Jun 8, 2018

Linux Password & Shadow File

Traditional Unix systems keep user account information, including one-way encrypted passwords, in a text file called ``/etc/passwd''. As this file is used by many tools (such as ``ls'') to display file ownerships, etc. by matching user id #'s with the user's names, the file needs to be world-readable. Consequentally, this can be somewhat of a security risk.

Another method of storing account information, one that I always use, is with the shadow password format. As with the traditional method, this method stores account information in the /etc/passwd file in a compatible format. However, the password is stored as a single "x" character (ie. not actually stored in this file). A second file, called ``/etc/shadow'', contains encrypted password as well as other information such as account or password expiration values, etc. The /etc/shadow file is readable only by the root account and is therefore less of a security risk.

With shadow passwords, the ``/etc/passwd'' file contains account information, and looks like this:

Each field in a passwd entry is separated with ":" colon characters, and are as follows:

Username, up to 8 characters. Case-sensitive, usually all lowercase

An "x" in the password field. Passwords are stored in the ``/etc/shadow'' file.