Groups
The /etc/shadow File
With most Linux distributions that use local authentication, your
users’ passwords will be stored in encrypted format in the /etc/shadow
file. This file is linked to the /etc/passwd file we discussed
previously. Each of the user accounts listed in /etc/passwd has a
corresponding entry in /etc/shadow, as shown in this example:
openSUSE:~ # cat /etc/shadow
...
root:$2a$05$h03HfGFSi2i8GlotOYgreeBelUlHc.z/2KxyQQF7RSo./TdLOrDJa:15035::::::
sshd:*:14796:0:99999:7:::
uucp:*:16015::::::
wwwrun:*:16015::::::
hsaez:$6$JbgjOmU1SXu1$ON0iVUmsrzvVxd7D2AeYbriZ1gDRS/W/xnoeXVzcBkZIeNSJMAKFWfMvl4RvWki0HIQLrfV6bkNIAk6vCEOyP0:16392:0:99999:7:::
ksanders:$2a$05$KL1DbTBqpSEMiL.2FoI3ue4bdyR.eL6GMKs7MU6.nZl5SCC7/REUS:15043:0:99999:7:::
rtracy:$6$L58Cq/vWQJaM$u7.1.UmlGVquz6qQ0LaHXQzbTgc6kC6uc1sR/GgelNjbF/FqJUkwmhVdxO3Qxs3HgXQJLIptYJ4HD7bvMoxbd0:16392:0:99999:7:::
As with /etc/passwd, each user account is represented by a single line
in the /etc/shadow file. Each record is composed of the following
fields, each separated by a colon:
Username:Password:Last_Modified:Min_Days:Max_Days:Days_Warn:Disabled_Days:Expire
For example, the record for ksanders is as follows:
ksanders:$2a$05$KL1DbTBqpSEMiL.2FoI3ue4bdyR.eL6GMKs7MU6.nZl5SCC7/REUS:15043:0:99999:7:::
Here’s what each of these fields contains:
• Username
This is the user’s login name from /etc/passwd.
• Password
This is the user’s password in encrypted format. In the
preceding example, the password for ksanders is M3linux273. However,
to prevent someone from accessing the /etc/shadow file and grabbing
the user passwords from it, it is stored in encrypted format. You may
notice that all of the system user accounts have a simple asterisk in
this field (*). This indicates that these accounts aren’t allowed to
log in to the system. For example, if I tried to log in to my system
as ftp, I would be denied access even though the ftp user account
exists.
• Last_Modified
This field displays the number of days since January
1, 1970, that the password was last changed. In this example, it has
been 15,043 days.
• Min_Days
This field displays the minimum number of days required
before a password can be changed. In this example, it is set to 0
days.
• Max_Days
This field displays the maximum number of days before a
password must be changed. In this example, it is set to 99,999 days.
Effectively, this means a password change isn’t required.
• Days_Warn
This field displays the number of days prior to password
expiration that the user will be warned of the pending expiration. In
this case, it’s set to 7 days.
• Disabled_Days
This field displays the number of days to wait after a
password has expired to disable the account. In this example, it’s set
to a null value.
• Expire
This field displays the number of days since January 1, 1970,
after which the account will be disabled. In this example, it is set
to a null value, indicating the account never expires.
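The following parser is an added example, not code from the book or from the shadow utilities. It reads records in the format just described, treats empty day-count fields as null, and classifies each account by the field meanings above: a locked password field, an Expire date that has passed, a password past Max_Days, and the Disabled_Days grace period. It assumes the trailing reserved ninth field that shadow(5) defines (the empty field after Expire on every line of the listing); the sample lines and hash bodies are constructed placeholders.

```python
from datetime import date, timedelta
EPOCH = date(1970, 1, 1)
# The eight fields in the text plus shadow(5)'s reserved ninth field (the empty trailing field above).
FIELDS = ("username", "password", "last_modified", "min_days", "max_days",
          "days_warn", "disabled_days", "expire", "reserved")
# Constructed sample modelled on the chapter's listing; the hash bodies are placeholders.
SAMPLE_SHADOW = """\
root:$2a$05$placeholder.not.a.real.hash:15035::::::
sshd:*:14796:0:99999:7:::
ksanders:$2a$05$placeholder.not.a.real.hash:15043:0:99999:7:::
jdoe:$6$placeholder$not.a.real.hash:15043:0:90:7:5::
temp:$6$placeholder$not.a.real.hash:15043:0:99999:7::15100:
"""

def parse_shadow(text):
    """Parse shadow-format text into {username: record}; empty day-count fields become None."""
    records = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(":")
        if len(parts) != len(FIELDS):           # a hand-edited line with a lost colon lands here
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        for name in FIELDS[2:8]:                # Last_Modified through Expire are day counts
            rec[name] = int(rec[name]) if rec[name].strip() else None
        records[rec["username"]] = rec
    return records

def date_from_days(days):
    """Turn a day count such as 15043 back into the calendar date it encodes."""
    return EPOCH + timedelta(days=days)

def password_status(rec, now):
    """Classify one record on day `now` (days since 1970-01-01) using the field meanings above."""
    pw = rec["password"]
    if pw == "*" or pw.startswith("!"):
        return "locked"                         # no password will ever match this field
    if pw == "":
        return "empty-password"                 # login succeeds with no password at all
    if rec["expire"] is not None and now >= rec["expire"]:
        return "account-expired"                # Expire reached, regardless of the password
    last, max_days = rec["last_modified"], rec["max_days"]
    if last is None or max_days is None:
        return "ok"                             # no ageing policy recorded (root above)
    must_change = last + max_days
    if now > must_change:
        grace = rec["disabled_days"]
        if grace is not None and now >= must_change + grace:
            return "disabled"                   # expired and the Disabled_Days grace has elapsed
        return "password-expired"               # a new password is required at next login
    return "warn" if now >= must_change - (rec["days_warn"] or 0) else "ok"
```

Feeding it a real /etc/shadow (as root) and today's day count, `(date.today() - EPOCH).days`, lists which accounts are locked, expiring or already disabled without touching the file.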
As you can see, it is very important that these two files stay
synchronized with each other. If they get out of whack, then it’s
possible that a user may not be able to log in or a service may not be
able to access the file system correctly.
The good news is that these files usually stay in sync as they are
supposed to without any intervention on the part of the administrator.
The only times I’ve seen these two files become unsynchronized is when
the administrator decides to manually edit these files with a text
editor. I strongly discourage this practice. Your Linux system
includes a wide variety of utilities that are used to manage user
accounts and passwords on your system. (We’ll discuss how to use these
utilities later in this chapter.) You should always use these
utilities instead of a text editor to manage user accounts. Doing so
will ensure that both files are edited appropriately and stay
synchronized with each other.
To verify your /etc/passwd and /etc/shadow files, you can use the pwck
command at the shell prompt. This utility will verify each line in the
two files and make sure they are valid. Any errors are reported on the
screen, as shown in this example:
openSUSE:/ # pwck
Checking '/etc/passwd'
User 'pulse': directory '/var/lib/pulseaudio' does not exist.
User 'usbmux': directory '/var/lib/usbmuxd' does not exist.
Checking '/etc/shadow'.
As you can see, pwck found that the home directories specified for the
pulse and usbmux system user accounts don’t exist. Everything else
checked out. If, for some reason, the /etc/passwd and the /etc/shadow
files are out of synchronization, you can use the pwconv command at the
shell prompt to fix the files. This utility will add any missing user
accounts from /etc/passwd to /etc/shadow.
LX0-104 Exam Objectives (V and U, 323, 647 - 689)