Can you explain /etc/shadow file format used under Linux or UNIX-like system?
The /etc/shadow file stores actual password in encrypted format for user's account with additional properties related to user password i.e. it stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in /etc/passwd file Generally, shadow file entry looks as follows (click to enlarge image):
/etc/shadow file fields
- Username : It is your login name.
- Password : It is your encrypted password. The password should be minimum 6-8 characters long including special characters/digits and more.
- Last password change (lastchanged) : Days since Jan 1, 1970 that password was last changed
- Minimum : The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
- Maximum : The maximum number of days the password is valid (after that user is forced to change his/her password)
- Warn : The number of days before password is to expire that user is warned that his/her password must be changed
- Inactive : The number of days after password expires that account is disabled
- Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used.
The last 6 fields provides password aging and account lockout features. You need to use the chage command to setup password aging. According to man page of shadow - the password field must be filled. The encrypted password consists of 13 to 24 characters from the 64 character alphabet a through z, A through Z, 0 through 9, \. and /. Optionally it can start with a "$" character. This means the encrypted password was generated using another (not DES) algorithm. For example if it starts with "$1$" it means the MD5-based algorithm was used. Please note that a password field which starts with a exclamation mark (!) means that the password is locked. The remaining characters on the line represent the password field before the password was locked.
How do I change the password?
Use the following syntax to change your own password:
How do I change the password for other users?
You must be root to change the password for all other users:
# passwd userNameHere
$ sudo passwd userNameHere
How do I setup password again?
To change user password expiry information use the chage command on Linux. The syntax is (again you must be root to set the password again):
chage username chage [options] username chage vivek chage -l tom
The options are as follows:
-d, --lastday LAST_DAY set date of last password change to LAST_DAY -E, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE -h, --help display this help message and exit -I, --inactive INACTIVE set password inactive after expiration to INACTIVE -l, --list show account aging information -m, --mindays MIN_DAYS set minimum number of days before password change to MIN_DAYS -M, --maxdays MAX_DAYS set maximim number of days before password change to MAX_DAYS -R, --root CHROOT_DIR directory to chroot into -W, --warndays WARN_DAYS set expiration warning days to WARN_DAYS
How do I verify integrity of password files?
Use the pwck command verifies the integrity of the users and authentication information. It checks that all entries in /etc/passwd and /etc/shadow have the proper format and contain valid data. The user is prompted to delete entries that are improperly formatted or which have other uncorrectable errors. The syntax is:
pwck -r /etc/passwd pwck -r /etc/shadow pwck [options] /etc/shadow
The options are as follows:
-h, --help display this help message and exit -q, --quiet report errors only -r, --read-only display errors and warnings but do not change files -R, --root CHROOT_DIR directory to chroot into -s, --sort sort entries by UID