Sunday, 2 August 2015

/etc/shadow file format in Linux Explained

In one of the recent articles we've published, we've learned the file format of /etc/passwd file, which stores one line entry for each user that can access the system. As one of the fields in each line of the /etc/passwd denotes whether the password for that user is stored in /etc/shadow file or not, it can easily be depicted that the actual passwords (of course, in the encrypted form) are stored in the /etc/shadow file. This article will help you learn more about /etc/shadow file format in more detail.

/etc/shadow File Permission

To begin with, let us observe and compare the file permissions on both /etc/passwd and /etc/shadow files:

MyLinuxBox root ~ > ll /etc/passwd
-rw-r--r--. 1 root root 1725 Jul 31 23:02 /etc/passwd

MyLinuxBox root ~ > ll /etc/shadow
-rw-------. 1 root root 1187 Jul 16 09:10 /etc/shadow
Things are pretty clear- /etc/passwd is world readable and /etc/shadow can only be read by the root user. This is because, had the password were stored in /etc/passwd file, even in encrypted format, anyone could see, decrypt and use them pretty easily. Thus, passwords are actually stored in /etc/shadow file which can only be accessed by root or superuser and not made open to the entire world, as there is a huge risk factor involved in it.

/etc/shadow File Contents

/etc/shadow file is the text file that holds the information about User password, the hash algorithm used to create hash, the salt value used to create hash and some details related to password expiry. Each line in this file is used to store the information about one user, delimited with a colon (:), and the file looks like:

To study the file in more detail, let us consider the entry for the user 'mandar' as below:

mandar  :  $6$5H0QpwprRiJQR19Y$bXGOh7dIfOWpUb/Tuqr7yQVCqL3UkrJns9.7msfvMg4ZO/PsFC5Tbt32PXAw9qRFEBs1254aLimFeNM8YsYOv.  :  16431  :  0  :  99999  :  7  :   :   :
For better understanding, I've divided the line entry across each colon(:) to create 8 fields, which are explained as below:
  1. Username field: This field denotes the username (or the user account name), that should be used while logging in to the system.
  2. Password field: This field stores the password in encrypted format (explained in detail below).
  3. Last Password Change: This field denotes the number of days, since UNIX time (1-Jan-1970), the last password change happened.
  4. Minimum days between password changes: This field denotes the minimum number of days after which a user can change his password.
  5. Password validity: This field denoted the maximum number of days for which password is valid. After that, the password will expire and the user will have to change the password.
  6. Warning threshold: This field denotes the number of days before which the user will receive a warning notification about the password expiry.
  7. Account inactive: This field denotes the number of days after which the account will be disabled, when the password is expired.
  8. Time since account is disabled: This field denotes the number of days, from UNIX time, since which the account is disabled.

The Encrypted Password

The field #2 in each line entry is the encrypted password, as we just learned. But, how this password is generated, we'll learn in this portion of the article. Let's just rewrite the encrypted password here-


Let's break this encrypted password in some parts, across the dollar ($) sign, to understand it better.

1. Hash Algorithm: This field denotes the hashing algorithm used to create the hashed password. The digit 6 describes that, SHA-512 algorithm is used, in this case. Some more of them are enlisted below:

| 1  | MD5         |
| 2  | Blowfish    |
| 2a | eksBlowfish |
| 5  | SHA-256     |
| 6  | SHA-512     |
2. Salt Value: Salt values are used to make the hash value stronger. These are the random type of data that is used to combine with the original password and then the hashed version of that is used as the encrypted password.
3. Password: This field stores the hashed version of the combination of original password and salt value.

To verify this, we would try to generate the hash value using SHA-512 algorithm along with the salt value (5H0QpwprRiJQR19Y) and the original password (mandar) and match it with the hash value mentioned in the /etc/shadow file.

Syntax of the command is as below:

perl -e 'print crypt("<PASSWORD>","\$<HASH-ALGO>\$<SALT-VALUE>\$") . "\n"'
In our case,
<PASSWORD> = mandar
Expected Output = $6$5H0QpwprRiJQR19Y$bXGOh7dIfOWpUb/Tuqr7yQVCqL3UkrJns9.7msfvMg4ZOPsFC5Tbt32PXAw9qRFEBs1254aLimFeNM8YsYOv.

Lets run the command now.

MyLinuxBox root ~ > perl -e 'print crypt("mandar","\$6\$5H0QpwprRiJQR19Y\$") . "\n"'
Both the hash values match. That's why, this file is not world-readable and passwords are not saved in /etc/passwd (it being world-readable).

That's all for this article, stay tuned for more of them.


  1. Short sweet and concise. Very good

  2. If the password field of etc shadow file contains an x, then does it imply that account is locked ?

    1. That means the hashed password is saved in the shadow file.

    2. how to access shadow file then to see encrypted passwd

  3. reading crypt's man page ( I think the hash algorithm is always SHA-512. In this case the salt is the full string "$6$5H0QpwprRiJQR19Y$" (that is the "$6$" is part of salt itself).
    Isn't so?