URL:
Reporter RHNID: mikephillips1973
Section: -
Language: en-US (English)||||||||
Workaround:

Description: In chapter 10, the information for "Resetting the Root Password" (ch10s03) seems to basically be the same information from the RHEL 7 version of the course. While there are many ways in which the root password can be reset, I would argue that passing "systemd.debug-shell" to grub at boot has to be one of the easiest methods. I don't believe this was possible in RHEL 7.0 (which the RHCE-track still uses), but it became available in one of the 7.x releases.

After passing this argument to grub, the student could wait for the machine to boot normally and then switch to tty9 (Ctrl+Alt+F9). A root shell is open where the student can set root's password. Once done, switch back to tty1 (Ctrl+Alt+F1) and log in as root (no reboot or SELinux relabel required). At this point, stop the debug-shell service with: systemctl stop debug-shell

I'm sure there will be a reluctance to change this, but I hope that it is considered. Even if using the debug-shell.service isn't demonstrated as a way to recover root's password, I believe the "Enabling the Early Debug Shell" section of ch10s03 should show how the debug-shell.service can be started from GRUB. This allows students to be able to start the debug-shell on demand when they need it the most (typically when they are having a problem at boot).

If we do change this, some additional security concerns could come up which used to be addressed in RHEL 6 and earlier classes (item 1 below) as well as in RH413 (both items):
1. How do we set a grub password?
2. How to you prevent someone from walking up to a machine and rebooting it with Ctrl+Alt+Del? This one is easy:

1. ln -s /dev/null /etc/systemd/system/ctrl-alt-del.target