Poking around in your Linux system files, you might have come across a file in the /etc directory named shadow. It may sound creepy, but it's really a safe, necessary, and useful file for system administration.

Today we'll take a closer look at the contents of the /etc/shadow file and what it can tell you about your system.

What Is /etc/shadow?

Mysterious as it sounds, the file's function is quite straightforward. The /etc/shadow file contains information about a Linux system's users, their passwords, and time regulations for their passwords.

When you create or change a password in Linux, the system hashes it and stores the hash in the shadow file. Any password rules assigned by the administrator, like expiration dates and inactivity periods, are stored here too. The shadow file can then tell authentication mechanisms whether a user's password is correct, for example, or whether it has expired.

You should never edit the shadow file directly. It's maintained by automated processes and not meant for regular users to modify. Nonetheless, the information it contains can be valuable to you, so it's worth a look.

What's in the Linux shadow File?

To see the shadow file's contents, open a terminal and issue the cat command on it:

        sudo cat /etc/shadow

You'll see a prompt asking you for your password. Assuming you have administrative permissions, you'll see a printout of strings of text that look similar to this (ellipses mark where the string was clipped to fit your screen):

        muo1:$6$IK2...$20a...:18731:0:99999:7:::

It looks cryptic, and indeed, some of it is hashed text. The string follows a fixed layout, however, and holds specific pieces of information, delimited by the colon (:) character.

Here's a complete layout of the string:

        [username]:[password]:[date of last password change]:[minimum password age]:[maximum password age]:[warning period]:[inactivity period]:[expiration date]:[unused]

Let's take a closer look at each of these fields:

1. Username

Everything that follows in the string is associated with this username.

2. Password

The password field is itself made up of three sub-fields, delimited by dollar signs: $id$salt$hash.

  • id: This identifies the hashing algorithm used to hash your password. Values may be 1 (MD5), 2a (Blowfish), 2y (Eksblowfish), 5 (SHA-256), or 6 (SHA-512).
  • salt: This is the salt that was mixed into the password before hashing, so that two users with the same password do not end up with the same hash.
  • hash: This is the user's password as it appears after hashing. The shadow file keeps only a hashed version of your password, so the system can check any password attempt against it without ever storing the password itself.


Sometimes the password field contains only an asterisk (*) or exclamation point (!). That means the system has disabled the user's account, or the user must authenticate through means other than a password. This is often the case for system processes (also known as pseudo-users) that you're likely to find in the shadow file as well.

3. Date of Last Password Change

Here you'll find the last time this user changed their password. Note that the system stores the date as the number of days since the Unix epoch (January 1, 1970), not as a human-readable date; the 18731 in the example above is such a day count.

4. Minimum Password Age

You'll find here the number of days the user must wait after changing their password before changing it again.

If the minimum is not set, the value here will be 0.

5. Maximum Password Age

This defines how long a user can go without changing their password. Frequently changing your password has its benefits, but by default, the value will be set at a generous 99,999 days. That's close to 275 years.

6. Warning Period

This field sets the number of days before a password reaches its maximum age during which the user will receive reminders to change it.

7. Inactivity Period

This is the number of days that can pass after the user's password has reached its maximum age before the system disables the account. Think of this as a "grace period" during which the user has a second chance to change their password, even though it's technically expired.

8. Expiration Date

This date marks the end of the inactivity period, when the system will automatically disable the user's account. Once disabled, the user will be unable to log in until an administrator re-enables the account.

This field will be empty if not set. If it is set, the date appears as a day count since the Unix epoch, in the same format as the last-change field.

9. Unused

This field currently serves no purpose and is reserved for potential future use.
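To tie the nine fields together, here is a small parser for the layout described above. It is an added example, not part of the original article; the sample records are constructed, and the field names and helper functions are this example's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)
# Hash-method ids in the $id$salt$hash password field.
HASH_IDS = {"1": "MD5", "2a": "Blowfish", "2y": "Eksblowfish",
            "5": "SHA-256", "6": "SHA-512"}


@dataclass
class ShadowEntry:
    username: str
    password: str
    last_change: Optional[date]  # field 3: days since epoch -> date
    min_age: Optional[int]       # field 4
    max_age: Optional[int]       # field 5
    warn: Optional[int]          # field 6
    inactive: Optional[int]      # field 7
    expire: Optional[date]       # field 8: days since epoch -> date


def _days(field: str) -> Optional[date]:
    """Day count since 1970-01-01 -> date; an empty field means 'not set'."""
    return EPOCH + timedelta(days=int(field)) if field else None


def _int(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow record into its nine colon-delimited fields."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    return ShadowEntry(f[0], f[1], _days(f[2]), _int(f[3]), _int(f[4]),
                       _int(f[5]), _int(f[6]), _days(f[7]))


def describe_password(pw: str) -> str:
    """Classify the password field: disabled marker or $id$salt$hash."""
    if pw in ("*", "!"):
        return "no password login (account disabled or non-password auth)"
    parts = pw.split("$")  # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if len(parts) == 4 and parts[0] == "" and parts[1] in HASH_IDS:
        return f"{HASH_IDS[parts[1]]} hash, salt={parts[2]!r}"
    return "unrecognised password field"


# Constructed sample records, not taken from any real system.
SAMPLE = ["muo1:$6$IK2abc$20aXYZ:18731:0:99999:7:::",
          "daemon:*:18474:0:99999:7:::",
          "alice:$5$saltsalt$hashhash:18900:1:90:7:14:19000:"]
```

Running `parse_shadow_line` over each record in `SAMPLE` and passing the password field to `describe_password` shows the day counts as calendar dates and the hash method in use.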

The shadow File Explained

The shadow file really isn't mysterious at all. Remember, however, that if you want to change passwords and password rules, you should avoid editing the shadow file directly and instead opt to use tools designated for that purpose.

Whenever you add a new user to your Linux system, the /etc/shadow file is automatically modified to store the authentication information about the user.