Understanding Linux /etc/shadow File Format

The /etc/shadow file stores actual password in encrypted format and other passwords related information such as user name, last password change date, password expiration values, etc,.

It’s a text file and readable only by the root user and is therefore less of a security risk.

The /etc/shadow file contain every user details as a single line with nine fields, each fields separated by colon :.

We had already written an article about Linux /etc/passwd file format in previous post. As earlier explained in the /etc/passwd file that second field written as (x), which means shadowing is enabled and encrypted password exists for that user in another file “/etc/shadow”.

The encrypted passwords can be stored in /etc/passwd file and the same was followed in the initial days. But it’s not recommended due to world readable permissions on the /etc/passwd file.

Also, /etc/passwd doesn’t allow to store other password related information since the /etc/passwd file has only one field for password information.

To mitigate all these issue, they had created the /etc/shadow file and allowed to store encrypted password and other password related information.

The /etc/login.defs file provides default configuration information for user account password parameters. It defines, Password ageing related information such as password Min/Max days, password warning age, etc.,

# grep PASS /etc/login.defs

#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_WARN_AGE	7
#PASS_CHANGE_TRIES
#PASS_ALWAYS_WARN
#PASS_MIN_LEN
#PASS_MAX_LEN
# NO_PASSWORD_CONSOLE

How to Access /etc/shadow File in Linux?

As i told in the beginning of the article, it’s a text file and readable only by the root user. Use any file manipulation commands to access it.

I have trimmed the file for better understanding.

# cat /etc/shadow
root:!:17952:0:99999:7:::
daemon:*:17737:0:99999:7:::
bin:*:17737:0:99999:7:::
.
.
daygeek:$6$iU9KjTeD$5myyo4W7zppTOEdVUeP8/E6Kmjl7CtYYFqIIyes.fnNHy1fR0gJLb0q2KLhjAH6KrPpHZ0eJorBh.D74mq.vQ.:17952:0:99999:7:::
sshd:*:17952:0:99999:7:::
thanu:!:17965:0:99999:7:::
renu:$6$hvf089W7$lBhBB7DUkJZ.zU2ekY3M1AWUAXiRLO0fnxqrhPVhyIRKfp/w2NS8ZJTmzJFz5sAI3HY0OVmcVo8swGavk4Srp1:17965:0:99999:7:::
2gadmin:$6$4GhyWZ7F$gzlNBezxIkooZn6vnUVcZv3fyemo8EDSVx/Ru93cqXn6e12gKu9l.N9A6jzoUjuteCtdIfSF/zigW0aMUAdMP.:17972:0:99999:7:::
testuser:$6$r.PhJ0HG$Y.xOpTBqJbWpc3f0uri.g8ErCu4wIiUGqPYYwXdxtjGtgZxaOh7ZkStlg9kDRAITtlZrHajxmAMHfd3rnSivt1:17965:0:99999:7:::
demouser:$6$9CZpDyNz$bq5vvUP/ZI.2o43hIfjjMxfFcFgpaYAeUt5t0tntRMp7uO2NwCz/vqLoHGn.OCLJ.ZPSQXe5nOSoaos91Sf01/:17965:0:99999:7:::
sudha:$6$qnxlK8b1$.TUnwqmrDNNoPBi/1UcKMcWnQ18vrBM7jp8G1ZZOCjW3IzWtvY9/Cv06SUFuFMTuop6BcQqojabEamDZz5Eoy.:17965:0:99999:7:::
suresh:$6$FJd45FHD$nc8.lfpNTMByrrVJMc01Ax2ui6dvhzoa4tLi5qTmSJ0hznZDp2gM4b5pBUCuIkh5B5sDPF.QHmQn7ykRxfzvD0:17965:0:99999:7:::
mysql:!:17972:0:99999:7:::
ntp:*:17982:0:99999:7:::
_chrony:*:17983:0:99999:7:::
Debian-exim:!:18056:0:99999:7:::
u1:$6$hWt8cQ6t$7a.Y1P0QbpeTh2gY0uqWMvQtem2zbtQLkLXWeQ0PVsYJMYFZ/qexoV5BTNEUA0Dy3l6EynUaVr6Zm5TNPKK0v1:18058:0:99999:7:::
u2:$6$dmiZ1DNZ$bNP9zmltm2q3vUeo/1UjsAhsT6MJhcGznh3WsZKYXNXh/sOTDzLvmpUtUNVmClr26ZbrO6XwCecqfNh9/.sMV.:18058:0:99999:7:::
u3:$6$jURs3Rwk$F5sAISRA/C9YSUqgcLkylkYELubobnNbu0a1PY.16TFH.lKkqWrtSpglm9iOMgIRkxU69ndiRZU5EC1Tg8P/A1:18058:0:99999:7:::
u4:$6$GaRMSi2G$VX.iXvxxPDKVdqTV7tlWSOCHS6HQ7N4J2UtXoOD/Obs.0Nf3xfOtaRPSHeO4x.6YivafK.J4h3.DSNDREoqvE/:18058:0:99999:7:::
u5:$6$YzYrK29s$tC39cPEmFEI61WskTHSyEQsnNoEUQ6O6GubmqYDTR4RKHM8b239TBypTJobxdWb7WF9XxM1FpsSvQq4oh/C5m.:18058:0:99999:7:::
nagios:$6$LJBp6Hb4$RBLQ3S9cngte8yDmLr5T8QTMSvPWzleYltT4NLUVExqXv9SIOL.0KhTvqHiU5OxhUP5k4njgNAjUI1Ve6Ndjg0:18085:0:99999:7:::

What are the Nine Fields and it’s Details?

The /etc/shadow file contain every user password details as a single line with nine fields as described below, each fields separated by colon :.

The password field comes with following three variants.

  • Usable Encrypted Password: This allow us to login to the Linux system since it’s comes with proper password.
  • Locked Password: A password field which starts with a exclamation mark means that the password is locked.
  • (! and *) Represent Empty Password: This field may be empty, in which case no passwords are required to authenticate as the specified login name. These user will not be able to use a unix password to log in.

These are the Nine fields, which is in /etc/shadow file.

  • Username: User login name, it be a valid account name, which exist on the system.
  • Encrypted Password: Encrypted Password hash, which contains three parts like hash_algorithm, hash_salt, and hash_data.
  • Date of last password change: The date of the last password change, expressed as the number of days since Jan 1, 1970.
  • Minimum password age: The minimum password age is the number of days the user will have to wait before she will be allowed to change her password again.
  • Maximum password age: The maximum password age is the number of days after which the user will have to change her password.
  • Password warning period: The number of days before a password is going to expire (see the maximum password age above) during which the user should be warned.
  • Password inactivity period: The number of days after a password has expired during which the password should still be accepted. After expiration of the password and this expiration period is elapsed, no login is possible using the current user’s password.
  • Account expiration date: The date of expiration of the account, expressed as the number of days since Jan 1, 1970.
  • Reserved field: Not used or reserved for future use.
# grep "mageshm" /etc/shadow

mageshm:$6$sTgBhfj0$pkzz/JpVTl8ZAmk./d4SDarRyWsGSZHguljywUHQMP4DWo8/TgNzL5rMpejqNWuyxtFlISxdyIqPmpsIsyi.i1:16088:0:99999:7: : :
-------|--------------------------------------------------------------------------------------------------|-----|-|-----|-|-|-|-|
   1                                                       2                                                 3   4   5   6 7 8 9

Understanding the Password Hash Field and it’s Details?

The Password hash field contains an encrypted password instead of original password and the original password haven’t stored anywhere in system.
The encrypted password is having three fields and the field is separated by $ symbol.

These are the three fields, which is in password field.

  • hash_algorithm: This field shows which hashing algorithm used.
  • hash_salt: This field is contain encrypted password instead of actual password.
  • hash_data: This field is salted hash password.
$6$sTgBhfj0$pkzz/JpVTl8ZAmk./d4SDarRyWsGSZHguljywUHQMP4DWo8/TgNzL5rMpejqNWuyxtFlISxdyIqPmpsIsyi.i1
 - -------- --------------------------------------------------------------------------------------
 1    2                                             3

Details of hash_algorithm

Details of hash_algorithm and it’s code.

+------+------------------------+
| Code |        Algorithm       |
+------+------------------------+
|  $1  | MD5 hashing algorithm  |
|  $2  | Blowfish Algorithm     |
|  $3  | Eksblowfish Algorithm  |
|  $4  | NT hashing algorithm   |
|  $5  | SHA-256 Algorithm      |
|  $6  | SHA-512 Algorithm      |
+------+------------------------+

How to Check /etc/shadow File Permission?

Simply use ls command to check the /etc/shadow file permission.

# ls -la /etc/shadow
-rw------- 1 root root 942 Jun  1 22:14 /etc/shadow

How to View Users Password Properties in Linux?

Use chage command to check users password properties.

# chage -l daygeek
Last password change					: Feb 25, 2019
Password expires					: never
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7

Magesh Maruthamuthu

Love to play with all Linux distribution

You may also like...