shadow - shadow password file
/etc/shadow is an access-restricted ASCII system file. The fields for
each user entry are separated by colons. Each user is separated from the
next by a newline. Unlike the /etc/passwd file, /etc/shadow does not
have general read permission. To create /etc/shadow from /etc/passwd use
the pwconv command (see pwconv(1M)).
Here are the fields in /etc/shadow:
username The user's login name (ID).
password A 13-character encrypted password for the user, a lock string
to indicate that the login is not accessible, or no string to
show that there is no password for the login.
lastchanged The number of days between January 1, 1970 and the date that
the password was last modified.
minimum The minimum number of days required between password changes.
This field is set by passwd -n.
maximum The maximum number of days the password is valid. This field
is set by passwd -m.
warn The number of days before that password expires that the user
is warned. This field is set by passwd -w.
inactive The number of days of inactivity allowed for that user. This
field is set by passmgmt -f days.
expire An absolute date when the login can no longer be used,
specified in days since the epoch (January 1, 1970). This
field is set by passmgmt -e when, where the when argument is
used as an input string to getdate(3). passmgmt converts
this to the days since the epoch value.
flag Reserved for future use; set to zero. Currently not used.
The encrypted password consists of 13 characters chosen from a 64-
character alphabet (., /, 0-9, A-Z, a-z).
To update this file, use the passwd command.
One way of determining the number of days since the epoch:
% perl -e 'print int(time/(60*60*24))'
login(1), passmgmt(1M), passwd(1), pwconv(1M), getspent(3C),
The shadow file can be served through NIS but that should only be done if
the appropriate attributes in nsd are set correctly for that map: the
nis_secure attribute (see nisserv(7)) should be turned on and the mode
attribute (see nsd(1M)) should be set to 0700. Failing to do so
introduces a security hole by allowing any user to view entries from the
shadow file. This map is not built by default in mdbm_parse. Ypmake
needs to be called with the explicit map name shadow. Also a line would
need to be added to the servers nsswitch.conf file to allow serving the
PPPPaaaaggggeeee 2222 [ Back ]