
man pages section 5: File Formats


Updated: Wednesday, July 27, 2022

shadow (5)

Name

shadow - shadow password file

Description

/etc/shadow is an access-restricted ASCII system file that stores users’ hashed passwords and related information. The shadow file can be used in conjunction with other shadow sources, including the NIS maps passwd.byname and passwd.byuid or password data stored on an LDAP server. Programs use the getspnam(3C) routines to access this information. Shell scripts use the getent(8) command to access this information.

Unlike the /etc/passwd file, /etc/shadow does not have general read permission.

The fields for each user entry are separated by colons. Each user is separated from the next by a newline. Each entry in the shadow file is a single line of the form:

username:password:lastchg:min:max:warn:inactive:expire:flag

The fields are defined as follows:

username

The user’s login name (UID).

password

A cryptographically hashed password for the user generated by crypt(3C) or pwhash(1), a lock string to indicate that the login is not accessible, or no string, which shows that there is no password for the login.

The lock string is defined as *LK* in the first four characters of the password field if the account was manually locked, or *AL* if the account was automatically locked due to the number of authentication failures reaching the configured maximum allowed. See policy.conf(5) and user_attr(5).

lastchg

The number of days between January 1, 1970, and the date that the password was last modified. The lastchg value is a decimal number, as interpreted by strtol(3C).

min

The minimum number of days required between password changes. This field must be set to 0 or above to enable password aging.

max

The maximum number of days the password is valid.

warn

The number of days before password expires that the user is warned.

inactive

The number of days of inactivity allowed for that user. This is counted on a per-machine basis; the information about the last login is taken from the machine’s lastlog file.

expire

An absolute date expressed as the number of days since the UNIX Epoch (January 1, 1970). When this number is reached the login can no longer be used. For example, an expire value of 17410 specifies a login expiration of September 1, 2017.

flag

Reserved. May be set to arbitrary values. Traditionally, the low order four bits are a failed login count.

The bits in the remainder may or may not be zero. They may be used at any time for any other purposes.

A value of −1 for min, max, or warn disables password aging.

The encrypted password consists of at most CRYPT_MAXCIPHERTEXTLEN characters chosen from a 64-character alphabet (., /, 0–9, A–Z, a–z). Two additional special characters, the dollar sign ($) and the comma (,), can also be used and are defined in crypt(3C).

To update this file, use the passwd(1), useradm(8), useradd(8), usermod(8), or userdel(8) commands; the pam_chauthtok(3PAM) or usermgr-1(3rad) APIs; or the Oracle Solaris Account Management BUI.

To make system administration manageable, /etc/shadow entries should appear in exactly the same order as /etc/passwd entries.

Values for the various time-related fields are interpreted as Coordinated Universal Time (UTC).

Authorizations

The authorizations, as defined in user_attr(5), which are required to modify the various shadow fields are as follows:

Field       Operation                                          Authorization
password    change one's own password                          none required
password    change another user's password                     solaris.passwd.assign
password    delete, set no login                               solaris.passwd.assign
password    set initial password for a newly created account   solaris.account.activate
password    lock, unlock existing account                      solaris.account.setpolicy
min         set min days for password change                   solaris.account.setpolicy
max         set max days for password change                   solaris.account.setpolicy
warn        set max days for password change                   solaris.account.setpolicy
inactive    set inactivity days allowed                        solaris.account.setpolicy
expire      set account expiry date                            solaris.account.setpolicy

Files

/etc/shadow

Shadow password file

/etc/passwd

Password file

/etc/nsswitch.conf

Name-service switch configuration file

/var/adm/lastlog

Time of last login

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE         ATTRIBUTE VALUE
Interface Stability    Committed

See Also

login(1), passwd(1), pwhash(1), strtol(3C), crypt(3C), crypt_gensalt(3C), getspnam(3C), putspent(3C), pam_chauthtok(3PAM), usermgr-1(3rad), nsswitch.conf(5), passwd(5), attributes(7), pam_unix_account(7), pam_unix_auth(7), useradm(8), useradd(8), userdel(8), usermod(8)

Managing User Accounts and User Environments in Oracle Solaris 11.4

Notes

If password aging is turned on in any name service, the passwd: line in the /etc/nsswitch.conf file must have a format specified in the nsswitch.conf(5) man page.

If the /etc/nsswitch.conf passwd policy is not in one of the supported formats, logins will not be allowed upon password expiration, because the software does not know how to handle password updates under these conditions. See nsswitch.conf(5) for additional information.