What is /etc/shadow file and various fields in /etc/shadow

After understanding /etc/passwd file in previous post, let us understand another important configuration file related to user management i.e /etc/shadow. As earlier explained in the /etc/passwd file that second field written as (x), means shadowing is enabled and encrypted password exists for that user in another file “/etc/shadow”. Encrypted passwords can be stored in /etc/passwd file but that is not recommended as there is security risk due to world readable permissions on the /etc/passwd, that is why it is a good practice to have encrypted passwords stored in separate /etc/shadow file.
One-Liner Definition:
/etc/shadow file stores the encrypted password and other passwords related information and policies like expiration etc for the user’s accounts.

Contents of /etc/shadow file

Below is the format of /etc/shadow file.

/etc/shadow file linux
Fig: /etc/shadow fields

Following are the different fields of /etc/shadow file.
  1. Username or Login name: First field of /etc/shadow file is the username or login name. In the above example, John is our username.
  2. Encrypted Password Hash: Second field of /etc/shadow file contains the encrypted password. For encryption, SHA512 algorithm is used. A blank entry (::) means no password is required to login for that user, while a (*) entry means that account of that user has been disabled.
  3. Last Password Change: Third fields give the number of days since January 1, 1970, that last password was changed. 
  4. Minimum number of days between password change:  Minimum number of days you must keep a password. (0 in the fourth field means password can be changed anytime)
  5. Maximum number of days password is valid: Maximum number of days password is valid and after which password expires and the user is forced to change the password.
  6. Warning: Number of days before password expiration, the warning message will be given to user regarding an expiring password.
  7. Account Disabled: The seventh field specifies the number of days after the password expiration, the account will be disabled, Once the given days in this field are elapsed, the account will be inactive/disabled.
  8.  Account expiration duration in days since epoch: Number of days since January 1, 1970 since the account has been disabled.
  9. Not used or reserved for future use.
What is Shadowing ?
Earlier the passwords of users were stored in encrypted format in second field of /etc/passwd. Since /etc/passwd file is world readable that means any user can see the contents of it, so there is security risk. To overcome this problem, passwords were kept in a separate file /etc/shadow along with other password related information.
By default, shadowing is enabled on Linux System. To disable shadowing use #pwunconv command and to enable it back use #pwconv command.
Sample /etc/shadow file looks like:

Permissions on /etc/shadow file

---------- 1 root root 1144 Aug 16 15:41 /etc/shadow

Earlier versions of RHEL have 600 permissions on /etc/shadow. Above are the permissions (000) of  /etc/shadow file  on a RHEL 7 machine, Normal users can not read this file, it is owned by user root and group root, hence file is only accessible to root user, If you try to modify this file as root, you will get a warning ” You are trying to modify a read-only file”
That’s all for this tutorial, i hope you must have understood /etc/shadow file if you have any doubts or questions, feel free to comment below.