The /etc/shadow file stores the actual password in encrypted form (more precisely, the hash of the password) for each user's account, together with additional properties related to the user's password. Basically, it stores secure user account information. All fields are separated by a colon (:). It contains one entry per line for each user listed in the /etc/passwd file.
Because /etc/passwd must be readable by all users, Unix systems store the hashed password in /etc/shadow, which is readable only by the superuser, to avoid password cracking.
The format of the /etc/passwd file:
```
username:passwd:UID:GID:full_name:directory:shell
```
Generally, a shadow file entry has the following fields:
- Username : It is your login name.
- Password : It is your encrypted password. The password should be a minimum of 8-12 characters long, including special characters, digits, lower case letters and more. Usually the password format is $id$salt$hashed, where $id is the algorithm used. On GNU/Linux the values are as follows:
  - $1$ is MD5
  - $2a$ is Blowfish
  - $2y$ is Blowfish
  - $5$ is SHA-256
  - $6$ is SHA-512
- Last password change (lastchanged) : Days since Jan 1, 1970 that the password was last changed (the standard Unix day count, from 1 January 1970 up to the day of the change).
- Minimum : The minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password (0 means the password can be changed at any time; N means it can only be changed after N days).
- Maximum : The maximum number of days the password is valid (after that the user is forced to change his/her password). A value of N means the password must be renewed after N days; 99999 usually means the password never has to be changed.
- Warn : The number of days before the password is to expire that the user is warned that his/her password must be changed (the warning starts N days before the change is required).
- Inactive : The number of days after the password expires that the account is disabled (the grace period after password expiry).
- Expire : Days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used (the account expiry date).
- Reserved : A field reserved for future use.
The last 6 fields provide password aging and account lockout features. You need to use the chage command to set up password aging. According to the man page of shadow, the password field must be filled. The encrypted password consists of 13 to 24 characters from the 64-character alphabet a through z, A through Z, 0 through 9, . and /. Optionally it can start with a "$" character, which means the encrypted password was generated using another (not DES) algorithm. For example, if it starts with "$1$" it means the MD5-based algorithm was used. Please note that a password field which starts with an exclamation mark (!) means that the password is locked; the remaining characters on the line represent the password field before the password was locked.
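As an added example (not part of the original page), the following Python audits shadow entries the way the fields above describe: it names the hash scheme from the $id$ prefix (or the 13-character DES form), detects the "!" lock marker, and derives expiry from lastchanged, Maximum, Inactive and Expire. The sample lines are constructed, with placeholder hashes; the `today` argument is the same days-since-1970 count the file uses.

```python
# Constructed sample /etc/shadow lines (not from a real system): a SHA-512
# account whose password has just expired, a locked one, an MD5 account past
# its absolute Expire date, and a legacy 13-character DES hash with no $id$.
SAMPLE_SHADOW = """\
alice:$6$Ab12Cd34$ZmFrZWhhc2hmYWtlaGFzaGZha2VoYXNoZmFrZWhhc2hmYWtlaGFzaA:19500:7:90:14:30::
bob:!$6$Ab12Cd34$ZmFrZWhhc2hmYWtlaGFzaGZha2VoYXNoZmFrZWhhc2hmYWtlaGFzaA:19400:0:99999:7:::
carol:$1$Ab12Cd34$ZmFrZWhhc2hmYWtlaGFzaA:18000:0:60:7:5:19000:
legacy:abJnggxhB/yWI:17000:0:99999:7:::
"""

# $id$ values listed in the text above, mapped to the algorithm they select.
HASH_IDS = {"1": "MD5", "2a": "Blowfish", "2y": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

def parse_shadow_line(line):
    """Split one colon-separated entry into its nine named fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d" % len(fields))
    keys = ("name", "password", "lastchanged", "min", "max", "warn", "inactive", "expire", "reserved")
    entry = dict(zip(keys, fields))
    for k in keys[2:8]:                      # aging fields: empty means "not set"
        entry[k] = int(entry[k]) if entry[k] else None
    return entry

def hash_algorithm(pw):
    """Name the hashing scheme from the password field's prefix."""
    pw = pw.lstrip("!")                      # "!" only marks the password as locked
    if pw.startswith("$"):
        return HASH_IDS.get(pw.split("$")[1], "unknown $id$")
    return "DES (legacy crypt)" if len(pw) == 13 else "unknown"

def audit_entry(entry, today):
    """Derive the password/aging state of one entry for a given day number."""
    pw, last, mx = entry["password"], entry["lastchanged"], entry["max"]
    state = {"name": entry["name"], "locked": pw.startswith("!"),
             "empty_password": pw == "", "algorithm": hash_algorithm(pw)}
    # The password must be changed once lastchanged + Maximum days have passed.
    expires_on = last + mx if last is not None and mx is not None else None
    state["password_expired"] = expires_on is not None and today > expires_on
    # After the Inactive grace period the account itself is disabled.
    grace = entry["inactive"]
    state["disabled_by_inactivity"] = (state["password_expired"] and grace is not None
                                       and today > expires_on + grace)
    # Expire is an absolute day number from which login is refused.
    state["account_expired"] = entry["expire"] is not None and today >= entry["expire"]
    return state

def audit_shadow(text, today):
    """Audit every non-empty line of a shadow file's contents."""
    return [audit_entry(parse_shadow_line(l), today) for l in text.splitlines() if l]
```

Running `audit_shadow(SAMPLE_SHADOW, 19600)` flags alice's password as expired but still within its grace period, bob as locked, carol as both disabled by inactivity and past her account expiry, and legacy as using the DES scheme.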