1. Introduction

Not all Linux distributions force a root or other superuser password to be set during installation. Thus, it might not be possible to log in with these accounts directly or via su. On the other hand, sometimes we just don’t want to.

In this tutorial, we explore ways to change the root password without logging in as root. First, we check a couple of tools for passphrase modification. After that, we show how a classic security tool can be combined with them for our purposes.

We tested the code in this tutorial on Debian 11 (Bullseye) with GNU Bash 5.1.4. It should work in most POSIX-compliant environments.

2. Password Changes

Password changes are important and sometimes mandatory. Because of this, users can usually modify their own passwords by default.

Let’s see a couple of commands to do that.

2.1. passwd

The POSIX standard command for user password changes is passwd:

$ passwd
Changing password for baeldung.
Current password:
New password:
Retype new password:
passwd: password updated successfully

In addition, a superuser can use passwd to --lock and --unlock a user, which controls whether they can manipulate their own passphrase:

$ passwd --lock baeldung

The above prevents further password changes unless done by a superuser. We can confirm that with the --status flag:

$ passwd --status
baeldung L 02/23/2023 0 99999 7 -1

Here, L designates the user as locked.

Further, we can see the minimum (--mindays, here, 0) and maximum (--maxdays, here, 99999) days that a password remains valid. Of course, we can also choose to immediately --expire it, forcing the user to change their password the next time they log in.

Finally, to simply remove a password, we use --delete. Running passwd directly acts on the current user.
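When auditing several accounts, the fields of a passwd --status line can be interpreted in a script. The following is an added example, not part of the original tutorial: the function names describe_status and is_int and the root and deploy sample lines are constructed, and the Debian state letters L, NP and P from passwd(1) are assumed.

```shell
#!/bin/sh
# Added example: explain one line of `passwd --status` output (Debian format).
# Field order per passwd(1): user, state, last change, min days, max days,
# warning days, inactivity days.

# is_int STRING -> succeeds only for an optionally negative whole number
is_int() {
    case $1 in
        ''|-) return 1 ;;
        *[!0-9-]*|?*-*) return 1 ;;
        *) return 0 ;;
    esac
}

# describe_status LINE -> prints "user: findings", fails on malformed input
describe_status() {
    set -f              # no glob expansion while splitting the line
    set -- $1           # split on whitespace into positional parameters
    set +f
    if [ "$#" -ne 7 ]; then
        echo "malformed: expected 7 fields, got $#"; return 1
    fi
    user=$1 state=$2 changed=$3 min=$4 max=$5
    for n in "$4" "$5" "$6" "$7"; do
        if ! is_int "$n"; then echo "malformed: non-numeric field '$n'"; return 1; fi
    done
    case $state in
        L)  note="password locked" ;;
        NP) note="no password set" ;;
        P)  note="usable password" ;;
        *)  echo "malformed: unknown state '$state'"; return 1 ;;
    esac
    if [ "$max" -lt 0 ] || [ "$max" -ge 99999 ]; then
        note="$note; no expiry"
    else
        note="$note; max age ${max}d"
    fi
    if [ "$min" -gt 0 ]; then
        note="$note; min age ${min}d"
    fi
    echo "$user: $note (last change $changed)"
}

# The first line is the output shown above; the other two are constructed.
describe_status 'baeldung L 02/23/2023 0 99999 7 -1'
describe_status 'root NP 02/23/2023 0 99999 7 -1'
describe_status 'deploy P 01/10/2023 1 90 7 -1'
```

An NP result for root is the case worth flagging in a review, since it means the account has an empty password field rather than a locked one.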

2.2. chpasswd

The chpasswd utility provides scripted access to the basic facility of passwd.

Although we can use passwd in a script, chpasswd is created for that purpose. Given pairs of colon-separated usernames and passphrases on its standard input, chpasswd updates all the corresponding records:

$ echo 'baeldung:baeldungPassword' | chpasswd

In addition, chpasswd provides a mechanism for selecting the input and output encryption methods:

$ echo 'baeldung:baeldungPassword' | chpasswd --crypt-method SHA256

In this case, we use the less secure SHA-256 algorithm for encrypting the output. If no method is supplied, the default is used.

Another benefit of chpasswd is its ability to use a chroot environment via --root. Finally, running chpasswd directly doesn’t produce any prompts.

So, what do we do if we can’t or don’t want to log in as the user we want to change the password for?

3. Change root Password Using sudo

Since sudo changes the execution context of commands, we can use it to switch the account affected by passwd, for example:

$ sudo passwd

Of course, we can explicitly specify root in the command as long as we have the necessary sudoers privileges:

$ sudo passwd root

The same goes for chpasswd:

$ echo 'root:rootPassword' | sudo chpasswd

Actually, we can work around the passphrase altogether by simply using su -:

$ sudo su -
[sudo] password for baeldung:
#

To avoid su but still log in as root without a password, we can employ a sudo flag:

$ sudo --login
[sudo] password for baeldung:
#

The --login or -i switch runs a login shell as the superuser. Since, in our scenarios, root doesn’t have a password, we’re effectively logged in with that account with only sudo authentication.

After that, we can leverage the usual methods for changing the account passphrase.

4. Summary

In this article, we talked about modifying passwords and how to do that for the root user without first using su.

In conclusion, sudo can be invaluable in a scenario like a password change that requires superuser access without an additional login.