Linux: Recovering Deleted /etc/shadow Password File

You may delete a file called /etc/shadow. If you try to boot into a single user mode, system will ask for the maintenance root password. Now imagine this, you do not have a backup of /etc/shadow file. How do you fix such problem in a production environment where time is a critical factor? I will explain how to recover a deleted /etc/shadow file in five easy steps.

It all started when one of our client accidentally deleted a file called /etc/shadow from co-located Debian Linux server. As a result, all account login (sftp/ssh) got disabled. However, ftp was working fine because proftpd was build using MySQL database.

#1: Boot server into a single user mode

First, reboot the server.

When you see grub-boot loader screen. Select Recovery mode version of the kernel that you wish to boot and type e for edit. Select the line that starts with kernel and type e to edit the line.

Go to the end of the line and type init=/bin/bash as a separate one word (press the spacebar and then type init=/bin/bash). Press enter key to exit edit mode.

At the GRUB screen, type b to boot into a single user mode. This causes the system to boot the kernel and run /bin/bash instead of its standard init. This allowed us to gain root privileges and a root shell.

Step #2: Make sure you can access the system partition

By default / file system will be mounted in a read-only mode and many disk partitions have not been mounted yet, you must do the following to have a reasonably functioning system. To mount partitions in read write mode, enter:
# mount -rw -o remount /
Note: Do not forget to (re)mount your rest of all your partitions in read/write (rw) mode such as /usr, /var, /home, /tmp etc.

Step #3: Rebuild /etc/shadow file from /etc/passwd

You need to use the pwconv command. It creates /etc/shadow from /etc/passwd and an optionally existing shadow.
# pwconv

Next, use the passwd command to set a new root user account password, enter:
# passwd
You need to type the same password twice. If you have an admin account, then setup password for that account too. On most production servers direct root login is disabled. In our situation, admin was the only account allowed to use su and sudo command:
# passwd admin

Finally, reboot the system, enter:
# sync
# reboot

Step # 4 Block all non-root login

Block all non-root (normal) users until you fix all password related problems. Since rest of account do not have any password, it is necessary to prevent non-root users from logging into the system. You need to create a file called /etc/nologin. It will allow access only to root. Other users will be shown the contents of this file and their logins will denied or refused.

1) Login as root user (terminal login only)

2) Create a file called /etc/nologin enter:
cat > /etc/nologin
System is down due to temporary problem. We will restore your access
within 30 minutes time. If you have any questions please contact tech
support at XXX-XXXX-ZZZZ or

Tip: Update all users password in a batch mode

Create a random password for each non-root user using chpasswd utility. It update passwords in batch mode. The chpasswd command reads a list of user name and password pairs from file and uses this information to update a group of existing users. Each line has the following format:


Remember by default the supplied password must be in clear-text format. This command is intended to be used in a large system environment where many accounts are created at a single time or in an emergency situation. First, you need to find out all non-root accounts using the awk command:
awk -F: '{ if ( $3 >1000 ) print $1}' /etc/passwd > /root/tmp.pass

Make sure /root/tmp.pass file contains non-root usernames only.

Next, create a random password with pwgen command:
By default, pwgen utility is not installed so you can install it with the help of apt-get or yum command, enter:
# apt-get install pwgen
# yum -y install pwgen
The pwgen program generates passwords which are designed to be easily memorized by humans, while being as secure as possible. For example, the following command print the generated password:
# pwgen -1 -n 8
Sample outputs:


Download complete working script that updates user password in a batch mode. Execute the script
# chmod +x
# ./

Now update user passwords with the chpasswd command, by default script creates file in /root/batch.passwd file:
# chpasswd

Email new passwords to server admin and/or to all end users. You can write a script to email password to end users.

Your system is ready to accept login, just remove a file called /etc/nologin, enter:
# rm /etc/nologin

There are other ways to recover /etc/shadow file, depend upon your setup and backup frequency you can use any one of the following method too:

  • By default, your /etc/passwd and /etc/shadow file are backup to /var/backups under Debian Linux. You can just copy shadow.bak file after step # 1:
    # cp /var/backups/shadow.bak /etc/shadow
  • Some time /etc/shadow- file can be use to replace the /etc/shadow file.
  • If you have a backup of /etc/shadow on tape or cdrom, restore /etc/shadow file after step #1.
  • Undelete /etc/shadow file using debugfs command
  • Another, option is PhotoRec software. It is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media’s file system has been severely damaged or reformatted. PhotoRec is free – this open source multi-platform application is distributed under GNU General Public License (GPLV v2+). PhotoRec is a companion program to TestDisk, an app for recovering lost partitions on a wide variety of file systems and making non-bootable disks bootable again.

See also:

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 23 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersdf duf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Modern utilitiesbat exa
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg glances gtop jobs killall kill pidof pstree pwdx time vtop
Searchingag grep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
23 comments… add one
  • Anonymous Dec 22, 2005 @ 18:46

    What I would do instead of generating all new passwords is simply restore /etc/shadow from the nightly backup tape. This procedure would be good if you aren’t doing backups, but if you aren’t, shame on you!

  • Anonymous Dec 24, 2005 @ 15:04

    You should block user logins *before* you reboot in multiuser mode. That is, swap steps #3 and #4.

  • Anonymous Dec 27, 2005 @ 3:05

    And where did you recover the deleted shadow?

  • 🐧 nixcraft Dec 27, 2005 @ 3:32

    >And where did you recover the deleted shadow?
    Read Step # 3 : Rebuild /etc/shadow file from /etc/passwd, as soon as you type command pwconv, your file will be back.
    # pwconv

  • 🐧 nixcraft Dec 27, 2005 @ 3:33

    >You should block user logins *before* you reboot in multiuser mode. That is, swap steps #3 and #4.
    I guess you can go both ways

  • Anonymous Dec 27, 2005 @ 14:22

    Use LDAP for system authentication, and you don’t need to recover the shadow file …

  • monk Dec 27, 2005 @ 16:59

    I’m aware of OpenLDAP and other directory authentication services. On the other hand they are good for big setup (more than 3-4 servers). This was customers managed single server. Therefore, I cannot go and suggest them 😉 thanks for your suggestion.

  • Alejandro Dec 28, 2005 @ 8:19

    You’re regenerating /etc/shadow, not recovering it from a delete. You don’t (becuase you can’t) recover user passwords.

    And, just as a question, which is the probability of losing only /etc/shadow and not your whole disk?

    And a question 2: if a user as root deleted /etc/shadow, which is the probability that he do
    dd if=/dev/zero of=/dev/sda??

  • monk Dec 28, 2005 @ 11:21

    >Alejandro said…
    >You’re regenerating /etc/shadow, not recovering it from a delete. You don’t (becuase you can’t) recover user passwords. And, just as a question, which is the probability of losing only /etc/shadow and not your whole disk?

    Yup it is regenerating or it creates /etc/shadow from /etc/passwd and an optionally existing shadow. As I said earlier, file deleted by mistake.

    >And a question 2: if a user as root deleted /etc/shadow, which is the probability that he do dd if=/dev/zero of=/dev/sda??

    I am sorry but I am not getting your point here. Sure root can run dd and destroy entire disk. That is what I said at the bottom, “I guess it explains the important of regular backup of both data and key files.”. Since this server was 3rd party hosted in our IDC. It is not managed by us. Customer itself managing the server and they did not have a backup copy of /etc/shadow file; all they got was backup of mysql and ftp server. Moreover, ftpserver was working fine because proftpd was build using MySQL database for authentication and quota management. Therefore, I had to restore /etc/shadow file 🙂

    I hope this clears picture.

  • rajesh Sep 17, 2007 @ 10:26

    I have different problem. I accidentally deleted /etc/passwd file. Now i am not able to login to any user mode. My operating system is SCO Unix. Please Help me.


  • nils Mar 25, 2008 @ 16:06

    If the file /etc/shadow is deleted, but the computer is still running and you still have root access, it might be possible to regenerate it from memory similar to the following approach:

    cat /proc/kcore | strings | egrep "^([^:]*:){8}[^:]*$" > /tmp/kcore-dump

    Now you have a file which might include the contents of the deleted /etc/shadow. Now you have to take a text editor and extract the correct lines. Special care has to be taken because the contents might be incomplete or even wrong.

  • Ajeet Singh May 26, 2008 @ 6:57

    I followed above doc
    and ran :

    1. Rebooted
    2. Edit Recovery Mode : with init=/bin/bash
    3. mount -rw -o remount /
    4. Edited /etc/passwd file(Surprisingly nano editor was working but vi dint)
    5. Moved passwd- to passwd and moved shadow- to shadow.
    6. Forcibly rebooted.

    Now it seems to work. But it displays:

    I have no name!@micex:~$

    Why it is displaying so??

  • Ajeet Aug 28, 2008 @ 11:34

    I dint see any pwconv command on my system now.
    Can Anyone please help me with this long stucked issue?

  • Furthur Dec 12, 2008 @ 16:48

    Thank you very much! Very helpful.

    I would however put the last bit about recovering from your backup *before* the batch generation. For smaller system it is seems alot easier to simple cp back the shadow file.

    thanks again!

  • red Mar 27, 2009 @ 1:17

    This command didn’t worked for SME 7.
    cat /proc/kcore | strings | egrep “^([^:]*:){8}[^:]*$” >

    I accidentally deleted /etc/samba/passwd file. I don’t have any backup for this file and I don’t know how to recover it.

    Please help.


  • hitmars Sep 4, 2009 @ 9:24

    Hi, erery1:
    I followed to step 3, and then I touch a file named shadow in /etc, then edit it as follow:
    does it mean that everyone can modify the password of root and get the privildge?

  • Anonymous May 19, 2010 @ 16:45

    Thumbsup m8 works like a charm now 😀

  • hassin May 22, 2010 @ 18:46


  • charles Sep 9, 2011 @ 16:40

    i mistakenly deleted just the root_passwd line in the /etc/shadow file.from your explanation how do i recover the passwd i deleted not the entire file.

  • xman Sep 23, 2011 @ 17:19

    thank you very much.
    i have a same problem.
    you helped me.
    thank you again.

  • Erasel Feb 28, 2012 @ 21:11

    this is a restore of the file. I wont edit about 200 Users. So you can boot from a rescue cd or something else and just do a ->grep -b -A 200 “^root:” /dev/sda1 >mytmpshadow<- (I hope i didn't mistyped anything).
    This will scan your HDD (in my case /dev/sda1) like a textfile (where it is possible) and find ^root: and all 200 following lines. After this you just have to edit the file "mythmshadow" a litle bit with vi…

    More explanation:

  • Jonathan Jun 7, 2012 @ 1:38

    Dude, you have no idea how much you just helped me and potentially thousands of other Raspberry Pi users. Because of your tips I now have RedSleeve Linux running on my Pi. If you lived near me I would definitely buy you a beer or three. 🙂 Thanks again, bro.

  • Gabe Oct 18, 2014 @ 21:20

    Thanks for this post!

    It saved me many frustrating hours of toil.

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum