Q. Can you explain /etc/shadow file used under Linux or UNIX?
A. /etc/shadow file stores actual password in encrypted format for user's account with additional properties related to user password i.e. it stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in /etc/passwd file Generally, shadow file entry looks as follows (click to enlarge image):
/etc/shadow file fields

(Fig.01: /etc/shadow file fields)
- User name : It is your login name
- Password: It your encrypted password. The password should be minimum 6-8 characters long including special characters/digits
- Last password change (lastchanged): Days since Jan 1, 1970 that password was last changed
- Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
- Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)
- Warn : The number of days before password is to expire that user is warned that his/her password must be changed
- Inactive : The number of days after password expires that account is disabled
- Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used
The last 6 fields provides password aging and account lockout features (you need to use chage command to setup password aging). According to man page of shadow - the password field must be filled. The encrypted password consists of 13 to 24 characters from the 64 character alphabet a through z, A through Z, 0 through 9, \. and /. Optionally it can start with a "$" character. This means the encrypted password was generated using another (not DES) algorithm. For example if it starts with "$1$" it means the MD5-based algorithm was used.
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- My 10 UNIX Command Line Mistakes
- Linux: 20 Iptables Examples For New SysAdmins

- 25 PHP Security Best Practices For Sys Admins
- The Novice Guide To Buying A Linux Laptop
- 10 Greatest Open Source Software Of 2009
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Linux Video Editor Software
Facebook it - Tweet it - Print it -


{ 76 comments… read them below or add one }
What does a symbol of ! or * indicate when placed before this after the user login name . . . after typing cat /etc/shadow?
! or * indicate that the user will not be able to use a unix/linux password to log in. In other words user login will be disabled.
HTH
Nice to get this information here, couldn’t understand it when our teacher taught it in class
If a user changes his password (using passwd command), how is the shadow file updated to include the new passwd? I mean, doesn’t the root/admin only have write permissions to this file?
passwd command has SUID (Saved User ID) enabled. When passwd command executed the effective user id (EUID) that is in force at the time is copied to the saved user id (i.e. root). Using this technique a normal user can update his/her password.
username:!!: …. or
username:!!$1$MvGJq5Nq$ersjw/IaU90l.n5sB/FFP1: …
I tried this on Linux machine and !! appeared after passwd -l username command – locking password.
After passwd -u username – unlock, !! disappeared again.
So this means that user cannot log in, so it is blocked, but I am not sure about all those rpm, nscd, nfsnobody and so on users.. they have only :!!: in password field in ect/shadow file. These users cannot log in, but are they entirely blocked?
The root user can still access accounts with blocked passwords, using su, but only if those accounts have a shell enabled in /etc/passwd (if the shell is /sbin/nologin, even root cannot access the account). I don’t know if there’s a difference between !! and * in the password field of the shadow file, though.
Is it possible to have etc/shadow file where all the passwords are encrypted however one password is simply a recognizable word?
one password is simply a recognizable word?
Noop.
can any one make answer more clear how passwd changes the password although /etc/shadow has permissions ‘r——–’ with root as owner.
If there is an account in the etc/shadow file and the account does not have an equivalent in the etc/passwd file? Will the account work for login?
Potentially, it can work. if there is another authentication directory other than “files” (/etc/passwd) specified in nsswitch, it can get the user info from that authentication directory, and the password info from /etc/shadow
@sunil
heya mate. the passwd command can only be run by root or as a root (using sudo). The root can access (including read and write) to any file even if he doesnt have the permissions. Thats why as a root, the /etc/shadow can be changed.
You can call it perks of the job…
HTH
sunil-
passwd command can be run by any user. when root runs it, they dont need to specify an old password to change it.
Hey guys,
Can you please tell me if
1. \”!!\” means that the password is expired and the user will not be able to login?
2. \”*\” means that the userid is locked?
the passd command is both SUID and SGID — these stand for Set User ID and Set Group ID. See permissions below;
% ls -l /usr/bin/passwd
54 -r-sr-sr-x 1 root sys 27228 Aug 16 2007 /usr/bin/passwd
Just to clarify the perms –
* user perms (root) – read, setuid on execute
* group perms (sys) – read, setgid on execute
* anyone perms – read and execute
So, when anyone runs the passwd command, they will effectively be running it as the root user and the sys group.
Although the permissions of passwd are read (no write), root does have the ability to force write on any file on a UNIX system (locally mounted).
That is why when you run the passwd command, you effectively become root and the shadow file is updated.
Hope that helps.
username:Kz5iZvRZAyXkQ:14132::::90::
I use the passwd -x -1 [username] command to remove the expirations, etc., but that 90 keeps showing up. How the hell do I get rid of that damn number short of vi’ing the shadow file?
Does anyone know how to set a madatory minimum length for the root password. I typed in PASSWORD=14 in the ../etc/default/passwd file, but that only ALLOWS a 14 charachter password. It doesn’t require it.
Thanks,
David
@David,
To improve security, you need to use longer password. It can be enforced using Pluggable Authentication Module (PAM).
“/etc/shadow file stores actual password in encrypted format”
I don’t think so, I’m pretty sure that /etc/shadow stores a hashed output from the users password, by default using ‘crypt’ in solaris and therefore limited to checking the first 8 chars of a password. You can invoke MD5 or SHA-1 instead, for better password checking. /etc/default/passwd contains the hints…..
Is it possible to add an root entry to the /etc/passwd and /etc/shadow where there is no password, so that we can create a root that doesn’t have a password? thanks for the help
edit /etc/shadow and remove the encrypted password.
vi /a/etc/shadow
An example from my lab looks like this.
root:ZW1NcbJpB8Yd6:14712:7:42:7:::
You will need to remove the section between the first colons. In this case ZW1NcbJpB8Yd6.
The new line should look like this.
root::14712:7:42:7:::
hi,
can one access /etc/shadow file even if one does not have root permissions…
Hey what is the mode of encryption in this shadow file?
its ok but password means nothing could be done on it……….
hi my linux friends
i m student of bannerjee sir plz help me about how to convert /etc/shadow file’s passwd into our normal form simply haching
its very easy langauage even fresher can understand explation is given briefly
Thanks a lot .. got hell lot of information
If I insert # comment lines, blank lines, or if I sort the contents differently, will this screw anything up? Will the system clobber comments, blank lines, or sort order? I could get the answer by experiment, but the risk of disaster is too high.
“if the shell is /sbin/nologin, even root cannot access the account”
False. Both su and sudo let you specify a shell/command, so you (not just root) can bypass what /etc/passwd says. The shell value there is only a default shell! It does NOT entirely prevent someone from logging in (very common myth)! In other words, if you have access to an account with su or sudo, you can log in to it regardless of what the default shell is set to. I do it all the time.
While it WOULD lock someone out of telnet, SSH2 allows you to specify an alternate shell to bypass /etc/passwd as well (although I’ve not had any success using this feature of SSH, so perhaps I’m misreading or not getting it right).
i am a student and i m new in linux ..can anyone please explain me the term dns resolver by taking into account:
1.how it might be used to resolve the url:breo.beds.ac.uk
2.how it compares with the hosts file
unix looks to /etc/hosts file as first point of name resolution. than /etc/resolv.conf is looked at where DNS server ip addresses are identified. The DNS server retains a database similiar to that of the /etc/hosts file. DNS server database has to be maintained with server names and ip addresses rather than system adminsitrator maintaining hundreds of /etc/hosts files on multiple machines.
can anyone xplain: what happening in the boxes areas shown in the startup script of a linux system:-
checking for hardware changes [ok]
bringing up loopback interface:[ok]
bringing up loopback interface eth0:
determining ip information for etho… done
starting snmpd:[failed]
starting cups[ok]
starting sshd:[failed]
starting sendmail:[failed]
can u explain how the /etc/shadow and /etc/passwd are used in the authentication process.why are two files used instead of one?how can i convert a system to use the /etc/shadow file to store password?
an example of absolute pathname is shown as /home/student/myprogms while a relative pathname can be shown as ../../documents can anyone discuss the differences between absolute and relative pathname and advantages.
Heyy
can anyone tell me what is the hash here?
username:$1$DKzYQ$HP9PrZA.mxe5/qviB3Kyw1:14266:0:99999:7:::
i tried to crack it with md5 but it says it’s not a valid hash. I tried different combinations but it’s the same thing.
Please help.
Thanks.
Hey Kriss,
you can’t just crack md5, since md5 is actually a cryptographic hash function and it operates only ONE way: text -> hash!
You might try the common words md5 database. Type “gdata md5 database” in your favourite search engine.
If you are (un)lucky this hash will be found in the database, and you will be able to see clear text.
you can always try john the ripper to crack the hash
Could you please tell me how to open it?
Srikanth – With any text editor. However, only root has access to it.
sir mcrypt command is is nice for encryption
that’s beautiful to use.
sir how to open shadow file if permission denied?
sir how to use algorithm for encryption.
can we make algorithm ?
in unix how to use mod(%)?
@manish bagwari:
Shadow file can only be opened by a super user (already mentioned in Keilaron comment). So sudo vi /etc/shadow (and enter password, if your username is added to sudoers), or first become super user with use of the su command (must know root password), and then open the file via vi /etc/shadow.
Mod (%) in korn shell can be used in following way: mymodulus=$(( 15 % 7 ))
If you meant something else by “unix”, please let me know.
sir i have used su command ,after giving passwd it diplayed authentication failure
sir, what to do?
And how we can koow the root passwd.
Well, without correct super user password, you can NOT read requested file!
If you truly are authorised to use the system in super user mode, someone should have provided you with the password; or created rules in sudoers configuration file.
If you installed the system by your self, and just forgot the password, you will probably have to boot it using rescue CD and then reset super user password. This procedure is well documented on the web.
how to know the root password in unix sir when i used su command then it display athentication failure (in my own system ) siir what to do?
sir , how to know root passwd.
su cmmand replys authentication failure
what to do?
I had a problem with the screensaver under Ubuntu 9.10 not taking my password. I fixed it by changing the permissions of /etc/shadow to:
-r--r----- 1 root shadow 1807 2010-03-26 00:33 /etc/shadowIn the figure the encrypted password is really shot when compared with the password field in my shadow password i cant really understand what is the type of encryption
hackme:$6$OBEzW/iiKRe/ww$vfnfEFg41l1dK4zE4YM9PiRKs7ic5lvg1WgFWgi.VF0O/MYCZPELqedCmSybFQ5.0twYbc1fU6VnXqdACqELj0:14703:0:99999:7:::can anyone pls help me understand this
cheers.
Linux learner
From my password field i can identify $6$ which indicates it as a SHA based scheme but when i converted my original password using some online converters i didn’t got the same encrypted password as that of my shadow password
geez man – its called “one way function” for a reason.
Tatineni: There’s some additional modifications that occur to the password before it is placed in the shadow file. I’m not sure what they are, but yes, it seems the hashes created by md5/sha1/ are not inserted as-is into the shadow file. I’m not sure what it is, but it’s not base64 encoding, that much I know.
I think a !! just means that acount never had a password since it was first created by the system.
what happen if you remove shadow file et all? would you able to login into?
!! measns user account has not been initialed or has not been locked.
! means group password is not available.
* means login disabled.
Hope it would be helpful
why /etc/shadow- and /etc/passwd- file ?
# ls -l /etc/passwd*
-rw-r–r– 1 root root 2230 2007-08-17 19:20 /etc/passwd
-rw-r–r– 1 root root 2187 2007-08-17 15:03 /etc/passwd-
# ls -l /etc/shadow*
-r——– 1 root root 1420 2010-02-07 03:30 /etc/shadow
-r——– 1 root root 1358 2007-08-17 15:03 /etc/shadow-
“Understanding /etc/shadow file”???
I still don’t see how the passwd string given to passwd iss converted to the string in the shadow file.
man shadow
Well Tell me any good way to by pass the shadow file when it is lock !!! ?
I’m trying to unshadow my passwd file on mac os x 10.6.7 (MBP if it helps) I can’t seem to locate the shadow file in etc/ can you help me? I’m trying to do this for use with john the ripper to test the passwords on my server, and I am new to john the ripper.
There are no /etc/shadow file on Mac OS X. All passwords are stored by a daemon (DirectoryService if i’m remember correctly) which store passwords in many hashed kinds (MD5, CRYPT-DES, SHA, LM, KRB5, …) for all services who need it. All request for changing password are redirected to this daemon who update all hashes “in-the-fly”. Same thing for authentication
PS: The first dollar sign signifies the hashing algorithm:
$1 – md5
$2a – blowfish
$6 – sha-512
Most modern linux distros use $6 in /etc/shadow for user accounts
for etc/shadow file for user accounts with ‘NP’ (no password) also means that the account is disabled? kindly advise.
by the way this is for solaris 8.
Not technically disabled, just not able to login. Account passwd has not been set but can be set by root.
HI all
can anybody help me
supose any user passwd expire so hw cn we get inforamation regarding this
we dont no wt is user name then hw cn we identify that this user’s passwd hass been expired
mail me pls
zimmyyash@gmail.com
thxx in advance
Hi…can any one tell me…is there any procedure or any scriprt or tool through which i can change the password setting..i mean when i type the password in linux nthng displayed,is there any way to change it with * symbol…so next tym instead of nthyng i will get ******** like this form….thnx in advance…
With this instance you need to break the encription layer before we can proceed to the inquiries you like. Then it time we can formulate that kind of scripting code and it depends to the one you like systems.
How do I change my password
typically you’d just login and type “passwd”, then give your old password and a new password and it would be set for you.
just do the reset password command in the unix command line.
$ User ID= Username
$ resetpassword
Hi
Can anybody tell me how to calculate the date the password has been change. I mean how to get the actual password change date.
root:ZW1NcbJpB8Yd6:14712:
according to this log password has been change on 14712- but how do i know which date, which month and which year password changed.
Thank you
Dileepa, (November 17, 2011)
On linux you can use the date command to convert the EPOCH days to the date.
The time reported back is not valid, since I am using a full day for seconds.
date -d @`echo 14712*86400|bc`
Mon Apr 12 20:00:00 EDT 2010
what is main file /etc/passwd or /etc/shadow
thankx for tell us meaning of last 2 spaces usually blank
Thanks for posting!!!