The /etc/shadow file is a critical component in Linux systems for storing sensitive user authentication information. Unlike the world-readable /etc/passwd file, it requires superuser privileges to access, providing a secure location for password data.
The Role of the /etc/shadow File in Linux
The primary purpose of the /etc/shadow file in Linux is to store hashed (conventionally called "encrypted") user passwords and password aging policies. By separating this sensitive data from the general user information in /etc/passwd, the system enhances security: if a non-privileged user could read the password hashes, they could attempt to crack them offline.
Viewing the File with cat /etc/shadow
To inspect the contents of this file, you must use a command with superuser privileges, such as sudo. The cat /etc/shadow command is commonly used for this purpose.
$ sudo cat /etc/shadow
root:MyEPTEa$6Nonsense:15000:0:99999:7:::
The output of the /etc/shadow file is a series of colon-separated fields, with each line representing a single user.
Understanding the File Structure
Each line in /etc/shadow contains nine fields, separated by colons:
- Username: The user's login name.
- Encrypted password: The hashed user password. An asterisk (*) or exclamation mark (!) here means the account is locked.
- Date of last password change: The number of days since January 1, 1970, that the password was last changed. A value of 0 forces a password change at the next login.
- Minimum password age: The minimum number of days that must pass before the user can change their password again.
- Maximum password age: The maximum number of days the password is valid. After this period, the user must change it.
- Password warning period: The number of days before the password expires that the user will receive a warning message.
- Password inactivity period: The number of days after a password expires before the account is disabled.
- Account expiration date: An absolute date, expressed as days since January 1, 1970, when the user account will be disabled.
- Reserved field: This field is reserved for future use.
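As an added example (not code from the original article), the following Python parses lines in the nine-field format described above and classifies each account from the field semantics. The sample lines and hashes are constructed placeholders, and the exact expiry boundaries (on versus after the expiry day) are this example's choice.

```python
# Added example (not the article's code): parse /etc/shadow lines and classify
# each account from the field semantics above. Sample lines are constructed.
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("user", "pw", "lastchg", "min", "max", "warn", "inactive", "expire")

def parse_shadow_line(line):
    """Split one line into its nine fields; empty numeric fields become None."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(f)}")
    entry = dict(zip(FIELDS[:2], f[:2]))
    entry.update((k, int(v) if v else None) for k, v in zip(FIELDS[2:], f[2:8]))
    return entry  # f[8] is the reserved field and is ignored

def account_status(e, today):
    """Classify an entry for a given day (boundary choices are this example's)."""
    days = (today - EPOCH).days
    if e["pw"].startswith(("!", "*")):           # locked: no password login
        return "locked"
    if e["expire"] is not None and days >= e["expire"]:
        return "account-expired"
    if e["lastchg"] == 0:                        # forced change at next login
        return "must-change-at-login"
    if e["lastchg"] is not None and e["max"] is not None:
        expiry = e["lastchg"] + e["max"]
        if days > expiry:
            if e["inactive"] is not None and days > expiry + e["inactive"]:
                return "inactive"                # grace period is also over
            return "password-expired"
        if e["warn"] is not None and days >= expiry - e["warn"]:
            return "expiring-soon"
    return "ok"

def audit(lines, today):
    return {e["user"]: account_status(e, today) for e in map(parse_shadow_line, lines)}

SAMPLE_LINES = [  # constructed sample entries; hashes are placeholders
    "root:MyEPTEa$6Nonsense:15000:0:99999:7:::",
    "alice:$6$placeholder:19000:0:90:7:14::",
    "bob:!$6$placeholder:19000:0:90:7:::",
    "carol:$6$placeholder:0:0:90:7:::",
    "dave:$6$placeholder:19000:0:90:7::19050:",
    "erin:$6$placeholder:19020:0:90:14:::",
]

if __name__ == "__main__":
    for user, status in audit(SAMPLE_LINES, EPOCH + timedelta(days=19100)).items():
        print(f"{user:6} {status}")
```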
While the /etc/shadow file is fundamental, most modern distributions supplement it with other authentication mechanisms, such as Pluggable Authentication Modules (PAM), which offer more flexible and advanced authentication schemes.