Recover access to your Sophos UTM in the event of password loss

  • Article ID: 115346
  • Updated: 28 Sep 2015

If you have forgotten all passwords for accessing the WebAdmin (i.e., the 'admin' account) and/or the UTM console user accounts (i.e., 'loginuser' and root), there is still a way to regain access.

This article explains how to regain access to the WebAdmin if you have been locked out, and how to go further and fully reset the passwords of the console users.

Applies to the following Sophos product(s) and version(s)
Sophos UTM

Operating systems
V7, V8, V9

What To Do

Reset WebAdmin password

If you cannot log in to the WebAdmin with the 'admin' account, but you know the password for root and either have direct access to the UTM or can connect to it with SSH, follow steps one to five below. Otherwise, see the section 'Reset all passwords' below.

  1. Either go to the actual UTM or connect via SSH.
  2. Log in using the root account, or su to root.
  3. Type: cc
  4. Type: RAW
  5. Type: system_password_reset

The next attempt to access the WebAdmin will show the 'Admin password setup' screen, where you can enter a new password for the 'admin' account, as shown in the screenshot below.

Note: performing the above steps will also reset both the loginuser and root SSH passwords. To set new ones, browse to Management > System Settings > Shell Access > Shell user passwords or, if you are still logged in to the console as root, enter:

passwd loginuser

passwd root

Reset all passwords

Important note: due to a known issue with USB keyboard drivers not being loaded correctly when accessing the bash recovery environment, the steps in this section after step 10 are not possible with certain firmware versions. Please ensure your UTM is updated to the latest firmware version to prevent being affected by this issue.

Known affected versions: 9.104-9.111, 9.205-9.209, 9.300-9.307 (for SG-series UTMs)
Known unaffected versions: 9.112, 9.210, 9.308+

Another workaround:

  1. Connect a PC to the UTM via serial cable.
  2. Configure PuTTY on the PC and connect to Serial / COM1 with baud 38400.
  3. Follow the procedure below until step 8.
  4. On step 8, the string to be added will be: init=/bin/bash console=ttyS0,38400
  5. Follow the procedure until step 11 (reboot unit) and you should see the console output on the PC, in the PuTTY window.
  6. Continue the reset procedure from the PC using PuTTY.

On UTM hardware appliances, or software appliances where it is not possible to login to the console (when the passwords are missing), it is still possible to reset the passwords if you have direct physical access to the UTM.

Note: On a hardware appliance you must connect a keyboard and monitor to the UTM in order to interrupt the boot sequence.

  1. Shut down the UTM.
  2. Ensure both a monitor and a keyboard are connected to the UTM.
  3. Power on the UTM, wait until the GRUB boot loader starts, and then press the 'Esc' key before the short timeout expires.
  4. Using only the arrow keys, highlight (do not press Enter/Return) the entry for the software version the UTM is running that mentions neither 'previous' nor 'rescue'. In the screenshot below the 'Sophos UTM 9.1' item is highlighted.
  5. Press the 'e' key on the keyboard.
  6. Highlight (again do not press enter) the second option in the list shown on screen that starts with the word 'kernel'.
  7. Press the 'e' key on the keyboard.
  8. Type: init=/bin/bash
  9. Press enter and wait for the screen to reload.
  10. Press the 'b' key on the keyboard. The UTM will boot up.
  11. Type: passwd loginuser
  12. Enter and re-enter a new password for the 'loginuser' account.
  13. Type: passwd root
  14. Enter and re-enter a new password for the root account.
    Note: Steps 11 to 14 are shown in the screenshot below.
  15. Press Ctrl+Alt+Del on the keyboard. The UTM will reboot.
  16. Log in as root with the newly set password and reset the password for the WebAdmin's 'admin' account as shown below.
  17. Connect to the WebAdmin as normal (refresh the browser to clear any previous connection if required).
  18. Set a new password for the 'admin' account.

You now have access to the WebAdmin and have reset the console user accounts' passwords.
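
To decide ahead of time whether a given unit needs the serial-console variant of step 8, the version ranges listed under 'Reset all passwords' can be checked with a small script. This is an added example, not Sophos code; the function names and the assumed version format (MAJOR.MMM with an optional -BUILD suffix) are illustrative, and the sample versions are constructed.

```shell
#!/bin/sh
# Added example (not Sophos code). Ranges are the ones listed in this article.

# in_range N LO HI: true when LO <= N <= HI
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# usb_keyboard_status VERSION
# Prints affected | unaffected | unknown | invalid for the USB-keyboard issue.
# Assumed input format: MAJOR.MMM with an optional -BUILD suffix (e.g. 9.305-4).
usb_keyboard_status() {
    ver=$(printf '%s' "$1" |
        sed -n 's/^\([0-9]\{1,\}\)\.\([0-9]\{3\}\)\(-[0-9]\{1,\}\)\{0,1\}$/\1 \2/p')
    [ -n "$ver" ] || { echo invalid; return 1; }
    major=${ver% *}
    minor=${ver#* }
    minor=${minor#0}; minor=${minor#0}   # drop leading zeros: "008" -> "8"

    # The article lists ranges for 9.x only; anything else is not covered.
    if [ "$major" -ne 9 ]; then echo unknown; return 0; fi

    if in_range "$minor" 104 111 || in_range "$minor" 205 209 ||
       in_range "$minor" 300 307; then
        echo affected
    elif [ "$minor" -eq 112 ] || [ "$minor" -eq 210 ] || [ "$minor" -ge 308 ]; then
        echo unaffected
    else
        echo unknown
    fi
}

# step8_kernel_args VERSION
# Prints the string to type at step 8: the serial-console variant when the
# attached keyboard is known not to work in the recovery shell.
step8_kernel_args() {
    case "$(usb_keyboard_status "$1")" in
        affected) echo 'init=/bin/bash console=ttyS0,38400' ;;
        invalid)  return 1 ;;
        *)        echo 'init=/bin/bash' ;;
    esac
}

# Constructed inventory of firmware versions, for illustration only.
for v in 9.111-3 9.112 9.209 9.305-4 9.308-16 9.113; do
    printf '%-10s %-11s %s\n' "$v" "$(usb_keyboard_status "$v")" "$(step8_kernel_args "$v")"
done
```

Versions that appear in neither list are reported as unknown rather than guessed.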

Local network is missing in the 'allowed networks' of the WebAdmin

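If you cannot reach the WebAdmin login page, the allowed networks may have changed. You can reset the allowed networks for WebAdmin with the following commands. The value in step 4 sets the allowed networks to 'Any', so restrict them again in the WebAdmin once you have regained access.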

  1. Type: cc
  2. Type: webadmin
  3. Type: allowed_networks@
  4. Type: =['REF_NetworkAny']


Note For High Availability Systems

If you encounter any problems resetting the password while both units are online, it may be necessary to power down the secondary unit(s) and then reset the password on the master unit. Once that is working, power the other unit(s) back on; they should then sync the updated passwords as well.

If you need more information or guidance, then please contact technical support.
