Understanding the /etc/shadow File
Introduction
On Linux systems, several authentication mechanisms are available. The most common and conventional one is local authentication against the /etc/passwd and /etc/shadow files.
The /etc/shadow file is a critical component of user account security on Linux systems. It stores the hashed user passwords and the password-aging settings for every account and, unlike the world-readable /etc/passwd, can only be read by root, which keeps the hashes out of reach of unprivileged users and offline cracking tools.
In this tutorial, you will learn the format of the /etc/shadow file and the meaning of each field. We will also address a few FAQs about it.
/etc/shadow Format
Each user account has one entry per line in the /etc/shadow file. The contents can be viewed with a text editor or a command like cat, as root:
sudo cat /etc/shadow
The root user is usually listed first, followed by the system accounts and then the regular user accounts. New entries are appended at the end of the file.
Each line of the /etc/shadow file has nine colon-separated fields:
mark:$6$.n.:17736:0:99999:7:::
[--] [----] [---] - [---] ----
|    |      |     | |     |||+-----> 9. Unused
|    |      |     | |     ||+------> 8. Expiration date
|    |      |     | |     |+-------> 7. Inactivity period
|    |      |     | |     +--------> 6. Warning period
|    |      |     | +--------------> 5. Maximum password age
|    |      |     +----------------> 4. Minimum password age
|    |      +----------------------> 3. Last password change
|    +-----------------------------> 2. Hashed password
+----------------------------------> 1. Username
1. Username. The login name you type when signing in; it must match an account in /etc/passwd.
2. Hashed password. Commonly called the encrypted password, this is a salted one-way hash in the $type$salt$hashed format. It cannot be decrypted; at login the system re-hashes the password you type with the stored salt and compares the result with the stored hash. The $type$ prefix identifies the hashing algorithm:
- $1$ – MD5-crypt (obsolete; fast to brute-force)
- $2a$ and $2y$ – bcrypt (Blowfish-based; $2y$ marks hashes produced after the 2011 crypt_blowfish bug fix)
- $5$ – SHA-256-crypt
- $6$ – SHA-512-crypt (the long-standing default; 5000 rounds unless a rounds=N$ element follows the type)
- $y$ – yescrypt (the default on recent Debian, Ubuntu and Fedora releases)
If the password field starts with an asterisk (*) or an exclamation mark (!), the user cannot log in with password authentication. A lone * is the usual value for system accounts that never had a password; a leading ! is what passwd -l and usermod -L prepend to the existing hash, so the hash is preserved and the account can be unlocked again with passwd -u or usermod -U. Other means of authentication, such as SSH key-based authentication or switching to the user with su or sudo from another account, are still permitted. The opposite case is the dangerous one: an empty password field means no password is set, and where the PAM configuration allows it (pam_unix's nullok option) the account can log in with an empty password.
On older Linux systems the password hash was stored in /etc/passwd, which every user can read; moving it into /etc/shadow, which only root can read, is what prevents unprivileged users from copying the hashes and cracking them offline.
3. Last password change. The date of the most recent password change, expressed as the number of days since January 1, 1970 (the Unix epoch). A value of 0 forces the user to change the password at the next login; an empty field turns password aging off for the account.
4. Minimum password age. The number of days that must pass after a change before the user may change the password again. It is usually 0, meaning there is no minimum.
5. Maximum password age. The number of days after a change before the password expires and must be changed. The default of 99999 effectively means the password never expires.
6. Warning period. The number of days before the password expires during which the user is warned at login that it must be changed.
7. Inactivity period. The number of days after the password has expired during which the user can still log in and is forced to change it; once this period has passed, the account is locked. The field is usually empty, meaning no inactivity lock.
8. Expiration date. The date on which the account itself is disabled, as days since the epoch. Unlike an expired password, an expired account cannot log in by any method, SSH keys included. An empty field means the account never expires.
9. Unused. Reserved for future use.
Do not edit the /etc/shadow file by hand unless you know exactly what you are doing. Use the command intended for the task: passwd to change a user's password, chage to alter the password-aging fields (chage -l username shows them in readable form), and passwd -l / passwd -u or usermod -L / usermod -U to lock and unlock an account. If you must edit the file directly, use vipw -s, which takes the same lock that passwd and useradd honour, and run pwck afterwards to check the result.
Example Entry
Consider the following entry:
vegastack:$6$zHvrJMa5Y690smbQ$z5zdL...:18009:0:120:7:14::
The entry says the following about the user "vegastack":
- The password is hashed with SHA-512-crypt ($6$); the hash is truncated here for readability.
- The password was last changed on day 18009, which is April 23, 2019.
- There is no minimum password age (0).
- The password must be changed at least every 120 days.
- The user is warned seven days before the password expires.
- If the password has expired and the user does not log in and change it within 14 days, the account is disabled.
- The account itself has no expiration date.
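The following is an added example, not code from the original page, that puts the nine fields together: it parses lines in the format above, classifies the password field (hashed, locked with ! or *, or dangerously empty), identifies the hash algorithm from the $type$ prefix, and converts the day counts into dates the way the vegastack entry was worked through above. The first two sample lines are this article's own entries (with their truncated hashes, so they are illustrative only); the remaining lines are constructed, and the audit findings are my own choices of what is worth flagging.

```python
"""Parse /etc/shadow lines and audit the password and aging fields.

Added example for this article, not code from the original page. The first two
SAMPLE_SHADOW lines are the entries shown above (hashes truncated on the page, so
illustrative only); the rest are constructed to exercise the other cases.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

EPOCH = date(1970, 1, 1)
NEVER = 99999  # conventional "no maximum age" value in field 5

# $type$ prefix of field 2 -> algorithm, as understood by crypt(3) on Linux
HASH_TYPES = {"1": "MD5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "SHA-256-crypt", "6": "SHA-512-crypt", "7": "scrypt", "y": "yescrypt"}
WEAK_HASH_TYPES = {"DES-crypt", "MD5-crypt"}

def epoch_day(days: int) -> date:
    """Fields 3 and 8 hold days since 1970-01-01."""
    return EPOCH + timedelta(days=days)

def _days(field: str) -> Optional[int]:
    return int(field) if field else None  # empty field means 'not set'

@dataclass
class ShadowEntry:
    username: str
    password: str
    last_change: Optional[int]
    min_age: Optional[int]
    max_age: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]
    reserved: str

    def password_state(self) -> str:
        if self.password == "":
            return "no-password"  # nothing to check: accepted with an empty password where nullok applies
        if self.password[0] in "!*":
            return "locked"       # '!' prepended by passwd -l / usermod -L; '*' never had a password
        return "hashed"

    def hash_type(self) -> Optional[str]:
        if self.password_state() != "hashed":
            return None
        if not self.password.startswith("$"):
            return "DES-crypt"    # 13-character traditional crypt(3) hash, no $type$ prefix
        return HASH_TYPES.get(self.password.split("$")[1], "unknown")

    def password_expiry_date(self) -> Optional[date]:
        """Day by which the password must be changed, or None when aging is off."""
        if self.last_change is None or self.max_age is None or self.max_age >= NEVER:
            return None
        return epoch_day(self.last_change + self.max_age)

def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one line into its nine colon-separated fields."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    return ShadowEntry(f[0], f[1], _days(f[2]), _days(f[3]), _days(f[4]),
                       _days(f[5]), _days(f[6]), _days(f[7]), f[8])

def audit(lines: List[str], today_iso: str) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for the conditions a reviewer cares about."""
    today = date.fromisoformat(today_iso)
    findings = []
    for line in lines:
        e = parse_shadow_line(line)
        state = e.password_state()
        if state == "no-password":
            findings.append((e.username, "empty password field: logs in without a password"))
        elif state == "hashed":
            if e.hash_type() in WEAK_HASH_TYPES:
                findings.append((e.username, f"weak hash type {e.hash_type()}"))
            pw_exp = e.password_expiry_date()
            if pw_exp is None:
                findings.append((e.username, "password never expires"))
            elif today > pw_exp:
                findings.append((e.username, f"password expired on {pw_exp}"))
                if e.inactive is not None and today > pw_exp + timedelta(days=e.inactive):
                    findings.append((e.username, "account disabled after inactivity period"))
        if e.expire is not None and today >= epoch_day(e.expire):
            findings.append((e.username, f"account expired on {epoch_day(e.expire)}"))
    return findings

SAMPLE_SHADOW = [
    "mark:$6$.n.:17736:0:99999:7:::",                                # from the article
    "vegastack:$6$zHvrJMa5Y690smbQ$z5zdL...:18009:0:120:7:14::",     # from the article
    "sync:*:17736:0:99999:7:::",                                     # constructed: never had a password
    "olduser:!$6$abc$def:18009:0:99999:7:::",                        # constructed: locked, hash kept
    "guest::18009:0:99999:7:::",                                     # constructed: empty field
    "legacy:$1$saltsalt$abcdefghijklmnopqrstuv:17736:0:99999:7:::",  # constructed: MD5-crypt
    "contractor:$6$x$y:18009:0:99999:7::18100:",                     # constructed: account expiry set
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_SHADOW, "2019-09-01"):
        print(f"{user:12} {finding}")
```

Run against the real file with sudo (parse_shadow_line on each line of /etc/shadow) and today's date; the audit date is passed in explicitly so the vegastack entry can be checked both before and after its 14-day inactivity window has passed.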
FAQs for Understanding the /etc/shadow File
Where is the /etc/shadow file located?
The /etc/shadow file is located in the /etc directory on Linux-based operating systems.
Who can access the /etc/shadow file?
By default only root can read or modify it. On Debian and Ubuntu the file is owned by root:shadow with mode 0640, so members of the shadow group (used by a few authentication helpers) can also read it; on RHEL-based systems it is root:root with mode 0000, and only root, which bypasses the mode bits, can open it. Check with ls -l /etc/shadow, and treat any broader permissions as a finding.
What are the fields stored in the /etc/shadow file?
The nine fields are: username, hashed password, date of the last password change, minimum password age, maximum password age, warning period, inactivity period, account expiration date, and a reserved field.
How are passwords stored in the /etc/shadow file?
Passwords are not stored in clear text or in a reversible encrypted form. Each one is a salted one-way hash in the $type$salt$hashed format, produced by algorithms such as SHA-512-crypt, yescrypt or bcrypt (and, on old systems, MD5-crypt). Login re-hashes the entered password with the stored salt and compares the result with the stored hash.
What happens when the /etc/shadow file is compromised?
If the /etc/shadow file is leaked, the attacker holds every account's password hash and salt and can guess passwords offline with tools such as hashcat or John the Ripper, limited only by their hardware rather than by login rate limits or account lockout. Weak or reused passwords fall quickly even under SHA-512-crypt; strong passwords and a slow, modern hash (yescrypt, bcrypt) are what limit the damage. Keep the file's default permissions, and treat a leak as a credential compromise: force a password change for the affected accounts.
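To make the previous two answers concrete, here is an added example, not code from the original page, implementing SHA-512-crypt (the $6$ scheme that glibc's crypt(3) uses, following the public SHA-crypt specification) so you can see exactly how the salt, the rounds and the password feed into field 2, how login verifies a password against the stored string, and how an attacker holding a leaked file guesses offline. The leaked entries and the word list are constructed; yescrypt and bcrypt are different algorithms and are not covered.

```python
"""SHA-512-crypt ($6$) as stored in field 2 of /etc/shadow, plus a toy offline
guessing loop showing what a leaked shadow file gives an attacker.

Added example for this article, not code from the original page. It follows the
public SHA-crypt specification that glibc's crypt(3) implements for $6$; the
shadow entries and the word list at the bottom are constructed.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000  # what glibc uses when no rounds= element is present

def _sha512_crypt_digest(password: str, salt: str, rounds: int) -> str:
    pw, salt = password.encode(), salt.encode()
    # B = H(pw || salt || pw); A = H(pw || salt || B-material || bit pattern of len(pw))
    b = hashlib.sha512(pw + salt + pw).digest()
    a = hashlib.sha512(pw + salt)
    a.update(b * (len(pw) // 64) + b[: len(pw) % 64])
    n = len(pw)
    while n:
        a.update(b if n & 1 else pw)  # one block per bit of the password length
        n >>= 1
    a = a.digest()
    # P and S: password and salt run through SHA-512, cut to their own lengths
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = dp * (len(pw) // 64) + dp[: len(pw) % 64]
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = ds * (len(salt) // 64) + ds[: len(salt) % 64]
    # The cost factor: `rounds` chained hashes mixing in P and S on a fixed schedule
    c = a
    for i in range(rounds):
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    # crypt's own base64: 21 byte triples in a fixed permutation, then byte 63 alone
    out = []
    for k in range(21):
        i = (22 * k) % 63
        w = (c[i] << 16) | (c[(i + 21) % 63] << 8) | c[(i + 42) % 63]
        out += [B64[(w >> (6 * j)) & 0x3F] for j in range(4)]
    out += [B64[(c[63] >> (6 * j)) & 0x3F] for j in range(2)]
    return "".join(out)

def sha512_crypt(password: str, salt: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """Produce the full field-2 string: $6$[rounds=N$]salt$hash."""
    salt = salt.split("$")[0][:16]  # crypt(3) uses at most 16 salt characters
    rounds = max(1000, min(rounds, 999_999_999))
    prefix = "$6$" + (f"rounds={rounds}$" if rounds != DEFAULT_ROUNDS else "")
    return prefix + salt + "$" + _sha512_crypt_digest(password, salt, rounds)

def new_shadow_hash(password: str) -> str:
    """What passwd(1) does: a fresh random 16-character salt from the crypt alphabet."""
    return sha512_crypt(password, "".join(secrets.choice(B64) for _ in range(16)))

def parse_sha512_hash(stored: str) -> Optional[Tuple[int, str, str]]:
    """Split "$6$[rounds=N$]salt$hash" into (rounds, salt, hash); None if not a $6$ hash."""
    parts = stored.split("$")
    rounds = DEFAULT_ROUNDS
    if len(parts) > 2 and parts[2].startswith("rounds="):
        rounds, parts = int(parts[2][7:]), parts[:2] + parts[3:]
    if len(parts) != 4 or parts[0] != "" or parts[1] != "6":
        return None  # locked ('!...'), '*', empty, or another algorithm
    return rounds, parts[2], parts[3]

def verify_password(password: str, stored: str) -> bool:
    """The check login performs: re-hash with the stored salt and rounds, then compare."""
    parsed = parse_sha512_hash(stored)
    if parsed is None:
        return False
    rounds, salt, digest = parsed
    return secrets.compare_digest(_sha512_crypt_digest(password, salt, rounds), digest)

def guess_from_wordlist(shadow_lines: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack over every $6$ entry; this is what the leak enables."""
    cracked = {}
    for line in shadow_lines:
        user, field2 = line.split(":")[:2]
        for word in wordlist:
            if verify_password(word, field2):
                cracked[user] = word
                break
    return cracked

# Constructed "leaked" entries, with fixed salts so the sample is reproducible
LEAKED_SHADOW = [
    "alice:" + sha512_crypt("Summer2019!", "Q1w2e3r4T5y6u7i8") + ":18009:0:99999:7:::",
    "bob:" + sha512_crypt("correct horse battery staple", "Zx9Cv8Bn7Mm6Ll5K") + ":18009:0:99999:7:::",
    "sync:*:17736:0:99999:7:::",
]
WORDLIST = ["password", "123456", "Summer2019!", "letmein", "qwerty"]  # constructed

if __name__ == "__main__":
    print(guess_from_wordlist(LEAKED_SHADOW, WORDLIST))  # only alice's guessable password is found
```

Note that the salt does not have to be secret: its job is to make every hash unique, so an attacker cannot precompute one table for all users or crack identical passwords in one go. What slows the attacker down is the rounds loop, which is why a higher rounds= value or a slower algorithm such as yescrypt matters once the file has leaked.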
How can I view the contents of the /etc/shadow file?
Only privileged users can view the contents of the /etc/shadow file, using commands such as sudo cat /etc/shadow or sudo less /etc/shadow.
Can the /etc/shadow file be edited manually?
Editing the /etc/shadow file manually is not recommended. Use the proper commands (passwd, chage, usermod), which write the hash and aging fields correctly and take the file lock. If a direct edit is unavoidable, use vipw -s rather than a plain editor.
How can I restore a corrupted /etc/shadow file?
Restore it from a backup. The shadow tools keep the previous version at /etc/shadow- whenever passwd, useradd or related commands rewrite the file, which is usually the quickest option; run pwck afterwards to check the file's integrity and its consistency with /etc/passwd. If no backup exists, recreate the entries with the user-management tools and set new passwords, since the original hashes cannot be recovered from anywhere else.
Conclusion
The /etc/shadow file stores the hashed user passwords together with the password-aging and account-expiry settings for every account.
If you have any queries, please leave a comment below and we’ll be happy to respond to them.