Password Recovery on BIG-IP 11.x–14.0

Applies to: BIG-IP 11.x, 12.x, 13.x, 14.0
Bootloader: GRUB 0.97 or GRUB2

Reboot into Single-User Mode

  1. Reboot the system via console.
  2. At the GRUB menu:
    • GRUB2 platforms: highlight your kernel entry, press e, append single (or single fastboot to skip fsck), then Ctrl-x to boot.
    • GRUB 0.97 platforms: press e twice to edit the kernel line, append single, then press b to boot.

Note: If you’re uncertain which GRUB version your appliance uses, refer to F5’s K14658 KB article.

Reset the Root Password

Once you reach a prompt like switch_root:/#:

shell
mount -a
passwd root
  • mount -a ensures all filesystems from /etc/fstab are mounted (including / as read-write).
  • passwd root invokes the password-set utility—enter and confirm your new strong password.
  • Type exit or reboot to continue normal boot.

After reboot, you can log in with your new root password.

Password Recovery on BIG-IP 14.0 and Later

F5 revised its architecture in 14.x, using the rd.break kernel parameter to interrupt the boot process more cleanly.

Enter rd.break Mode

  1. Reboot and, at the GRUB menu, highlight the kernel entry.
  2. Press e to edit; on the kernel line, append rd.break.
  3. Press Ctrl-x (or b) to boot into the minimal shell.

Identify Your Logical Volumes

shell
mount | grep /dev/mapper/vg--db

Typical output:

bash
/dev/mapper/vg--db--sda-set.2.root   on /sysroot
/dev/mapper/vg--db--sda-set.2._usr   on /sysroot/usr

If you see vda instead of sda, substitute accordingly.

Remount Filesystems Read-Write

shell
mount -o remount,rw /sysroot
mount -o remount,rw /sysroot/usr

Mount Config & Var Volumes

Based on your “set” number (e.g., set.2):

shell
mount /dev/mapper/vg--db--sda-set.2._config  /sysroot/config
mount /dev/mapper/vg--db--sda-set.2._var     /sysroot/var

Verify all are rw:

shell
mount | grep /dev/mapper/vg--db

Chroot & Reset

shell
chroot /sysroot
passwd root

Set your new root password when prompted.

Ensure SELinux Relabeling

shell
touch /.autorelabel

This flags the filesystem for relabel on next boot.

Exit & Reboot

shell
exit   # from chroot
exit   # from switch_root shell

System boots normally, and you can log in as root with your new password.

VIPRION Multi-Blade Note: On chassis with multiple blades, repeat the password change on the primary blade. After reboot, log in to the secondary blade and connect with ssh primary (key-based authentication) to propagate the change.
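
The "Identify Your Logical Volumes" and "Mount Config & Var Volumes" steps depend on reading the disk name (sda or vda) and set number correctly from the mount output. The following helper is an added example, not part of the original procedure or F5's tooling: it derives both from `mount` output and prints the matching commands for review. The function names and the sample output are constructed for illustration, and it assumes device-mapper names of the form /dev/mapper/vg--db--<disk>-set.<n>.<volume> (device-mapper doubles the hyphens inside LVM names).

```shell
#!/bin/sh
# Added example, not F5 code. Assumes device names of the form
# /dev/mapper/vg--db--<disk>-set.<n>.<volume>, as in the output above.

# Constructed sample of `mount` output in the rd.break shell (vda platform).
SAMPLE_MOUNT='rootfs on / type rootfs (rw)
/dev/mapper/vg--db--vda-set.1.root on /sysroot type ext3 (ro,relatime)
/dev/mapper/vg--db--vda-set.1._usr on /sysroot/usr type ext3 (ro,relatime)'

# Read `mount` output on stdin and print the device prefix of the volume set
# mounted at /sysroot, e.g. /dev/mapper/vg--db--sda-set.2
# Returns 1 when no vg--db root volume is mounted there.
volume_prefix() {
    while read -r dev _on mnt _rest; do
        [ "$mnt" = "/sysroot" ] || continue
        case "$dev" in
            /dev/mapper/vg--db--*-set.*.root)
                printf '%s\n' "${dev%.root}"
                return 0 ;;
        esac
    done
    return 1
}

# Print (without running) the remount and mount commands for that volume set.
recovery_mounts() {
    prefix=$(volume_prefix) || {
        echo "no vg--db root volume mounted at /sysroot" >&2
        return 1
    }
    printf 'mount -o remount,rw /sysroot\n'
    printf 'mount -o remount,rw /sysroot/usr\n'
    printf 'mount %s._config /sysroot/config\n' "$prefix"
    printf 'mount %s._var /sysroot/var\n' "$prefix"
}

# Demo on the constructed sample; on the appliance: mount | recovery_mounts
printf '%s\n' "$SAMPLE_MOUNT" | recovery_mounts
```

The commands are only printed, so they can be checked against the mount output before being typed.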

Special Cases & Considerations

RAID vs. Non-RAID on 14.1.0+

  • Non-RAID platforms (14.1+): refer to KB K35811337.
  • RAID-capable platforms (14.1+): refer to KB K23220345.

These outline slight variations in volume mappings when using hardware RAID controllers.

vCMP Guests

For BIG-IP instances running as vCMP guests, follow KB K14581 for single-user mode nuances.

Skipping FSCK

If forced filesystem checks prompt for passwords, append single fastboot instead of single for GRUB2 boots to skip checks.

Admin/User Password Recovery on rSeries

On F5 rSeries appliances (F5OS), “root” and “admin” reside in separate partitions and use a systemd-based boot:

  • Reboot to the F5OS bootloader; at the boot menu, press e on the default image.
  • On the linuxefi line, append rd.break.
  • Press Ctrl-x to continue into the maintenance shell.
  • Remount overlays as read-write:
mount -o remount,rw /sysroot && mount -o remount,rw /sysroot/sysroot
chroot /sysroot
  • Change the admin (or root) password:
passwd admin   # or passwd root
  • Reload SELinux policy & restore contexts:
load_policy -i
restorecon -v /etc/shadow
  • Update shadow tracker if needed (rSeries-specific):
awk -F: '/^admin:/{print "admin admin", $2, $3}' /etc/shadow >> /etc/libnss-udr/shadow.tracker
  • Exit twice to continue boot; log in with your new credentials.

Last modified: May 26, 2025
