/etc/shadow File Explained

Ted LeRoy
A free video tutorial from Ted LeRoy
Enterprise Security Architect - Online Instructor
4.6 instructor rating • 3 courses • 6,946 students

Lecture description

Ubuntu Server - /etc/shadow

The /etc/passwd file, by itself, cannot perform the function of permitting user login on modern Linux systems. Its password field holds only an x; the actual password hashes live in the /etc/shadow file, so the two have to be used together.

The /etc/shadow File

The /etc/shadow file, paired with the /etc/passwd file, permits users to log in. The system hashes the entered password with the salt stored in /etc/shadow and compares the result with the stored hash; if they match, the user is permitted to log in. If not, you can try again, though only a few more times if an account lockout policy is configured. Unlike /etc/passwd, which must be world-readable, /etc/shadow is readable only by root and the shadow group (owner root:shadow, mode 0640 on Ubuntu), which is the whole point of keeping the hashes in a separate file.

Here’s a line from the /etc/shadow file:

lskywalker:$6$7AGLK73G$wCV11kWNLz2a/zWUZH5coRvTKP48VQOluVJo0MHN7SdmQW7JFibGfnYQxP89V3PWXHWDQR5qOmNDnpoIvCnv./:17473:0:99999:7:::

As with the /etc/passwd file, each line describes one account and is a set of nine fields separated by colons ":":

1. Username (lskywalker).

2. The password hash. It is conventionally called the "encrypted password", but it is a salted one-way hash, not reversible encryption.

The password field itself has three parts, separated by dollar signs:

a. $6 - The hash algorithm identifier. This is not a "level" from 1 to 6 but a short tag defined in crypt(5). Common values:

$1 = MD5-based crypt (weak; do not use)

$2a, $2b, $2y = bcrypt (Blowfish-based); $2y marks the version with correct handling of 8-bit characters

$5 = SHA-256-based crypt

$6 = SHA-512-based crypt (the default on Ubuntu 20.04)

$y = yescrypt (the default on Ubuntu 22.04 and later)

A SHA-crypt hash may also carry an explicit work factor, e.g. $6$rounds=100000$salt$hash; the default is 5000 rounds.

b. $7AGLK73G - The salt (the text between the second and third dollar signs). It is generated randomly when the password is set and stored in the clear. It ensures that two users with the same password get different hashes and defeats precomputed lookup tables.

c. $wCV11kWNLz2a/zWUZH5coRvTKP48VQOluVJo0MHN7SdmQW7JFibGfnYQxP89V3PWXHWDQR5qOmNDnpoIvCnv./ - The hash itself, written in crypt's own base64 alphabet (./0-9A-Za-z). It cannot be reversed; login works by re-running the same algorithm with the same salt on the supplied password and comparing the output.

3. Date of the last password change, stored as days since 1 January 1970 (17473 here, which is 2017-11-03). A value of 0 forces a password change at the next login. chage -l username shows this and the following fields as readable dates.

4. Minimum password age in days (0 here, so the user may change the password again immediately).

5. Maximum password age in days (99999, roughly 274 years; in effect the password never expires).

6. Number of days before the password expires on which to start warning the user (7).

7. Inactivity period. Normally blank; if set, the number of days after the password expires during which login is still accepted before the account is disabled.

8. Account expiration date, as days since 1 January 1970, on which the account is disabled regardless of password age. Blank here, meaning no expiration.

9. Reserved for future use; always blank today. The trailing ":::" in the sample line are fields 7, 8 and 9, all empty.

If you look at the file, you'll notice many accounts with an * in the password field, as in the entry below:

games:*:17379:0:99999:7:::

For those accounts no hash is stored. * is not a valid crypt string, so no entered password can ever match it, and the account cannot be used for password login; system accounts such as games, daemon and www-data are created this way. A password field that starts with ! (or !!) is an account that was locked with passwd -l or usermod -L; the original hash is usually still there after the !, so usermod -U can restore it. The two markers are not equivalent: Ubuntu's sshd refuses an account whose shadow password begins with ! even for public-key login, whereas * only disables password authentication. passwd -S username reports the state (P for a usable password, L for locked, NP for no password) without opening the file.
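To make the field breakdown concrete, here is a small parser, added for this page and not part of the course materials, that splits a shadow line into its nine fields, decodes the $id$salt$hash structure (including the bcrypt and yescrypt layouts and the optional rounds= parameter, which go beyond the single $6 example above), converts the day counters into calendar dates and reports the password state. The first two sample lines are the ones quoted above; the hsolo line is constructed, with a placeholder instead of a real hash, to show a locked account with a 90-day maximum age and an account expiration date.

```python
"""Decode /etc/shadow lines: the nine colon-separated fields, the
$id$salt$hash password field, and the day counters as calendar dates.
Added example, not the course's code. The first two sample lines are the
ones quoted on the page; the third is constructed (placeholder hash)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)   # fields 3 and 8 count days from here
NEVER = 99999              # conventional "no maximum age"

# crypt(5) identifiers; note SHA-256 is $5, there is no $4
HASH_IDS = {"1": "MD5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "SHA-256-crypt", "6": "SHA-512-crypt", "y": "yescrypt"}

SAMPLE_SHADOW = """\
lskywalker:$6$7AGLK73G$wCV11kWNLz2a/zWUZH5coRvTKP48VQOluVJo0MHN7SdmQW7JFibGfnYQxP89V3PWXHWDQR5qOmNDnpoIvCnv./:17473:0:99999:7:::
games:*:17379:0:99999:7:::
hsolo:!$6$zX9pQ2mL$constructedNotARealHash:17473:0:90:7:14:18000:
"""


@dataclass
class ShadowEntry:
    user: str
    password: str
    last_change: Optional[int]   # days since epoch; 0 = must change at next login
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire_day: Optional[int]    # days since epoch; account disabled from here
    reserved: str


def parse_shadow_line(line):
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    nums = [int(f) if f else None for f in fields[2:8]]   # empty field = unset
    return ShadowEntry(fields[0], fields[1], *nums, fields[8])


def days_to_date(days):
    return None if days is None else EPOCH + timedelta(days=days)


def password_state(pw):
    """Roughly what 'passwd -S' reports: P (hashed), L (locked), NP (none)."""
    if pw == "":
        return "empty"            # anyone can log in with no password at all
    if pw.startswith("!"):        # passwd -l / usermod -L prefix; hash kept after it
        return "locked"
    if pw.startswith("$"):
        return "hashed"
    return "no password"          # '*' or any other non-hash: nothing can match


def split_hash(pw):
    """Return (algorithm, params, salt, digest) for a crypt string."""
    parts = pw.split("$")
    if len(parts) < 4 or parts[0] != "":
        raise ValueError(f"not a crypt string: {pw!r}")
    ident, rest = parts[1], parts[2:]
    algo = HASH_IDS.get(ident, f"unknown ({ident})")
    if ident.startswith("2"):     # bcrypt: $2y$cost$<22-char salt><31-char hash>
        cost, blob = rest
        return algo, f"cost={cost}", blob[:22], blob[22:]
    params = None                 # sha-crypt optional rounds=N, yescrypt parameter block
    if ident == "y" or rest[0].startswith("rounds="):
        params, rest = rest[0], rest[1:]
    if len(rest) != 2:
        raise ValueError(f"unexpected layout: {pw!r}")
    return algo, params, rest[0], rest[1]


def describe(line):
    e = parse_shadow_line(line)
    mx = e.max_days
    expires = None if e.last_change is None or mx is None or mx >= NEVER \
        else days_to_date(e.last_change + mx)
    info = {"user": e.user, "state": password_state(e.password),
            "last_change": days_to_date(e.last_change), "password_expires": expires,
            "account_expires": days_to_date(e.expire_day)}
    hash_part = e.password.lstrip("!")    # a locked entry keeps its hash after the !
    if hash_part.startswith("$"):
        algo, params, salt, _ = split_hash(hash_part)
        info.update(algorithm=algo, params=params, salt=salt)
    return info


if __name__ == "__main__":
    for line in SAMPLE_SHADOW.splitlines():
        print(describe(line))
```

Run it as a script to print one dict per entry; on a real system you would feed it the output of sudo cat /etc/shadow instead of SAMPLE_SHADOW. Any entry it reports as "empty" deserves immediate attention, since that is an account that can log in with no password at all.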

Remember, if you must edit the /etc/shadow file by hand (you normally shouldn't), use vipw -s: it takes the same lock that passwd and usermod honour, so a concurrent change cannot corrupt the file. Prefer the tools: passwd to set or lock a password, chage to adjust the aging fields (it accepts dates, so you never deal with the days-since-1970 counter yourself) and usermod -e to set an account expiration date. After any change, check the result with passwd -S username or chage -l username, and confirm the file is still owned by root:shadow with mode 0640.

Learn more from the full course

Ubuntu Linux Fundamentals Linux Server Administration Basics

Updated for Ubuntu 20.04 - The Latest! Gain essential skills with Linux Server in this 11 hour Beginner's course.

11:18:00 of on-demand video • Updated March 2021

  • You will learn what Linux is
  • Installing Linux
  • Working at the command line and why the Command Line Interface is so simple yet powerful
  • Configuring and securing remote access with SSH
  • Securing your server, ufw, apt update and upgrade
  • Stopping bad guys with Fail2ban
  • Installing and securing nginx web server
  • Managing users and groups
  • How to use the Linux file system
Transcript (English, auto-generated):

So last lesson we looked at the /etc/passwd file. Now we're going to look at its partner, the /etc/shadow file, as I mentioned in the last lesson. Passwords used to be stored in the second field in the /etc/passwd file, but that's insecure because everyone has to be able to read the /etc/passwd file. Now passwords are stored in the /etc/shadow file. So let's take a look. You can see similar fields to the /etc/passwd file; they're still separated by colons, but some entries have these long strings in them. That long string is the encrypted password, and some other information, which we'll go over in a second. So at a high level it has username, password, last password change date. That number doesn't look like a date because it isn't; it's the number of days since January 1st, 1970. It's a very strange system. I don't know what the reasoning was. In order to get this number you have to know the current date, or what the system thinks the current date is. So I don't know why it's like that, but that's the way they chose to do it.

The next field is the minimum password age. Some users, if they have to change their password periodically, just cycle through until they can get back to their old password. So let's say your computer remembers the last five passwords you used; if you go through that and put in a new password six times, you could be back to your original. So this value would make you have to wait. If you put a one in here, a person would have to wait one day to try another password, so they would have to go six days to get back to their original password, and most people don't go through that headache. So this is just to keep people from cycling through like that. Maximum password age: 99999 here, that's about 274 years.

So in effect your password never expires. Next is the number of days before the password expires to warn the user. So seven days before 274 years, this would warn you that your password is about to expire. If you have a reasonable value in here instead of 99999, say 90, it would warn seven days prior to expiration. The next field is often blank, but if it's filled in it would indicate the number of days after the password expires until the account is disabled. And then the last field, if it's in use, could be an expiration, and that is again days from January 1st, 1970. So again, I don't know why they do it that way. If you're using one of the programs to do this, like usermod, you don't have to worry about that January 1st, 1970 thing.

So let's go back and look at the actual encrypted password field. This whole field isn't just the password; it's actually a few items that tell you about the password as well. It's delimited by dollar signs. The first one, $6, says we're using the SHA-512 hashing algorithm. SHA-512 is pretty strong; it's the lowest you probably want to use on a modern system, and it's one of several possible algorithms. You can have $1, which would be MD5 (I definitely wouldn't recommend that), $2a, Blowfish, $2y, Blowfish with the correct handling of 8-bit characters, and $4, which is SHA-256. These are all spelled out in the downloadable materials for this lesson. So for the first part, hopefully you always see at least $6 here. I don't think there's anything higher that would be in there at this time, but going forward, who knows. The next field, from this dollar sign to this dollar sign, is a salt for the hashing algorithm that generated your encrypted password. This randomly generated value is plugged into the software that actually generates the password this way.

If two users have the exact same password, they'll still have different hashes, because these are randomly generated, and that will result in a different encrypted password even though the passwords may be identical. You'll also notice that many files don't have a password in them; they just have an asterisk. These are mostly system files that were created as your server was built, so they can't log in. They can perform functions, but they can't log in interactively like a human user would. That's pretty much it for the structure of the /etc/shadow file. Please remember, if you do want to modify this for some reason, do not modify it by just opening it in a text editor; you'd want to use vipw -s, and that will let you more safely edit the file. It's still not a good idea unless you have to for some reason. But please, please try to use the tools available, like usermod. And on to the next lesson.