Storing passwords inside the /etc/passwd file is prone to system insecurity. The file permissions for the Shadow file are set to either 640 or 400.
What Will We Cover?
In this article, we will explore the Shadow file in Linux.
Why Do We Need the Shadow File?
The passwd file in Linux is readable for everyone and for this reason, the encrypted passwords have been transferred to a different file called the shadow file. It is only readable by root. The shadow file is also located inside the /etc folder at /etc/shadow.
Much like the passwd file, the first field in the shadow file contains the account name and uses a colon to separate different fields. Having a separate file containing encrypted passwords also facilitates adding new parameters for an account. Furthermore, this aids in controlling an account and also controls password aging.
The shadow file is kept read-protected to protect the encrypted passwords. This is an important security measure because anyone who has read access to the file can try to break the encrypted password.
Security Aspects of the Shadow File
The shadow file is a good tool to reset the root password of a Linux system. We can locate the account entry for the root user and manipulate some settings to recover our root password. However, the process of recovering passwords from the Shadow file is off-topic for now.
As mentioned earlier, the shadow file is readable by only the root. If a miscreant account holder tries to hack into the other system accounts, he is just going to hit his head against a wall. If somehow, a person gets access to the password, the time to crack it depends on the encryption algorithm used. Although, that’s not so easy as it can take a few minutes to years to crack an encrypted password.
Syntax of the Shadow File
The syntax of the shadow file is as:
The fields in the above line are represented in days. The lastchange and expiration are date fields. The time in these fields is taken from the date of the start of Unix time i.e., Jan 1, 1970.
Explanation for the Fields in the Shadow File
There are nine fields in this file that are delimited by colons’:’
Let me explain each field here:
login: Every line in a Shadow file starts with a username. The username links entries in the Shadow file from those found in /etc/passwd.
encryptedpassword: It is the placeholder for the encrypted password. So there is obviously no resemblance of it with the real password. If a * or ! is placed here, this means the account has no password.
lastchange date – It is basically a date in terms of the number of days taken from the beginning of Unix time. This is the time that gives the date when the password was last modified. If this value is 0, this means the password must be changed the next time when a user logins.
minage – This field says the password can only be changed when the date value is minage+lastage. If this field is empty, it means the password can be altered at any time.
maxage – This field says the password must be changed when the date value is maxage+lastage. It is actually the date when the password expires. For empty passwords, the expiration date is senseless and it is therefore maxage, warning, and inactivity fields are not required.
warning – This gives a warning to a user for changing the password when the date becomes lastchange+maxage-warning or the warning period of the password has started. If this value is 0 or blank(empty), this means there is no warning period.
inactivity – When the password has expired, the user can still alter their passwords until the inactivity days. If this field is not filled, there is no inactivity period.
expiration date – It is the date when the user account will expire. From this date onwards, the account will not be available for login. If this field is empty, the account will never expire. Also, do not use a ‘0’ value here.
Special flag: This place is normally not used and has been put for future use.
Now let’s take an example to clarify our understanding of the above fields. Take, for example, the below sample entry from the shadow file:
Let’s break down each field step by step:
1. linuxhint is the name of the user.
2. The next field is the encrypted password of the user. It is a long password. However, we have slightly truncated it for the sake of brevity.
3. The user has modified his password 12825 days or 35 Years, 1 Month and 11 days which is 11 Feb 2005 since Unix epoch time i.e. Jan 1, 1970.
4. The minimum time after which the user can change their password is 14 days. To make the password changeable at any time, set this field to 0.
5. The password will need to be reset after every 45 days.
6. The warning for resetting the password will appear 10 days before the date of changing it.
7. If the password expires and no login action is performed for 30 days, the user account will be disabled.
8. After 13096 days from Unix epoch time or 9 Nov 2005, the account will expire.
Conclusion
Shadow file is a very secure place to store your account information. There are security concerns in strong user passwords inside the passwd file. Making the Shadow file readable by root only eliminates the chances of password exploitation by miscreant users and attackers.