Linux's Shadow Password File


Because it holds the actual encrypted passwords for every account on your system, the shadow file is undoubtedly one of the most crucial files on your Linux system. The shadow file is located at /etc/shadow, and only the root user has access to it. In practice, it has a permission mode of 640, which gives the owner read-write access and the group read access. We'll go over the shadow file in this tutorial.

The information in the shadow file is separated by a colon. So, here's what it'd look like:


In my case, I’m going to pick out one of the users (user=jacksaw) to use as an example.

  • [message]
    • jacksaw:$6$uUSXwCvO$Ic9kN9dS0BHN.NU.5h7rAcEQbtjPjqWpej5o5y7JlrQK0hdQrzKBZB1V6CowHhCpk25PaieLcJEqC6e02ExYA.:18917:0:99999:7:::

Here, there are nine fields separated by colons!

  1. The first field is the username itself. In my case, it's jacksaw; in your case, it'd be your username.
  2. The second field contains the encrypted password ($6$uUSXwCvO$Ic9kN9dS0BHN.NU.5h7rAcEQbtjPjqWpej5o5y7JlrQK0hdQrzKBZB1V6CowHhCpk25PaieLcJEqC6e02ExYA.). Here, there are three dollar signs. Between the first and second dollar signs is the type of encryption; between the second and third dollar signs is the salt; and after the third dollar sign is the hash itself.

Here you can see $6$, which means that the encryption type is SHA-512. The prefixes are as follows:
  1. $1$ – MD5
  2. $2$ – Blowfish
  3. $3$ – Blowfish
  4. $5$ – SHA-256
  5. $6$ – SHA-512

After that is uUSXwCvO, the salt. To make the hash more unique, we add what is known as a salt. The salt itself is a random sequence of characters, which is attached to the password while the hash is being computed.

You can check this yourself with the mkpasswd tool from the whois package. Install the whois package first:

  • [message]
    • $ sudo apt-get install whois

Then, once you've installed the whois package, type the following:

  • [message]
    • $ mkpasswd -m sha-512 PASSWORD [SALT]

In the latter, replace PASSWORD with the password you want and SALT with the salt you want.

For example:

  • [message]
    • $ mkpasswd -m sha-512 toor uUSXwCvO

The true hash is the last section of the encrypted password, or everything after the third dollar sign.


3. The third field is the date of the most recent password change. The figure is counted from the epoch (Jan 1st, 1970), which means that the number is calculated using the epoch date as a starting point. This number is 18917 in my case. If this field is blank, the password ageing features are not turned on. If this field is blank, the user must update his or her password the next time he or she logs in.

4. The fourth field is the minimum password age. The minimum password age is the number of days that must pass before the user is allowed to change their password again. There is no minimum password age if the setting is 0. It's 0 in my case, which means that there is no minimum password age on my machine.

5. The fifth field is the maximum password age. The maximum password age is the number of days before the user must change his or her password. If this field is blank, there is no maximum password age. This number is 99999 in my case.

6. The sixth field is the password warning period. The password warning period is the number of days before the password expires during which the user will be notified. It's 7 in my case.

7. The seventh field is the password inactivity period. The password inactivity period is the number of days that a password that has expired can still be used. Logging in is impossible once the password has expired and this period has passed. The field is empty in my case, indicating that there is no password inactivity period.

8. The eighth field is the account expiration date. The account expiration date is precisely what it says on the tin: the date on which the account is set to expire. This value is counted from the epoch (Jan 1st, 1970).

9. The ninth field is a reserved field. This field is presently unused and is kept for future use.
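The nine fields described above, parsed in Python as an added example (not code from the original article). The function and key names are this example's own assumptions; it also handles the optional rounds=N parameter and non-hash values such as ! or *, which the article does not cover.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = "user pwd lastchg min max warn inactive expire reserved".split()
# Prefixes from the article's list that use the $id$salt$hash layout
SCHEMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}


def split_hash(pwd):
    """Split '$id$salt$hash'; anything else yields scheme None or 'other'."""
    out = {"scheme": None, "salt": None, "hash": None}
    if not pwd.startswith("$"):
        return out                      # '', '*', '!...': no usable hash
    parts = pwd.split("$")[1:]          # drop the empty piece before the first '$'
    if len(parts) == 4 and parts[1].startswith("rounds="):
        del parts[1]                    # optional rounds=N parameter ($5$/$6$)
    out["scheme"] = SCHEMES.get(parts[0], "other")
    if parts[0] in SCHEMES and len(parts) == 3:
        out["salt"], out["hash"] = parts[1], parts[2]
    return out


def days_to_date(value):
    """Days-since-epoch field -> date; a blank field stays None."""
    return EPOCH + timedelta(days=int(value)) if value else None


def parse_shadow_line(line):
    values = line.rstrip("\n").split(":")
    if len(values) != 9:
        raise ValueError(f"expected 9 fields, got {len(values)}")
    entry = dict(zip(FIELDS, values))
    entry.update(split_hash(entry["pwd"]))
    entry["last_change"] = days_to_date(entry["lastchg"])
    entry["account_expires"] = days_to_date(entry["expire"])
    # Password expiry = last change (field 3) + maximum age (field 5)
    entry["password_expires"] = (
        entry["last_change"] + timedelta(days=int(entry["max"]))
        if entry["last_change"] and entry["max"] else None)
    return entry


# The article's sample entry, joined onto one line
SAMPLE = ("jacksaw:$6$uUSXwCvO$Ic9kN9dS0BHN.NU.5h7rAcEQbtjPjqWpej5o5y7JlrQK0hdQrzKBZ"
          "B1V6CowHhCpk25PaieLcJEqC6e02ExYA.:18917:0:99999:7:::")

if __name__ == "__main__":
    for key, value in parse_shadow_line(SAMPLE).items():
        print(f"{key:17}{value}")
```

Run against the sample entry, the day count 18917 in the third field resolves to 2021-10-17.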

Changing the Password

All of this means that the password must be updated or changed on a frequent basis. The next question is: how can we reset the existing password and avoid all of the complications that come with password ageing? One must be root in order to change the password!

  • [message]
    • $ sudo passwd {USERNAME}

Instead of {USERNAME}, enter your own username for which you want to change the password. It will prompt you for the current password. Once you enter it, it will ask you for the new password, and you can enter that too. And that’s it!


Changing the Password Expiration Information

The password expiration information is another piece of information that should be changed. The chage command comes in handy in these situations!

The general syntax of chage is:

chage [options] LOGIN

-d, --lastday

This sets the date of the last password change since the epoch. It is written as YYYY-MM-DD.

-E, --expiredate

This sets the date on which the account will be disabled. The date itself is expressed as YYYY-MM-DD and is counted from the epoch. If you pass -1, there will be no account expiration date.

-h, --help

This will display help.

-I, --inactive

This sets the password inactivity period. If you put -1 in the inactive field, then there will be no inactivity period.

-l, --list

This displays password aging info.

-m, --mindays

This sets the minimum number of days between password changes. If you put 0, it means that the user can change his/her password at any time.

-M, --maxdays

This sets the maximum number of days during which the current password is valid. If -1 is passed, it will remove the checking of the validity of the password.

-W, --warndays

This sets the password warning period.

By far the most critical file on your Linux system is the shadow file. Previously, the passwd file held all of the passwords; however, the passwd file is now just a plain text file containing user information, while the shadow file has all the password information! Because it contains password information, it is restricted to the superuser and its passwords are stored scrambled (encrypted).

There are nine fields separated by colons in the shadow file, each of which expresses password information or password ageing information. In any case, the shadow file should be safeguarded and sealed!
