<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of SHADOW</TITLE>
</HEAD><BODY>
<H1>SHADOW</H1>
Section: File Formats and Conversions (5)<BR>Updated: 05/28/2020<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
shadow - shadowed password file
<A NAME="lbAC">&nbsp;</A>
<H2>DESCRIPTION</H2>
<P>
shadow
is a file which contains the password information for the system's accounts and optional aging information.
<P>
This file must not be readable by regular users if password security is to be maintained.
<P>
Each line of this file contains 9 fields, separated by colons (":"), in the following order:
<P>
<B>login name</B>
<DL COMPACT><DT id="1"><DD>
It must be a valid account name that exists on the system.
</DL>
<P>
<B>encrypted password</B>
<DL COMPACT><DT id="2"><DD>
This field may be empty, in which case no passwords are required to authenticate as the specified login name. However, some applications which read the
/etc/shadow
file may decide not to permit any access at all if the password field is empty.
<P>
A password field which starts with an exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.
<P>
Refer to
<B><A HREF="/cgi-bin/man/man2html?3+crypt">crypt</A></B>(3)
for details on how this string is interpreted.
<P>
If the password field contains some string that is not a valid result of
<B><A HREF="/cgi-bin/man/man2html?3+crypt">crypt</A></B>(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in to the system by other means).
</DL>
<P>
<B>date of last password change</B>
<DL COMPACT><DT id="3"><DD>
The date of the last password change, expressed as the number of days since Jan 1, 1970.
<P>
The value 0 has a special meaning: the user should change her password the next time she logs in to the system.
<P>
An empty field means that password aging features are disabled.
</DL>
<P>
<B>minimum password age</B>
<DL COMPACT><DT id="4"><DD>
The minimum password age is the number of days the user must wait before she is allowed to change her password again.
<P>
An empty field and the value 0 both mean that there is no minimum password age.
</DL>
<P>
<B>maximum password age</B>
<DL COMPACT><DT id="5"><DD>
The maximum password age is the number of days after which the user will have to change her password.
<P>
After this number of days has elapsed, the password may still be valid. The user should be asked to change her password the next time she logs in.
<P>
An empty field means that there is no maximum password age, no password warning period, and no password inactivity period (see below).
<P>
If the maximum password age is lower than the minimum password age, the user cannot change her password.
</DL>
<P>
<B>password warning period</B>
<DL COMPACT><DT id="6"><DD>
The number of days before a password is going to expire (see the maximum password age above) during which the user should be warned.
<P>
An empty field and the value 0 both mean that there is no password warning period.
</DL>
<P>
<B>password inactivity period</B>
<DL COMPACT><DT id="7"><DD>
The number of days after a password has expired (see the maximum password age above) during which the password should still be accepted (and the user should update her password during the next login).
<P>
Once the password has expired and this inactivity period has elapsed, no login is possible using the user's current password. The user should contact her administrator.
<P>
An empty field means that no inactivity period is enforced.
</DL>
<P>
<B>account expiration date</B>
<DL COMPACT><DT id="8"><DD>
The date of expiration of the account, expressed as the number of days since Jan 1, 1970.
<P>
Note that an account expiration differs from a password expiration. In case of an account expiration, the user shall not be allowed to log in. In case of a password expiration, the user is not allowed to log in using her password.
<P>
An empty field means that the account will never expire.
<P>
The value 0 should not be used as it is interpreted as either an account with no expiration, or as an expiration on Jan 1, 1970.
</DL>
<P>
<B>reserved field</B>
<DL COMPACT><DT id="9"><DD>
This field is reserved for future use.
</DL>
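<P>
The field rules above, applied to whole entries by a small auditing parser. This is an added example, not part of the manual page or of the shadow toolsuite. Assumptions: the names parse, audit and SAMPLE are hypothetical, CRYPT_RE only approximates the output of crypt(3), and the boundary days for expiry and warning are a choice the page does not specify.
<PRE>
```python
import re

FIELDS = "name passwd lastchg min max warn inactive expire reserved".split()
# Assumption: approximates crypt(3) output as "$id$..." or a 13-character DES hash.
CRYPT_RE = re.compile(r"^(\$[A-Za-z0-9]+\$.+|[./0-9A-Za-z]{13})$")

def parse(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:  # numeric fields: keep empty (None) distinct from 0
        entry[key] = int(entry[key]) if entry[key] else None
    return entry

def audit(line, today):
    """Return findings for one entry; today is in days since Jan 1, 1970."""
    e, out = parse(line), []
    if e["passwd"] == "":
        out.append("empty password field")
    elif e["passwd"].startswith("!"):
        out.append("password locked")
    elif not CRYPT_RE.match(e["passwd"]):
        out.append("no password login")
    if e["expire"] == 0:
        out.append("ambiguous account expiration 0")
    elif e["expire"] is not None and today > e["expire"]:
        out.append("account expired")
    if e["min"] is not None and e["max"] is not None and e["min"] > e["max"]:
        out.append("user cannot change password")
    if e["lastchg"] == 0:
        out.append("password change forced at next login")
    elif e["lastchg"] is not None and e["max"] is not None:
        # Assumption: the password counts as expired strictly after lastchg + max.
        overdue = today - (e["lastchg"] + e["max"])
        if overdue > 0 and e["inactive"] is not None and overdue > e["inactive"]:
            out.append("password expired, inactivity period elapsed")
        elif overdue > 0:
            out.append("password expired, change required")
        elif e["warn"] and e["warn"] >= -overdue:
            out.append("password in warning period")
    return out

SAMPLE = [  # constructed entries, not real accounts or hashes
    "alice:$6$c29tZXNhbHQ$Y29uc3RydWN0ZWQ:18000:0:90:7:14::",
    "bob::18000:0:99999:7:::",
    "svc:*:18000:0:99999:7:::",
    "carol:!$6$c29tZXNhbHQ$Y29uc3RydWN0ZWQ:0:5:3:::18100:",
]
```
</PRE>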
<A NAME="lbAD">&nbsp;</A>
<H2>FILES</H2>
<P>
/etc/passwd
<DL COMPACT><DT id="10"><DD>
User account information.
</DL>
<P>
/etc/shadow
<DL COMPACT><DT id="11"><DD>
Secure user account information.
</DL>
<P>
/etc/shadow-
<DL COMPACT><DT id="12"><DD>
Backup file for /etc/shadow.
<P>
Note that this file is used by the tools of the shadow toolsuite, but not by all user and password management tools.
</DL>
<A NAME="lbAE">&nbsp;</A>
<H2>SEE ALSO</H2>
<P>
<B><A HREF="/cgi-bin/man/man2html?1+chage">chage</A></B>(1),
<B><A HREF="/cgi-bin/man/man2html?1+login">login</A></B>(1),
<B><A HREF="/cgi-bin/man/man2html?1+passwd">passwd</A></B>(1),
<B><A HREF="/cgi-bin/man/man2html?5+passwd">passwd</A></B>(5),
<B><A HREF="/cgi-bin/man/man2html?8+pwck">pwck</A></B>(8),
<B><A HREF="/cgi-bin/man/man2html?8+pwconv">pwconv</A></B>(8),
<B><A HREF="/cgi-bin/man/man2html?8+pwunconv">pwunconv</A></B>(8),
<B><A HREF="/cgi-bin/man/man2html?1+su">su</A></B>(1),
<B><A HREF="/cgi-bin/man/man2html?8+sulogin">sulogin</A></B>(8).
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="13"><A HREF="#lbAB">NAME</A><DD>
<DT id="14"><A HREF="#lbAC">DESCRIPTION</A><DD>
<DT id="15"><A HREF="#lbAD">FILES</A><DD>
<DT id="16"><A HREF="#lbAE">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:05 GMT, March 31, 2021
</BODY>
</HTML>