
/etc/shadow

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Screenshot by the Shadow developers (https://github.com/shadow-maint/shadow/), public domain.

Name: /etc/shadow
Type: system file
Location: /etc
Format: text
Owner: root


/etc/shadow is a file on Unix and Unix-like operating systems that stores user authentication information: password hashes (traditionally called the "encrypted password"), account aging, and expiration metadata. It complements passwd (file), integrates with authentication frameworks such as PAM (Pluggable Authentication Modules), and is read and written by utilities from projects like GNU Project, Debian, Red Hat, Ubuntu, and Gentoo. Administrators on systems descended from AT&T Unix, BSD (operating system), and System V use /etc/shadow to centralize local credential handling for services such as SSH, sudo, and cron.

Overview

The file separates sensitive authentication attributes from the world-readable identity data in passwd (file), following design choices made during Unix's stewardship and in implementations by organizations including Sun Microsystems and IBM. It is read by authentication libraries in glibc and by components of systemd on systems from vendors like Canonical (company) and Red Hat, Inc. System administrators and security teams at institutions such as National Institute of Standards and Technology, and at companies using LDAP or Kerberos, may integrate /etc/shadow with centralized directories and single sign-on solutions.

File Format and Fields

Each line corresponds to one local account and consists of colon-separated fields whose layout is broadly consistent across implementations, shaped by POSIX committees and by the practice of FreeBSD, OpenBSD, and NetBSD. The fields are the account name, the password hash, the date of the last password change, the minimum and maximum password ages, the warning period, the inactivity period, the account expiration date, and a reserved field. Tools such as vipw and vigr are commonly used to edit these files safely, avoiding the corruption that concurrent edits can cause; configuration management systems like Ansible (software), Puppet (software), and Chef (software) automate consistent field values across fleets.

Password Hashing and Encryption

Password hashes in this file use algorithms standardized or popularized by standards bodies including IETF, with implementations from OpenSSL and libcrypt. Common schemes include the MD5-based variants from Solaris (operating system), the SHA-256 and SHA-512 schemes introduced in Linux distributions like Fedora (operating system), and bcrypt, which originated in work by Niels Provos and David Mazières. Modern systems follow guidance from NIST publications and adopt salted, iterated hashing schemes to mitigate attacks modeled by researchers such as Ronald Rivest, Whitfield Diffie, and Martin Hellman. Attackers use cracking tools from the John the Ripper and hashcat communities; defenders respond with password policies and with the hash scheme and cost parameters encoded in each /etc/shadow line.
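The field layout and the `$id$` hash identifiers described in the two sections above, worked through in code. This is an added example, not code from the original article or from the shadow project: it parses constructed /etc/shadow records (the hash bodies are placeholders, not real digests), names the crypt(3) scheme from the identifier between the first two `$` characters, flags the fast legacy schemes, and classifies each account from its aging fields following the rules shadow(5) gives. `AUDIT_DATE`, `WEAK_SCHEMES` and the sample records are assumptions of the example.

```python
"""Parse /etc/shadow records, name the crypt(3) hash scheme and classify
account state from the aging fields. Added example with constructed
records; the hash bodies are placeholders, not real digests."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

EPOCH = date(1970, 1, 1)            # aging fields are day counts since this date
AUDIT_DATE = date(2025, 1, 1)       # assumed "today" so results are reproducible

# Identifier between the first two '$' of the password field -> scheme name
SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}
WEAK_SCHEMES = {"descrypt", "md5crypt"}   # fast hashes with no tunable cost

@dataclass
class ShadowEntry:
    name: str
    password: str
    last_change: Optional[int]   # days since EPOCH; 0 means "change at next login"
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[int]        # days since EPOCH; account unusable from this day on
    reserved: str

def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field.strip() else None

def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one record into its nine colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, password, *aging, reserved = fields
    return ShadowEntry(name, password, *map(_int_or_none, aging), reserved)

def hash_scheme(password: str) -> str:
    """Name the scheme of the password field; a leading '!' lock marker is ignored."""
    pw = password.lstrip("!")
    if pw in ("", "*"):
        return "none"                        # no hash stored at all
    if pw.startswith("$"):
        return SCHEMES.get(pw.split("$")[1], "unknown")
    return "descrypt"                        # legacy 13-character DES crypt

def account_status(entry: ShadowEntry, today: date) -> str:
    """Classify the account as a login on `today` would, per the shadow(5) rules."""
    now = (today - EPOCH).days
    if entry.expire is not None and now >= entry.expire:
        return "account-expired"
    if entry.password == "":
        return "no-password"                 # no credential required at all
    if entry.password.startswith(("!", "*")):
        return "locked"
    if entry.last_change == 0:
        return "must-change"
    if entry.last_change is not None and entry.max_days is not None:
        pw_expiry = entry.last_change + entry.max_days
        if now >= pw_expiry:
            if entry.inactive_days is not None and now >= pw_expiry + entry.inactive_days:
                return "inactive"            # grace period after expiry exhausted
            return "password-expired"
    return "active"

def audit(lines, today: date) -> List[Tuple[str, str, str, bool]]:
    """Return (name, scheme, status, uses_weak_scheme) for each record."""
    report = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        scheme = hash_scheme(e.password)
        report.append((e.name, scheme, account_status(e, today), scheme in WEAK_SCHEMES))
    return report

# Constructed sample records (day numbers chosen relative to AUDIT_DATE = day 20089).
SAMPLE = [
    "root:$6$rounds=5000$saltsalt$placeholderhash:19800:0:99999:7:::",
    "alice:$y$j9T$saltsalt$placeholderhash:20050:0:30:7:14::",     # expired 9 days ago
    "bob:!$6$saltsalt$placeholderhash:19500:0:99999:7:::",          # locked, hash kept
    "carol:$1$saltsalt$placeholderhash:20000:0:99999:7:::",         # weak md5crypt
    "dave::20000:0:99999:7:::",                                     # empty password
    "erin:$2b$12$placeholdersaltandhash:20000:0:99999:7::20000:",   # account expired
    "frank:$6$saltsalt$placeholderhash:0:0:99999:7:::",             # must change
]

if __name__ == "__main__":
    for row in audit(SAMPLE, AUDIT_DATE):
        print("%-6s scheme=%-12s status=%-16s weak=%s" % row)
```

Running the block over a real file requires reading it as root; the parser itself makes no privileged call. Note that `hash_scheme` strips the `!` lock marker deliberately, so a locked account whose hash was retained still shows which scheme protects it, while `account_status` treats the marker as a lock.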

Access Control and Permissions

Access to the file is restricted to prevent disclosure: typical permissions set the owner to root and the group to shadow or root, with mode bits such as 0400 or 0640 applied by the installers of distributions such as Debian and Arch Linux. System utilities including passwd (Unix), chage, and su (Unix) interact with the file under elevated privilege mediated by kernel mechanisms such as those of the Linux kernel, and by privilege frameworks exemplified by sudo. Enterprise identity systems at organizations including Microsoft (when interoperating with Samba (software)) or Oracle enforce additional directory- and file-level ACLs, integrated with SELinux and AppArmor mediation.
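A check for the ownership and mode profile just described, as an added example that is not part of the original article or of any distribution's tooling. `shadow_findings` compares a (owner, group, mode) triple against the profile the text gives (root-owned, group root or shadow, nothing wider than 0640), and `inspect_path` builds that triple from the live filesystem; the sample identities are constructed, and `MAX_MODE` and `ALLOWED_GROUPS` are assumptions of the example.

```python
"""Compare the ownership and mode of /etc/shadow against a narrow profile:
owned by root, group root or shadow, no access for 'others', no group write.
Added example; the sample identities below are constructed."""
import os
import stat
from typing import List, NamedTuple

class FileIdentity(NamedTuple):
    owner: str     # owning user name
    group: str     # owning group name
    mode: int      # permission bits only, e.g. 0o640

ALLOWED_GROUPS = {"root", "shadow"}
MAX_MODE = 0o640   # widest acceptable mode: owner rw, group r, others nothing

def shadow_findings(ident: FileIdentity) -> List[str]:
    """Return a list of problems; an empty list means the profile is satisfied."""
    problems = []
    if ident.owner != "root":
        problems.append(f"owner is {ident.owner}, expected root")
    if ident.group not in ALLOWED_GROUPS:
        problems.append(f"group is {ident.group}, expected one of {sorted(ALLOWED_GROUPS)}")
    # Any bit set outside MAX_MODE (group write, any 'other' bit, exec bits,
    # setuid/setgid/sticky) widens access beyond the profile.
    extra = ident.mode & 0o7777 & ~MAX_MODE
    if extra:
        shown = stat.filemode(stat.S_IFREG | ident.mode)    # e.g. -rw-r--r--
        problems.append(
            f"mode {shown} ({ident.mode:04o}) grants bits {extra:04o} beyond {MAX_MODE:04o}")
    return problems

def inspect_path(path: str = "/etc/shadow") -> FileIdentity:
    """Read the live identity of a file. stat() needs no read permission on the
    file itself, so this works unprivileged; pwd/grp make it Unix-only."""
    import grp, pwd
    st = os.stat(path)
    return FileIdentity(pwd.getpwuid(st.st_uid).pw_name,
                        grp.getgrgid(st.st_gid).gr_name,
                        stat.S_IMODE(st.st_mode))

# Constructed cases. Debian-family systems ship root:shadow 0640; Red Hat-family
# systems ship root:root 0000 (root bypasses discretionary permission checks).
SAMPLES = {
    "debian-style":   FileIdentity("root", "shadow", 0o640),
    "redhat-style":   FileIdentity("root", "root", 0o000),
    "world-readable": FileIdentity("root", "root", 0o644),
    "wrong-owner":    FileIdentity("admin", "shadow", 0o640),
    "group-writable": FileIdentity("root", "shadow", 0o660),
}

if __name__ == "__main__":
    for label, ident in SAMPLES.items():
        print(label, shadow_findings(ident) or "ok")
    try:
        print("live /etc/shadow:", shadow_findings(inspect_path()) or "ok")
    except (OSError, ImportError, KeyError) as exc:
        print("live check skipped:", exc)
```

The mask comparison deliberately reports any bit outside `MAX_MODE` rather than only the world-readable case, so an unexpected setgid bit or group-writable mode is caught by the same rule; a mode of 0000 passes because root's access does not depend on the mode bits.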

Management and Tools

Utilities and libraries that manage /etc/shadow include shadow-utils from the shadow (suite) project, pam_unix from PAM (Pluggable Authentication Modules), and administrative programs such as usermod, useradd, userdel, and chage. Configuration management tools from Red Hat Satellite, SUSE Manager, and open-source projects such as Salt (software) orchestrate changes. Backup and auditing integrate with solutions from Tripwire, auditd (the Linux Audit daemon), and enterprise suites from Splunk or ELK Stack.

Security Considerations

Compromise of the file enables offline password-cracking attacks, described in research from Moxie Marlinspike and in threat reports by CERT Coordination Center and US-CERT. Best practices from OWASP and guidelines from NIST recommend strong hashing (e.g., SHA-512, bcrypt), per-account salts, rate limiting via fail2ban, migration to federated authentication such as Kerberos or LDAP, and multi-factor authentication standards like those promoted by FIDO Alliance and IETF. Incident response groups from CERT/CC, SANS Institute, and ENISA discuss containment steps, while the patching and supply-chain controls advocated by CISA and ISO/IEC standards reduce exposure.

History and Variants

The split between identity and credential storage traces to early Unix, with administrative practices documented by vendors like AT&T and later expanded by BSD (operating system) variants. Implementations diverged across GNU/Linux distributions and BSD projects, producing related formats and mechanisms such as the shadowed password schemes of HP-UX, AIX, and Solaris (operating system), and replacements or supplements like the LDAP directories used by Red Hat Enterprise Linux and SUSE Linux Enterprise Server. Research on authentication formats by figures like Clifford Stoll and standards bodies such as IETF influenced the adoption of stronger hashing and the emergence of complementary systems like sssd and PAM modules.

Category:Unix files