Q. Can you explain /etc/shadow file used under Linux or UNIX?
A. /etc/shadow file stores actual password in encrypted format for user's account with additional properties related to user password i.e. it stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in /etc/passwd file Generally, shadow file entry looks as follows (click to enlarge image):
/etc/shadow file fields
(Fig.01: /etc/shadow file fields)
- User name : It is your login name
- Password: It your encrypted password. The password should be minimum 6-8 characters long including special characters/digits
- Last password change (lastchanged): Days since Jan 1, 1970 that password was last changed
- Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
- Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)
- Warn : The number of days before password is to expire that user is warned that his/her password must be changed
- Inactive : The number of days after password expires that account is disabled
- Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used
The last 6 fields provides password aging and account lockout features (you need to use chage command to setup password aging). According to man page of shadow - the password field must be filled. The encrypted password consists of 13 to 24 characters from the 64 character alphabet a through z, A through Z, 0 through 9, \. and /. Optionally it can start with a "$" character. This means the encrypted password was generated using another (not DES) algorithm. For example if it starts with "$1$" it means the MD5-based algorithm was used.
- Email FAQ to a friend
- Printable version
- Rss Feed
- Last Updated: 6-3-08
{ 27 comments… read them below or add one }
What does a symbol of ! or * indicate when placed before this after the user login name . . . after typing cat /etc/shadow?
! or * indicate that the user will not be able to use a unix/linux password to log in. In other words user login will be disabled.
HTH
Nice to get this information here, couldn’t understand it when our teacher taught it in class
If a user changes his password (using passwd command), how is the shadow file updated to include the new passwd? I mean, doesn’t the root/admin only have write permissions to this file?
passwd command has SUID (Saved User ID) enabled. When passwd command executed the effective user id (EUID) that is in force at the time is copied to the saved user id (i.e. root). Using this technique a normal user can update his/her password.
username:!!: …. or
username:!!$1$MvGJq5Nq$ersjw/IaU90l.n5sB/FFP1: …
I tried this on Linux machine and !! appeared after passwd -l username command – locking password.
After passwd -u username – unlock, !! disappeared again.
So this means that user cannot log in, so it is blocked, but I am not sure about all those rpm, nscd, nfsnobody and so on users.. they have only :!!: in password field in ect/shadow file. These users cannot log in, but are they entirely blocked?
The root user can still access accounts with blocked passwords, using su, but only if those accounts have a shell enabled in /etc/passwd (if the shell is /sbin/nologin, even root cannot access the account). I don’t know if there’s a difference between !! and * in the password field of the shadow file, though.
Is it possible to have etc/shadow file where all the passwords are encrypted however one password is simply a recognizable word?
one password is simply a recognizable word?
Noop.
can any one make answer more clear how passwd changes the password although /etc/shadow has permissions ‘r——–’ with root as owner.
If there is an account in the etc/shadow file and the account does not have an equivalent in the etc/passwd file? Will the account work for login?
@sunil
heya mate. the passwd command can only be run by root or as a root (using sudo). The root can access (including read and write) to any file even if he doesnt have the permissions. Thats why as a root, the /etc/shadow can be changed.
You can call it perks of the job…
HTH
sunil-
passwd command can be run by any user. when root runs it, they dont need to specify an old password to change it.
Hey guys,
Can you please tell me if
1. \”!!\” means that the password is expired and the user will not be able to login?
2. \”*\” means that the userid is locked?
the passd command is both SUID and SGID — these stand for Set User ID and Set Group ID. See permissions below;
% ls -l /usr/bin/passwd
54 -r-sr-sr-x 1 root sys 27228 Aug 16 2007 /usr/bin/passwd
Just to clarify the perms –
* user perms (root) – read, setuid on execute
* group perms (sys) – read, setgid on execute
* anyone perms – read and execute
So, when anyone runs the passwd command, they will effectively be running it as the root user and the sys group.
Although the permissions of passwd are read (no write), root does have the ability to force write on any file on a UNIX system (locally mounted).
That is why when you run the passwd command, you effectively become root and the shadow file is updated.
Hope that helps.
username:Kz5iZvRZAyXkQ:14132::::90::
I use the passwd -x -1 [username] command to remove the expirations, etc., but that 90 keeps showing up. How the hell do I get rid of that damn number short of vi’ing the shadow file?
Does anyone know how to set a madatory minimum length for the root password. I typed in PASSWORD=14 in the ../etc/default/passwd file, but that only ALLOWS a 14 charachter password. It doesn’t require it.
Thanks,
David
@David,
To improve security, you need to use longer password. It can be enforced using Pluggable Authentication Module (PAM).
“/etc/shadow file stores actual password in encrypted format”
I don’t think so, I’m pretty sure that /etc/shadow stores a hashed output from the users password, by default using ‘crypt’ in solaris and therefore limited to checking the first 8 chars of a password. You can invoke MD5 or SHA-1 instead, for better password checking. /etc/default/passwd contains the hints…..
Is it possible to add an root entry to the /etc/passwd and /etc/shadow where there is no password, so that we can create a root that doesn’t have a password? thanks for the help
hi,
can one access /etc/shadow file even if one does not have root permissions…
Hey what is the mode of encryption in this shadow file?
its ok but password means nothing could be done on it……….
hi my linux friends
i m student of bannerjee sir plz help me about how to convert /etc/shadow file’s passwd into our normal form simply haching
its very easy langauage even fresher can understand explation is given briefly
Thanks a lot .. got hell lot of information
If I insert # comment lines, blank lines, or if I sort the contents differently, will this screw anything up? Will the system clobber comments, blank lines, or sort order? I could get the answer by experiment, but the risk of disaster is too high.