Systemd.debug_shell

Last night I accidentally nuked user and root passwords and got locked out. I recovered by booting the ISO and using nixos-enter and resetting the passwords but I was curious why I couldn’t get the systemd.debug_shell to show up at tty9? I had read this was a way to get a root shell. But despite adding the line to the kernel params at boot menu I was unable to get to tty9 (the default is 7 ttys, I think). I’m assuming there’s something special with NixOS that got in the way of this. Is there a decent way to get a root shell without the ISO if something like this happens again (happened to me twice in 5ish years so it’s pretty rare 🙂)?

I saw this last night (not sure it was ever merged) systemd: use pure debug shell · NixOS/nixpkgs@0913e30 · GitHub but I’m assuming it couldn’t find bash

edit: oh, maybe I should try systemd.crash_shell=1. Nah, that didn’t work either.

Sorta answering my own question here: NixOS 23.11 manual | Nix & NixOS, boot.debug1devices et al. (haven’t tried it to reset a forgotten password but at least I know how to get a debug shell)

So that’s a little bit different. Most of those cmdline options are for stage 1, aka initrd. You’ll be dropped into a debug shell before the OS has actually been loaded, so things like changing a password probably won’t be easy.

NixOS currently just doesn’t include the debug-shell.service unit. You can add it yourself to your system with `systemd.additionalUpstreamSystemUnits = ["debug-shell.service"];`, and then the `systemd.debug_shell` cmdline option will work as expected. I think it would be fine for this to be added to the default upstream units. The service only starts if you enable it on the cmdline, and the cmdline can already do `init=/bin/sh` anyway, so there’s no additional security risk as far as I can tell. I didn’t even know this service existed; it seems useful.

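To make the mechanism in the answer above checkable on a host, here is an added example that is not from the thread, NixOS or systemd: a POSIX sh script that parses a kernel command line the way systemd's debug-shell handling does (a bare `systemd.debug_shell` or a true-ish value selects the default `/dev/tty9`, a false-ish value disables it, any other value names the tty) and then reports whether the running boot will actually offer a root shell, i.e. whether the option was given AND `debug-shell.service` exists. It assumes `systemctl cat` exits non-zero for a missing unit; the sample command lines are constructed.

```shell
#!/bin/sh
# Constructed sample kernel command lines (not captured from a real host).
CMDLINE_OFF='BOOT_IMAGE=/nix/store/PLACEHOLDER-linux/bzImage init=/nix/store/PLACEHOLDER-nixos-system/init loglevel=4'
CMDLINE_ON="$CMDLINE_OFF systemd.debug_shell"

# Print the tty the debug shell would be started on for a given command
# line, or nothing if it is not requested. The last occurrence wins, as
# with systemd. Runs in a subshell with globbing off so the word split
# of the command line cannot expand stray wildcard characters.
debug_shell_tty() (
    set -f
    _tty=""
    for _arg in $1; do
        case $_arg in
            systemd.debug_shell) _tty=/dev/tty9 ;;
            systemd.debug_shell=*)
                _val=${_arg#systemd.debug_shell=}
                case $_val in
                    1|yes|true|on)  _tty=/dev/tty9 ;;
                    0|no|false|off) _tty="" ;;
                    /dev/*)         _tty=$_val ;;
                    *)              _tty=/dev/$_val ;;
                esac ;;
        esac
    done
    printf '%s' "$_tty"
)

# Host check: returns 1 when this boot will offer an unauthenticated root
# shell (option requested AND the unit is present). On stock NixOS the unit
# is absent, so the request is silently ignored and the check returns 0.
check_debug_shell() {
    _tty=$(debug_shell_tty "$(cat /proc/cmdline)")
    if [ -z "$_tty" ]; then
        echo "debug shell not requested on this boot"; return 0
    fi
    if systemctl cat debug-shell.service >/dev/null 2>&1; then
        echo "WARNING: root shell will be offered on $_tty"; return 1
    fi
    echo "debug shell requested on $_tty but debug-shell.service is missing"; return 0
}

# Demonstrate the parser on the constructed samples.
echo "sample off: '$(debug_shell_tty "$CMDLINE_OFF")'"
echo "sample on:  '$(debug_shell_tty "$CMDLINE_ON")'"
```

Run `check_debug_shell` as root on the host you want to audit; the parser alone needs no systemd.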

This worked but I had to login to get to tty9 (sddm starts and tty9 isn’t accessible) so I’m not sure the debug shell is a way to reset a password without the ISO nor is /bin/sh, but I’ve learned about some cool systemd stuff anyway and I can get into a debug shell so thank you!

Why is that? Does sddm do a physlock or something?

edit - nvm, I just had to switch to tty1 (to get away from the graphical login manager) and then to tty9 and it works like a charm. Thanks again.