There are many authentication schemes that can be used on Linux systems. The standard and most commonly used one validates credentials against /etc/passwd and /etc/shadow.
/etc/shadow
The /etc/shadow file is a text file that contains information about the passwords of system users. It is owned by the root user and the shadow group and has 640 permissions.
Format of the /etc/shadow file
The /etc/shadow file contains one entry per line, each representing a user account. You can view the contents of the file with a text editor or with a command such as cat:
sudo cat /etc/shadow
Typically, the first line is the root user, followed by the system and regular user accounts. New entries are added at the end of the file.
Every line of the /etc/shadow file contains nine colon-separated fields:
budi:$6$.n.:17736:0:99999:7:::
[--] [----] [---] - [---] -
|    |      |     | |     | |||
|    |      |     | |     | ||+---> 9. Unused (ignored)
|    |      |     | |     | |+----> 8. Expiration date
|    |      |     | |     | +-----> 7. Inactivity period
|    |      |     | |     +-------> 6. Warning period
|    |      |     | +-------------> 5. Maximum password age
|    |      |     +---------------> 4. Minimum password age
|    |      +---------------------> 3. Last password change
|    +----------------------------> 2. Encrypted password
+---------------------------------> 1. Username
- Username. The login name typed when signing in to the system; each entry corresponds to a user account on the system.
- Encrypted password. The password hash, stored in the form $type$salt$hashed. $type identifies the cryptographic hash method and can take the following values:
  - $1$ – MD5
  - $2a$ – Blowfish
  - $2y$ – Eksblowfish
  - $5$ – SHA-256
  - $6$ – SHA-512
  If the password field contains an asterisk (*) or an exclamation mark (!), the user cannot log in to the system with password authentication. Other sign-in methods, such as key-based authentication or switching to the user from another account, are still allowed. On older Linux systems, the encrypted user passwords were stored in /etc/passwd.
- Last password change. The date on which the password was last changed, expressed as the number of days since January 1, 1970.
- Minimum password age. The number of days that must pass after a password change before the user may change the password again. It is usually set to zero, which means there is no minimum password age.
- Maximum password age. The number of days after which the user's password must be changed. By default this is set to 99999.
- Warning period. The number of days before the password expires during which the user is warned that it must be changed.
- Inactivity period. The number of days after the password expires before the account is deactivated. This field is usually empty.
- Expiration date. The date on which the account is deactivated, expressed, like the last-change field, as days since January 1, 1970.
- Unused. This field is ignored and reserved for future use.
The /etc/shadow file should not be edited by hand unless you know what you are doing. Always use the commands designed for the purpose.
For example, to change a user's password use the passwd command, and to change the password aging settings use the chage command.
Example /etc/shadow entry and format
Let's look at an example:
linuxid:$6$zHvrHYa5Y690dseQ$z5zdL...:18009:0:120:7:14::
The above entry contains information about the password of the user "linuxid":
- The password is encrypted with SHA-512 (the hash is truncated to make it easier to read).
- The password was last changed on April 23, 2019 (day 18009).
- There is no minimum password age (0).
- The password must be changed at least every 120 days.
- The user will receive a warning message seven days before the password expires.
- If the user does not log in to the system within 14 days after the password expires, the account will be deactivated.
- There is no expiration date for the account.
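The fields and the worked entry above can be checked programmatically. The following Python is an added example, not code from the original post: it parses shadow lines into the nine fields, reads the $type$ prefix, flags locked accounts and turns the day counts into calendar dates. The sample lines are constructed from the two entries shown in the text plus a locked system account; the function names are this example's own.

```python
from datetime import date, timedelta
from typing import Optional
EPOCH = date(1970, 1, 1)  # day 0 of the day-count fields
HASH_TYPES = {"1": "MD5", "2a": "Blowfish", "2y": "Eksblowfish", "5": "SHA-256", "6": "SHA-512"}
FIELDS = ("username", "password", "last_change", "min_age", "max_age", "warn", "inactive", "expire", "reserved")

def parse_shadow_line(line: str) -> dict:
    """Split one line into its nine colon-separated fields; day counts (3..8) become int or None."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    entry = dict(zip(FIELDS, f))
    for k in FIELDS[2:8]:
        entry[k] = int(entry[k]) if entry[k] else None
    return entry

def epoch_days(n: Optional[int]) -> Optional[date]:
    """Days since 1970-01-01 -> date; an empty field (None) stays None."""
    return None if n is None else EPOCH + timedelta(days=n)

def hash_type(password: str) -> Optional[str]:
    """Hash method named by the $type$ prefix; None when the field holds no hash ('*', '!')."""
    parts = password.split("$")
    return HASH_TYPES.get(parts[1], "unknown") if len(parts) >= 3 else None

def is_locked(password: str) -> bool:
    """A leading '*' or '!' disables password authentication for the account."""
    return password.startswith(("*", "!"))

def password_expires_on(e: dict) -> Optional[date]:
    """Last change + maximum age, or None when either field is empty."""
    if e["last_change"] is None or e["max_age"] is None:
        return None
    return epoch_days(e["last_change"] + e["max_age"])

def account_disabled_on(e: dict) -> Optional[date]:
    """Password expiry + inactivity period, or None when inactivity is empty."""
    exp = password_expires_on(e)
    return None if exp is None or e["inactive"] is None else exp + timedelta(days=e["inactive"])

# Constructed sample: the two entries shown in the text plus a locked system account.
SAMPLE_SHADOW = ("budi:$6$.n.:17736:0:99999:7:::\n"
                 "linuxid:$6$zHvrHYa5Y690dseQ$z5zdL...:18009:0:120:7:14::\n"
                 "daemon:*:17736:0:99999:7:::\n")

def audit(text: str) -> dict:
    """Per user: (hash type, locked?, last change, password expiry, account disabled)."""
    return {e["username"]: (hash_type(e["password"]), is_locked(e["password"]), epoch_days(e["last_change"]),
                            password_expires_on(e), account_disabled_on(e))
            for e in map(parse_shadow_line, text.splitlines())}
```

Running audit(SAMPLE_SHADOW) reports linuxid's password expiring on 2019-08-21 and the account being disabled on 2019-09-04, matching the walk-through above.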
Conclusion
The /etc/shadow file stores encrypted user passwords, along with other password-related information.
Originally posted 2020-11-18 05:11:02.