/etc/shadow

QNX SDP8.0User's GuideUser

This file stores hashed passwords and other account and password information.

Each line in /etc/shadow is in the following format:

username:password:last_change:min_age:max_age:warning:inactivity:expiry:reserved

username

The user's login name. It must be a valid username that exists on the system.

password

The user's hashed password.

If the password field contains a string that is not a valid hash of the password, the user cannot log in.

This field can be empty. When it is empty, it may be possible to log in as the corresponding user without specifying a password, depending on the application that performs the authentication or the configuration of the PAM module that performs the authentication.

If the password field starts with an exclamation mark, the password is locked. The characters that follow the exclamation mark are the password hash before the password was locked.

The password is captured in one of the following formats:

@digest@hash@salt
@digest,iterations@hash@salt

where:

digest is a single character that indicates which digest function was used to hash the password. The following values are currently allowed: s (sha256), S (sha512).

iterations is the number of iterations to perform during key derivation. If not specified, the default value of 4096 is used.

hash is the Base64-encoded hashed password.

salt is the Base64-encoded salt value.

A salt is a randomly generated sequence of bytes that can be used to change the output of a cryptographic function. In practice, every password saved in /etc/shadow is hashed with a different salt, which makes it more difficult for an attacker to crack them.

last_change

The date of the last password change, expressed as the number of days since the start of the Unix Epoch.

min_age

The minimum number of days the user must wait after changing the password before he or she can change it again.

An empty field or 0 specifies that no wait time is required.

max_age

When this number of days has passed after a password change, the user must change his or her password again. After this number of days has passed, the user is prompted to change the password the next time he or she logs in.

An empty field or a value of 0 specifies that there is no maximum number of days after which the user must change his or her password.

warning

The number of days before the password is set to expire that users are warned that they must change their password.

An empty field or a value of 0 specifies that no warning is given.

inactivity

The password expiration date. Not currently implemented.

expiry

The account expiration date, expressed as the number of days since the Unix Epoch.

An empty field or a value of 0 specifies that the account never expires.

reserved

Reserved for future use.

Page updated: March 05, 2025