Search

The Linux password database (/etc/shadow) file

Traditional Unix systems store user account information, including one-way encrypted passwords, in user database file "/etc/passwd". This file is world-readable and hence storing password in this file is not secure.
Another method of storing account information is the shadow password format. This method stores account information in the /etc/passwd file, but the password is stored as a single "x" character (ie. not actually stored in this file). A second file, called "/etc/shadow", contains encrypted password and other information related with password.  The "/etc/shadow" file is readable only by the root account.

The following are the advantages shadow passwords over the traditional way of storing passwords on UNIX-based systems.

• Improves system security by moving encrypted password hashes from the world-readable /etc/passwd file to /etc/shadow, which is readable only by the root user.

• Stores information about password aging.

• Allows the use the /etc/login.defs file to enforce security policies.

A sample /etc/shadow configuration file is copied below.

root:$1$CQoPk7Zh$370xDLmeGD9m4aF/ciIlC.:14425:0:99999:7:::
bin:*:14425:0:99999:7:::
daemon:*:14425:0:99999:7:::
adm:*:14425:0:99999:7:::
lp:*:14425:0:99999:7:::
sync:*:14425:0:99999:7:::
shutdown:*:14425:0:99999:7:::
halt:*:14425:0:99999:7:::
mail:*:14425:0:99999:7:::
news:*:14425:0:99999:7:::
uucp:*:14425:0:99999:7:::
operator:*:14425:0:99999:7:::
games:*:14425:0:99999:7:::
gopher:*:14425:0:99999:7:::
ftp:*:14425:0:99999:7:::
nobody:*:14425:0:99999:7:::
rpm:!!:14425:0:99999:7:::
dbus:!!:14425:0:99999:7:::
avahi:!!:14425:0:99999:7:::
mailnull:!!:14425:0:99999:7:::
smmsp:!!:14425:0:99999:7:::
nscd:!!:14425:0:99999:7:::
vcsa:!!:14425:0:99999:7:::
haldaemon:!!:14425:0:99999:7:::
rpc:!!:14425:0:99999:7:::
rpcuser:!!:14425:0:99999:7:::
nfsnobody:!!:14425:0:99999:7:::
sshd:!!:14425:0:99999:7:::
pcap:!!:14425:0:99999:7:::
ntp:!!:14425:0:99999:7:::
gdm:!!:14425:0:99999:7:::
xfs:!!:14425:0:99999:7:::
sabayon:!!:14425:0:99999:7:::
tintin:$1$wKAP1RyH$JeCAcEGhSGVlD0J7.AMg.0:14396:2:5:7:30::

 

 Column

Field

Description

1

Username

Username

2

Password

Encrypted password; requires an x in the second column of /etc/passwd

3

Password history

Date of the last password change, in number of days after January 1, 1970 (Unix epoch)

4

mindays

Minimum number of days that you must keep a password (-m)

5

maxdays

Maximum number of days after which a password must be changed (-M)

6

warndays

Number of days before password expiration when a warning is given (-W)

7

 

inactive

Number of days after password expiration when an account is made inactive (-I)

8

disabled

The number of days since January 1, 1970 (Unix epoch) that an account has been disabled (-E)

9

Reserved

Currently not in use

Related Tutorials
• Introduction to Linux user administration
• How to add a user in Linux using useradd command
• How to use passwd command to manage user passwords
• How to modify a Linux user using usermod command
• How to set Linux password aging using chage command
• How to remove user from Linux using userdel command
• The Linux user database (/etc/passwd)
• Introduction to Linux User Group
• How to create a new group in Linux using groupadd command
• Linux Group Database (/etc/group) file
• How to manage Linux user group