An article explaining the fields and format of the /etc/shadow file: what each field means, in detail, and how it can be modified.
We have written about the /etc/passwd file in the past. In this article we look at the /etc/shadow file: its format, its contents and its importance for a Linux system. The /etc/shadow file (referred to as the shadow file from here on) is one of the crucial files on the system and is the counterpart of the /etc/passwd file.
Unlike the password file, the shadow file is not world readable; it can be read by the root user only. Its permissions are 400, i.e. -r--------, and its ownership is root:root, meaning it can only be read, and only by root. The reason for this protection is the password-related information stored in this file.
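A small audit helper, added here as an example (it is not part of the original article), that checks whether a shadow-style file still has the mode and ownership described above. The function name is hypothetical; `make_test_file()` only exists so the check can be exercised on a constructed temporary file instead of the real /etc/shadow. Note that some distributions (Debian and Ubuntu, for example) ship /etc/shadow as 640 with group `shadow`, so group-readability is reported as a separate finding for the caller to judge rather than treated as an error outright.

```python
import os
import stat
import tempfile


def audit_shadow_file(path="/etc/shadow"):
    """Return (octal_mode, owner_uid, findings) for the given file.

    Expectations follow the article: mode 400 and ownership root:root.
    Anything that widens access beyond the owner is reported as a finding.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        findings.append("world-accessible")    # any 'other' bit set
    if mode & stat.S_IWGRP:
        findings.append("group-writable")      # group may rewrite hashes
    if mode & stat.S_IRGRP:
        findings.append("group-readable")      # acceptable only for a dedicated shadow group
    if st.st_uid != 0:
        findings.append("owner-not-root")      # root must own the file
    return format(mode, "o"), st.st_uid, findings


def make_test_file(mode):
    """Create a constructed temporary file with the given mode (for demonstration only)."""
    fd, path = tempfile.mkstemp(prefix="shadow-demo-")
    os.write(fd, b"demo:*:17413:0:99999:7:::\n")  # constructed, locked dummy record
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for m in (0o400, 0o640, 0o644):
        print(oct(m), audit_shadow_file(make_test_file(m)))
```

Run as root against the real file, `audit_shadow_file()` with no arguments reports anything that deviates from 400 root:root.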
Typical /etc/shadow file looks like :
# cat /etc/shadow
Since it is a plain text file, commands like cat and more work on it without any issue (when run as root).
The /etc/shadow file has several fields separated by colons. There are a total of 8 fields in the shadow file. They are:
- Username
- Encrypted password
- Last password change
- Min days
- Max days
- Warn days
- Inactive days
- Expiry date
Let's walk through these fields one by one.
Username
The username is the user's login name. Its entry is created on the system whenever a user is added with the useradd command.
Encrypted password
This is the user's password in encrypted (hashed) form.
Last password change
This is the number of days since 1 Jan 1970 on which the password was last changed. For example, in the sample above testuser's last password change value is 17413. Counting 17413 days from 1 Jan 1970 gives 4 Sept 2017, so testuser last changed his password on 4 Sept 2017.
You can easily convert such day counts to dates with a short script or an online tool.
Min days
This is the minimum number of days between two password changes for the account: the user cannot change his password again until min days have passed since the last change. This field can be tweaked with the chage command. It is generally set to 7 days but can be 1 too, depending on your organization's security norms.
Max days
This is the maximum number of days for which the user's password is valid. Once this period is exhausted, the user is forced to change his/her password. The value can be altered with the chage command. It is generally set to 30 days, but the value differs according to your security demands.
Warn days
This is the number of days before password expiry from which the user starts seeing a warning about the upcoming expiration after login. It is generally set to 7, but it is up to you or your organisation to decide this value according to organizational security policy.
Inactive days
This is the number of days after password expiry after which the account is disabled. If the user does not log in after his/her password expires (and so does not change the password), the account is disabled once this many days have passed. Once the account is disabled, a system admin needs to unlock it.
Expiry date
This is the number of days since 1 Jan 1970 on which the account is disabled. The calculation is the same as shown in the 'last password change' section.
Except for the first two fields, all the remaining fields relate to password aging and password policies.
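To tie the fields together, here is an added Python example (not code from the original article) that parses a shadow line in the eight-field order described above, converts the day counts to calendar dates the same way the article does, and works out the aging state of the account on a given day. The sample record is constructed: the hash is a placeholder and the aging values follow the article's examples (last change 17413, min 7, max 30, warn 7, inactive 14). A real shadow(5) line carries a trailing reserved field after these eight, which the parser tolerates and ignores. The boundary handling in `password_status()` is a simplification of the exact login-time rules; `chage -l <user>` remains the authoritative view.

```python
from datetime import date, timedelta

# The eight fields in the order the article describes them.
FIELDS = ("username", "password", "last_change", "min_days", "max_days",
          "warn_days", "inactive_days", "expire_date")
EPOCH = date(1970, 1, 1)

# Constructed sample record; the hash is a placeholder, not a real one.
SAMPLE_LINE = "testuser:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17413:7:30:7:14::"


def days_to_date(days):
    """Convert a 'days since 1 Jan 1970' count into a calendar date."""
    return EPOCH + timedelta(days=days)


def _as_date(value):
    """Accept either a date object or an ISO string like '2017-09-04'."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def parse_shadow_line(line):
    """Split one shadow line into a dict; empty numeric fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < len(FIELDS):
        raise ValueError("malformed shadow line: %r" % line)
    rec = dict(zip(FIELDS, parts[:len(FIELDS)]))   # extra reserved field ignored
    for key in FIELDS[2:]:
        rec[key] = int(rec[key]) if rec[key] != "" else None
    return rec


def can_change_password(rec, today):
    """Min days: a change is allowed only once min_days have elapsed since the last one."""
    today = _as_date(today)
    if rec["last_change"] is None or not rec["min_days"]:
        return True
    return today >= days_to_date(rec["last_change"] + rec["min_days"])


def password_status(rec, today):
    """Classify the aging state of a record on the given day (simplified shadow(5) rules)."""
    today = _as_date(today)
    pw = rec["password"]
    if pw.startswith(("!", "*")):
        return "locked"                 # password/account locked, no login with a password
    if pw == "":
        return "no-password"            # empty hash field: no password required
    if rec["expire_date"] is not None and today >= days_to_date(rec["expire_date"]):
        return "account-expired"        # hard expiry date (field 8) reached
    if rec["last_change"] == 0:
        return "must-change"            # forced change at next login
    if rec["last_change"] is None or rec["max_days"] is None:
        return "valid"                  # no aging enforced
    expiry = days_to_date(rec["last_change"] + rec["max_days"])
    if today >= expiry:
        inactive = rec["inactive_days"]
        if inactive is not None and today >= expiry + timedelta(days=inactive):
            return "inactive"           # grace period used up: account disabled
        return "expired"                # user must change the password to log in
    if rec["warn_days"] is not None and today >= expiry - timedelta(days=rec["warn_days"]):
        return "warning"                # inside the warning window before expiry
    return "valid"


if __name__ == "__main__":
    rec = parse_shadow_line(SAMPLE_LINE)
    print("last changed on", days_to_date(rec["last_change"]))
    for day in ("2017-09-10", "2017-09-27", "2017-10-04", "2017-10-18"):
        print(day, password_status(rec, day), "can change:", can_change_password(rec, day))
```

With the sample values the password expires on 4 Oct 2017 (17413 + 30 days), the warning window opens seven days earlier, and the account becomes inactive fourteen days after expiry; the min-days rule blocks another change until 11 Sept 2017.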