The Shadow File - Clemson University


The use of the shadow password file is mandatory on all Solaris systems. The /etc/shadow file is readable only by the superuser and serves to keep encrypted passwords safe from prying eyes. It also provides account information that is not available from /etc/passwd. The /etc/passwd and /etc/shadow files are independent of each other, and both must be maintained by hand.

Like /etc/passwd, the /etc/shadow file contains one line for each user. Each line contains nine fields, separated by colons:

1. Login name
2. Encrypted password
3. Date of last password change
4. Minimum number of days between password changes
5. Maximum number of days between password changes
6. Number of days in advance to warn users about password expiration
7. Number of inactive days before account expiration
8. Account expiration date
9. Flags

e.g., my entry on a Solaris system:

grossman:rAzX2rH1EAutI:14956::::::

The only fields that are required to be nonempty are the username and password. Absolute date fields in /etc/shadow are specified in terms of days since Jan 1, 1970, which is not a standard way of reckoning time on UNIX systems. A typical shadow entry might look like:

millert:inNO.VAsc1Wn.:11031::180:14::18627:

The login name is the same as in /etc/passwd. This field simply connects a user's passwd and shadow entries.

The encrypted password is identical in concept and execution to the one previously stored in /etc/passwd.

The last change field indicates the time at which the user's password was last changed. This field is generally filled in by /bin/passwd.

The fourth field sets the number of days that must elapse between password changes. Once users change their password, they cannot change it again until the specified period has elapsed.

The fifth field sets the maximum number of days allowed between password changes. This feature allows the administrator to enforce password aging.

The sixth field sets the number of days before password expiration that the login program should begin to warn the user of the impending expiration.

The seventh field indicates the number of days of inactivity (no logins) after which the account will be disabled.

The eighth field specifies the day, in days since January 1, 1970, on which the user's account will expire. The user may not log in after this date until the field has been reset by a sysadmin. If the field is blank, the account will never expire.

The ninth field is currently always empty and is reserved for future use.

Repeating the example above:

millert:inNO.VAsc1Wn.:11031::180:14::18627:

From our example above, we know that user millert last changed her password on March 14, 2000. The password must be changed again within 180 days, and millert will receive warning messages that the password needs to be changed during the last two weeks of this period. The account expires on December 31, 2001.
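As an added example (not from the original page), a small Python parser for the nine-field format described above: it converts the day-count fields to dates, works out the change-by, warning and expiration dates, and flags an empty password field or a missing maximum age. The sample lines, the placeholder hash and the function names are constructed for this example; the "*LK*" (locked) and "NP" (no password) conventions for the password field are Solaris's own.

```python
from datetime import date, timedelta
EPOCH = date(1970, 1, 1)   # shadow dates are day counts since this date
FIELDS = ("name", "passwd", "lastchg", "min", "max",
          "warn", "inactive", "expire", "flag")

def parse_shadow_line(line):
    """Split one /etc/shadow line; numeric fields become int, empty ones None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(parts))
    entry = dict(zip(FIELDS, parts))
    for key in FIELDS[2:]:          # fields 3-9 are day counts or empty
        entry[key] = int(entry[key]) if entry[key] != "" else None
    return entry

def day_to_date(days):
    return None if days is None else EPOCH + timedelta(days=days)

def password_status(entry):
    """Classify the password field; '*LK*' and 'NP' are Solaris conventions."""
    pw = entry["passwd"]
    if pw == "":
        return "empty"          # no password is needed to log in
    if pw.startswith("*LK*"):
        return "locked"
    if pw == "NP":
        return "no-password"    # account cannot authenticate with a password
    return "set"

def aging_schedule(entry):
    """Return (change_by, warn_from, expires) as dates, None where not set."""
    lastchg = day_to_date(entry["lastchg"])
    change_by = warn_from = None
    if lastchg is not None and entry["max"] is not None:
        change_by = lastchg + timedelta(days=entry["max"])
        if entry["warn"] is not None:
            warn_from = change_by - timedelta(days=entry["warn"])
    return change_by, warn_from, day_to_date(entry["expire"])

def audit(entry):
    """Flag settings an administrator reviewing the file would want to catch."""
    findings = []
    if password_status(entry) == "empty":
        findings.append("empty password field")
    if entry["max"] is None:
        findings.append("no maximum age: password never expires")
    return findings

# Constructed sample lines; the hash is a placeholder, not a real crypt(3) string.
SAMPLE = ["alice:PLACEHOLDER_HASH:11688:7:90:14:30:12053:", "bob::11688::::::"]
```

Running `aging_schedule(parse_shadow_line(SAMPLE[0]))` gives 2002-04-01 as the change-by date, 2002-03-18 as the start of warnings and 2003-01-01 as the expiration date, since day 11688 is January 1, 2002.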


In order to avoid copyright disputes, this page is only a partial summary.
