/etc/shadow file in Linux Explained with Examples

This tutorial explains the /etc/shadow file in Linux with example. Learn what is the /etc/shadow file and what does it contains. Understanding how the /etc/shadow file is formatted, helps you in managing user accounts in Linux effectively.

Historically, the /etc/passwd file used to store all login information in a standalone Linux system. Later, due to following reasons password information was moved in /etc/shadow file.

  • The /etc/passwd file has only one field for password information. Since there is only one field, besides encrypted password other password related information cannot be stored in this file.
  • For password encryption, the /etc/passwd file supports basic algorithm such as DES. A hacker can easily reveal a password encrypted with DES algorithm.
  • The /etc/passwd file is world readable. It means any local user can view the passwords stored in this file.

The /etc/shadow file addresses all above issues.

  • The /etc/shadow file has nine fields to store encrypted password and other password related information.
  • The /etc/shadow file supports all advanced algorithms and has plenty of room for further updates.
  • The /etc/shadow file is readable only by root user.

The /etc/shadow file permission

Unlike /etc/passwd file, the /etc/shadow file is not world readable. It is readable only by the root user or super user. To see this feature in action, access a root shell and run following commands.

#su [any regular user account]
$cat /etc/shadow
$exit
#cat /etc/shadow

In Ubuntu Linux, by default root account is disabled. If you are following tutorial on Ubuntu Linux, access a super user shell and run following commands.

$cat /etc/shadow
$sudo cat /etc/shadow
[sudo] password for super user

Following figure shows above commands with output.

/etc/shadow file permission

As you can see in above figure, when we tried to view the content of /etc/shadow file from a regular user account, shell denied the action. But when we performed the same action from a root user or super user account, shell allowed to it.

This security feature keeps encrypted passwords safe from unauthorized users and password cracking programs.

The /etc/shadow file format

Each line in /etc/shadow file represents an individual user account and contains following nine fields separated by colons (:).

  1. Username
  2. Encrypted password
  3. Date of last password change
  4. Minimum required days between password changes
  5. Maximum allowed days between password changes
  6. Number of days in advance to display password expiration message
  7. Number of days after password expiration to disable the account
  8. Account expiration date
  9. Reserve field

/etc/shadow file field

Let’s understand each field in detail.

Username

As we know, except password information, all other login information is stored in /etc/passwd file. This field connects /etc/shadow file with /etc/passwd file. In both files, this field represents login name and stores the exactly same information. When a new user account is created, both files are updated simultaneously.

Encrypted password

This field stores actual user password in encrypted form. For encryption it uses SHA512 algorithm. In this algorithm, a random salt is mixed with original password before encryption. If two or more users have selected the same password, due to this feature, their encrypted passwords will be different.

Controlling Login

Linux does not support blank password in login process. Any user or service which does not have a valid password or have a blank password is not allowed to login. By setting a value other than an encrypted password, this field can be used to control the user login. For example, if the value (!) or (*) is stored in this field, the account will be locked and user or service will not be allowed to login.

Both characters (! and *) represent a blank password. The difference between both characters is that, the first character, the exclamation sign (!), is used for user accounts and the second character, the asterisk sign (*), is used for service accounts. If require, a user account can be unlocked by setting a password in this field through passwd command.

Following figure shows both values in Ubuntu Linux.

/etc/shadow file password field

In Ubuntu, by default root account is locked. If you are interested in learning how to enable the root account in Ubuntu, you can check this tutorial.

How to enable root user in Ubuntu step by step

It explains how to enable the root account in Ubuntu step by step.

Date of last password change

This field records the number of days since the user’s password was last changed. To calculate the number of days, it uses 1 January 1970 as a starting day. For example, a user changed his password on 25 June 2018 then the number of days will be 17707.

In Linux, the date 1 January 1970 is known as epoch. This date is used as starting date or day in calculation by several commands and configuration files.

Linux epoch date

To convert a date in days and vice versa, we can use following commands.

date
Without any option and argument this command displays current date.
expr $(date +%s) / 86400
This command calculates the number of days from 1 January 1970 to current date.
date -d "1970-01-01 [number of days] days"

This command calculates the date from supplied days. It starts counting from 1 January 1970.

Following figure shows above commands with output.

date calcuation from epoch in linux

Minimum required days between password changes

This field sets the minimum required days that must be elapsed between password changes. Once a password is changed, a user is not allowed to change his password until the days specified in this field are elapsed. If the value is set to 0 (zero), user is allowed to change his password immediately.

Maximum allowed days between password changes

This filed sets the maximum allowed days between password changes. Once a password is changed, a user must have to change his password again before the days specified in this field are elapsed. In other word, the days specified in this field are the maximum allowed days for a user to use a password. If this field is set to blank, a user can use his password as long as he wants to use.

By default there is a grace period of seven days. A user will be forced to change his password when the days set in this field and extra seven days are passed.

Number of days in advance to display password expiration message

This field sets number of days in advance to display password expiration message. If remaining days to change a password are less than or equal to the days specified in this field, user will get a warning message to change his password.

Warning message will be display only when user will be login in command line terminal. This message will not be displayed if user is login in GUI desktop.

Number of days after password expiration to disable the account

This field sets the number of days after password expiration to disable the account. If a user does not change his password in maximum allowed days, his password will be marked as expired. A user account which password is expired will be disabled automatically once the days specified in this field are elapsed.

Account expiration date

This field sets an account expiration date. A user is not allowed to login after the date specified in this field. To specify a date, number of days starting from 1 January 1970 is used. For example, to set account expiration date to 28 June 2018, number 17710 will be used. If this field is set to blank, user account will never expire.

Reserve field

The last field is reserved for future. Since it’s a reserved field and does not store any value, usually it is skipped while formatting this file.

Understanding /etc/shadow file entries with example

An entry in /etc/shadow file looks like following.

john:$6$iTEFbMTM$CXmxPwErbEef9RUBvf1zv8EgXQdaZg2eOd5uXyvt4sFzi6G4lIqavLilTQgniAHm3Czw/LoaGzoFzaMm.YwOl/:17707:0:90:14:::

Following table explains this entry field by field.

Field Description
john This is the username.
$6$iTEFbMTM$CXmxPwErbEef9 RUBvf1zv8EgXQdaZg2eOd5uXyvt4sFzi6G4lI qavLilTQgniAHm3Czw/LoaGzoFzaMm.YwOl/ This is the encrypted password.
17707 John last changed his password on 25 June 2018.
0 If require, John can change his password immediately
90 John can use this password till 30 September 2018. (90 + 7 grace days).
10 After 15 September 2018 whenever John will login in CLI terminal, he will get a warning message to change his password.
[bank field] John account will not be disabled even if his password is expired.
[blank field] John account will never expire.
Reserve filed is omitted.

That’s all for this tutorial. If you have any feedback or suggestion about this tutorial, please mail me. If you like this tutorial, please don’t forget to share it.

ComputerNetworkingNotes RHCE 7 Study Guide /etc/shadow file in Linux Explained with Examples