The Linux password database (/etc/shadow) file
Traditional Unix systems store user account information, including the one-way password hashes, in the user database file /etc/passwd. That file has to be world-readable (every program that maps a UID to a name reads it), so any local user can copy the hashes and crack them offline; storing password hashes in it is not secure.
The shadow password format avoids this. Account information is still kept in /etc/passwd, but the password field holds a single "x" (the hash is not stored in this file at all). A second file, /etc/shadow, contains the password hash and the password-aging information for each account. /etc/shadow is readable only by root (on Debian-style distributions it is owned root:shadow with mode 0640, so members of the shadow group can read it as well), and users change their own passwords through the setuid passwd(1) and chage(1) helpers rather than by editing the file.
The following are the advantages of shadow passwords over the traditional way of storing passwords on UNIX-based systems.
• Improves system security by moving the password hashes from the world-readable /etc/passwd file to /etc/shadow, which is readable only by root.
• Stores password-aging information (last change, minimum and maximum age, warning and inactivity periods, account expiry).
• Allows the use of the /etc/login.defs file to enforce password policies system-wide.
A sample /etc/shadow file is copied below. The two entries with real hashes use the $1$ prefix, which marks MD5-crypt; that algorithm is obsolete and current systems use $6$ (SHA-512 crypt) or $y$ (yescrypt). Entries whose password field is "*" or "!!" cannot log in with a password at all.
root:$1$CQoPk7Zh$370xDLmeGD9m4aF/ciIlC.:14425:0:99999:7:::
bin:*:14425:0:99999:7:::
daemon:*:14425:0:99999:7:::
adm:*:14425:0:99999:7:::
lp:*:14425:0:99999:7:::
sync:*:14425:0:99999:7:::
shutdown:*:14425:0:99999:7:::
halt:*:14425:0:99999:7:::
mail:*:14425:0:99999:7:::
news:*:14425:0:99999:7:::
uucp:*:14425:0:99999:7:::
operator:*:14425:0:99999:7:::
games:*:14425:0:99999:7:::
gopher:*:14425:0:99999:7:::
ftp:*:14425:0:99999:7:::
nobody:*:14425:0:99999:7:::
rpm:!!:14425:0:99999:7:::
dbus:!!:14425:0:99999:7:::
avahi:!!:14425:0:99999:7:::
mailnull:!!:14425:0:99999:7:::
smmsp:!!:14425:0:99999:7:::
nscd:!!:14425:0:99999:7:::
vcsa:!!:14425:0:99999:7:::
haldaemon:!!:14425:0:99999:7:::
rpc:!!:14425:0:99999:7:::
rpcuser:!!:14425:0:99999:7:::
nfsnobody:!!:14425:0:99999:7:::
sshd:!!:14425:0:99999:7:::
pcap:!!:14425:0:99999:7:::
ntp:!!:14425:0:99999:7:::
gdm:!!:14425:0:99999:7:::
xfs:!!:14425:0:99999:7:::
sabayon:!!:14425:0:99999:7:::
tintin:$1$wKAP1RyH$JeCAcEGhSGVlD0J7.AMg.0:14396:2:5:7:30::
Column | Field       | Description
1      | username    | Login name; must match the first field of the corresponding /etc/passwd entry
2      | password    | Password hash in crypt(3) format ($id$salt$hash). "*", "!" or "!!" (or a "!" prefixed to a hash) means password login is disabled; an empty field means no password is required. Requires an "x" in the second field of /etc/passwd
3      | lastchanged | Date of the last password change, in days since January 1, 1970 (Unix epoch). 0 forces a change at next login; an empty field disables aging (chage -d)
4      | mindays     | Minimum number of days that must pass before the password may be changed again (chage -m)
5      | maxdays     | Maximum number of days the password is valid before it must be changed; empty or 99999 means effectively never (chage -M)
6      | warndays    | Number of days before password expiry during which the user is warned at login (chage -W)
7      | inactive    | Number of days after password expiry during which the old password is still accepted; once exceeded the account is locked (chage -I)
8      | expire      | Date on which the account is disabled regardless of the password, in days since the Unix epoch (chage -E)
9      | reserved    | Currently not in use
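The field definitions above are easiest to check by applying them. The following parser is an added example (not code from the original page): it reads lines copied from the page's own sample file, identifies the hash algorithm from the $id$ prefix, decodes the epoch-day fields, and classifies each account's password-aging state for a chosen "today". The function names (parse_shadow, hash_algorithm, password_status, report) and the sample input are this example's own; the status logic approximates the order in which pam_unix checks expiry, lock state, forced change and password age.

```python
"""Parse /etc/shadow entries and evaluate password-aging state (added example)."""
import datetime as dt
from dataclasses import dataclass
from typing import List, Optional

EPOCH = dt.date(1970, 1, 1)

# Constructed input: four lines copied from the page's sample /etc/shadow.
SAMPLE_SHADOW = """\
root:$1$CQoPk7Zh$370xDLmeGD9m4aF/ciIlC.:14425:0:99999:7:::
bin:*:14425:0:99999:7:::
sshd:!!:14425:0:99999:7:::
tintin:$1$wKAP1RyH$JeCAcEGhSGVlD0J7.AMg.0:14396:2:5:7:30::
"""

# crypt(3) hash identifiers understood by glibc/libxcrypt; $1$ (MD5) is obsolete.
HASH_IDS = {
    "1": "md5crypt (legacy, do not use)",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
}


@dataclass
class ShadowEntry:
    name: str
    pw_hash: str
    lastchg: Optional[int]   # days since epoch; 0 = must change; None = aging off
    mindays: Optional[int]
    maxdays: Optional[int]
    warndays: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]    # account expiry, days since epoch; None = never
    reserved: str


def _opt_int(field: str) -> Optional[int]:
    """Empty aging fields mean 'not set'; anything else must be an integer."""
    return int(field) if field else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Split every non-blank line into exactly nine ':'-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        aging = [_opt_int(f) for f in fields[2:8]]
        entries.append(ShadowEntry(fields[0], fields[1], *aging, fields[8]))
    return entries


def days_to_date(days: int) -> dt.date:
    """Convert a days-since-epoch field (columns 3 and 8) to a calendar date."""
    return EPOCH + dt.timedelta(days=days)


def is_locked(e: ShadowEntry) -> bool:
    """'*', '!' and '!!' (or '!' prefixed to a real hash) disable password login."""
    return e.pw_hash.startswith(("*", "!"))


def hash_algorithm(e: ShadowEntry) -> str:
    if is_locked(e):
        return "locked"
    if e.pw_hash == "":
        return "NO PASSWORD (empty field)"
    if e.pw_hash.startswith("$"):
        ident = e.pw_hash.split("$")[1]
        return HASH_IDS.get(ident, f"unknown ${ident}$")
    return "traditional DES crypt (weak)"


def password_status(e: ShadowEntry, today: int) -> str:
    """Classify an entry for a given 'today' (days since epoch).

    Check order mirrors pam_unix: account expiry, lock state, forced
    change, then password age against maxdays/inactive/warndays.
    """
    if e.expire is not None and today >= e.expire:
        return "account-expired"
    if is_locked(e):
        return "locked"
    if e.lastchg == 0:
        return "must-change"
    if e.lastchg is None or e.maxdays is None:
        return "ok"                      # aging disabled for this account
    age = today - e.lastchg
    if age > e.maxdays:
        if e.inactive is not None and age > e.maxdays + e.inactive:
            return "inactive-locked"     # grace period after expiry used up
        return "expired"
    if e.warndays is not None and age > e.maxdays - e.warndays:
        return "warn"                    # warndays may exceed maxdays (tintin: 7 > 5)
    return "ok"


def report(text: str, today: int) -> dict:
    """Map each user to (hash algorithm, aging status) for the given day."""
    return {e.name: (hash_algorithm(e), password_status(e, today))
            for e in parse_shadow(text)}


if __name__ == "__main__":
    for name, (alg, status) in report(SAMPLE_SHADOW, today=14425).items():
        print(f"{name:10} {status:16} {alg}")
```

Run as root, the same parser can be pointed at the real file with open("/etc/shadow").read(); as an unprivileged user that open() fails with EACCES, which is exactly the property the shadow format exists to provide. Note that tintin's entry is reported as "expired" on day 14425 (29 days after a change with maxdays 5) but not yet "inactive-locked", because the 30-day inactivity grace period has not run out.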