Linux: Recovering Deleted /etc/shadow Password File

by on December 21, 2005 · 22 comments· LAST UPDATED June 7, 2012

in , ,

You may delete a file called /etc/shadow. If you try to boot into a single user mode, system will ask for the maintenance root password. Now imagine this, you do not have a backup of /etc/shadow file. How do you fix such problem in a production environment where time is a critical factor? I will explain how to recover a deleted /etc/shadow file in five easy steps.

It all started when one of our client accidentally deleted a file called /etc/shadow from co-located Debian Linux server. As a result, all account login (sftp/ssh) got disabled. However, ftp was working fine because proftpd was build using MySQL database.

#1: Boot server into a single user mode

First, reboot the server.

When you see grub-boot loader screen. Select Recovery mode version of the kernel that you wish to boot and type e for edit. Select the line that starts with kernel and type e to edit the line.

Go to the end of the line and type init=/bin/bash as a separate one word (press the spacebar and then type init=/bin/bash). Press enter key to exit edit mode.
init=/bin/bash

At the GRUB screen, type b to boot into a single user mode. This causes the system to boot the kernel and run /bin/bash instead of its standard init. This allowed us to gain root privileges and a root shell.

Step #2: Make sure you can access the system partition

By default / file system will be mounted in a read-only mode and many disk partitions have not been mounted yet, you must do the following to have a reasonably functioning system. To mount partitions in read write mode, enter:
# mount -rw -o remount /
Note: Do not forget to (re)mount your rest of all your partitions in read/write (rw) mode such as /usr, /var, /home, /tmp etc.

Step #3: Rebuild /etc/shadow file from /etc/passwd

You need to use the pwconv command. It creates /etc/shadow from /etc/passwd and an optionally existing shadow.
# pwconv

Next, use the passwd command to set a new root user account password, enter:
# passwd
You need to type the same password twice. If you have an admin account, then setup password for that account too. On most production servers direct root login is disabled. In our situation, admin was the only account allowed to use su and sudo command:
# passwd admin

Finally, reboot the system, enter:
# sync
# reboot

Step # 4 Block all non-root login

Block all non-root (normal) users until you fix all password related problems. Since rest of account do not have any password, it is necessary to prevent non-root users from logging into the system. You need to create a file called /etc/nologin. It will allow access only to root. Other users will be shown the contents of this file and their logins will denied or refused.

1) Login as root user (terminal login only)

2) Create a file called /etc/nologin enter:
cat > /etc/nologin
System is down due to temporary problem. We will restore your access
within 30 minutes time. If you have any questions please contact tech
support at XXX-XXXX-ZZZZ or ts@it.example.com

Tip: Update all users password in a batch mode

Create a random password for each non-root user using chpasswd utility. It update passwords in batch mode. The chpasswd command reads a list of user name and password pairs from file and uses this information to update a group of existing users. Each line has the following format:

user_name:password

Remember by default the supplied password must be in clear-text format. This command is intended to be used in a large system environment where many accounts are created at a single time or in an emergency situation. First, you need to find out all non-root accounts using the awk command:
awk -F: '{ if ( $3 >1000 ) print $1}' /etc/passwd > /root/tmp.pass

Make sure /root/tmp.pass file contains non-root usernames only.

Next, create a random password with pwgen command:
By default, pwgen utility is not installed so you can install it with the help of apt-get or yum command, enter:
# apt-get install pwgen
OR
# yum -y install pwgen
The pwgen program generates passwords which are designed to be easily memorized by humans, while being as secure as possible. For example, the following command print the generated password:
# pwgen -1 -n 8
Sample outputs:

yeico5AV

Download complete working script that updates user password in a batch mode. Execute the script batch-update-password.sh:
# chmod +x batch-update-password.sh
# ./batch-update-password.sh

Now update user passwords with the chpasswd command, by default script creates file in /root/batch.passwd file:
# chpasswd

Email new passwords to server admin and/or to all end users. You can write a script to email password to end users.

Your system is ready to accept login, just remove a file called /etc/nologin, enter:
# rm /etc/nologin

There are other ways to recover /etc/shadow file, depend upon your setup and backup frequency you can use any one of the following method too:

  • By default, your /etc/passwd and /etc/shadow file are backup to /var/backups under Debian Linux. You can just copy shadow.bak file after step # 1:
    # cp /var/backups/shadow.bak /etc/shadow
  • Some time /etc/shadow- file can be use to replace the /etc/shadow file.
  • If you have a backup of /etc/shadow on tape or cdrom, restore /etc/shadow file after step #1.
  • Undelete /etc/shadow file using debugfs command
  • Another, option is PhotoRec software. It is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. PhotoRec is free - this open source multi-platform application is distributed under GNU General Public License (GPLV v2+). PhotoRec is a companion program to TestDisk, an app for recovering lost partitions on a wide variety of file systems and making non-bootable disks bootable again.

See also:

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 22 comments… read them below or add one }

1 Anonymous December 22, 2005 at 6:46 pm

What I would do instead of generating all new passwords is simply restore /etc/shadow from the nightly backup tape. This procedure would be good if you aren’t doing backups, but if you aren’t, shame on you!

2 Anonymous December 24, 2005 at 3:04 pm

You should block user logins *before* you reboot in multiuser mode. That is, swap steps #3 and #4.

3 Anonymous December 27, 2005 at 3:05 am

And where did you recover the deleted shadow?

4 nixcraft December 27, 2005 at 3:32 am

>And where did you recover the deleted shadow?
Read Step # 3 : Rebuild /etc/shadow file from /etc/passwd, as soon as you type command pwconv, your file will be back.
# pwconv

5 nixcraft December 27, 2005 at 3:33 am

>You should block user logins *before* you reboot in multiuser mode. That is, swap steps #3 and #4.
I guess you can go both ways

6 Anonymous December 27, 2005 at 2:22 pm

Use LDAP for system authentication, and you don’t need to recover the shadow file …

7 monk December 27, 2005 at 4:59 pm

I’m aware of OpenLDAP and other directory authentication services. On the other hand they are good for big setup (more than 3-4 servers). This was customers managed single server. Therefore, I cannot go and suggest them ;) thanks for your suggestion.

8 Alejandro December 28, 2005 at 8:19 am

You’re regenerating /etc/shadow, not recovering it from a delete. You don’t (becuase you can’t) recover user passwords.

And, just as a question, which is the probability of losing only /etc/shadow and not your whole disk?

And a question 2: if a user as root deleted /etc/shadow, which is the probability that he do
dd if=/dev/zero of=/dev/sda??

9 monk December 28, 2005 at 11:21 am

>Alejandro said…
>You’re regenerating /etc/shadow, not recovering it from a delete. You don’t (becuase you can’t) recover user passwords. And, just as a question, which is the probability of losing only /etc/shadow and not your whole disk?

Yup it is regenerating or it creates /etc/shadow from /etc/passwd and an optionally existing shadow. As I said earlier, file deleted by mistake.

>And a question 2: if a user as root deleted /etc/shadow, which is the probability that he do dd if=/dev/zero of=/dev/sda??

I am sorry but I am not getting your point here. Sure root can run dd and destroy entire disk. That is what I said at the bottom, “I guess it explains the important of regular backup of both data and key files.”. Since this server was 3rd party hosted in our IDC. It is not managed by us. Customer itself managing the server and they did not have a backup copy of /etc/shadow file; all they got was backup of mysql and ftp server. Moreover, ftpserver was working fine because proftpd was build using MySQL database for authentication and quota management. Therefore, I had to restore /etc/shadow file :)

I hope this clears picture.

10 rajesh September 17, 2007 at 10:26 am

Guys,
I have different problem. I accidentally deleted /etc/passwd file. Now i am not able to login to any user mode. My operating system is SCO Unix. Please Help me.

regards,
Rajesh

11 nils March 25, 2008 at 4:06 pm

If the file /etc/shadow is deleted, but the computer is still running and you still have root access, it might be possible to regenerate it from memory similar to the following approach:

cat /proc/kcore | strings | egrep "^([^:]*:){8}[^:]*$" > /tmp/kcore-dump

Now you have a file which might include the contents of the deleted /etc/shadow. Now you have to take a text editor and extract the correct lines. Special care has to be taken because the contents might be incomplete or even wrong.

12 Ajeet Singh May 26, 2008 at 6:57 am

I followed above doc
and ran :

1. Rebooted
2. Edit Recovery Mode : with init=/bin/bash
3. mount -rw -o remount /
4. Edited /etc/passwd file(Surprisingly nano editor was working but vi dint)
5. Moved passwd- to passwd and moved shadow- to shadow.
6. Forcibly rebooted.

Now it seems to work. But it displays:

I have no name!@micex:~$

Why it is displaying so??

13 Ajeet August 28, 2008 at 11:34 am

I dint see any pwconv command on my system now.
Can Anyone please help me with this long stucked issue?

14 Furthur December 12, 2008 at 4:48 pm

Thank you very much! Very helpful.

I would however put the last bit about recovering from your backup *before* the batch generation. For smaller system it is seems alot easier to simple cp back the shadow file.

thanks again!

15 red March 27, 2009 at 1:17 am

Hi,
This command didn’t worked for SME 7.
cat /proc/kcore | strings | egrep “^([^:]*:){8}[^:]*$” >
/tmp/kcore-dump

I accidentally deleted /etc/samba/passwd file. I don’t have any backup for this file and I don’t know how to recover it.

Please help.

Thanks!

16 hitmars September 4, 2009 at 9:24 am

Hi, erery1:
I followed to step 3, and then I touch a file named shadow in /etc, then edit it as follow:
root::12823:0:99999:7:::
does it mean that everyone can modify the password of root and get the privildge?

17 Anonymous May 19, 2010 at 4:45 pm

Thumbsup m8 works like a charm now :D

18 hassin May 22, 2010 at 6:46 pm

pwconv

19 charles September 9, 2011 at 4:40 pm

i mistakenly deleted just the root_passwd line in the /etc/shadow file.from your explanation how do i recover the passwd i deleted not the entire file.

20 xman September 23, 2011 at 5:19 pm

thank you very much.
i have a same problem.
you helped me.
thank you again.

21 Erasel February 28, 2012 at 9:11 pm

Hey,
this is a restore of the file. I wont edit about 200 Users. So you can boot from a rescue cd or something else and just do a ->grep -b -A 200 “^root:” /dev/sda1 >mytmpshadow<- (I hope i didn't mistyped anything).
This will scan your HDD (in my case /dev/sda1) like a textfile (where it is possible) and find ^root: and all 200 following lines. After this you just have to edit the file "mythmshadow" a litle bit with vi…

More explanation:
http://www.cyberciti.biz/tips/linuxunix-recover-deleted-files.html

22 Jonathan June 7, 2012 at 1:38 am

Dude, you have no idea how much you just helped me and potentially thousands of other Raspberry Pi users. Because of your tips I now have RedSleeve Linux running on my Pi. If you lived near me I would definitely buy you a beer or three. :) Thanks again, bro.

Leave a Comment

Tagged as: , , , , , , , , , , , , , , , ,

Previous post:

Next post: