo nano /etc/default/grub
# Set: GRUB_TIMEOUT=5
sudo grub2-mkconfig -o /boot/grub2/grub.cfg

Error 4: System Drops Into Emergency Mode Asking for Root Password

Cause: Fedora 43 changed how rd.break works — it now requires a root password in emergency mode rather than providing a password-free shell.

Fix: Use the rw init=/bin/bash method (Method 2) instead of rd.break.

Error 5: LUKS Encrypted Disk Blocks the Process

Cause: Full disk encryption requires a passphrase before GRUB can even boot the system.

Fix: Add plymouth.enable=0 to the kernel parameters in GRUB, and enter your LUKS passphrase when prompted. Then proceed with the password change steps.

Root Password Security Best Practices on Fedora 43

Changing the password is just the start. Here’s how to keep your configure Root Password on Fedora 43 setup properly hardened:

  • Use a strong password — minimum 12 characters with mixed case, numbers, and symbols. Fedora’s pam_pwquality enforces minimum standards automatically.
  • Customize PAM policy if you need stricter rules — edit /etc/security/pwquality.conf to set minlen, dcredit, ucredit, and other quality parameters.
  • Avoid using root for daily tasks — use sudo from a wheel group user instead. This limits the blast radius of any mistake or security breach.
  • Lock root if not needed — on servers where you rely entirely on sudo, consider locking the root account:
passwd -l root
  • Disable SSH root login on any public-facing server — edit /etc/ssh/sshd_config, set PermitRootLogin no, and restart sshd.
  • Monitor for unauthorized access — check /var/log/secure or use:
journalctl -u sshd --since "24 hours ago"

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!
r00t
8 minutes read
Photo of r00t

r00t

r00t is a dedicated and highly skilled Linux Systems Administrator with over a decade of progressive experience in designing, deploying, and maintaining enterprise-grade Linux infrastructure. His professional journey began in the telecommunications industry, where early exposure to Unix-based operating systems ignited a deep and enduring passion for open-source technologies and server administration.​ Throughout his career, r00t has demonstrated exceptional proficiency in managing large-scale Linux environments, overseeing more than 300 servers across development, staging, and production platforms while consistently achieving 99.9% system uptime. He holds advanced competencies in Red Hat Enterprise Linux (RHEL), Debian, and Ubuntu distributions, complemented by hands-on expertise in automation tools such as Ansible, Terraform, Bash scripting, and Python.
Copyright © 2026 idroot.us | All Rights Reserved | Follow us for more Linux tutorials!
Back to top button