Comments on: Linux: Recovering deleted /etc/shadow password file

By: hitmars

hitmars — Fri, 04 Sep 2009 09:24:49 +0000

Hi, erery1:
I followed to step 3, and then I touch a file named shadow in /etc, then edit it as follow:
root::12823:0:99999:7:::
does it mean that everyone can modify the password of root and get the privildge?

By: red

red — Fri, 27 Mar 2009 01:17:54 +0000

Hi,
This command didn’t worked for SME 7.
cat /proc/kcore | strings | egrep “^([^:]*:){8}[^:]*$” >
/tmp/kcore-dump

I accidentally deleted /etc/samba/passwd file. I don’t have any backup for this file and I don’t know how to recover it.

Please help.

Thanks!

By: Furthur

Furthur — Fri, 12 Dec 2008 16:48:17 +0000

Thank you very much! Very helpful.

I would however put the last bit about recovering from your backup *before* the batch generation. For smaller system it is seems alot easier to simple cp back the shadow file.

thanks again!

By: Ajeet

Ajeet — Thu, 28 Aug 2008 11:34:55 +0000

I dint see any pwconv command on my system now.
Can Anyone please help me with this long stucked issue?

By: Ajeet Singh

Ajeet Singh — Mon, 26 May 2008 06:57:32 +0000

I followed above doc
and ran :

1. Rebooted
2. Edit Recovery Mode : with init=/bin/bash
3. mount -rw -o remount /
4. Edited /etc/passwd file(Surprisingly nano editor was working but vi dint)
5. Moved passwd- to passwd and moved shadow- to shadow.
6. Forcibly rebooted.

Now it seems to work. But it displays:

I have no name!@micex:~$

Why it is displaying so??

By: nils

nils — Tue, 25 Mar 2008 16:06:39 +0000

If the file /etc/shadow is deleted, but the computer is still running and you still have root access, it might be possible to regenerate it from memory similar to the following approach:
cat /proc/kcore | strings | egrep "^([^:]*:){8}[^:]*$" > /tmp/kcore-dump
Now you have a file which might include the contents of the deleted /etc/shadow. Now you have to take a text editor and extract the correct lines. Special care has to be taken because the contents might be incomplete or even wrong.

By: rajesh

rajesh — Mon, 17 Sep 2007 10:26:18 +0000

Guys,
I have different problem. I accidentally deleted /etc/passwd file. Now i am not able to login to any user mode. My operating system is SCO Unix. Please Help me.

regards,
Rajesh

By: monk

monk — Wed, 28 Dec 2005 11:21:00 +0000

>Alejandro said…
>You’re regenerating /etc/shadow, not recovering it from a delete. You don’t (becuase you can’t) recover user passwords. And, just as a question, which is the probability of losing only /etc/shadow and not your whole disk?

Yup it is regenerating or it creates /etc/shadow from /etc/passwd and an optionally existing shadow. As I said earlier, file deleted by mistake.

>And a question 2: if a user as root deleted /etc/shadow, which is the probability that he do dd if=/dev/zero of=/dev/sda??

I am sorry but I am not getting your point here. Sure root can run dd and destroy entire disk. That is what I said at the bottom, “I guess it explains the important of regular backup of both data and key files.”. Since this server was 3rd party hosted in our IDC. It is not managed by us. Customer itself managing the server and they did not have a backup copy of /etc/shadow file; all they got was backup of mysql and ftp server. Moreover, ftpserver was working fine because proftpd was build using MySQL database for authentication and quota management. Therefore, I had to restore /etc/shadow file :)

I hope this clears picture.

By: Alejandro

Alejandro — Wed, 28 Dec 2005 08:19:00 +0000

You’re regenerating /etc/shadow, not recovering it from a delete. You don’t (becuase you can’t) recover user passwords.

And, just as a question, which is the probability of losing only /etc/shadow and not your whole disk?

And a question 2: if a user as root deleted /etc/shadow, which is the probability that he do
dd if=/dev/zero of=/dev/sda??

By: monk

monk — Tue, 27 Dec 2005 16:59:00 +0000

I’m aware of OpenLDAP and other directory authentication services. On the other hand they are good for big setup (more than 3-4 servers). This was customers managed single server. Therefore, I cannot go and suggest them ;) thanks for your suggestion.

By: Anonymous

Anonymous — Tue, 27 Dec 2005 14:22:00 +0000

Use LDAP for system authentication, and you don’t need to recover the shadow file …

By: nixcraft

nixcraft — Tue, 27 Dec 2005 03:33:00 +0000

>You should block user logins *before* you reboot in multiuser mode. That is, swap steps #3 and #4.
I guess you can go both ways

By: nixcraft

nixcraft — Tue, 27 Dec 2005 03:32:00 +0000

>And where did you recover the deleted shadow?
Read Step # 3 : Rebuild /etc/shadow file from /etc/passwd, as soon as you type command pwconv, your file will be back.
# pwconv

By: Anonymous

Anonymous — Tue, 27 Dec 2005 03:05:00 +0000

And where did you recover the deleted shadow?

By: Anonymous

Anonymous — Sat, 24 Dec 2005 15:04:00 +0000

You should block user logins *before* you reboot in multiuser mode. That is, swap steps #3 and #4.

By: Anonymous

Anonymous — Thu, 22 Dec 2005 18:46:00 +0000

What I would do instead of generating all new passwords is simply restore /etc/shadow from the nightly backup tape. This procedure would be good if you aren’t doing backups, but if you aren’t, shame on you!