1

My parrotOS won’t boot. I didn’t change anything major on my system before this issue happened. I had no issues restarting the system previously. I’m on parrotOS 5.2.

My fstab looks fine and I did not edit it before this issue happened.

Now when I start the computer I get an error in emergency mode:


> Cannot open access to console, the root account is locked. See sulogin(8) man page for more details.



Pushing any key just repeats the message, the same thing happens in recovery mode.

I have tried editing fstab (taking out swap and non-essential drives) and editing the rescue.service file to try and boot sulogin --force, but that didn’t work. I’ve also run fsck, which returned 0 (no errors).

This is what I tried in the rescue.service:

ExecStart=-/bin/sh -c "/sbin/sulogin --force; /bin/systemctl --job-mode=fail --no-block default"

I think this is related to a Debian bug - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211

I found the following documentation but don’t really know what to do with it. How do I set the environment variable $SYSTEMD_SULOGIN_FORCE=1?

systemd-sulogin-shell:

  • $SYSTEMD_SULOGIN_FORCE=1 — This skips asking for the root password if the root password is not available (such as when the root account is locked). See sulogin(8) for more details.

5.2.3. The rescue boot option is unusable without a root password

With the implementation of sulogin used since buster, booting with the rescue option always requires the root password. If one has not been set, this makes the rescue mode effectively unusable. However it is still possible to boot using the kernel parameter

init=/sbin/sulogin --force

To configure systemd to do the equivalent of this whenever it boots into rescue mode (also known as single mode: see systemd(1)), run

sudo systemctl edit rescue.service

and create a file saying just:

[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1

It might also (or instead) be useful to do this for the emergency.service unit, which is started automatically in the case of certain errors (see systemd.special(7)), or if emergency is added to the kernel command line (e.g. if the system can't be recovered by using the rescue mode). For background and a discussion on the security implications see #802211.

mb0x88
  • 11
  • 2

1 Answer

0

What to do if you are getting the "Cannot open access to console, the root account is locked... " message

In this situation, the OP would need to try and specify a kernel boot parameter init="/sbin/sulogin --force". Since kernel parameters are normally separated from each other by whitespace, the quotes are probably necessary.

On 2023-May-13, a patch was applied to systemd-sulogin-shell to allow specifying the SYSTEMD_SULOGIN_FORCE=1 on the kernel command line too. In other words, if you have a recent enough version of systemd, you will be able to use your bootloader to type these options into kernel boot parameters to force the system to give you rescue mode access even if the root account is locked:

SYSTEMD_SULOGIN_FORCE=1 init=/sbin/sulogin

But if your systemd is older than 2023-May-13 this will not work, unless your distribution has specifically backported this patch.

How to configure rescue.service to allow access even if the root account is locked

This is what you can do in advance when your system still boots normally.

If you want the system to automatically give you root shell on the console in rescue mode even if the root account is locked or the root password is otherwise unavailable, follow these steps:

Step 1.)

Run systemctl edit rescue.service with sudo/as root. This will open an editor that will create a /etc/systemd/system/rescue.service.d/override.conf file for you. On older versions of systemd, the editor will be initially blank; on newer versions, there will be some descriptive comments and a commented-out version of the existing rescue.service definition for your information. In both cases, just type in the following two lines:

[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1

This method of adding the SYSTEMD_SULOGIN_FORCE variable will work on any version of systemd that is newer than 2018-Oct-17 or has this patch backported by your distribution.

Depending on your distribution, you might want to apply a similar modification to emergency.service too.

Step 2.)

Update your initramfs file. On Debian and related distributions, running update-initramfs -u -k all should work. Other distributions use different initramfs generators: on modern RedHat/Fedora and relatives, dracut -f should work. On Arch, the command might be mkinitcpio but I'm not sure of any options required.

Updating your initramfs ensures the SYSTEMD_SULOGIN_FORCE=1 environment variable will be in effect whenever rescue.service is invoked. It might not be strictly necessary in all possible cases, but better safe than sorry.

telcoM
  • 87,318
  • 3
  • 112
  • 232
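
An added example (not part of the answer above, and not systemd's own code): a POSIX shell check that reads the drop-ins `systemctl edit` writes under /etc/systemd/system and reports whether rescue.service and emergency.service will give a root shell without asking for the password. It looks only at that one directory, treats the boolean spellings listed in the code as true (an assumption about how the value is parsed), and runs here against a constructed sample tree; all function names are made up for this example.

```shell
# Added example: which units get a passwordless root shell via SYSTEMD_SULOGIN_FORCE?
# Only ROOT/etc/systemd/system/UNIT.d/*.conf is read (where `systemctl edit` writes).

# Print the value the drop-ins give SYSTEMD_SULOGIN_FORCE for UNIT ("" if unset).
# Files are read in lexical order; the last assignment wins.
sulogin_force_value() {
    root=$1 unit=$2 value=
    for conf in "$root/etc/systemd/system/$unit.d"/*.conf; do
        [ -f "$conf" ] || continue
        while read -r line || [ -n "$line" ]; do
            case $line in
                Environment=) value= ;;   # an empty assignment resets the list
                Environment=*)
                    for tok in $(printf '%s' "${line#Environment=}" | tr -d '"'); do
                        case $tok in SYSTEMD_SULOGIN_FORCE=*) value=${tok#*=} ;; esac
                    done ;;
            esac
        done < "$conf"
    done
    printf '%s\n' "$value"
}

# Return 0 if UNIT's value is a boolean "true" (assumed spellings below).
unit_skips_root_password() {
    case $(sulogin_force_value "$1" "$2" | tr '[:upper:]' '[:lower:]') in
        1|yes|y|true|t|on) return 0 ;;
    esac
    return 1
}

# Print one status line for each unit the page discusses.
audit_sulogin_force() {
    for u in rescue.service emergency.service; do
        if unit_skips_root_password "$1" "$u"; then
            echo "$u: root shell without password (SYSTEMD_SULOGIN_FORCE set)"
        else
            echo "$u: sulogin requires the root password"
        fi
    done
}

# Constructed sample tree: rescue.service has the Step 1 override, emergency.service none.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/systemd/system/rescue.service.d"
    printf '[Service]\nEnvironment=SYSTEMD_SULOGIN_FORCE=1\n' \
        > "$d/etc/systemd/system/rescue.service.d/override.conf"
    echo "$d"
}

sample=$(make_sample_root); audit_sulogin_force "$sample"; rm -rf "$sample"
```

To check a live system, call `audit_sulogin_force ""`; `systemctl show -p Environment rescue.service` shows the merged environment as systemd itself sees it.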