The /etc/shadow file securely stores users' hashed passwords (often loosely called "encrypted") together with password aging information.
While /etc/passwd stores general user information (such as UIDs and home directories), it is world-readable: any user on the system can look at it. For security reasons, the actual password hashes were moved to /etc/shadow, which is strictly protected.
Key Purposes:
- Security (Password Hiding): Only the root user (or users with sudo) can read this file. This prevents regular users from even seeing the hashes of other people's passwords, making "offline" cracking attempts much harder.
- Encrypted Passwords: It stores the password in a "hashed" format (usually using strong algorithms like SHA-512).
- Password Aging Policy: It stores metadata about the password, such as:
  - When the password was last changed.
  - The minimum/maximum number of days before a password must be changed.
  - When the account will expire.
  - Warning periods before a password expires.
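To make the hash and aging fields concrete, here is an added example (not part of the original text) that parses a constructed /etc/shadow-style record with POSIX shell. The sample record, the user name "alice" and the hash string are made up for illustration; the field layout and the $id$ prefixes (1 = MD5, 5 = SHA-256, 6 = SHA-512, y = yescrypt) are the standard crypt(3) conventions. The day values are counted from 1970-01-01, exactly as the real file stores them.

```shell
#!/bin/sh
# Parse one constructed /etc/shadow-style record and report the hash
# algorithm plus the password-aging fields. Nothing here reads the real file.

# Constructed sample record (fake hash): user "alice", SHA-512 prefix,
# last change on day 19800, min 1 day, max 90 days, warn 7 days,
# inactive 14 days, account expiry on day 20000, reserved field empty.
SAMPLE='alice:$6$saltsalt$FAKEHASHnotARealDigest0000000000000000000000000000000000000000000000000000000000000:19800:1:90:7:14:20000:'

# shadow_field RECORD N -> prints the Nth colon-separated field (1-based):
# 1 name, 2 hash, 3 last change, 4 min age, 5 max age, 6 warn, 7 inactive,
# 8 account expiry, 9 reserved.
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# hash_algorithm RECORD -> names the crypt(3) algorithm from the $id$ prefix,
# or reports an empty or locked password field (a leading "!" or "*" means
# no hash can ever match, so password login is disabled).
hash_algorithm() {
    hash=$(shadow_field "$1" 2)
    case "$hash" in
        '')        echo "empty (no password required)" ;;
        '!'*|'*')  echo "locked (no valid hash)" ;;
        '$1$'*)    echo "MD5" ;;
        '$5$'*)    echo "SHA-256" ;;
        '$6$'*)    echo "SHA-512" ;;
        '$y$'*)    echo "yescrypt" ;;
        *)         echo "unknown/legacy" ;;
    esac
}

# max_age RECORD -> maximum password age in days (field 5)
max_age() { shadow_field "$1" 5; }

# days_until_expiry RECORD TODAY -> days from TODAY (days since epoch) until
# the password must be changed: last change (field 3) + max age (field 5).
# A negative result means the password is already overdue.
days_until_expiry() {
    last=$(shadow_field "$1" 3)
    max=$(shadow_field "$1" 5)
    echo $(( last + max - $2 ))
}

# Demonstration on the constructed record, as of day 19850.
echo "user:        $(shadow_field "$SAMPLE" 1)"
echo "algorithm:   $(hash_algorithm "$SAMPLE")"
echo "max age:     $(max_age "$SAMPLE") days"
echo "days left:   $(days_until_expiry "$SAMPLE" 19850)"
```

Running the script prints SHA-512, a 90-day maximum age and 40 days remaining for the sample record; the same functions work on any line copied from a real shadow file, which is a quick way to audit whether an account still uses a legacy hash or a password long past its maximum age.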
Comparison:

| Feature | /etc/passwd | /etc/shadow |
|---|---|---|
| Visibility | Readable by everyone | Readable only by root/sudo |
| Content | User account details | Encrypted passwords & aging |
| Password field | Shows an x | Shows the actual hash |
If you try to view it as a normal user with cat /etc/shadow, you will get a "Permission denied" error. You must use sudo cat /etc/shadow to see its contents!