NAME
shadow — shadow password file
DESCRIPTION
The
/etc/shadow
file is created from the
/etc/passwd
file by the
pwconv
command.
It is readable only by a privileged user.
It can be modified by the
passwd,
useradd,
usermod,
and
userdel
commands.
Programs may use the interfaces described in the
getspent(3C)
manpage to access this information.
These functions return a pointer to an
spwd
structure, which is defined in the
<shadow.h>
header file.
Fields
The
/etc/shadow
file is an ASCII file consisting of any number of user entries
separated by newlines.
Each user entry line consists of the following fields
separated by colons:
- login_name
Each
login_name
must match a login name in
/etc/passwd.
pwconv
puts the user entries in
/etc/shadow
in the same order as the
/etc/passwd
entries.
- encrypted_password
The password field of each
/etc/passwd
entry contains an "x", and the actual encrypted passwords reside in
/etc/shadow.
The
encrypted_password
field consists of 13 characters chosen from a
64-character set of "digits".
The characters used to represent "digits" are
.
for 0,
/
for 1,
0
through
9
for 2 through 11,
A
through
Z
for 12 through 37, and
a
through
z
for 38 through 63.
If the SHA product is installed, the password field may contain the prefix
$n$
, where
n
is a label identifying an alternative algorithm used for the password hash.
Using the new algorithm results in an encrypted password
field which is longer than 13 characters.
The password field will consist of digits from the same 64-character set,
as well as the additional
$
character used as a delimiter.
If this field is null,
then there is no password, and no password is demanded on login.
Login can be prevented by entering a character that is not in
the set of digits (for example, "*").
- last_change
The number of days since January 1, 1970 that
the password was last modified.
- min_days
The minimum period in days that must expire before the password
can be changed.
See also
PASSWORD_MINDAYS
in
security(4)
and the
passwd -n
command in
passwd(1).
- max_days
The maximum number of days for which a password is valid.
A user who attempts to login after his password has expired
is forced to supply a new one.
If
min_days
and
max_days
are both zero, the user is forced to change his password the
next time he logs in.
If
min_days
is greater than
max_days,
then the password cannot be changed.
These restrictions do not apply to the superuser.
See also
PASSWORD_MAXDAYS
in
security(4)
and the
passwd -x
command in
passwd(1).
- warn_days
The number of days the user is warned before his password expires.
See also
PASSWORD_WARNDAYS
in
security(4)
and the
passwd -w
command in
passwd(1).
- inactivity
The maximum number of days of inactivity allowed.
This field has meaning only if the TrustedMigration product is installed.
This field is set with the
-f
option of either the
useradd
or
usermod
command.
If this value is greater than zero, then the account
is locked if there have been no logins to the account
for at least the specified number of days.
If this value is less than or equal to zero,
the value is determined by the
INACTIVITY_MAXDAYS
attribute.
See the description of
INACTIVITY_MAXDAYS
in
security(4).
- expiration
The absolute number of days since Jan 1, 1970 after which the
account is no longer valid.
A value of zero in this field indicates that the account
is locked.
- reserved
The
reserved
field is always zero and is reserved for future use.
Notes
The
/etc/shadow
file is not applicable to a system which has been converted to
a trusted system.
FILES
- /etc/passwd
system password file
- /etc/shadow
shadow password file
SEE ALSO
login(1),
passwd(1),
pwconv(1M),
pwunconv(1M),
useradd(1M),
userdel(1M),
usermod(1M),
crypt(3C),
getspent(3C),
putspent(3C),
nsswitch.conf(4),
passwd(4),
security(4).
