Tuesday, May 01, 2007

Format of passwd and shadow files

Format of the /etc/passwd file

A non-shadowed /etc/passwd file has the following format:

username:passwd:UID:GID:full_name:directory:shell
Where:
username

The user (login) name

passwd

The encoded password

UID

Numerical user ID

GID

Numerical default group ID

full_name

The user's full name. This field is actually called the GECOS (General Electric Comprehensive Operating System) field and can hold more than the full name; by convention it is a comma-separated list (full name, office, office phone, home phone) as maintained by chfn. The shadow suite's commands and manual pages refer to it as the comment field.

directory

User's home directory (Full pathname)

shell

User's login shell (Full Pathname)

For example:
username:Npge08pfz4wuk:503:100:Full Name:/home/username:/bin/sh
Where Np is the two-character salt and ge08pfz4wuk is the encoded password, giving the 13-character form produced by the traditional DES-based crypt(3). The encoded salt/password could just as easily have been kbeMVnZM0oL7I: the two encode exactly the same password under different salts. Each salt character is drawn from 64 possibilities (a-z, A-Z, 0-9, '.' and '/'), so there are 64 x 64 = 4096 possible encodings of the same password. (The example password in this case is 'password', a really bad password.) Note that traditional DES crypt uses only the first eight characters of the password; current systems instead store hashes in the modular "$id$salt$hash" form (for example $6$ for SHA-512 crypt or $y$ for yescrypt), which has no such limit and a much larger salt.

Once the shadow suite is installed, the /etc/passwd file would instead contain:

username:x:503:100:Full Name:/home/username:/bin/sh
The x in the second field is now just a placeholder. The format of the /etc/passwd file did not change; it simply no longer contains the encoded password. This means that any program that reads /etc/passwd but does not actually need to verify passwords will still operate correctly. That matters because /etc/passwd has to stay world-readable: too many programs look up UIDs, user names, home directories and shells in it. As long as the encoded passwords lived there, any local user could copy them and run an offline dictionary attack against them, which is the problem the shadow suite addresses.

The encoded passwords are relocated to the shadow file (usually /etc/shadow), which is readable only by root (and, on many systems, a dedicated shadow group used by setgid helpers), so ordinary users can no longer read the hashes at all.

Format of the shadow file

The /etc/shadow file contains the following information:

username:passwd:last:may:must:warn:expire:disable:reserved
Where:
username

The User Name

passwd

The Encoded password

last

Days since Jan 1, 1970 that the password was last changed (a value of 0 means the user must change the password at the next login)

may

Minimum number of days that must pass after a change before the password may be changed again (0 means it may be changed at any time)

must

Maximum number of days the password is valid; after this many days since the last change the user must change it (an empty field means the password never expires)

warn

Number of days before the password expires during which the user is warned at login

expire

Number of days after the password has expired during which login is still accepted (the user is forced to change the password); once that grace period passes the account is disabled

disable

Days since Jan 1, 1970 on which the account is disabled outright, regardless of the password's state (an empty field means no such date is set)

reserved

A reserved field

The previous example might then be:
username:Npge08pfz4wuk:9479:0:10000::::
Here the password was last changed 9479 days after Jan 1, 1970 (15 December 1995), it may be changed again at any time (0), it must be changed 10000 days after that last change, and no warning period, grace period or account-disable date is set (the four empty fields). The last field is the reserved one and is also empty.
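The following is an added example written for this page, not code from the shadow suite or the original post. It parses records in both formats described above (the seven-field /etc/passwd record and the nine-field /etc/shadow record), converts the day-count fields into calendar dates, classifies the encoded-password field, and reports the kind of findings a reviewer would look for (a hash left in the world-readable /etc/passwd, a 13-character DES crypt hash, an empty password, an expired password or a disabled account). The sample records are constructed from the page's own examples; the SHA-512 entry for root is a placeholder string, not a real hash, and the modular "$id$" prefixes it recognises are assumed from current crypt(3) usage rather than from the 2007 text.

```python
# Added example for this page: parsers for passwd(5) and shadow(5) records
# plus a small audit of what the fields imply. Not code from the shadow suite.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)   # the shadow day-count fields are relative to this date

# "$id$salt$hash" prefixes used by modern crypt(3) (assumed; not in the 2007 text).
CRYPT_IDS = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt",
             "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}


@dataclass
class PasswdEntry:
    username: str
    passwd: str        # encoded password, or "x" once shadow is in use
    uid: int
    gid: int
    gecos: str         # "full name" / comment field
    directory: str
    shell: str


@dataclass
class ShadowEntry:
    username: str
    passwd: str
    last: Optional[int]     # days since epoch the password was last changed
    may: Optional[int]      # days before the password may be changed again
    must: Optional[int]     # days after which the password must be changed
    warn: Optional[int]     # days of warning before expiry
    expire: Optional[int]   # days after expiry before the account is disabled
    disable: Optional[int]  # days since epoch on which the account is disabled
    reserved: str


def _days(field: str) -> Optional[int]:
    """An empty day-count field means 'not set'."""
    return int(field) if field else None


def parse_passwd_line(line: str) -> PasswdEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"passwd record needs 7 fields, got {len(fields)}: {line!r}")
    user, pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(user, pw, int(uid), int(gid), gecos, home, shell)


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"shadow record needs 9 fields, got {len(fields)}: {line!r}")
    user, pw, last, may, must, warn, expire, disable, reserved = fields
    return ShadowEntry(user, pw, _days(last), _days(may), _days(must), _days(warn),
                       _days(expire), _days(disable), reserved)


def day_to_date(days: int) -> date:
    """Turn a 'days since Jan 1, 1970' field into a calendar date."""
    return EPOCH + timedelta(days=days)


def password_expiry_date(sh: ShadowEntry) -> Optional[date]:
    """Date on which the password must be changed (last + must), if both are set."""
    if sh.last is None or sh.must is None:
        return None
    return day_to_date(sh.last + sh.must)


def hash_scheme(passwd: str) -> str:
    """Classify an encoded-password field without attempting to crack it."""
    if passwd == "":
        return "empty"
    if passwd[0] in "!*":
        return "locked"        # 'passwd -l' prepends '!'; '*' is the no-login convention
    if passwd.startswith("$"):
        return CRYPT_IDS.get(passwd.split("$")[1], "unknown")
    if len(passwd) == 13:
        return "des-crypt"     # 2-char salt + 11-char hash, 4096 possible salts
    return "unknown"


def audit(pw: PasswdEntry, sh: Optional[ShadowEntry], today: date) -> list[str]:
    """Findings a reviewer would want for one account."""
    findings = []
    if pw.uid == 0 and pw.username != "root":
        findings.append("UID 0 account other than root")
    if pw.passwd != "x" and hash_scheme(pw.passwd) not in ("empty", "locked"):
        findings.append("encoded password stored in world-readable /etc/passwd")
    scheme = hash_scheme(sh.passwd if sh else pw.passwd)
    if scheme == "empty":
        findings.append("empty password field: login may need no password")
    elif scheme == "des-crypt":
        findings.append("traditional DES crypt hash (only the first 8 characters count)")
    if sh is not None:
        expiry = password_expiry_date(sh)
        if expiry is not None and expiry <= today:
            findings.append(f"password expired on {expiry.isoformat()}")
        if sh.disable is not None and day_to_date(sh.disable) <= today:
            findings.append(f"account disabled since {day_to_date(sh.disable).isoformat()}")
    return findings


def audit_files(passwd_text: str, shadow_text: str, today: date) -> dict[str, list[str]]:
    """Join the two files on username and audit every account in passwd_text."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            entry = parse_shadow_line(line)
            shadow[entry.username] = entry
    report = {}
    for line in passwd_text.splitlines():
        if line.strip():
            entry = parse_passwd_line(line)
            report[entry.username] = audit(entry, shadow.get(entry.username), today)
    return report


# Constructed sample files based on the page's examples; the $6$ hash is a placeholder.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
username:x:503:100:Full Name:/home/username:/bin/sh
oldstyle:Npge08pfz4wuk:504:100:Unshadowed User:/home/oldstyle:/bin/sh
"""
SAMPLE_SHADOW = """root:$6$placeholder$notarealhash:9479:0:99999:7:::
username:Npge08pfz4wuk:9479:0:10000::::
"""

if __name__ == "__main__":
    for user, notes in audit_files(SAMPLE_PASSWD, SAMPLE_SHADOW, date(2007, 5, 1)).items():
        print(user, notes or ["ok"])
```

Running the script with the page's own date as "today" reports nothing for root, the DES crypt warning for username (whose password is not due for change until 2023), and both the exposed-hash and DES crypt warnings for the unshadowed oldstyle account. Feed it real files with `audit_files(open("/etc/passwd").read(), open("/etc/shadow").read(), date.today())` as root to audit a live system.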
