Understanding the /etc/shadow File



There are several different authentication schemes that can be used on Linux systems. The most commonly used and standard scheme is to perform authentication against the /etc/passwd and /etc/shadow files.

/etc/shadow is a text file that contains information about the system's users' passwords. It is owned by user root and group shadow, and has 640 permissions.

/etc/shadow Format

The /etc/shadow file contains one entry per line, each representing a user account. You can view the contents of the file with a text editor or a command such as cat:

sudo cat /etc/shadow

Typically, the first line describes the root user, followed by the system and regular user accounts. New entries are appended at the end of the file.

Each line of the /etc/shadow file contains nine colon-separated fields:

[--] [----] [---] - [---] ----
|      |      |   |   |   |||+-----------> 9. Unused
|      |      |   |   |   ||+------------> 8. Expiration date
|      |      |   |   |   |+-------------> 7. Inactivity period
|      |      |   |   |   +--------------> 6. Warning period
|      |      |   |   +------------------> 5. Maximum password age
|      |      |   +----------------------> 4. Minimum password age
|      |      +--------------------------> 3. Last password change
|      +---------------------------------> 2. Encrypted Password
+----------------------------------------> 1. Username

Username. The string you type when you log into the system. The user account that exists on the system.

Encrypted Password. The password uses the $type$salt$hashed format. $type is the cryptographic hash algorithm method and can have the following values:

  • $1$ – MD5
  • $2a$ – Blowfish
  • $2y$ – Eksblowfish
  • $5$ – SHA-256
  • $6$ – SHA-512

If the password field contains an asterisk (*) or exclamation point (!), the user will not be able to log in to the system using password authentication. Other login methods like key-based authentication or switching to the user are still allowed.

In older Linux systems, the user's encrypted password was stored in the /etc/passwd file.

Last password change. This is the date when the password was last changed. The number of days is counted since January 1, 1970 (epoch date).

Minimum password age. The number of days that must pass before the user password can be changed. Typically it is set to zero, which means that there is no minimum password age.

Maximum password age. The number of days after which the user password must be changed. By default, this number is set to 99999.

Warning period. The number of days before the password expires during which the user is warned that the password must be changed.

Inactivity period. The number of days after the user password expires before the user account is disabled. Typically this field is empty.

Expiration date. The date when the account was disabled. It is represented as an epoch date.

Unused. This field is ignored. It is reserved for future use.

The /etc/shadow file should not be edited by hand unless you know what you are doing. Always use a command that is designed for the purpose. For example, to change a user password, use the passwd command, and to change the password aging information, use the chage command.

Example Entry

Let's take a look at the following example:


The entry above contains information about the user "linuxize" password:

  • The password is encrypted with SHA-512 (the password is truncated for better readability).
  • The password was last changed on April 23, 2019 - 18009.
  • There is no minimum password age.
  • The password must be changed at regular intervals.
  • The user will receive a warning message seven days before the password expiration date.
  • If the user doesn't attempt to log in to the system 14 days after the password has expired, the account will be disabled.
  • There is no account expiration date.
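
The same field-by-field reading can be done programmatically. The Python code below is an added example, not part of the original article: it parses a shadow-format line, maps the $type$ prefix to the algorithms listed above, and turns the epoch-day fields into calendar dates. The function name parse_shadow_line, the account names and the sample lines (including the 90-day maximum age) are constructed for illustration.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# Hash identifiers as listed in the article.
ALGORITHMS = {"1": "MD5", "2a": "Blowfish", "2y": "Eksblowfish",
              "5": "SHA-256", "6": "SHA-512"}
FIELDS = ("username", "password", "last_change", "min_age", "max_age",
          "warn", "inactive", "expire", "unused")

def _days(value):
    """An empty aging field means 'not set'; otherwise a day count."""
    return int(value) if value else None

def _to_date(days):
    return EPOCH + timedelta(days=days) if days is not None else None

def parse_shadow_line(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    pw = entry["password"]
    # '*' or '!' at the start of the field: no password login for this user.
    locked = pw.startswith(("!", "*"))
    # A locked field can still carry a hash after the marker, e.g. "!$6$...".
    body = pw.lstrip("!*")
    algorithm = None
    if body.startswith("$"):
        algorithm = ALGORITHMS.get(body.split("$")[1], "unknown")
    last, max_age, inactive = (
        _days(entry[k]) for k in ("last_change", "max_age", "inactive"))
    expires = last + max_age if None not in (last, max_age) else None
    disabled = expires + inactive if None not in (expires, inactive) else None
    return {
        "username": entry["username"],
        "locked": locked,
        "algorithm": algorithm,
        "last_change": _to_date(last),
        "password_expires": _to_date(expires),
        "disabled_after": _to_date(disabled),
        "account_expires": _to_date(_days(entry["expire"])),
    }

# Constructed sample lines (placeholder salts and hashes, not real accounts).
SAMPLE = [
    "alice:$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:18009:0:90:7:14::",
    "svc-backup:!:18009:0:99999:7:::",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_shadow_line(line))
```

For the first sample line, day 18009 resolves to April 23, 2019, matching the date given in the list above.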


The /etc/shadow file keeps records about users' encrypted passwords, as well as other password-related information.

If you have any questions or feedback, feel free to leave a comment.