/etc/shadow
File structure
The `/etc/shadow` file has the following structure:
| Position | Required | Meaning | Sample |
|---|---|---|---|
| 1 | [x] | username | `root` |
| 2 | [x] | encrypted PWD | `$y$j9T$s4vwO2I5UHwclf5N6C5rG1$CfftTrFwZ4uqdhChK/P48VfKuIMpMAZb4gVJbhbGAS0` |
| 3 | [x] | last PWD change (sec after epoch) | `1727789676` |
| 4 | [ ] | min time to next pwd change (in days) | `0` |
| 5 | [ ] | max time pwd validity (in days) | `99999` |
| 6 | [ ] | warn user about expiring pwd (in days) | `7` |
| 7 | [ ] | days after pwd expiry until the account becomes inactive | `7` |
| 8 | [ ] | day (after epoch) after which the user gets disabled | `` (empty) |
Recommended values for:
- encrypted PWD: use the strongest possible encryption available on your system
- day (after epoch) after which the user gets disabled: do not use the value `0`, as this can be interpreted as either:
  - the account will never expire
  - the account expired on 1970-01-01
Insights for:
- encrypted PWD: can be either a valid crypted string or `*` or `!` or `!!`
- min time to next pwd change: can stay empty or also be `0` to have no limitation
- max time pwd validity: if empty there will be no max time, but most of the time you will see `99999` for personal user accounts
Some sample lines:

```
root:$y$j9T$s4vwO2I5UHwclf5N6C5rG1$CfftTrFwZ4uqdhChK/P48VfKuIMpMAZb4gVJbhbGAS0:18442:0:99999:7:::
daemon:*:18442:0:99999:7:::
bin:*:18442:0:99999:7:::
lightdm:!:18442::::::
uuidd:!:18442::::::
gnome-remote-desktop:!*:18442::::::
```
Encrypted PWD markers
At the beginning of the PWD string, you can identify which kind of encryption was used:

| First 3 characters | Description |
|---|---|
| `$1$` | Message Digest 5 (MD5) |
| `$2a$` | blowfish |
| `$5$` | 256-bit Secure Hash Algorithm (SHA-256) |
| `$6$` | 512-bit Secure Hash Algorithm (SHA-512) |
| `$y$` (or `$7$`) | yescrypt |
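The following Python script is an added example (not part of the original page) that ties the file structure, the password-field markers and the hash-prefix table together: it parses `/etc/shadow` lines into the eight fields listed above, classifies field 2 as a hash, a lock marker (`*`, `!`, `!!`, or `!` in front of a hash) or empty, maps the `$...$` prefix to the scheme names from the table, and reports the two audit points the page raises (a weak scheme, and an expire field of `0`). The sample file is constructed from the page's own sample lines plus two constructed lines (`legacy` with a placeholder MD5-style hash, `nopass` with an empty password and expire field `0`); the `WEAK_SCHEMES` set and the check for a missing maximum age are this example's own assumptions.

```python
"""Parse and audit /etc/shadow lines (added example, not the page's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hash-prefix table from the page: the id between the first two '$' picks the scheme.
HASH_SCHEMES = {"1": "MD5", "2a": "blowfish", "5": "SHA-256",
                "6": "SHA-512", "y": "yescrypt", "7": "yescrypt"}
WEAK_SCHEMES = {"MD5"}              # assumption: what this audit treats as too weak
LOCK_MARKERS = {"*", "!", "!!"}     # field-2 values that mean "no password login"


@dataclass
class ShadowEntry:
    username: str
    password: str
    last_change: Optional[int]   # field 3; the sample lines above store a day count
    min_days: Optional[int]      # field 4
    max_days: Optional[int]      # field 5
    warn_days: Optional[int]     # field 6
    inactive_days: Optional[int]  # field 7
    expire_day: Optional[int]    # field 8


def _int_or_none(field: str) -> Optional[int]:
    # Empty optional fields stay None so "unset" and "0" are distinguishable.
    return int(field) if field != "" else None


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    # Real files carry a ninth, reserved field after the eight in the table above.
    if len(fields) not in (8, 9):
        raise ValueError(f"expected 8 or 9 colon-separated fields: {line!r}")
    numeric = [_int_or_none(f) for f in fields[2:8]]
    return ShadowEntry(fields[0], fields[1], *numeric)


def classify_password(pw: str) -> Tuple[str, Optional[str]]:
    """Return (status, scheme); status is 'empty', 'locked', 'hashed' or 'unrecognized'."""
    if pw == "":
        return "empty", None
    if pw in LOCK_MARKERS:
        return "locked", None
    locked = pw.startswith("!")       # e.g. "!*" or "!$6$..." (hash kept, login disabled)
    body = pw.lstrip("!")
    if body == "*":
        return "locked", None
    if body.startswith("$"):
        scheme_id = body.split("$")[1]
        scheme = HASH_SCHEMES.get(scheme_id, f"unknown({scheme_id})")
        return ("locked" if locked else "hashed"), scheme
    return "unrecognized", None


def audit_entry(entry: ShadowEntry) -> List[str]:
    findings: List[str] = []
    status, scheme = classify_password(entry.password)
    if status == "empty":
        findings.append("empty password field: login without a password may be allowed")
    if status == "unrecognized":
        findings.append("password field is not a recognised crypt string or lock marker")
    if scheme in WEAK_SCHEMES:
        findings.append(f"weak hash scheme {scheme}: rehash with the strongest scheme available")
    if entry.expire_day == 0:
        findings.append("expire field is 0: ambiguous between 'never expires' and 'expired 1970-01-01'")
    if status == "hashed" and entry.max_days is None:
        findings.append("no maximum password age set")   # assumption: flag as a finding
    return findings


def audit_shadow(text: str) -> Dict[str, List[str]]:
    report: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_shadow_line(line)
        report[entry.username] = audit_entry(entry)
    return report


# Constructed sample file: the page's sample lines plus two constructed bad lines.
SAMPLE_SHADOW = """\
root:$y$j9T$s4vwO2I5UHwclf5N6C5rG1$CfftTrFwZ4uqdhChK/P48VfKuIMpMAZb4gVJbhbGAS0:18442:0:99999:7:::
daemon:*:18442:0:99999:7:::
lightdm:!:18442::::::
gnome-remote-desktop:!*:18442::::::
legacy:$1$Zq8s$CONSTRUCTEDMD5HASHPLACEHOLDER:18442:0:99999:7:::
nopass::18442:0:99999:7::0:
"""

if __name__ == "__main__":
    for user, findings in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against a real file with `audit_shadow(open("/etc/shadow").read())` as root; the parser keeps empty fields as `None` so that an explicit `0` in field 8 (the ambiguous value the page warns about) is reported while a genuinely empty field is not.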