/etc/shadow

QNX SDP 8.0 User's Guide

This file stores hashed passwords and other account and password information.

You can generate hashed password entries using the mkshadow utility. This utility adds entries to the password shadow file, /etc/shadow. Each line in this file is in the following format:
username:password:last_change:min_age:max_age:warning:inactivity:expiry:reserved
username
The user's login name. It must be a valid username that exists on the system.
password
The user's hashed password.

If the password field contains a string that is not a valid hash of the password, the user cannot log in.

This field can be empty. When it is empty, it may be possible to log in as the corresponding user without specifying a password, depending on the application that performs the authentication or on the configuration of the PAM module that performs the authentication.

If the password field starts with an exclamation mark, the password is locked. The characters that follow the exclamation mark are the password hash before the password was locked.

The password is captured in one of the following formats:
  • @digest@hash@salt
  • @digest,iterations@hash@salt
where:

digest is a single character that indicates which digest function was used to hash the password. The following values are currently allowed: s (sha256), S (sha512).

iterations is the number of iterations to perform during key derivation. If not specified, the default value of 4096 is used.

hash is the Base64-encoded hashed password.

salt is the Base64-encoded salt value.
  • A salt is a randomly generated sequence of bytes that can be used to change the output of a cryptographic function. In practice, every password saved in /etc/shadow is hashed with a different salt, which makes it more difficult for an attacker to crack the password.
last_change
The date of the last password change, expressed as the number of seconds since the start of the Unix Epoch.
min_age
The minimum number of days users must wait after changing their password before they can change it again.

An empty field or 0 specifies that no wait time is required.

max_age
The maximum number of days a password remains valid after it is changed. After this number of days has passed, users are prompted to change the password the next time they log in.

An empty field or a value of 0 specifies that there is no maximum number of days after which users must change their password.

warning
The number of days before a password is set to expire that users are warned that they must change their password.

An empty field or a value of 0 specifies that no warning is given.

inactivity
The password expiration date. Not currently implemented.
expiry
The account expiration date, expressed as the number of seconds since the start of the Unix Epoch.

An empty field or a value of 0 specifies that the account never expires.

reserved
Reserved for future use.
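
The following audit sketch is an added example, not QNX code. It parses lines in the format above and classifies the password field as empty, locked, hashed, or invalid, applying the default of 4096 iterations when none is given. The function names, the finding texts, the sample entries, and the assumption that hash and salt use the standard Base64 alphabet are illustrative.

```python
import re

# Field order from the page; sample lines below are constructed, not real hashes.
FIELDS = ("username", "password", "last_change", "min_age", "max_age",
          "warning", "inactivity", "expiry", "reserved")
DIGESTS = {"s": "sha256", "S": "sha512"}
DEFAULT_ITERATIONS = 4096
# @digest@hash@salt or @digest,iterations@hash@salt
# Assumption: hash and salt use the standard Base64 alphabet.
PW_RE = re.compile(r"@([sS])(?:,(\d+))?@([A-Za-z0-9+/]+=*)@([A-Za-z0-9+/]+=*)")

def classify_password(field):
    """Return (state, digest, iterations) for a password field."""
    if field == "":
        return ("empty", None, None)
    locked = field.startswith("!")
    m = PW_RE.fullmatch(field[1:] if locked else field)
    if m is None:
        # No valid hash present: locked stays locked, anything else blocks login.
        return ("locked" if locked else "invalid", None, None)
    iterations = int(m.group(2)) if m.group(2) else DEFAULT_ITERATIONS
    return ("locked" if locked else "hashed", DIGESTS[m.group(1)], iterations)

def audit_line(line):
    """Parse one shadow line and return (entry, state, findings)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    state, entry["digest"], entry["iterations"] = classify_password(entry["password"])
    findings = []
    if state == "empty":
        findings.append("empty password: login without a password may be possible")
    elif state == "invalid":
        findings.append("password field is not a valid hash: user cannot log in")
    elif state == "hashed" and entry["iterations"] < DEFAULT_ITERATIONS:
        findings.append("iteration count is below the default of 4096")
    if state != "locked" and entry["max_age"] in ("", "0"):
        findings.append("no maximum password age is set")
    return entry, state, findings

SAMPLE = [  # constructed entries; the Base64 strings are placeholders
    "alice:@S,10000@aGFzaA==@c2FsdA==:1700000000:0:90:7:::",
    "bob::1700000000::::::",
    "carol:!@s@aGFzaA==@c2FsdA==:1700000000::::::",
    "dave:*:1700000000::::::",
    "erin:@s,1000@aGFzaA==@c2FsdA==:1700000000:0:30:7:::",
]
```

The checks on iteration count and maximum password age are policy choices of this example, not requirements stated in the guide.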