Monday, December 21, 2009

/etc/passwd and /etc/shadow file in UNIX

With shadow passwords, the ``/etc/passwd'' file contains account information, and looks like this:

devenv:x:571:571:verma deven:/home/devenv:/bin/bash

Each field in a passwd entry is separated with ":" colon characters, and are as follows:

* Username, up to 8 characters. Case-sensitive, usually all lowercase

*An "x" in the password field. Passwords are stored in the ``/etc/shadow'' file.

*Numeric user id. This is assigned by the ``adduser'' script. Unix uses this
field, plus the following group field, to identify which files belong to the user.
*Numeric group id. Red Hat uses group id's in a fairly unique manner for enhanced file security. Usually the group id will match the user id.

* Full name of user. I'm not sure what the maximum length for this field is, but try to keep it reasonable (under 30 characters).

* User's home directory. Usually /home/username (eg. /home/smithj). All user's personal files, web pages, mail forwarding, etc. will be stored here.

* User's "shell account". Often set to ``/bin/bash'' to provide access to the bash shell (my personal favorite shell).


The ``/etc/shadow'' file contains password and account expiration information for users, and looks like this:

devenv:Ep6mckrOLChF.:10063:0:99999:7:::

As with the passwd file, each field in the shadow file is also separated with ":" colon characters, and are as follows:

* Username, up to 8 characters. Case-sensitive, usually all lowercase. A direct match to the username in the /etc/passwd file.

* Password, 13 character encrypted. A blank entry (eg. ::) indicates a password is not required to log in (usually a bad idea), and a ``*'' entry (eg. :*:) indicates the account has been disabled.

*The number of days (since January 1, 1970) since the password was last changed.

* The number of days before password may be changed (0 indicates it may be changed at any time)

*The number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for many, many years)

* The number of days to warn user of an expiring password (7 for a full week)

* The number of days after password expires that account is disabled

* The number of days since January 1, 1970 that an account has been disabled

* A reserved field for possible future use
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)