12.1.1 Registration

12.1.1.3 Shadow file - /etc/shadow (SunOS 5.X, IRIX 5.X)

SunOS 5.X uses additional security measures over the older OS. One of these is the shadow password scheme, which is used by default. The encrypted password is not kept in /etc/passwd, but rather in /etc/shadow. /etc/passwd has a placeholder, x, in this field. passwd is readable by everyone, whereas shadow is readable only by root. The shadow file also contains password aging controls.

/etc/shadow contains 9 fields, each separated by a ":", in the form:

where these fields represents:

login-id login name
password 13 character encrypted password
lastchg number of days from Jan 1, 1970 to the last password change
min minimum number of days required between password changes
max maximum number of days the password is valid
warn number of days before expiring the password that the user is warned
inactive number of days of inactivity allowed for the user
expire absolute date after which the login may no longer be used
flag currently not used

The encrypted password field might also contain the entries:

NP for no password is valid

*LK* meaning the account is locked until the superuser sets a password

A typical /etc/shadow file might be:

root:st44wfkgx33qX:::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
smtp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
noaccess:NP:6445::::::

The shadow password file is updated using the commands:

passwd change the password and password attributes
useradd add a new user
usermod modify a user's login information
userdel delete a user's login entry

If you presently have an /etc/passwd file under SunOS 4.X that you want to use with SunOS 5.X, you can use the pwconv command to convert the passwd file to the new style and create the /etc/shadow file.

The /etc/shadow file has specific fields to keep track of the last password change, the minimum and maximum time in days that the password is valid, the number of inactive days allowed between uses before the login ID is declared invalid, and an expiration date for the account. You can edit /etc/shadow and set these values, or use the useradd command to set limits on the account.

Sun recommends that you use the admintool or solstice utilities or the useradd command to add new users, rather than editing the passwd file. If you do edit the passwd file you'll want to use pwconv to update the passwd changes to the shadow file. The use of vipw is no longer recommended. It's included with the compatibility package, as /usr/ucb/vipw, and you can still use it, but it does not update the shadow file, though it does remind you to do so.

Unix System Administration - 8 AUG 1996

[Next] [Previous] [Up] [Top] [Contents]