An article on the fields and format of the /etc/shadow file: what each field means, how it is interpreted, and how it can be modified.
We have written about the /etc/passwd file in the past. In this article, we will look at the /etc/shadow file, its format, its content and its importance for a Linux system. The /etc/shadow file (referred to as the shadow file for the rest of this article) is one of the most sensitive files on the system and the counterpart of /etc/passwd: passwd holds the public account details, shadow holds the password hashes and aging data.
Unlike the password file, the shadow file is not world-readable. Its ownership and mode vary slightly by distribution: on RHEL-family systems it is typically root:root with mode 000 or 400 (i.e. ---------- or -r--------), while Debian and Ubuntu use root:shadow with mode 640 so that setgid helpers in the shadow group can read it. In every case only root (or a process root has explicitly allowed) can read it, and only root can write it. The reason for this restriction is the password-related information stored in the file: anyone who can read it can run offline cracking against the hashes.
A typical /etc/shadow file looks like this:
# cat /etc/shadow
root:$1$UFnkhP.mzcMyajdD9OEY1P80:17413:0:99999:7:::
bin:*:15069:0:99999:7:::
daemon:*:15069:0:99999:7:::
adm:*:15069:0:99999:7:::
testuser:$1$FrWa$ZCMQ5zpEG61e/wI45N8Zw.:17413:0:33:7:::
Since it is a plain text file, commands like cat and more work on it without any issue, provided you run them as root.
Each line of the /etc/shadow file describes one account and has fields separated by colons. There are nine fields per line (eight colons), the last of which is reserved and normally empty. They are:
- Username
- Encrypted password
- Last password change
- Min days
- Max days
- Warn days
- Inactive days
- Expiry
- Reserved (unused, kept for future use)
Lets walk through all these fields one by one.
Username
Username is the user's login name. It is set when the account is created with the useradd command and must match the first field of the corresponding /etc/passwd entry, which is how the two files are joined.
Encrypted password
This is the user's password in hashed (not reversibly encrypted) form. Modern systems store it as $id$salt$hash, where id identifies the algorithm: $1$ is MD5-crypt (as in the sample above and considered weak today), $5$ is SHA-256-crypt, $6$ is SHA-512-crypt and $y$ is yescrypt. Special values matter here: a leading ! or * means the account is locked for password login (passwd -l prepends a ! to the existing hash, and system accounts such as bin and daemon carry a plain *), and an empty field means no password is required, which should never appear on a production system.
Last password change
This is the number of days since 1 Jan 1970 on which the password was last changed. For example, in the sample above testuser's last-change value is 17413. Counting 17413 days from 1 Jan 1970 gives 4 Sept 2017, so testuser last changed his password on 4 Sept 2017. A value of 0 has a special meaning: the user must change the password at the next login. An empty field means password aging is disabled for that account.
You can convert these day counts with a short script, with GNU date, or simply by running chage -l for the user, which prints all the aging fields as readable dates.
Min days
This is the minimum number of days between two password changes for that account. The user cannot change the password again until this many days have passed since the last change; it exists to stop users cycling quickly back to an old password. The field can be changed with the chage command (chage -m). The default on most distributions (PASS_MIN_DAYS in /etc/login.defs) is 0, meaning no restriction, which is what the sample shows; hardening guides commonly set it to 1 or more, depending on your organization's security norms.
Max days
This is the maximum number of days for which the password is valid. Once this period is exhausted, the user is forced to change the password at the next login. The value can be altered with the chage command (chage -M). The distribution default is 99999, which effectively means the password never expires, as you can see for root in the sample; testuser has been given 33 days. Organizations typically set something between 60 and 90 days, but the value depends on your security requirements.
Warn days
This is the number of days before password expiry during which the user sees a warning about the upcoming expiration after logging in. It is usually set to 7 (PASS_WARN_AGE in /etc/login.defs), but it is up to you or your organization to decide this value as per your security policies.
Inactive days
This is the number of days after password expiry during which the user can still log in and set a new password. If the user does not log in during that grace period (and so never changes the expired password), the account is disabled once these many days have passed. An empty field means the account is never disabled for this reason. Once the account is disabled, the system administrator needs to unlock it, for example by resetting the password and adjusting the aging fields with chage or usermod.
Expiry
This is the date, expressed as the number of days since 1 Jan 1970, on which the account itself expires. From that day on the account cannot be used for login regardless of the password's state, unlike the inactive field, which is tied to password expiry. An empty field means the account never expires. The date calculation is the same as in the 'last password change' section above.
Apart from the first two fields (and the unused last one), all the fields are password-aging controls. They are consulted at login by PAM and by the passwd and chage tools, and chage -l <username> prints the current values for any account in human-readable form.
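The parsing and day-count arithmetic described above, pulled together as an added example; this is not code from the original article. It splits each shadow(5) record into its nine fields, converts the day counts to calendar dates, classifies the password field (empty, locked, or which crypt scheme), and evaluates the min/max/warn/inactive/expiry rules for a chosen date. The input is a constructed copy of the article's sample entries plus one made-up line for alice, whose $6$ hash is a placeholder rather than a real digest, so that the inactive and account-expiry branches are exercised. The thresholds (99999 as "never", account expiry taking effect on the expiry day itself, 0 as "must change at next login") follow shadow(5). Note that the root entry in the article's sample has no second $ separating salt from hash, so the classifier reports it as malformed.

```python
"""Parse shadow(5) records and evaluate password-aging state.

Added example, not from the original article. SAMPLE_SHADOW is a
constructed copy of the article's entries plus one made-up line.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

EPOCH = date(1970, 1, 1)
NEVER = 99999  # conventional "password never expires" value for max days

# crypt(5) hash identifiers found in the "$id$salt$hash" password field
HASH_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
            "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

# Constructed input: the article's sample entries plus 'alice' (placeholder
# hash, not a real digest) to exercise the inactive/expiry fields.
SAMPLE_SHADOW = """\
root:$1$UFnkhP.mzcMyajdD9OEY1P80:17413:0:99999:7:::
bin:*:15069:0:99999:7:::
testuser:$1$FrWa$ZCMQ5zpEG61e/wI45N8Zw.:17413:0:33:7:::
alice:$6$c0nstructed$notarealhash:17413:1:60:14:30:17600:
"""


@dataclass
class ShadowEntry:
    name: str
    password: str
    last_change: Optional[int]   # days since EPOCH; None when the field is empty
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[int]        # account expiry, days since EPOCH
    reserved: str                # ninth field, unused


def _opt_int(field: str) -> Optional[int]:
    """Empty aging fields mean 'not set', so map them to None."""
    return int(field) if field.strip() else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow(5) record into its nine colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, pw, lc, mn, mx, wn, ina, exp, res = fields
    return ShadowEntry(name, pw, _opt_int(lc), _opt_int(mn), _opt_int(mx),
                       _opt_int(wn), _opt_int(ina), _opt_int(exp), res)


def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    """Parse a whole shadow file body into a name -> entry mapping."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return {e.name: e for e in map(parse_shadow_line, lines)}


def days_to_date(days: int) -> date:
    """Convert a days-since-1970-01-01 count to a calendar date."""
    return EPOCH + timedelta(days=days)


def password_kind(pw: str) -> str:
    """Classify the password field: empty, locked, or the crypt scheme used."""
    if pw == "":
        return "empty"                      # no password required at all
    if pw.startswith(("!", "*")):
        return "locked"                     # passwd -l / system account
    if pw.startswith("$"):
        parts = pw.split("$")               # "$1$salt$hash" -> ["", "1", salt, hash]
        if len(parts) >= 4 and parts[1] in HASH_IDS:
            return HASH_IDS[parts[1]]
        return "malformed-crypt"            # missing salt/hash separator or unknown id
    return "legacy-des"                     # 13-char traditional crypt


def can_change_password(e: ShadowEntry, today: date) -> bool:
    """Field 4: min_days must have elapsed since the last change."""
    if e.last_change is None or not e.min_days:
        return True
    return today >= days_to_date(e.last_change + e.min_days)


def password_status(e: ShadowEntry, today: date) -> str:
    """Where the password sits in its aging window on `today`."""
    if password_kind(e.password) == "locked":
        return "locked"
    # Field 8: account expiry applies regardless of password state.
    if e.expire is not None and today >= days_to_date(e.expire):
        return "account-expired"
    # Field 3 == 0 means 'must change at next login' (shadow(5)).
    if e.last_change == 0:
        return "must-change-at-login"
    if e.last_change is None or e.max_days is None or e.max_days >= NEVER:
        return "no-expiry"
    expires_on = days_to_date(e.last_change + e.max_days)
    if today < expires_on:
        # Field 6: warn once within warn_days of the expiry date.
        if today >= expires_on - timedelta(days=e.warn_days or 0):
            return f"warning (expires {expires_on})"
        return f"valid (expires {expires_on})"
    # Field 7: inactive_days after expiry the account is disabled.
    if e.inactive_days is not None and today >= expires_on + timedelta(days=e.inactive_days):
        return "inactive-locked"
    return f"expired (since {expires_on})"


if __name__ == "__main__":
    today = date(2017, 10, 1)  # fixed date so the output is reproducible
    for e in parse_shadow(SAMPLE_SHADOW).values():
        changed = days_to_date(e.last_change) if e.last_change else "-"
        print(f"{e.name:10} {password_kind(e.password):16} changed={changed} "
              f"{password_status(e, today)}")
```

Running the script with the fixed date of 1 Oct 2017 shows testuser inside the 7-day warning window (the 33-day maximum runs out on 7 Oct 2017), root with no expiry because of the 99999 maximum, and bin locked by its * password field. Point the same parser at a real file by replacing SAMPLE_SHADOW with the contents of /etc/shadow read as root, and it becomes a quick audit of which accounts have empty passwords, weak MD5-crypt hashes, or passwords that never expire.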