mkshadow

Updated: April 19, 2023

Create entries for QNX Neutrino shadow files

Syntax:

mkshadow -u username [-d hash] [-e expiry] [-I inactivity]
        [-i iteration] [-k KDF] [-l last_change] [-m min_age]
        [-o path] [-P prompt] [-p password] [-s salt]
        [-u username] [-v verbosity] [-w warning] [-x max_age]

Runs on:

Linux, Mac, Microsoft Windows

Options

-d hash
Hash function to use in key derivation.

Supported values: sha256, sha512 (the default).

-e expiry
Account expiration date. Default is no expiry (0).

Example: 2029-12-31T23:59:59

-I inactivity
Deactivate the account this number of days after the password expires. Not currently enforced by QNX Neutrino.

-i iteration
The number of iterations of the hash function to use for key derivation. Default is 4096.

-k KDF
The key derivation function (KDF) to use.

Supported value: pbkdf2 (the default).

-l last_change
Date of last password change. The default value is the current timestamp.

Example: 2019-08-27T09:30:00

-m min_age
The minimum number of days users must wait after changing their password before they can change it again. Default is no minimum (0).

-o path
Path to output file. If not specified, data is written to stdout.

-P prompt
Prompt the user for the password. See the examples below for how the prompt is specified.

-p password
Password for shadow file entry. Default is an asterisk (*) character, which disables the password for the user account. Disabling the password for an account prevents anyone from logging in to that account using a password.

-s salt
Custom cryptographic salt. Must be 16 bytes represented in hex format. If this option is not specified, the salt is generated randomly.

Example: C53253F1E9FCC1B5A90DA6A0A3E9A11C

-u username
Username for shadow file entry.

-v verbosity
Increase verbosity.

-w warning
The number of days before the password is set to expire that users are warned that they must change their password. By default, no warning is given (0).

-x max_age
The maximum number of days a password remains valid. Default is no maximum (0).

For information on the individual fields in a shadow file, see /etc/shadow in the QNX Neutrino User's Guide.

Description

The mkshadow host-side utility is used to create entries for QNX Neutrino shadow files.

By default, mkshadow creates a shadow file entry with the password disabled, which prevents users from logging in to the account using a password. To set the password for an account, use either -p or -P.

Examples

Create a shadow file entry for the user qnxuser. Because no password options are specified, the password is disabled for this user:

mkshadow -u qnxuser

Create a shadow file entry with the password qnxuser:

mkshadow -u qnxuser -p qnxuser

Create a shadow file entry with a password that is specified by prompting the user for a value:

mkshadow -u qnxuser -P
Password:
Confirm Password:

Create a shadow file entry whose password hash is stretched to 8192 iterations (instead of the default 4096 iterations):

mkshadow -u qnxuser -p qnxuser -i 8192

Create a shadow file entry with the custom cryptographic salt 9BBA04C71AC554C5CEB08FF237BC93AB:

mkshadow -u qnxuser -p qnxuser -s 9BBA04C71AC554C5CEB08FF237BC93AB
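
Added example, not part of the QNX documentation or mkshadow's own code: a Python illustration of the PBKDF2 derivation that the -d, -i, -k and -s options configure, showing that a custom salt reused across entries gives identical results for identical passwords, while a randomly generated salt does not. The function names, the UTF-8 password encoding and the derived-key length (the digest size) are assumptions, and the output is not the shadow file entry format.

```python
import hashlib
import hmac
import secrets
import string

DIGEST_SIZES = {"sha256": 32, "sha512": 64}  # the two -d values the page lists


def parse_salt(salt_hex=None):
    """Return a 16-byte salt: decode -s style hex, or generate one randomly."""
    if salt_hex is None:
        return secrets.token_bytes(16)
    if len(salt_hex) != 32 or any(c not in string.hexdigits for c in salt_hex):
        raise ValueError("salt must be 16 bytes written as 32 hex digits")
    return bytes.fromhex(salt_hex)


def derive(password, salt_hex=None, hash_name="sha512", iterations=4096):
    """PBKDF2 with the page's defaults. Returns (salt_hex, derived_key_hex).

    Assumptions: UTF-8 password bytes and a key as long as the digest.
    """
    if hash_name not in DIGEST_SIZES:
        raise ValueError("unsupported hash: " + hash_name)
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    salt = parse_salt(salt_hex)
    key = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                              iterations, dklen=DIGEST_SIZES[hash_name])
    return salt.hex().upper(), key.hex()


def same_entry(entry_a, entry_b):
    """True when two (salt, key) pairs match, compared in constant time."""
    return hmac.compare_digest("".join(entry_a), "".join(entry_b))


if __name__ == "__main__":
    fixed = "9BBA04C71AC554C5CEB08FF237BC93AB"  # salt from the page's last example
    a = derive("qnxuser", fixed)
    b = derive("qnxuser", fixed)   # second entry, same -s value and password
    c = derive("qnxuser")          # random salt, as when -s is omitted
    d = derive("qnxuser", fixed, iterations=8192)
    print("fixed salt, entries identical: ", same_entry(a, b))
    print("random salt, entries identical:", same_entry(a, c))
    print("8192 iterations, key changed:  ", d[1] != a[1])
```

A fixed salt makes the entry reproducible across builds, but every account or device that shares both the salt and the password also shares the same derived key.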