{
	"id": "75ac7035-ad79-41b4-88d1-ee17a5407e7c",
	"created_at": "2026-04-06T00:19:33.796161Z",
	"updated_at": "2026-04-10T13:12:24.170003Z",
	"deleted_at": null,
	"sha1_hash": "b1bb463415c4609bbad42735e21b71b90664c267",
	"title": "Linux Password \u0026 Shadow File Formats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50087,
	"plain_text": "Linux Password \u0026 Shadow File Formats\r\nArchived: 2026-04-05 13:24:46 UTC\r\nTraditional Unix systems keep user account information, including one-way encrypted passwords, in a text file\r\ncalled ``/etc/passwd''. As this file is used by many tools (such as ``ls'') to display file ownerships, etc. by\r\nmatching user id #'s with the user's names, the file needs to be world-readable. Consequentally, this can be\r\nsomewhat of a security risk.\r\nAnother method of storing account information, one that I always use, is with the shadow password format. As\r\nwith the traditional method, this method stores account information in the /etc/passwd file in a compatible format.\r\nHowever, the password is stored as a single \"x\" character (ie. not actually stored in this file). A second file, called\r\n``/etc/shadow'', contains encrypted password as well as other information such as account or password\r\nexpiration values, etc. The /etc/shadow file is readable only by the root account and is therefore less of a security\r\nrisk.\r\nWhile some other Linux distributions forces you to install the Shadow Password Suite in order to use the shadow\r\nformat, Red Hat makes it simple. To switch between the two formats, type (as root):\r\n /usr/sbin/pwconv To convert to the shadow format\r\n /usr/sbin/pwunconv To convert back to the traditional format\r\nWith shadow passwords, the ``/etc/passwd'' file contains account information, and looks like this:\r\nsmithj:x:561:561:Joe Smith:/home/smithj:/bin/bash\r\nEach field in a passwd entry is separated with \":\" colon characters, and are as follows:\r\nUsername, up to 8 characters. Case-sensitive, usually all lowercase\r\nAn \"x\" in the password field. Passwords are stored in the ``/etc/shadow'' file.\r\nNumeric user id. This is assigned by the ``adduser'' script. Unix uses this field, plus the following group\r\nfield, to identify which files belong to the user.\r\nNumeric group id. Red Hat uses group id's in a fairly unique manner for enhanced file security. Usually the\r\ngroup id will match the user id.\r\nFull name of user. I'm not sure what the maximum length for this field is, but try to keep it reasonable\r\n(under 30 characters).\r\nUser's home directory. Usually /home/username (eg. /home/smithj). All user's personal files, web pages,\r\nmail forwarding, etc. will be stored here.\r\nhttps://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html\r\nPage 1 of 2\n\nUser's \"shell account\". Often set to ``/bin/bash'' to provide access to the bash shell (my personal favorite\r\nshell).\r\nPerhaps you do not wish to provide shell accounts for your users. You could create a script file called\r\n``/bin/sorrysh'', for example, that would display some kind of error message and log the user off, and then set\r\nthis script as their default shell.\r\nNote: Note: If the account needs to provide \"FTP\" transfers to update web pages, etc. then the shell\r\naccount will need to be set to ``/bin/bash'' -- and then special permissions will need to be set up in the\r\nuser's home directory to prevent shell logins. See Section 7.1 for details on this.\r\nThe ``/etc/shadow'' file contains password and account expiration information for users, and looks like this:\r\nsmithj:Ep6mckrOLChF.:10063:0:99999:7:::\r\nAs with the passwd file, each field in the shadow file is also separated with \":\" colon characters, and are as\r\nfollows:\r\nUsername, up to 8 characters. Case-sensitive, usually all lowercase. A direct match to the username in the\r\n/etc/passwd file.\r\nPassword, 13 character encrypted. A blank entry (eg. ::) indicates a password is not required to log in\r\n(usually a bad idea), and a ``*'' entry (eg. :*:) indicates the account has been disabled.\r\nThe number of days (since January 1, 1970) since the password was last changed.\r\nThe number of days before password may be changed (0 indicates it may be changed at any time)\r\nThe number of days after which password must be changed (99999 indicates user can keep his or her\r\npassword unchanged for many, many years)\r\nThe number of days to warn user of an expiring password (7 for a full week)\r\nThe number of days after password expires that account is disabled\r\nThe number of days since January 1, 1970 that an account has been disabled\r\nA reserved field for possible future use\r\nSource: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html\r\nhttps://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html"
	],
	"report_names": [
		"shadow-file-formats.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434773,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1bb463415c4609bbad42735e21b71b90664c267.pdf",
		"text": "https://archive.orkl.eu/b1bb463415c4609bbad42735e21b71b90664c267.txt",
		"img": "https://archive.orkl.eu/b1bb463415c4609bbad42735e21b71b90664c267.jpg"
	}
}