Amazon Linux 2 virtual machine login & password

Updated: March 5, 2018

You may have heard of Amazon Linux 2. It's an AWS operating system, developed by Amazon. It's offered for free, and you even get virtual machine appliances for testing. Which is what I did, as I showed you in my article on this topic.

The one snag that I hit during the testing was the login. Normally, you use SSH to log into your EC2 instances. But what do you use for an essentially offline virtual machine? I could not find any root/ec2-user combo online, and the usual method of trying to change password in single mode did not work. Hence this guide. It will show you how to manually change the login credentials for your Amazon Linux 2 virtual machine, so you can begin testing. After me.

Login prompt

Well, download the image. Boot. Login. What now?

Login, what now?

Single mode

Long-time Linux users will remember the trick. Force your system into single mode, remount the root as writable, change the password, reboot. We've all done this numerous times. Alas, no longer possible.

I tried to append init=/bin/bash to the boot options in the boot menu, and the system had a kernel panic. I'm not sure if this is something in the kernel, the fact Amazon Linux uses the glorious systemd, or something else, but the old and proven method did not help.

Reading online, apart from the million bin-bash entries that yielded nothing new, I found a detailed article on how to change the password for RHEL version 7. The tutorial also mentions the more philosophical concept of a change transitioning from RHEL 6 to RHEL 7, and the fact this is part of the RHCSA exam. I mean what? Where has simplicity gone?

Anyway, I promise you a rant, but as the article states, adding rd.break to the kernel line might help, and since Amazon Linux 2 is based on RHEL, I thought let's do it. Only it did nothing. Amazon Linux blithely booted normally. This did not yield the desired results, either.

Edit boot options

Amazon has a very short and vague passage explaining how to do this. They say you should create a cloud-init configuration ISO, and then they refer you to virtualization platform documentation. Not very helpful, I'm afraid.

Mount VDI manually

We talked about this in the past. I showed you how to mount virtual machine disks and partitions as loopback devices, so you can edit the filesystem contents. We used partx to clone KVM machines. We will do the same thing here, and I'm going to show you yet another way to mount and present virtual machine image filesystems.

We need the qemu-nbd tool, which does a similar trick. This utility is available as part of the qemu-kvm package in most distributions, so you install it. Then, use the tool. If the execution fails, you may need to manually load the nbd (network block device) module into memory. So, the sequence of commands (as sudo or root):

<package manager> install qemu-kvm
modprobe nbd
qemu-nbd -c /dev/nbd0 <name of virtual machine vdi hard disk>

Locate the download the Amazon Linux 2 vdi image and map it into the command above. You do not specifically need to use /dev/nbd0, you can use any which number, but it's easier and cleaner to work sequentially.

Once the block device has been mapped, you will find its partitions under /dev/nbd0p*. The numbers will match the actual hard disk partition layout, say p1, p2, etc. Again, this is almost identical to what what we did with partx. The next step is to mount the desired partition somewhere:

mount /dev/nbd0pX /mountpoint

Once you've done this command, you now have the contents of the Amazon Linux 2 vdi filesystem (partition) exposed under your desired mountpoint (e.g. /mnt), and now we can manipulate it.

Edit the /etc/shadow file

Now we want to change the password. How we're going to do this is as follows. On our native Linux, the one actually running the virtual machine, create a new user. You can call it whatever you want. Let's say amazon. Create a password. Open the /etc/shadow file. You will notice that the password is encrypted and presented as a long hash, in between two colon delimiters. Great. This is what we need. Something like:


Now navigate to the Amazon Linux 2 filesystem mountpoint from earlier, say /mnt and open its shadow file in a text editor:

<text editor> /mnt/etc/shadow

You will notice that the default user is actually called ec2-user. Even if you did not know this, now you do. It also has some hash there for the password. I have no idea what it is, and it does not matter. Replace the hash with the one from the local amazon user. Save the file, unmount the vdi.

Vdi, shadow file

Reboot, login, work, and enjoy

Start your virtual machine again. Once you get to the login prompt, identify yourself correctly with the right user name and the password that we just planted there. You will have now logged in, and you can begin working with your virtual machine appliance. Now, we did it with Amazon Linux, but this trick applies to ALL Linux distributions and filesystems out there. If you can't run system maintenance normally, you can use this trick to get around the limitation and make necessary changes to the filesystem. This is quite useful for virtual machines. We did this with KVM and now with VirtualBox, too.

Login, successful


If you're keen on testing Amazon Linux 2 but you're hitting the login credentials snag, and you do not feel like creating your own ISO images, or trying to figure out the full, proper way to use EC2 stuff, you can use partx or qemu-nbd to mount the virtual hard disk, and manually edit the shadow file. This is a guaranteed workaround, in case booting into single mode or rescue mode or whatever does not cut it for you.

Amazon Linux 2 looks like a fun operating system with some rather interesting features, and it would be a shame to miss them because of a technical/bureaucratic bungle like the initial login/password. I mean there's no reason why there ought not to be a default set, like any which distro. Plus the generic changes in the Linux infrastructure, vis-a-vis init=/bin/bash sure do not help. Hopefully, this article provides you with the necessary technical know how and adventurous spur to start your journey. Best of all, it's distro-agnostic. Any which virtual machine appliance, any which filesystem, you'll be able to make the necessary changes for your testing. Have fun exploring.


You may also like: