SHADOW(5) File Formats and Configurations SHADOW(5)
NAME
shadow - shadow password file
DESCRIPTION
/etc/shadow is an access-restricted ASCII system file that stores
users' encrypted passwords and related information. The shadow file
can be used in conjunction with other shadow sources, including the
NIS maps passwd.byname and passwd.byuid. Programs use the
getspnam(3C) routines to access this information.

The fields for each user entry are separated by colons. Each user is
separated from the next by a newline. Unlike the /etc/passwd file,
/etc/shadow does not have general read permission.
Each entry in the shadow file has the form:

username:password:lastchg:min:max:warn:inactive:expire:flag

The fields are defined as follows:
username    The user's login name (UID).

password    An encrypted password for the user generated by crypt(3C),
            a lock string to indicate that the login is not
            accessible, or no string, which shows that there is no
            password for the login.

            The lock string is defined as *LK* in the first four
            characters of the password field.

lastchg     The number of days between January 1, 1970, and the date
            that the password was last modified. The lastchg value is
            a decimal number, as interpreted by strtol(3C).

min         The minimum number of days required between password
            changes. This field must be set to 0 or above to enable
            password aging.

max         The maximum number of days the password is valid.

warn        The number of days before password expires that the user
            is warned.

inactive    The number of days of inactivity allowed for that user.
            This is counted on a per-machine basis; the information
            about the last login is taken from the machine's lastlog
            file.

expire      An absolute date expressed as the number of days since
            the Unix Epoch (January 1, 1970). When this number is
            reached the login can no longer be used. For example, an
            expire value of 13514 specifies a login expiration of
            January 1, 2007.

flag        Failed login count in low order four bits; remainder
            reserved for future use, set to zero.

A value of -1 for min, max, or warn disables password aging.
The encrypted password consists of at most CRYPT_MAXCIPHERTEXTLEN
characters chosen from a 64-character alphabet (., /, 0-9, A-Z, a-z).
Two additional special characters, "$" and ",", can also be used and
are defined in crypt(3C). To update this file, use the passwd(1),
useradd(8), usermod(8), or userdel(8) commands.
In order to make system administration manageable, /etc/shadow
entries should appear in exactly the same order as /etc/passwd
entries; this includes ``+'' and ``-'' entries if the compat source
is being used (see nsswitch.conf(5)).

Values for the various time-related fields are interpreted as
Greenwich Mean Time.
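
The entry format and field rules above, applied as an audit check; this is an added example, not part of the manual page. The sample entries are constructed, and treating a password as past its maximum age once today exceeds lastchg + max is an assumption about the comparison.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("username", "password", "lastchg", "min", "max",
          "warn", "inactive", "expire", "flag")

def parse_entry(line):
    """Split one shadow entry into its nine colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    for name in FIELDS[2:]:
        # Numeric fields left empty are kept as None (not set).
        entry[name] = int(entry[name]) if entry[name] else None
    return entry

def audit(entry, today):
    """Return findings for one entry; `today` is days since the epoch."""
    findings = []
    pw = entry["password"]
    if pw == "":
        findings.append("no password")
    elif pw.startswith("*LK*"):      # lock string in the first four characters
        findings.append("locked")
    if any(entry[f] == -1 for f in ("min", "max", "warn")):
        findings.append("aging disabled")
    elif (entry["lastchg"] is not None and entry["max"] is not None
          and today > entry["lastchg"] + entry["max"]):
        # Assumption: the password is stale once today passes lastchg + max.
        findings.append("password past max age")
    if entry["expire"] is not None and today >= entry["expire"]:
        when = EPOCH + timedelta(days=entry["expire"])
        findings.append(f"login expired {when}")
    failed = (entry["flag"] or 0) & 0xF   # low order four bits only
    if failed:
        findings.append(f"failed logins: {failed}")
    return findings

# Constructed sample entries (not real accounts or password hashes).
SAMPLE = """\
alice:$5$constructedsalt$constructedhash:17000:0:90:7::13514:3
bob:*LK*:17000::::::
carol::17000:-1:-1:-1:::
"""

def run(today=17200):
    """Audit every sample entry against a fixed `today` day count."""
    return {e["username"]: audit(e, today)
            for e in map(parse_entry, SAMPLE.splitlines())}
```
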
FILES
/etc/shadow           shadow password file
/etc/passwd           password file
/etc/nsswitch.conf    name-service switch configuration file
/var/adm/lastlog      time of last login
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Stable |
+--------------------+-----------------+
SEE ALSO
login(1), passwd(1), crypt(3C), crypt_gensalt(3C), getspnam(3C),
putspent(3C), strtol(3C), nsswitch.conf(5), passwd(5), attributes(7),
pam_unix_account(7), pam_unix_auth(7), useradd(8), userdel(8),
usermod(8)
NOTES
If password aging is turned on in any name service the passwd: line
in the /etc/nsswitch.conf file must have a format specified in the
nsswitch.conf(5) man page.

If the /etc/nsswitch.conf passwd policy is not in one of the
supported formats, logins will not be allowed upon password
expiration, because the software does not know how to handle password
updates under these conditions. See nsswitch.conf(5) for additional
information.
February 25, 2017 SHADOW(5)