Short Tutorial: Understanding /etc/shadow file
The /etc/shadow file stores the passwords of the user accounts on the operating system in encrypted format. This blog explains the basics of the /etc/shadow file found on Linux-based operating systems.
How to check permissions of /etc/shadow file
You can check permissions of /etc/shadow by using the ls utility.
ls -l /etc/shadow
Alternatively, you can use the stat command to see the file's details.
stat /etc/shadow
/etc/shadow Format
Each line in the /etc/shadow file represents one user account on the Linux system, with its password in encrypted form. You can view the file with any editor. Here, I have used the cat utility to view the shadow file. Remember, you can view the shadow file only if you are root or have sudo privileges.
sudo cat /etc/shadow
Below is one line taken from the output, which we use to explain the format:
root:$y$j9T$q2M.jwhqYn5SkMwZ9siQv/$w1xEho.2lA40O/ejzc//7sMxWA6RDw0bv7Y3M44z2l7:18924:0:99999:7:::
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
root | $y$j9T$q2M.jwhqYn5SkMwZ9siQv/$w1xEho.2lA40O/ejzc//7sMxWA6RDw0bv7Y3M44z2l7 | 18924 | 0 | 99999 | 7 | (empty) | (empty) | (empty) |
Username | Encrypted password | Last Password Change | Minimum Password Age | Maximum Password Age | Warning period | Inactivity period | Expiration date | Unused |
- Username - User's login. Must not have capital letters
- Encrypted password - the encrypted password in the format $type$salt$hashed. Here, $type identifies the algorithm: $1$ is MD5, $2a$ is Blowfish, $2y$ is Blowfish, $5$ is SHA-256 and $6$ is SHA-512.
- Last Password Change - the day on which the password was last changed, as a number of days after 1 January 1970.
- Minimum Password Age - minimum number of days before which password must not be changed
- Maximum Password Age - maximum number of days after which password must be changed
- Warning period - number of days before the password must be changed during which the user is warned
- Inactivity period - number of days post expiration since 1 January 1970. A blank field simply means that the account will never be disabled on password expiration.
- Expiration date - the date on which the account is disabled. A blank field simply means that the account will never expire.
- Unused - reserved for future use
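The nine-field layout and the $type prefixes described above, as an added example that is not part of the original tutorial: a small Python parser that splits shadow lines, names the hash scheme and converts field 3 to a calendar date. The function names, the yescrypt entry for $y$, the handling of empty, `!`/`*` and `0` values (taken from shadow(5)) and every sample line except the first are assumptions or constructed for illustration.

```python
from datetime import date, timedelta

# $type prefixes listed in the tutorial, plus "y" (yescrypt), used by its sample line.
SCHEMES = {"1": "MD5", "2a": "Blowfish", "2y": "Blowfish",
           "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
FIELDS = "username password last_change min_age max_age warn inactive expire unused".split()

def parse_shadow_line(line):
    """Split one /etc/shadow line into its nine colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def hash_scheme(password_field):
    """Classify field 2: empty, locked, or the scheme named by its $type prefix."""
    if password_field == "":
        return "empty"    # assumption from shadow(5): no password is required
    if password_field[0] in "!*":
        return "locked"   # not a valid hash, so no password can match
    if password_field.startswith("$"):
        return SCHEMES.get(password_field.split("$")[1], "unknown")
    return "unknown"

def audit(line, weak=("MD5", "unknown")):
    """Return (username, scheme, last-change date or None, list of notes)."""
    entry = parse_shadow_line(line)
    scheme = hash_scheme(entry["password"])
    notes = []
    if scheme == "empty":
        notes.append("empty password field")
    elif scheme in weak:
        notes.append(f"weak or unrecognised hash scheme: {scheme}")
    changed = None
    if entry["last_change"] == "0":
        notes.append("password must be changed at next login")
    elif entry["last_change"]:
        changed = date(1970, 1, 1) + timedelta(days=int(entry["last_change"]))
    return entry["username"], scheme, changed, notes

# First line is the tutorial's sample; the others are constructed (hashes are not real).
SAMPLE = [
    "root:$y$j9T$q2M.jwhqYn5SkMwZ9siQv/$w1xEho.2lA40O/ejzc//7sMxWA6RDw0bv7Y3M44z2l7:18924:0:99999:7:::",
    "olduser:$1$constructed$notARealHashValue00000:18000:0:99999:7:::",
    "svc:!:18924:0:99999:7:::",
    "guest::0:0:99999:7:::",
]

if __name__ == "__main__":
    print(*map(audit, SAMPLE), sep="\n")
```

Which schemes count as weak is a local policy choice; pass a different `weak` tuple to `audit` to match yours.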
Can we change the password?
We can change the password by using the command below:
passwd
Should we edit /etc/shadow?
Unless you know what you are doing, there is no need to change or edit the shadow file. Read more tutorials and the man page to understand more about it. Only once you are confident enough should you edit the shadow file.
Conclusion
The /etc/shadow file keeps track of all available users on the system. Generally, you read this file to understand the number of users who are able to log in to the system.