Shadow password file in Linux

The shadow file is probably one of the most important files on your Linux system, because it stores the actual hashed passwords for every account on the system. The shadow file is located at /etc/shadow and is only accessible to the root user. In fact, it has permission mode 640, which grants the owner read/write permission and the group read permission. In this tutorial, we’ll take a look at the shadow file.

The shadow file contains colon-separated information. So it would look something like this:

In our case, we’re going to select one of the users (user = kalyani) to use as an example.

kalyani:$6$uUSXwCvO$Ic9kN9dS0BHN.NU.5h7rAcEQbtjPjqWpej5o5y7JlrQK0hdQrzKBZB1V6CowHhCpk25PaieLcJEqC6e02ExYA.:18917:0:99999:7:::

There are nine colon-separated fields!

1. The first field is the username itself. In my case it is kalyani, but in your case it will be your username.

2. The second field contains the hashed password:

$6$uUSXwCvO$Ic9kN9dS0BHN.NU.5h7rAcEQbtjPjqWpej5o5y7JlrQK0hdQrzKBZB1V6CowHhCpk25PaieLcJEqC6e02ExYA.

There are three dollar signs here. The hashing method is indicated between the first and second dollar signs; between the second and third dollar signs is the salt, and after the third dollar sign is the hash itself.

You can see $6$ here, which means the hashing method is SHA-512.

Other hashing methods:

  1. $1$ – MD5
  2. $2$ – Blowfish
  3. $3$ – Blowfish
  4. $5$ – SHA-256
  5. $6$ – SHA-512

After that comes uUSXwCvO, the salt. To make the hash unique even for identical passwords, a salt is added. The salt itself is a random sequence of characters, and this sequence is combined with the password when the hash is computed.

If you’d like to try it out for yourself, you can do it with the whois package. First, install the whois package:

$ sudo apt-get install whois

Then, after installing the whois package, you can enter the following:

$ mkpasswd -m sha-512 PASSWORD [SALT]

Here, replace PASSWORD with the desired password and SALT with the desired salt.

For example:

$ mkpasswd -m sha-512 toor uUSXwCvO

The last part of the password field, the content after the third dollar sign, is the actual hash.

3. The third field is the date of the last password change. The number is the count of days since the epoch (January 1, 1970). In my case, the number is 18917. If this field is blank, it means that password aging features are not enabled. A 0 in this field means that the user must change their password the next time they log in.

4. The fourth field is the minimum password age. The minimum password age is the time, in days, that must elapse before the user is allowed to change the password again. A value of 0 means that there is no minimum password age. In my case it is 0, so there is no minimum password age on my system.

5. The fifth field is the maximum password age. The maximum password age is the time, in days, after which the user will be required to change the password. A blank value in this field means that there is no maximum password age. In my case, it is 99999.

6. The sixth field is the password warning period. The user is warned this many days before the password expires. In my case, it is 7.

7. The seventh field is the password inactivity period. The password inactivity period is the time, in days, during which an expired password is still accepted. Once this period has also elapsed, the user can no longer log in to the system. In my case, the field is empty, which means there is no password inactivity period.

8. The eighth field is the expiration date of the account. The account expiration date is exactly what it sounds like: the day the account expires. This number is also expressed as days since the epoch (January 1, 1970).

9. The ninth field is a reserved field. This field is reserved for the future and is not currently used.

Change Password

All this means that the password must be updated or changed regularly. The next question is how to change the current password and avoid password-aging problems. You must be root to change a password this way:

$ sudo passwd {USERNAME}

Replace {USERNAME} with the username whose password you want to change. You will be prompted for your current password; once you enter it, you will be asked to enter a new password. That’s all!

Change user password expiration information

Another piece of information that can be changed is the password expiration information. This is where chage comes in handy!

It is used as follows:

chage [options] LOGIN

  • -d, --lastday. This sets the date of the last password change, given as YYYY-MM-DD or as days since the epoch.
  • -E, --expiredate. This sets the date on which the account will be disabled. The date is given as YYYY-MM-DD or as days since the epoch. If you pass -1, there will be no account expiration date.
  • -h, --help. This displays help.
  • -I, --inactive. This sets the password inactivity period. If you pass -1, the inactivity period is removed.
  • -l, --list. This displays the password expiration information.
  • -m, --mindays. This sets the minimum number of days between password changes. If you pass 0, the user can change their password at any time.
  • -M, --maxdays. This sets the maximum number of days that the current password is valid. If -1 is passed, the password validity check is removed.
  • -W, --warndays. This sets the password warning period.
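To make the mapping between chage options and shadow fields concrete, here is an added Python example (not part of the original article and not chage's own code). It takes a constructed shadow line (placeholder hash, not a real digest), applies options the way chage(1) records them (dates given as YYYY-MM-DD are stored as days since 1970-01-01, and -1 clears a field, which is written back as empty), and returns the rewritten line.

```python
"""Apply chage-style option values to a line of /etc/shadow and re-serialise it."""
from datetime import date

EPOCH = date(1970, 1, 1)

# Shadow field index written by each chage option (field 0 is the username)
CHAGE_FIELDS = {"-d": 2, "-m": 3, "-M": 4, "-W": 5, "-I": 6, "-E": 7}
DATE_OPTIONS = {"-d", "-E"}        # accept YYYY-MM-DD or a raw day number

# Constructed sample line: no limits set apart from the defaults
LINE = "alice:$6$saltsalt$PLACEHOLDERHASH:18917:0:99999:7:::"


def days_since_epoch(value) -> int:
    """chage accepts YYYY-MM-DD; the shadow file stores the day count since the epoch."""
    if isinstance(value, int):
        return value                   # already a day number
    return (date.fromisoformat(value) - EPOCH).days


def apply_chage(line: str, options: dict) -> str:
    """Return the shadow line with each option's value stored in its field."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("not a shadow line: expected 9 fields")
    for opt, value in options.items():
        idx = CHAGE_FIELDS[opt]        # KeyError for anything chage does not write
        if str(value) == "-1":
            fields[idx] = ""           # -1 removes the limit; stored as an empty field
        elif opt in DATE_OPTIONS:
            fields[idx] = str(days_since_epoch(value))
        else:
            n = int(value)
            if n < 0:
                raise ValueError(f"{opt} needs a day count >= 0 or -1")
            fields[idx] = str(n)
    return ":".join(fields)


if __name__ == "__main__":
    # Equivalent of: chage -M 90 -W 7 -I 5 -E 2022-12-31 alice
    print(apply_chage(LINE, {"-M": 90, "-W": 7, "-I": 5, "-E": "2022-12-31"}))
    # Equivalent of: chage -d 0 alice  (forces a password change at next login)
    print(apply_chage(LINE, {"-d": 0}))
```

Fields 4 through 8 of the first printed line become 90, 7, 5 and 19357 (2022-12-31 as days since the epoch), and the second line carries a 0 in the third field, which is exactly what the earlier field descriptions say a forced change looks like.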

The shadow file is by far the most important file on your Linux system. Previously, the passwd file contained all the passwords, but nowadays the passwd file is a simple text file containing user information, and the shadow file instead contains all the password information! And since it contains password information, it is both locked down to the superuser and stores the passwords hashed (encrypted).

The shadow file has one line per user, each containing nine colon-separated fields that express password information or password expiration information. In any case, the shadow file must be protected and locked down!
