
How To Set or Reset your Password If You Are Locked Out of a FreeBSD Droplet

Posted January 14, 2015 | DigitalOcean | FAQ | FreeBSD

Introduction

The primary method for authenticating to FreeBSD servers on the DigitalOcean platform is with SSH keys. You can learn how to create and embed an SSH public key into new Droplet instances by following this guide.

While logging in with SSH keys provides a number of security advantages over password-based authentication, situations can occur that effectively lock you out of your own server. In these cases, it may be necessary to set up a password so that you can log into your server using the DigitalOcean web console.

In this guide, we will demonstrate how to set a password for your FreeBSD Droplet if you ever get locked out of your server.

The Basic Plan

When you include an SSH key in your Droplet during the creation process, for security reasons, the user account on your server is not configured with a password.

However, there are some situations where you will have to log in using unconventional means. For instance, if your SSH key is lost or destroyed or if your server's internal network settings are misconfigured, you will not be able to authenticate using SSH keys.

With most operating systems offered by DigitalOcean, if this happens, users will create a password for the Droplet in the DigitalOcean control panel by clicking on "Access" and then "Reset Root Password" in the Droplet's administration page:

[Screenshot: DigitalOcean reset root pass]

For most operating systems, this will generate a new password and email it to you. You can then use this password with SSH or through the DigitalOcean web console, which provides out-of-band access if your Droplet's networking is not working correctly.

However, this feature is not available for FreeBSD and a different procedure is necessary.

To set or reset a password for a user account in FreeBSD, we will be rebooting the Droplet from the DigitalOcean control panel. We will then be switching over to the virtual web console in order to boot the server into single-user mode. Here, we can mount the filesystem and set a password for our account.

The rest of the guide will outline the step-by-step process needed to set or reset a password for your FreeBSD server. These steps can be taken if you are ever locked out of your server.

Powering Off your DigitalOcean Droplet

The first step in setting or resetting your FreeBSD password is to power off your server. The problem with this requirement is that, most of the time, you will not have command line access to your server if you are attempting this procedure.

If, for some reason, you do have command line access to your server, initiating a shutdown from the command line is the best way to turn off your server:

sudo shutdown -p now

If, like most users in this situation, you do not have command line access to your Droplet, you should shut down your system through the "Power Off" button in the DigitalOcean control panel.

To find this button, choose Power from the left menu, and then click the Power Off button:

[Screenshot: DigitalOcean power off]

This button will attempt to gracefully shut down your Droplet as if you had issued the command we mentioned above. If this does not work, a hard power down will be issued.

Either way, your server should be off, allowing us to move on to the next step.

Power the Server Back On and Switch to Single-User Mode

The DigitalOcean web console is a virtual console interface that emulates a physical connection to your server. Because of this, you can log in to your Droplet even if the server's networking is misconfigured.

Another advantage of the virtual console configuration is that it presents a boot menu when we turn the server on. By taking advantage of this, we can boot into single-user mode.

Single-user mode is a special administrative mode that can only be accessed with a physical connection to the server. It allows the root user to log in without a password. External networking, non-essential services, and additional logins are all disabled. Since the DigitalOcean web console emulates a physical connection, we can boot into single-user mode.

The procedure we will be using requires you to quickly perform a few sequential actions. You must:

  • Power on your server using the control panel button
  • Click on the Console Access button to access the virtual web console
  • Press the "2" key on your keyboard to select the second boot option (single-user mode) before the boot menu times out

You will have to complete the above procedure in a few seconds, so be sure you know what to do before you begin.

First, go to your Droplet's page in the control panel. Choose Power from the left menu, and then click the Power On button.

[Screenshot: DigitalOcean power on]

Next, choose Access from the left menu, and then click the Console Access button.

[Screenshot: DigitalOcean console access]

You will then be taken to the virtual web console, where your Droplet should be reaching the boot menu. When the boot menu loads, quickly press "2" to select single-user mode. Your server will begin to boot into the restricted, single-user administration mode.

Re-Mounting the Filesystem

You will see messages scroll past as FreeBSD boots into single-user mode. At the end, you will see a message like this:

[Screenshot: DigitalOcean drop to shell]

Press "ENTER" at the prompt to start up a shell session.

At this point, you have access to a limited shell environment. However, the filesystem that contains the password information is mounted read-only, meaning that we cannot adjust the passwords.

We can remount the root filesystem in read/write mode by typing:

mount -u /

This will give us access to the system's password database, allowing us to set a new password.

Note: If this command fails with a message stating "Filesystem is not clean", your server was not able to shut down correctly. If this is the case, skip down to the section titled "Troubleshooting: Cleaning Up the Filesystem after an Improper Shutdown".

If the above command succeeded, we can then tell FreeBSD to remount all filesystems, which will give us synchronous access:

mount -a

With this procedure complete, we can now reset the passwords for our server.

Set or Reset the Server Passwords

Once our filesystem is mounted, we can set or reset any of the account passwords on the system using the passwd command.

To set or reset a password for the default freebsd user account, you can type:

passwd freebsd

You will be asked to select and confirm a new password for the account. This account is set up with sudo privileges by default, so typically, this is the only password you need to set.

If, instead, you need to set a password for the root user account, you can do so by typing:

passwd

Again, you will need to select and confirm the password in order for this operation to succeed.

Once you have set the passwords you need, you can exit the single-user environment by typing:

exit

FreeBSD will leave single-user mode and take your server through the rest of the normal boot process. At this point, you can continue to log in using the password you configured with the console, or you can log in using SSH (assuming you have not restricted password logins for SSH sessions).
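
To confirm which accounts accept a password after the reset, the following added example (not part of the original guide) classifies the password field of each entry in a master.passwd-format file. It assumes the standard ten-field master.passwd layout and the "*LOCKED*" prefix written by pw lock; the function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): list which accounts can
# authenticate with a password, from a master.passwd-format file:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# Print "name state" per account. States:
#   empty   no password needed   hash    a password hash is set
#   locked  "*LOCKED*" prefix    nopass  "*": no password can match
audit_passwords() {
    awk -F: '
        /^#/ || NF < 10 { next }    # skip comments and malformed lines
        {
            if ($2 == "")                        state = "empty"
            else if (index($2, "*LOCKED*") == 1) state = "locked"
            else if (substr($2, 1, 1) == "*")    state = "nopass"
            else                                 state = "hash"
            print $1, state
        }' "$1"
}

# Print only the accounts that accept a password login.
accounts_with_password() {
    audit_passwords "$1" | awk '$2 == "hash" || $2 == "empty" { print $1 }'
}

# Constructed sample data; the hash strings are placeholders, not real hashes.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample
root:$6$placeholdersalt$placeholderhash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
freebsd:$6$placeholdersalt$placeholderhash:1001:1001::0:0:FreeBSD User:/home/freebsd:/bin/sh
deploy:*LOCKED*$6$placeholdersalt$placeholderhash:1002:1002::0:0:Deploy:/home/deploy:/bin/sh
EOF
}

# Usage on the server, as root: sh thisfile /etc/master.passwd
if [ "$#" -gt 0 ]; then
    audit_passwords "$1"
fi
```

Any account reported as hash or empty can log in with a password at the console, and over SSH if password logins are permitted there.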

If this procedure worked for you, then you can finish this guide here. If you were unable to mount the filesystem in read/write mode earlier, continue on to the next section.

Troubleshooting: Cleaning Up the Filesystem after an Improper Shutdown

Sometimes, when you power your Droplet off from the DigitalOcean control panel, the graceful shutdown procedure fails. This can occur for a variety of reasons, most often due to conditions within the server itself.

If this happens, a hard power off is run instead. This can lead to an inconsistent disk state that prevents normal mounting. When you attempt to mount the filesystem in read/write mode, you will see an error like this:

[Screenshot: DigitalOcean fsck needed]

In order to fix the filesystem, you must run the fsck command.

Note: Running the fsck command can occasionally result in data corruption when used on active disks. For this reason, we are initiating an fsck on an unmounted filesystem to minimize this risk. Problems can still occur in scenarios where there was significant data being written to disk at the time of the power off event. Most users will not experience any issues, but it is always a possibility when a hard power off occurs.

In order to fix the inconsistency, we can attempt to automatically correct the errors by typing:

fsck

The system will check the filesystem, at times requiring you to type "y" to accept a suggested action. It is typically best to accept these solutions, as there is not much in the way of an alternative for fixing these disk issues.

Once the filesystem check completes, it will be marked as clean:

[Screenshot: DigitalOcean filesystem marked clean]

At this point, you can continue with the procedure outlined above as normal. The condensed steps that you need to take are below.

Mount the filesystem:

mount -u /
mount -a

Set the password for the accounts you need:

# To set the freebsd user account password, type:
passwd freebsd
# To set the root user password, type:
passwd

After setting passwords for the required accounts, exit single-user mode to resume the normal boot sequence:

exit

Conclusion

Hopefully, you will not run into many situations where you are required to set passwords using the above method. While the procedure for FreeBSD is different from that of some of the other operating systems supported by DigitalOcean, it should yield similar results. If you run into any issues while completing the process, open a support ticket through the DigitalOcean control panel to request assistance.
