/etc/shadow file in Linux Explained with Examples

This tutorial explains the /etc/shadow file in Linux. The /etc/shadow file stores users’ passwords in encrypted form along with other necessary information such as the password expiry date and the date of the last password change. Learn in detail how the /etc/shadow file is formatted, with examples.

Historically, the /etc/passwd file stored all login information on a standalone Linux system. Later, password information was moved to the /etc/shadow file for the following reasons.

  • The /etc/passwd file has only one field for password information. Because there is only one field, no password information other than the encrypted password itself can be stored in this file.
  • The /etc/passwd file supports only a basic algorithm such as DES for password encryption. A hacker can easily recover a password encrypted with the DES algorithm.
  • The /etc/passwd file is world readable, which means any local user can view the passwords stored in this file.

If you are interested in learning how the login information is stored in the /etc/passwd file, you can check the tutorial "The /etc/passwd file explained with examples", which explains the /etc/passwd file in detail.

The /etc/shadow file addresses all of the above issues.

  • The /etc/shadow file has nine fields to store the encrypted password and other password-related information.
  • The /etc/shadow file supports all advanced algorithms and has plenty of room for further updates.
  • The /etc/shadow file is readable only by the root user.

The /etc/shadow file permission

Unlike the /etc/passwd file, the /etc/shadow file is not world readable. It is readable only by the root or super user. To see this feature in action, open a root shell and run the following commands.

# su [any regular user account]
$ cat /etc/shadow
$ exit
# cat /etc/shadow

In Ubuntu Linux, the root account is disabled by default. If you are following this tutorial on Ubuntu Linux, open a super user shell and run the following commands.

$ cat /etc/shadow
$ sudo cat /etc/shadow
[sudo] password for super user

The following figure shows the above commands with their output.

/etc/shadow file permission

As you can see in the above figure, when we tried to view the contents of the /etc/shadow file from a regular user account, the shell denied the action. But when we performed the same action from a root or super user account, the shell allowed it.

This security feature keeps the encrypted passwords safe from unauthorized users and password cracking programs.
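To turn the permission check above into something a defender can run, here is an added example in Python (my own code, not part of the original tutorial) that inspects the owner and mode bits of /etc/shadow and reports anything that would let a non-root user read or modify it. The check itself is pure logic on a mode/uid pair, so it can be exercised with constructed values; audit_shadow stats the real file, which needs no read permission on it. The expected ownership and modes named in the comments (root:shadow 0640 on Debian/Ubuntu, root-only on Red Hat-style systems) are assumptions drawn from common distribution defaults, not from this page.

```python
import os
import stat

# Path of the file under audit.
SHADOW_PATH = "/etc/shadow"


def shadow_permission_issues(st_mode: int, st_uid: int) -> list:
    """Return the problems found in a (mode, uid) pair for a shadow file.

    An empty list means the file is protected as the tutorial describes:
    owned by root and unreadable by "other". Assumption: distributions
    typically use root:shadow 0640 (Debian/Ubuntu) or root:root 0000/0400
    (Red Hat family); both pass these checks.
    """
    issues = []
    if not stat.S_ISREG(st_mode):
        issues.append("not a regular file")
    if st_uid != 0:
        issues.append("not owned by root (uid %d)" % st_uid)
    if st_mode & stat.S_IROTH:
        issues.append("world-readable: any local user can read the password hashes")
    if st_mode & stat.S_IWOTH:
        issues.append("world-writable: any local user can change passwords or lock accounts")
    if st_mode & stat.S_IWGRP:
        issues.append("group-writable: members of the owning group can change passwords")
    return issues


def audit_shadow(path: str = SHADOW_PATH) -> list:
    """Stat the real file and audit it; stat() works without read access to the file."""
    st = os.stat(path)
    return shadow_permission_issues(st.st_mode, st.st_uid)


if __name__ == "__main__":
    problems = audit_shadow()
    print("OK: %s is protected" % SHADOW_PATH if not problems else "\n".join(problems))
```

Run it as any local user; because the audit only needs stat(), it reports a world-readable shadow file even from an account that could not otherwise open it.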

The /etc/shadow file format

Each line in the /etc/shadow file represents an individual user account and contains the following nine fields separated by colons (:).

  1. Username
  2. Encrypted password
  3. Date of last password change
  4. Minimum required days between password changes
  5. Maximum allowed days between password changes
  6. Number of days in advance to display password expiration message
  7. Number of days after password expiration to disable the account
  8. Account expiration date
  9. Reserved field

/etc/shadow file fields explained

Let’s understand each field in detail.

Username

As we know, apart from the password information, all other login information is stored in /etc/passwd. This field connects the /etc/shadow file with the /etc/passwd file. In both files, this field represents the login name and stores exactly the same information. When a new user account is created, both files are updated simultaneously.

Encrypted password

This field stores the actual user password in encrypted form. For encryption it uses the SHA-512 algorithm (identified by the $6$ prefix in the example entry later in this tutorial). In this algorithm, a random salt is mixed with the original password before encryption. Because of the salt, if two or more users have selected the same password, their encrypted passwords will still be different.

Controlling Login

Linux does not support a blank password in the login process. Any user or service which does not have a valid password, or has a blank password, is not allowed to log in. By setting a value other than an encrypted password, this field can be used to control user login. For example, if the value (!) or (*) is stored in this field, the account is locked and the user or service is not allowed to log in.

Both values (! and *) represent a blank password. The difference between the two values is that the first value (!) is used for user accounts and the second value (*) is used for service accounts. If required, a user account can be unlocked by setting a password in this field with the passwd command.

The following figure shows both values in Ubuntu Linux.

blank password example

In Ubuntu, the root account is locked by default. If you are interested in learning how to enable the root account in Ubuntu, you can check the tutorial "How to enable root user in Ubuntu step by step", which explains how to enable the root account in Ubuntu step by step.

Date of last password change

This field records the date of the last password change as a number of days, counted from 1 January 1970 as the starting day. For example, if a user changed his password on 25 June 2018, the number of days will be 17707.

In Linux, the date 1 January 1970 is known as the epoch. This date is used as the starting date or day in calculations by several commands and configuration files.

To convert a date to days and vice versa, you can use the following commands.

date

Without any option or argument, this command displays the current date.

expr $(date +%s) / 86400

This command calculates the number of days from 1 January 1970 to the current date (seconds since the epoch divided by 86400, the number of seconds in a day).

date -d "1970-01-01 [number of days] days"

This command calculates the date from the supplied number of days, counting from 1 January 1970.

The following figure shows the above commands with their output.

expr command example

Minimum required days between password changes

This field sets the minimum number of days that must elapse between password changes. Once a password is changed, a user is not allowed to change his password again until the days specified in this field have elapsed. If the value is set to 0 (zero), the user is allowed to change his password immediately.

Maximum allowed days between password changes

This field sets the maximum allowed days between password changes. Once a password is changed, a user must change his password again before the days specified in this field have elapsed. In other words, the days specified in this field are the maximum number of days a user may use a password. If this field is blank, a user can use a password for as long as he wants.

By default there is a grace period of seven days. A user will be forced to change his password when the days set in this field plus the extra seven days have passed.

Number of days in advance to display password expiration message

This field sets the number of days in advance to display the password expiration message. If the remaining days before a password must be changed are less than or equal to the days specified in this field, the user will get a warning message to change his password.

The warning message is displayed only when the user logs in at a command line terminal. This message is not displayed if the user logs in to a GUI desktop.

Number of days after password expiration to disable the account

This field sets the number of days after password expiration to disable the account. If a user does not change his password within the maximum allowed days, his password is marked as expired. A user account whose password has expired is disabled automatically once the days specified in this field have elapsed.

Account expiration date

This field sets an account expiration date. A user is not allowed to log in after the date specified in this field. The date is specified as a number of days counted from 1 January 1970. For example, to set the account expiration date to 28 June 2018, the number 17710 is used. If this field is blank, the user account never expires.

Reserved field

The last field is reserved for future use. Since it is a reserved field and does not store any value, it is usually left empty when formatting this file.

Understanding /etc/shadow file entries with an example

An entry in the /etc/shadow file looks like the following.

john:$6$iTEFbMTM$CXmxPwErbEef9RUBvf1zv8EgXQdaZg2eOd5uXyvt4sFzi6G4lIqavLilTQgniAHm3Czw/LoaGzoFzaMm.YwOl/:17707:0:90:14:::

The following table explains this entry field by field.

Field | Description
john | This is the user name.
$6$iTEFbMTM$CXmxPwErbEef9RUBvf1zv8EgXQdaZg2eOd5uXyvt4sFzi6G4lIqavLilTQgniAHm3Czw/LoaGzoFzaMm.YwOl/ | This is the encrypted password.
17707 | John last changed his password on 25 June 2018.
0 | If required, John can change his password immediately.
90 | John can use this password until 30 September 2018 (90 days + 7 grace days).
14 | After 15 September 2018, whenever John logs in at a CLI terminal he will get a warning message to change his password.
[blank field] | John’s account will not be disabled even if his password has expired.
[blank field] | John’s account will never expire.
[reserved field] | Left empty.
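The following added Python example (my own code, not from the tutorial) parses a shadow entry into its nine fields, classifies the password field the way the Controlling Login section describes, converts the epoch day counts used in fields 3 and 8 to calendar dates as the date and expr commands above do, and derives the aging dates that the table explains. The grace_days parameter is an assumption added so that the seven-day grace period the tutorial describes can be applied; with the default of 0 the dates follow the raw field values. The HASH_IDS table and the handling of a "!"-prefixed hash (the form passwd -l produces) are facts about crypt(3) and shadow-utils that the page does not state. The first sample line is the tutorial’s own entry; the second is constructed.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # day 0 for fields 3 and 8

# crypt(3) prefix -> algorithm. Assumption: standard shadow-utils ids, not from the page.
HASH_IDS = {"$1$": "MD5", "$2b$": "bcrypt", "$5$": "SHA-256",
            "$6$": "SHA-512", "$y$": "yescrypt"}

# First line is the tutorial's example entry; the second is constructed.
SAMPLE_LINES = [
    "john:$6$iTEFbMTM$CXmxPwErbEef9RUBvf1zv8EgXQdaZg2eOd5uXyvt4sFzi6G4lIqavLilTQgniAHm3Czw/LoaGzoFzaMm.YwOl/:17707:0:90:14:::",
    "daemon:*:17707:0:99999:7:::",
]


def days_to_date(field):
    """Fields 3 and 8: day count since the epoch; a blank field means 'not set'."""
    return None if field == "" else EPOCH + timedelta(days=int(field))


def date_to_days(d):
    """Inverse of days_to_date; the equivalent of `expr $(date +%s) / 86400` for a given day."""
    return (d - EPOCH).days


def describe_password(field):
    """Interpret field 2 as the Controlling Login section does."""
    if field in ("!", "*", "!!"):
        return "locked (no valid password)"
    if field == "":
        return "blank (no password)"
    if field.startswith("!"):
        return "locked, hash retained (passwd -l)"  # assumption: shadow-utils behaviour
    for prefix, name in HASH_IDS.items():
        if field.startswith(prefix):
            return "hashed with " + name
    return "unrecognised value"


def parse_shadow_line(line, grace_days=0):
    """Split one /etc/shadow line into a dict and derive the aging dates.

    grace_days is an assumption: the tutorial describes a seven-day grace
    period after field 5; pass grace_days=7 to reproduce its dates.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    name, pw, lastchg, min_d, max_d, warn, inact, expire, _reserved = fields
    entry = {
        "user": name,
        "password": describe_password(pw),
        "last_change": days_to_date(lastchg),
        "min_days": int(min_d) if min_d else 0,
        "max_days": int(max_d) if max_d else None,
        "warn_days": int(warn) if warn else 0,
        "inactive_days": int(inact) if inact else None,
        "account_expires": days_to_date(expire),
        "may_change_from": None,
        "password_expires": None,
        "warn_from": None,
        "disabled_on": None,
    }
    last = entry["last_change"]
    if last is not None:
        # Field 4: earliest date the user may change the password again.
        entry["may_change_from"] = last + timedelta(days=entry["min_days"])
        if entry["max_days"] is not None:
            # Field 5 (+ optional grace): date the password stops being usable.
            expires = last + timedelta(days=entry["max_days"] + grace_days)
            entry["password_expires"] = expires
            # Field 6: first day the CLI login warning appears.
            entry["warn_from"] = expires - timedelta(days=entry["warn_days"])
            # Field 7: date the account is disabled after expiry, if set.
            if entry["inactive_days"] is not None:
                entry["disabled_on"] = expires + timedelta(days=entry["inactive_days"])
    return entry


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for key, value in parse_shadow_line(line, grace_days=7).items():
            print("%-16s %s" % (key, value))
        print()
```

With grace_days=7 the john entry yields the tutorial’s dates (password usable until 30 September 2018, warning from 16 September); with the default of 0 the same entry expires on 23 September, which is what the raw field values alone imply.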

That’s all for this tutorial. If you have any feedback or suggestions about this tutorial, please mail me. If you like this tutorial, please don’t forget to share it.

ComputerNetworkingNotes RHCE 7 Study Guide /etc/shadow file in Linux Explained with Examples