Friday, 9 September 2011

Linux Shadow File in detail


surendra:$6$1aEszVo.gsdPEr:15107:22:99999:207:205:105345:
   1    :        2        :  3  : 4:  5  : 6 : 7 :  8   :9

1) User login name: the login name of the account this entry belongs to.

2) Encrypted password: the password is stored in its encrypted (hashed) form, for example MD5, never in plain text. This field may contain the following:
!! or ! indicates that the account exists but no password is set for it, so the user cannot log in while the second field holds one of these values.
* (shown as :*:) indicates that the account is disabled.
An empty field (shown as ::) indicates that the user can log in without a password; in other words, the password has been removed.
$6$b93VXzq0$kI55QxFMpXv is an example of the encrypted form: a value like this indicates that a password is present and stored encrypted.

3) Last password change: when the password was last changed, given as the number of days since 1 Jan 1970. To convert this number to a human-readable date, please have a look at our other post on how to convert it.



4) Minimum days between password changes: this forces the user to wait some days before changing the password again. If this value is "0", the password can be changed at any time. If it is 15, the user can change the password only 15 days after the last change. What happens if the user tries to change the password today, even though this value is set to 15?

We get the following error:

$ passwd temp1
Changing password for temp1.
(current) UNIX password:
You must wait longer to change your password
passwd: Authentication token manipulation error
passwd: password unchanged


5) Maximum days the password is valid: the number of days after which the password must be changed. If the value is 99999, the password never needs to be changed; if it is set to, say, 45, the password must be changed once 45 days have passed.

6) Password expiry advance warning days: the number of days of warning the user gets before the password expires. For example, if this value is set to 10, then for the last 10 days before expiry the system warns the user at every login that the password is about to expire.

7) Number of days after password expiry until the account is disabled: once the password has expired, the account is disabled after this many further days. This blocks unwanted access to an account whose password is no longer valid.

8) Number of days since 1 Jan 1970 on which the account was disabled: this shows the date on which the account was (or will be) disabled. Do you want to find all the accounts that were disabled?

9) Reserved for future use: not used.
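As an added example (not code from the original post), here is a small Python parser that splits a shadow entry into the nine fields above, classifies field 2, converts the day counts to calendar dates, and applies the field 4 and field 5 ageing rules. The sample entry is the post's own line, with the hash shortened as it is in the post; the field-2 classification follows the post's descriptions, plus the "!" prefixed to a hash that passwd -l writes.

```python
import datetime as dt

EPOCH = dt.date(1970, 1, 1)
NEVER = 99999  # field 5 value meaning the password never expires
# Constructed sample: the entry shown in the post (the hash is shortened there too).
SAMPLE_LINE = "surendra:$6$1aEszVo.gsdPEr:15107:22:99999:207:205:105345:"

def days_to_date(value):
    """Convert a 'days since 1 Jan 1970' field to a date; an empty field gives None."""
    return EPOCH + dt.timedelta(days=int(value)) if value else None

def password_state(field):
    """Classify field 2 the way the post describes it."""
    if field == "":
        return "no password required"   # '::' -> login without a password
    if field in ("!", "!!"):
        return "locked, no password set"
    if field == "*":
        return "disabled"
    if field.startswith("!"):
        return "locked, hash kept"      # form written by 'passwd -l'
    return "password set"

def parse_shadow_line(line, today=None):
    """Split one shadow entry into its nine fields and apply the ageing rules."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    user, pw, last, minimum, maximum, warn, inactive, expire, _reserved = fields
    today = today or dt.date.today()
    last_change = days_to_date(last)
    max_days = int(maximum) if maximum else NEVER
    info = {
        "user": user,
        "state": password_state(pw),
        "last_change": last_change,
        "min_days": int(minimum or 0),
        "max_days": max_days,
        "warn_days": int(warn or 0),
        "inactive_days": int(inactive) if inactive else None,
        "account_expires": days_to_date(expire),
    }
    # Field 4: earliest day the user may change the password again.
    info["can_change_after"] = last_change + dt.timedelta(days=info["min_days"]) if last_change else None
    # Field 5: password must be changed max_days after the last change, unless max_days is 99999.
    must = last_change + dt.timedelta(days=max_days) if last_change and max_days < NEVER else None
    info["must_change_by"] = must
    info["password_expired"] = bool(must and today > must)
    info["account_expired"] = bool(info["account_expires"] and today >= info["account_expires"])
    return info
```

Pass today as a date to evaluate an entry against a fixed day; with no argument the current date is used.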

Some FAQs:

How can I get the encrypted passwords back into /etc/passwd from the /etc/shadow file?

Use the pwunconv command to move the encrypted passwords stored in the shadow file back into /etc/passwd.

Why do we need the shadow file?

The /etc/passwd file is world-readable and can be seen by anyone. Keeping the encrypted passwords there was a security loophole, so Linux moved them from /etc/passwd to /etc/shadow. That way even the encrypted password cannot be seen by a normal user, only by the superuser (root).
