Understanding the /etc/shadow file in Linux

The /etc/shadow file is a colon-separated list of the attributes of each user account. A very similar file is /etc/passwd. The /etc/shadow file has the following fields.

  • Field 1 = username
  • Field 2 = password
  • Field 3 = Date password changed
  • Field 4 = Minimum number of days between password changes
  • Field 5 = Maximum number of days between password changes
  • Field 6 = Warning
  • Field 7 = Inactive
  • Field 8 = Expiration date

 

The cat command can be used to view the /etc/shadow file.

[root@server1 ~]# cat /etc/shadow
user1:!:17014:0:99999:7::18350:
. . .

 

The usermod, passwd, and chage commands can be used to modify the /etc/shadow file.


Field 1 (Username)

The first field of the /etc/shadow file is username. In this example, the username is user1.

[root@server1 ~]# cat /etc/shadow
user1:!:17014:0:99999:7::18350:
. . .

 


Field 2 (Password)

The second field of the /etc/shadow file is password. If only an exclamation point is displayed, the user account is not secured with a password.

[root@server1 ~]# cat /etc/shadow
user1:!:17014:0:99999:7::18350:
. . .

 

If a random string of data is displayed, the user account is secured with a hashed password.

[root@server1 ~]# cat /etc/shadow
user1:$6HV7FH3HVNFH7X8DJ1MDHC8SA7J1M388E8SJSJDMD71J37A:17014:0:99999:7::18350:
. . .

 

If there is an exclamation point followed by a random string of data, the user's password has expired or the user account is locked. Use the usermod command to unlock the account.

[root@server1 ~]# cat /etc/shadow
user1:!$6HV7FH3HVNFH7X8DJ1MDHC8SA7J1M388E8SJSJDMD71J37A:17014:0:99999:7::18350:
. . .

 


Field 3 (Date password changed)

The third field in the /etc/shadow file is the date the password was changed (17014 in this example). This is the number of days that elapsed between Jan 1, 1970 and the date that the password was changed.

[root@server1 ~]# cat /etc/shadow
user1:!:17014:0:99999:7::18350:
. . .

 


Field 4 (Minimum password days)

The fourth field in the /etc/shadow file is the minimum number of days that must elapse between password changes. For example, if set to 1, 24 hours must elapse between password changes. If set to 0, minimum password days is disabled.

Minimum days can also be viewed and changed using the chage (change age) command.

[root@server1 ~]# cat /etc/shadow
user1:!:17014:0:99999:7::18350:
. . .

 


Field 5 (Maximum password days)

The fifth field in the /etc/shadow file is the maximum number of days that can elapse between password changes. For example, if set to 365, the password must be changed once a year. If set to 99999, maximum password days is disabled.

Maximum days can also be viewed and changed using the chage (change age) command.

[root@server1 ~]# cat /etc/shadow
user1:!:17014:0:99999:7::18350:
. . .

 


Field 6 (Warning)

The sixth field in the /etc/shadow file is the number of days before a password expires that a user will be warned that their password must be changed (7 in this example).

Warning days can also be viewed and changed using the chage (change age) command.

[root@server1 ~]# cat /etc/shadow
user1:!:17014:0:99999:7::18350:
. . .

 


Field 7 (Inactive)

The seventh field in the /etc/shadow file is the number of days that can elapse after a password has expired during which the account can still be used (empty in this example).

Inactive days can also be viewed and changed using the chage (change age) command.

[root@server1 ~]# cat /etc/shadow
user1:!:17014:0:99999:7::18350:
. . .

 

 


Field 8 (Expiration Date)

The eighth field in the /etc/shadow file is the date the user account will expire (empty in this example). By default, user accounts are set to never expire.

[root@server1 ~]# cat /etc/shadow
user1:!:17014:0:99999:7::18350:
. . .

 

Expiration date can also be viewed and changed using the chage (change age) command.

The maximum number of days for an account to expire is 999 days. Setting an account expiration date many years in the future will default to 999 days.

Setting an account to expire in 99999 days is the same as setting the account to never expire.
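
The field layout described above, as an added example that is not part of the original page: a Python parser that splits a shadow-format line into its fields, classifies field 2 without exposing the hash, and converts the day counts in fields 3 and 8 into calendar dates. The function names and the sample lines are constructed for illustration, and the handling of an empty, "!" or "*" password field follows the shadow(5) man page.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NAMES = ("username", "password", "last_change", "min_days", "max_days",
         "warn_days", "inactive_days", "expire_date", "reserved")

# Constructed sample lines (placeholder hash, not real credentials).
SAMPLE = [
    "user1:!:17014:0:99999:7::18350:",
    "user2:$6$SALT$HASH:17014:1:90:7:14::",
    "user3:!$6$SALT$HASH:17014:0:99999:7:::",
]

def password_status(field):
    """Classify field 2 without exposing the hash itself."""
    if field == "":
        return "empty"      # shadow(5): no password is required to log in
    if field.strip("!*") == "":
        return "no-hash"    # '!' or '*': not a valid crypt(3) result
    if field.startswith("!"):
        return "locked"     # hash kept, '!' prefix added (e.g. usermod -L)
    return "hashed"

def to_date(days):
    """Fields 3 and 8 count days since Jan 1, 1970; None means not set."""
    return None if days is None else EPOCH + timedelta(days=days)

def parse_shadow_line(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(NAMES):  # 8 documented fields + reserved 9th
        raise ValueError(f"expected {len(NAMES)} fields, got {len(parts)}")
    rec = dict(zip(NAMES, parts))
    for key in NAMES[2:8]:        # numeric fields; empty means not set
        rec[key] = int(rec[key]) if rec[key] else None
    rec["status"] = password_status(rec.pop("password"))
    rec["last_change"] = to_date(rec["last_change"])
    rec["expire_date"] = to_date(rec["expire_date"])
    # 99999 (or empty) maximum days means password aging is disabled.
    if rec["last_change"] and rec["max_days"] not in (None, 99999):
        rec["password_expires"] = rec["last_change"] + timedelta(days=rec["max_days"])
    else:
        rec["password_expires"] = None
    return rec

if __name__ == "__main__":
    for line in SAMPLE:
        r = parse_shadow_line(line)
        print(r["username"], r["status"], r["last_change"],
              r["password_expires"], r["expire_date"])
```

A line with the wrong number of fields, such as one copied from /etc/passwd, raises ValueError instead of being parsed with shifted columns.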

 

 


