How do I reset the password for my EC2 Mac instance?


I don't know the password for my Amazon Elastic Compute Cloud (Amazon EC2) Mac instance, and I need to reset the password. Or, I need to reset the password for ec2-user.

Short description

If you don't know the password for ec2-user and that account already holds a secure token, then you can't reset the password directly: to reset the password of a user that has a secure token, you must authenticate as another user that also has a secure token.

When you set the first user password on an EC2 Mac instance, macOS issues a secure token to that user by default. That's why ec2-user receives a secure token as soon as you set its password for the first time. For more information, see Use secure token, bootstrap token, and volume ownership in deployments on the Apple website. Because of the complexity involved, it's not a best practice to use another secure token user to update the password for ec2-user.

Instead, create a rescue instance on which ec2-user is set up as a user without a secure token. Then, attach a copy of the original instance's root volume as a secondary volume to the rescue instance and migrate your data.

Resolution

Complete the following steps:

  1. Create a snapshot of the root Amazon Elastic Block Store (Amazon EBS) volume of your EC2 Mac instance.

  2. Launch a new EC2 Mac instance.

  3. Create an Amazon EBS volume from the root volume snapshot in the same Availability Zone as the new instance.

  4. Attach the EBS volume as a secondary volume to the new instance.

  5. Use SSH to connect to the new instance. The secondary volume that you attached in step 4 is visible to the OS, but isn't mounted yet.

  6. To list all the physical disks, partitions, Apple File System (APFS) containers, and volumes on the new instance, run the following command:

    diskutil list

    Example output:

    $ diskutil list
    /dev/disk0 (internal, physical):
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *251.0 GB   disk0
       1:             Apple_APFS_ISC Container disk1         524.3 MB   disk0s1
       2:                 Apple_APFS Container disk3         245.1 GB   disk0s2
       3:        Apple_APFS_Recovery Container disk2         5.4 GB     disk0s3

    /dev/disk3 (synthesized):
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      APFS Container Scheme -                      +245.1 GB   disk3
                                     Physical Store disk0s2
       1:                APFS Volume InternalDisk            10.3 GB    disk3s1
       2:                APFS Volume Preboot                 5.3 GB     disk3s2
       3:                APFS Volume Recovery                919.3 MB   disk3s3
       4:                APFS Volume Data                    779.2 MB   disk3s5
       5:                APFS Volume VM                      20.5 KB    disk3s6

    /dev/disk4 (external, physical):
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *107.4 GB   disk4
       1:                        EFI EFI                     209.7 MB   disk4s1
       2:                 Apple_APFS Container disk5         107.2 GB   disk4s2

    /dev/disk5 (synthesized):
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      APFS Container Scheme -                      +107.2 GB   disk5
                                     Physical Store disk4s2
       1:                APFS Volume Macintosh HD - Data     4.8 GB     disk5s1
       2:                APFS Volume Macintosh HD            9.3 GB     disk5s2
       3:              APFS Snapshot com.apple.os.update-... 9.3 GB     disk5s2s1
       4:                APFS Volume Preboot                 5.4 GB     disk5s3
       5:                APFS Volume Recovery                754.6 MB   disk5s4
       6:                APFS Volume VM                      20.5 KB    disk5s5

    /dev/disk6 (external, physical):
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *107.4 GB   disk6
       1:                        EFI EFI                     209.7 MB   disk6s1
       2:                 Apple_APFS Container disk7         107.2 GB   disk6s2

    /dev/disk7 (synthesized):
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      APFS Container Scheme -                      +107.2 GB   disk7
                                     Physical Store disk6s2
       1:                APFS Volume Macintosh HD - Data     9.4 GB     disk7s1
       2:                APFS Volume Macintosh HD            9.3 GB     disk7s2
       3:                APFS Volume Preboot                 5.4 GB     disk7s3
       4:                APFS Volume Recovery                754.6 MB   disk7s4
       5:                APFS Volume VM                      20.5 KB    disk7s5

    Note: In this example, /dev/disk6 is the attached EBS volume and /dev/disk7 is the APFS container that macOS synthesizes from it; disk7s1 is the Macintosh HD - Data volume of the original instance. In the following steps, replace disk7 with the identifier of your secondary volume.

  7. To verify that you correctly identified the secondary volume, run the following command:

    diskutil info disk7

    Note: Replace disk7 with the identifier of your secondary volume.
    For the secondary volume, the Device / Media Name value must be Amazon Elastic Block Store. Because the root volume of an EC2 Mac instance is also an EBS volume, also confirm that the disk isn't the one that backs the file system mounted on / (df -h shows the root device; in this example it's /dev/disk5s2s1, so disk5 is the root container and disk7 is the secondary volume).
    Example output:

    $ diskutil info disk7 | grep Device
    Device Identifier:         disk7
    Device Node:               /dev/disk7
    Device / Media Name:       Amazon Elastic Block Store
    Device Block Size:         4096 Bytes
    Device Location:           External

  8. To mount the secondary volume on the operating system (OS), run the following command:

    $ sudo diskutil mount /dev/disk7s1

    Note: Replace disk7s1 with the identifier of the Macintosh HD - Data volume on your secondary volume.

  9. To verify that the disk is mounted, run the df -h command:

    $ df -h
    Filesystem        Size   Used  Avail Capacity  iused      ifree %iused  Mounted on
    /dev/disk5s2s1   100Gi  8.7Gi   81Gi    10%   356840  846823560    0%   /
    devfs            228Ki  228Ki    0Bi   100%      788          0  100%   /dev
    /dev/disk5s5     100Gi   20Ki   81Gi     1%        0  846823560    0%   /System/Volumes/VM
    /dev/disk5s3     100Gi  5.0Gi   81Gi     6%      941  846823560    0%   /System/Volumes/Preboot
    /dev/disk1s2     500Mi  6.0Mi  392Mi     2%        1    4010720    0%   /System/Volumes/xarts
    /dev/disk1s1     500Mi   52Mi  392Mi    12%       53    4010720    0%   /System/Volumes/iSCPreboot
    /dev/disk1s3     500Mi  636Ki  392Mi     1%       51    4010720    0%   /System/Volumes/Hardware
    /dev/disk5s1     100Gi  4.5Gi   81Gi     6%   160213  846823560    0%   /System/Volumes/Data
    /dev/disk3s4     228Gi  108Ki  212Gi     1%       17 2223298800    0%   /private/tmp/tmp-mount-K1ov0m
    map auto_home      0Bi    0Bi    0Bi   100%        0          0  100%   /System/Volumes/Data/home
    /dev/disk7s1     100Gi  8.8Gi   77Gi    11%   204661  802361480    0%   /Volumes/Macintosh HD - Data

    Note: The last line shows the secondary volume (disk7s1 in this example) mounted at /Volumes/Macintosh HD - Data. Replace disk7s1 with the identifier of your secondary volume.

  10. Run the following command to open the mount point directory to access the volume's data:

    cd /Volumes/Macintosh\ HD\ -\ Data

    Note: Replace /Volumes/Macintosh\ HD\ -\ Data with the mount point that df -h shows for your secondary volume.

  11. Copy the data that you need from the mounted secondary volume to the root volume of your new instance with rsync. macOS includes rsync; to install a newer version from Homebrew, run the following command:

    brew install rsync

  12. Run the following commands so that no secure token is issued to ec2-user when you set its password. The first command adds the DisabledTags;SecureToken tag to the account's AuthenticationAuthority attribute; the second sets the password and prompts you for the new value:

    sudo dscl . -append /Users/ec2-user AuthenticationAuthority ";DisabledTags;SecureToken"
    sudo /usr/bin/dscl . -passwd /Users/ec2-user

    If you receive errors when you run the preceding dscl -passwd command, then run the following command instead:

    sudo passwd ec2-user

    Note: Replace ec2-user with your Amazon EC2 username. A user without a secure token can't turn on FileVault or grant secure tokens to other users, which is acceptable for a headless EC2 Mac instance.

  13. To verify that the user doesn't have a secure token, run the following command. The output must report that the secure token is disabled for the user:

    sysadminctl -secureTokenStatus ec2-user

    Note: Replace ec2-user with your Amazon EC2 username.

  14. To show all users, run the following command:

    for user in $(ls /Users); do echo "$user"; sysadminctl -secureTokenStatus "$user"; done

    Note: /Users also contains the Shared directory, which isn't a user account; ignore the error for that entry.
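The following shell script is an added example and is not code from the AWS article or from Apple. It automates the volume-identification checks of steps 6 to 9 against the text of diskutil list, df -h and diskutil info, so that the secondary Data volume is chosen by excluding the APFS container that backs / rather than by eyeballing the listing, and only when APPLY=1 is set on the rescue instance does it carry out the mount, copy and secure-token steps (10 to 13). Assumptions, which are not stated on the page: the rescued Data volume is still named "Macintosh HD - Data", the account to restore is ec2-user, and its home directory on that volume is /Users/ec2-user. The sample outputs embedded in the script are constructed from the example output above so that the checks run offline.

```sh
#!/bin/sh
# Added example (not AWS's or Apple's code). Identifies the secondary EBS Data
# volume from `diskutil list` / `df -h` text and, only with APPLY=1, mounts it,
# copies ec2-user's home and sets the password without issuing a secure token.
# Assumptions: Data volume named "Macintosh HD - Data"; account ec2-user with
# home at /Users/ec2-user on that volume.
set -u

# Print the identifier of every "Macintosh HD - Data" APFS volume that is NOT in
# the container backing "/", given the text of `diskutil list` and `df -h`.
find_secondary_data_volume() {
  diskutil_out=$1
  df_out=$2
  # /dev/disk5s2s1 mounted on "/" means the boot container is disk5
  root_container=$(printf '%s\n' "$df_out" | awk '
    $NF == "/" { d = $1; sub(/^\/dev\//, "", d); sub(/s[0-9]+.*$/, "", d); print d; exit }')
  [ -n "$root_container" ] || return 1
  # diskutil list prints the identifier as the last field of each volume line
  printf '%s\n' "$diskutil_out" | awk -v root="$root_container" '
    /APFS Volume .*Macintosh HD - Data/ {
      id = $NF; c = id; sub(/s[0-9]+.*$/, "", c)
      if (c != root) print id
    }'
}

# Succeed only if `diskutil info diskN` output describes an EBS-backed disk.
is_ebs_device() {
  printf '%s\n' "$1" | grep -q 'Device / Media Name:.*Amazon Elastic Block Store'
}

# Constructed sample output for offline use, modelled on the example output above.
SAMPLE_DISKUTIL_LIST='/dev/disk5 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +107.2 GB   disk5
                                 Physical Store disk4s2
   1:                APFS Volume Macintosh HD - Data     4.8 GB     disk5s1
   2:                APFS Volume Macintosh HD            9.3 GB     disk5s2
   3:              APFS Snapshot com.apple.os.update-... 9.3 GB     disk5s2s1

/dev/disk7 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +107.2 GB   disk7
                                 Physical Store disk6s2
   1:                APFS Volume Macintosh HD - Data     9.4 GB     disk7s1
   2:                APFS Volume Macintosh HD            9.3 GB     disk7s2'
SAMPLE_DF='Filesystem      Size  Used Avail Capacity iused     ifree %iused  Mounted on
/dev/disk5s2s1  100Gi 8.7Gi  81Gi    10%  356840 846823560    0%   /
/dev/disk5s1    100Gi 4.5Gi  81Gi     6%  160213 846823560    0%   /System/Volumes/Data
/dev/disk7s1    100Gi 8.8Gi  77Gi    11%  204661 802361480    0%   /Volumes/Macintosh HD - Data'
SAMPLE_DISKUTIL_INFO='   Device Identifier:         disk7
   Device Node:               /dev/disk7
   Device / Media Name:       Amazon Elastic Block Store
   Device Location:           External'

rescue() {
  if command -v diskutil >/dev/null 2>&1; then
    data_vol=$(find_secondary_data_volume "$(diskutil list)" "$(df -h)")
  else
    data_vol=$(find_secondary_data_volume "$SAMPLE_DISKUTIL_LIST" "$SAMPLE_DF")  # offline demo
  fi
  [ -n "$data_vol" ] || { echo "no secondary Data volume found: is the EBS volume attached?" >&2; return 1; }
  if [ "$(printf '%s\n' "$data_vol" | wc -l | tr -d ' ')" -ne 1 ]; then
    printf 'several candidates, choose one by hand:\n%s\n' "$data_vol" >&2; return 1
  fi
  disk=$(printf '%s' "$data_vol" | sed 's/s[0-9]*$//')      # disk7s1 -> disk7
  echo "secondary Data volume: /dev/$data_vol on /dev/$disk"
  [ "${APPLY:-0}" = 1 ] || { echo "dry run; set APPLY=1 on the rescue instance to mount, copy and reset"; return 0; }

  # Step 7 check: refuse to touch anything that is not an EBS volume.
  is_ebs_device "$(diskutil info "$disk")" || { echo "/dev/$disk is not an EBS volume" >&2; return 1; }
  sudo diskutil mount "/dev/$data_vol"                        # step 8
  mnt=$(diskutil info "$data_vol" | awk -F': *' '/Mount Point:/ { print $2 }')
  [ -d "$mnt/Users/ec2-user" ] || { echo "no /Users/ec2-user on $mnt" >&2; return 1; }
  sudo rsync -a "$mnt/Users/ec2-user/" /Users/ec2-user/       # step 11 (assumed source path)
  # Step 12: tag the account so that setting its password does not issue a secure token.
  sudo dscl . -append /Users/ec2-user AuthenticationAuthority ";DisabledTags;SecureToken"
  sudo dscl . -passwd /Users/ec2-user                         # prompts for the new password
  sysadminctl -secureTokenStatus ec2-user                     # step 13: expect DISABLED
}

rescue
```

Without diskutil on the PATH the script runs against the embedded sample text and reports disk7s1 as the secondary Data volume, matching the walkthrough above; on the rescue instance it reads the live diskutil and df output, and nothing is mounted, copied or changed unless APPLY=1 is set explicitly.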
AWS OFFICIAL