/etc/shadow File in Linux Explained

In this tutorial, we will understand how the file /etc/shadow formated and why it is used for. The file /etc/shadow can be read-only by the system user ‘root’.

In Linux, when you create a user (using useradd command) the account information such as username, UID, GID etc are stored in a system file /etc/passwd and secure account information such as encrypted password, last changed, expire date etc are stored in another file called /etc/shadow.

Each system user will have an entry in /etc/shadow file. There are 8 fields per line each separated by a “colon :”. A sample entry is as follows.

test:$1$CQoPk7Zh$370xDLmeGD9m4aF/ciIlC.:14425:0:99999:7:::

/etc/shadow file Format

Originally, the encrypted password was stored in /etc/passwd which had to be world readable so that the system could map user-ids to user names, and so that users could find out information about each other and then people realized that this was a security problem.  So a new file /etc/shadow was created to store the encrypted password which is readable only by root and also contains other information that the /etc/passwd file did not support related to the user's account and password, e.g. when the password was last changed and when it will expire. This file hides the hashes from normal users of the system while keeping them available for user authentication purposes. Look below

$ cat /etc/shadow
cat: /etc/shadow: Permission denied

You can see that we are unable to see the content of the file as normal user. You need to have privileges to see its contents. As /etc/passwd file, it also contains some lines and uses colons (:) to separate the fields where each line represents a specific user.

# cat /etc/shadow
root:$6$Q0FVxjNp$ZS7ilmu2ILfZApk1mJz4f48X6m:17262:0:14600:14::: 
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
linoadmin:!!:17289:0:99999:7:::

/etc/shadow file has nine field which can be represented as below

shadow file linux

Below the details of each field:

  • Username or login: This first field denotes the username that should be used while logging in to the system.
  • Password: The second field stores the password in encrypted format. the $xx$ initial ($6$ for the example above) just after the first field (root:) indicates the type of encryption. As noted above, the asterisk * signifies that this account cannot be used to log in and the !! means that the user doesn't have a password so he has been created without password.
  • date of last Password Change (lastchanged): The third field indicates the date of the last password change, expressed as the number of days since Jan 1, 1970. The 0 value means that the user should change his password the next time he will log in the system.
  • Minimum days: This fourth field stores the minimum number of days after which a user can change his password. You won’t be able to change the password before that.
  • Maximum days: This fifth field indicates the maximum number of days the password is valid. After that, the user is forced to change his password.
  • Warning password period: The sixth field denotes the number of days before which the user will receive a warning notification about the password expiry and must be changed.
  • Inactivity period: The seventh field indicates the number of days after the password expiration after which the account will be disabled. When empty, this field indicates that there are no enforcement of an inactivity period.
  • Expiration date: The eighth field indicates the days since Jan 1, 1970 that account is disabled
  • Reserved: the ninth field is reserved for future use.

/etc/shadow file permission

This is the second important file on Linux because it store password so its access and modification can be very critical. This why its permission are 400 which gives only read permission to the owner. It is also to prevent mistaken modifications. You can see the default permissions of this file below:

# ls -l /etc/shadow
-r-------- 1 root root 1078 May 12 23:55 /etc/shadow

The password could be encrypted using different methods, which is recognized by the id present after first character which is the $ symbol. Below you can have the value of the id and the corresponding encryption technique it indicates:

  • 1: MD5
  • 2a: Blowfish
  • 5: SHA-256
  • 6: SHA-512

How the encrypted password works

The algorithm used to encrypt the password field is technically referred to as a one way hash function. This is an algorithm that is easy to compute in one direction, but very difficult to calculate in the reverse direction.

When a user is provided a password, it is encoded with a randomly generated value called the salt. This means that any particular password could be stored in 4096 different ways. The salt value is then stored with the encrypted password.

When a user logs in and supplies a password, the salt is first retrieved from the stored encrypted password. Then the supplied password is encoded with the salt value, and then compared with the encrypted password. If the passwords match, then the user is authenticated.

So, it is always recommended to select passwords which is strong- contains a mixing of alphabets, digits and special symbols and avoid selecting dictionary words.

Leave a Comment