Torizon 7 root login

roedy · December 11, 2025, 6:06pm

I recently upgraded from Torizon 6.8 to 7.4, and I’ve noticed that the root login no password doesn’t work anymore.

I’ve analyzed the following files and found almost the exact same configuration between the scarthgap and kirkstone builds

/etc/[shadow,passwd]
/usr/lib/[shadow,passwd]
/etc/nsswitch.conf
/etc/pam.d/[login, common-auth, common-password, common-session]

I’ve explicitly added the following to my image

IMAGE_FEATURES:append = " debug-tweaks allow-root-login allow-empty-password empty-root-password"

It does appear that the root entry is locked in scarthgap

#kirkstone
root@verdin-imx8mp-scu-15207788:~# passwd -S root
root NP never 0 99999 7 -1

#scarthgap
torizon@verdin-imx8mp-scu-15289166:~$ sudo passwd -S root                                                                                                                                                        
root L never -1 -1 -1 -1

Yocto Documentation looks the same for the two versions, so I’m guess there is some configuration in a torizon layer that changed this behavior.

I’ve also tried to explicitly add root entries into the /etc/[passwd, group, shadow] files and it still shows up as locked.

I understand that y’all are attempting to deliver a production ready operating system, and that an empty root login is absolutely innapropriate for a production build, but it has proven extremely useful and a real time saver while doing development. Is there any way you can help me get this back?

ToradexAI · December 11, 2025, 6:07pm

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.

The information sources I have available don’t contain specific details about root login configuration changes between Torizon OS 6.8 and 7.4, or instructions for enabling empty root passwords in Torizon OS 7.x.

However, I can provide some relevant context from the documentation about authentication in Torizon OS:

Default Authentication Configuration

According to the SSH documentation, the default user configuration varies by platform (1):

Torizon embedded Linux BSP has default SSH user configured as torizon and password torizon as well (1)
The torizon user has root privileges and you can execute sudo and su just like on a regular desktop Linux distro (1)

Password Authentication Settings

For SSH connections, the system’s user password can be changed by using passwd, and to keep being able to login as a user, make sure the following ssh daemon configurations are set (in /etc/ssh/sshd_config) (1):

PasswordAuthentication yes  
#PermitEmptyPasswords yes

Root Filesystem Protection Impact

One significant change in Torizon OS 7.x is the introduction of root filesystem protection with composefs integration. This makes the /etc directory volatile, meaning any changes made at runtime are lost on system reboot (2). This could potentially affect password configurations if they’re being modified at runtime.

Recommendation

Since the specific root login configuration changes between versions aren’t covered in my available sources, I’d recommend checking the release notes for Torizon OS 7.4 or contacting Toradex support for detailed information about this change and the recommended approach for development environments.

For development purposes, you might want to continue using the default torizon user with sudo privileges, which provides similar functionality while maintaining the intended security model.

Best regards, Toradex AI Assistant.

Did you like my answer?

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.

eric.tx · December 11, 2025, 10:02pm

Hey @roedy ,

*edit, still looking for a solution. Will report back when i find more/have an answer.

-Eric

eric.tx · December 17, 2025, 4:29pm

Hey @roedy,

How are you doing with this?

Is there a specific reason you’d like to have the root user be available on Torizon OS?? Something specific for development? I assume you are working within a containerize application? Are you familiar with our IDE extension?

-Eric

roedy · December 19, 2025, 7:02pm

It’s purely for ease of development. We often need to SSH into our boards to exchange files and test out new features. It just really eases up the workflow to not have to type in a password to login, and then another password to get a root shell for things like checking the dmesg or journalctl

We can certainly work around it, I was just under the assumption there was an simple configuration option that I missed.

jon.tx · December 19, 2025, 7:45pm

I’m not sure why those IMAGE_FEATURES:appends aren’t working–I’m curious about that too, I didn’t find anything obvious that changed in Torizon–but I could suggest a workaround. Please take this with all the caution it deserves; you should never do this on anything but a test image, etc.

You could enable passwordless sudo for the torizon user or group, then set up your .ssh/config (or a shell alias, or whatever) to run ssh -t torizon@host 'sudo bash -l' when you ssh to the board. So, on the board do sudo echo '%torizon ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers (or do the equivalent in your development build yocto recipe), and then something like this in your .ssh/config (or set up an alias, etc.):

Host yourtorizonboard
  RequestTTY force
  RemoteCommand sudo bash -l

Not a perfect substitute, but it might help with the convenience side of things.