/etc/shadow File in Linux

In this article, we explain what the /etc/shadow file is in Linux, its format and the meaning of the fields contained in each line of the file.

What is Linux?

Linux is a family of open-source operating systems based on the Linux kernel. The first Linux system kernel was released on September 17, 1991, by Linus Torvalds.

I think Linux is a great thing, in the big picture. It’s a great hacker’s tool, and it has a lot of potential to become something more.

Jamie Zawinski

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.

/etc/shadow File in Linux

In Linux, /etc/shadow is a plain text file that stores the encrypted passwords of the users and a set of properties related to the passwords contained. As an essential system file, /etc/shadow file is owned by the root user and it has 640 permissions, i.e., the root account can modify its content while only the users defined in the shadow group are allowed to read it.

To display access permissions on the the /etc/shadow file, you can use the ls command in Linux, as described below.

$ ls -la /etc/shadow

/etc/shadow File Format

The /etc/shadow file contains one entry per line that defines the user passwords and the associated parameters for them. Each line of entry is represented by 9 fields that are separated (delimited) by a colon symbol. An example /etc/shadow file entry and the meaning of its contents are depicted in Figure 2.

Explanation of the Fields in the /etc/shadow File

1. Username: A unique string on a machine that is used to log into the system. More detailed information on the usernames defined in the system can be found in the /etc/password file.
2. Password: The second field contains 3 different sections delimited by the $ signs.
   • The first section, which starts and ends with the $ sign, defines the encryption (hashing) format. Following is a list of the hashing algorithms and their corresponding ids that you may encounter in the /etc/shadow files.
     • $1$ : MD5
     • $2a$ : Blowfish
     • $2y$ : EKSBlowfish
     • $5$ : SHA-256
     • $6$ : SHA-512
   • The second section in between the $ signs is the salt being used to hash the actual password with the algorithm defined in the first section.
   • And the last section that follows the third $ sign is the hashed representation of the password. For some users, the password field contains an asterisk (*) or exclamation point (!) to denote that the user will not be allowed to login to the system using the password authentication.
3. Last Password Change: The date when the password was last changed. Represented by days since January 1, 1970.
4. Minimum Password Age: The minimum number of days that must pass before a users is allowed to change the password. Typically it is set to zero, meaning there is no minimum password age.
5. Maximum Password Age: The number of days after which the password expires, i.e., the user must change the password. By default, this value is set to 99999.
6. Warning Period: The number of days before the password expires. During this period, the user is warned to change the current password.
7. Inactivity Period: The number of days after password expires. At the end of this period, the user account is disabled.
8. Expiration Date: The date when the account was disabled. Represented by days since January 1, 1970.
9. Unused: This field is reserved for future use.

Displaying the /etc/shadow File

To display the content of the /etc/shadow file, you can use the cat command in Linux, as described below.

$ cat /etc/shadow

To filter the output of the pervious cat /etc/shadow command by specifying a search pattern, such as a username, you can use the grep command command in Linux, as shown below.

$ cat /etc/passwd | grep kali

To learn more on Linux, you could also visit our Linux Resources Page.