Root password not working after moving to Rocky Linux from CentOS

Hey guys,

I moved one of the test CentOS 7.9 server to Rocky Linux.

However since moving over to Rocky, same root password doesn’t work anymore via SSH.

I went and tried few things to reset root password but that didn’t work.
Tried below ones.

Then I realised that username is “admin” and not “root”. Tried to login as admin as well but can’t go beyond password as I can’t get any password to work. Tried no password after trying to login as admin as well.

Is there any trick to this now?

Would hate to break a non-test production server while moving from CentOS to Rocky.

Any ideas or suggest please?

I followed this process to migrate while fixing any issues along the way.

This above link doesn’t mention anything to say that password may not work after moving to Rocky. Am i missing something obvious here??

The process documented there is unsupported. We do not support major version upgrades.

I will assume your migration went ok, however.

Did you create the admin account? There is no account with that name by default.

On Rocky Linux 9 (and other enterprise linux distributions), root SSH passwords are disabled. The default setting is prohibit-password. If you want to allow root passwords again, you would need to modify sshd_config or create a conf file under /etc/ssh/sshd_config.d that says PermitRootLogin yes.

I would verify all settings under /etc/ssh/sshd_config and sshd_config.d.

The interactive installer of el9 does have a checkbox for “allow root ssh with pw”. If selected,
the installer creates file /etc/ssh/sshd_config.d/01-permitrootlogin.conf
with PermitRootLogin yes in it.
This overrides the default (PermitRootLogin prohibit-password).

@Garyzzz Authentication with ssh keypair is enabled and recommended over password authentication.


The in-place conversion (ELevate) does not add such custom config. What does it even do for sshd_config on conversion to el9? (I have never even looked at that script, let alone use it.)

I’m aware of how the installer works and what it does. If you read the rest of my reply, I note the default setting. And this post is specifically about an upgrade, not a clean installation, hence why I stated root ssh passwords are disabled, the default setting, and to verify all configuration items in /etc/ssh.

My reply was mainly for @Garyzzz

Now I realize that there is a detail worthy of note. The default sshd_config on el9 is minimal:

# grep "^[^#]" /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
AuthorizedKeysFile	.ssh/authorized_keys
Subsystem	sftp	/usr/libexec/openssh/sftp-server

Most of (non-default) config is from the included files. (The sshd did not have Include option before el9.)

If the config files of the openssh-server were unmodified, then they have been replaced. Were “defaults”, are (new) “defaults”. However, update of packages tends to keep modified config files, so it could have the old sshd_config that does not have the Include. (There could also be openssh-server.rpmsave or openssh-server.rpmnew file.)

If I can’t login to the machine, I am not sure how can I check these mentioned settings or files. Not even sure if I should try root username and password as admin is not even available unless configured.

/etc/ssh/sshd_config and sshd_config.d

I have migrated to Rocky Linux 8.10 with Kernel version 4.18.0-553.16.e18_10.x86_64 if that helps.

Thank you

Sounds like this is the way to go. Is this what I should follow?

How to exactly login is the main issue for me. To create admin account or check any config or files I still need to login right. If root is not supposed to work or used, using SSH Keys is the way before changing config so if I want to use root or admin account, I can use it? As it’s just test server I won’t mind using root account or admin account over SSH. Thank you

There are local and remote logins. The local is available if you have keyboard and monitor on the machine. (KVM switch or virtual console on iDRAC/iLO count as local even when accessible over network.) An ssh connection is remote.

If the machine has accounts “root” and “admin”, you should be able to login to both locally just like you did before with CentOS. Isn’t the idea of (ELevate) “upgrade” to keep the existing accounts and passwords?

Remote login with ssh should work for “admin” as before. Only for “root” the ssh no longer accepts password.

Yes. Since you cannot ssh to root, deploying the “public key” has to be done manually.

For example, login locally and download from somewhere. Or, (ssh) login as admin, then become root (e.g. sudo) and add the key’s text to /root/.ssh/authorized_keys.


For production server (that is still CentOS or Rocky 8) you should be able to ssh-copy-id, so you can start using keypair authentication before you convert the system into el9.

Have you tried using your standard User Account to SSH into the Server, then use sudo to do tasks that require root access, or su to to change to root after you have SSH’d in?

What’s the default password for admin? also what’s this rockstar account as I can’t login with that either.

I am baffled with this upgrade now as this is a virtual machine and I don’t have local access to it. Only remote access and nothing seems to be working so far.

I would refrain from any more “upgrades” to “migration” until I am confident.

When I try admin account with username just admin, I just get access denied same way I get it for root account. I did take vmware snapshot for this VM before starting this process, I feel like reverting to previous snapshot now.

That’s what I thought. But clearly isn’t the case. If I can’t migrate from CentOs 7.9 to Rocky 8, then not sure exact recommended path is. @nazunalika said “we do not support major version upgrades”. I didn’t try going to Rocky 9, but just version 8. Even that’s created issues.

I think this is it then. As root isn’t working. admin wasn’t created before i migrated to Rocky, I suppose this below process which i followed to upgrade to version 8, is not meant to work then. So basically this means rolling back is only option left.

I have reversed to snap taken before starting this process. I will dig around to see best way to move away from CentOs to Rocky

CentOS 7 was one of the “el7” distros. Rocky 8 is one of the “el8” distros. Rocky 9 is one of the “el9” distros. Three distinct “major versions”. In-place conversion between them is not supported. A side-grade, e.g. CentOS 8 → Rocky 8, is supported as it is el8 → el8; sufficiently similar distros.


As said, a procedure like ELevate should not remove or add accounts, nor change their passwords. Install of a package may create system account for a service provided by the package. For example, munge.service requires group munge and account munge.

Where and how did you see the admin account?


An installed system has roughly three things: system files, config, and user data.

  • System files are “easy”, a list of packages to install. However, the lists in CentOS 7 and Rocky are not identical; one has to figure out equivalent packages.
  • Config is for the packages. Its details can change. E.g. replacing OpenLDAP server with 389ds cannot keep old config verbatim, and even config of sshd evolves. (List of accounts is config.)
  • User data is “easy”; just copy over. Well, if the data was in MariaDB 5 and new system has MariaDB 10.5, then the databases probably need some “migration”. Likewise, user’s customizations for DE (e.g. Gnome) are likely to require tweaking.

What I use for “fresh installs” is kickstart and Ansible playbooks. The kickstart is minimal. Its main action is to deploy ssh public key for root account. I have gathered the list of packages and config into “plays” that Ansible deploys into the new system. The plays are also a copy, a backup, of the config. Rocky has packages ansible-core and rhel-system-roles. Red Hat has documentation about the use of System Roles.

I have reinstalled same machine multiple times before I got by kickstart and plays to achieve what I want. Now I can reinstall many machines with those plays “hands down”.

What SSH client are you using?
On RockyLinux9 (and RHEL9 as well), RSA/SHA1 login is not available by default.
What are the results when you try logging in with other modern SSH clients such as putty, teraterm, etc.?

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.