https://hackepedia.org/index.php?action=history&feed=atom&title=Shadow_passwordsShadow passwords - Revision history2026-05-08T18:07:30ZRevision history for this page on the wikiMediaWiki 1.45.3https://hackepedia.org/index.php?title=Shadow_passwords&diff=3611&oldid=prevHawson: Initial version2007-05-14T19:31:15Z<p>Initial version</p>
<p><b>New page</b></p><div>Shadow passwords are an extension to storing all account information in the <code>/etc/passwd</code> file. Originally, the encrypted passwords for all accounts were kept in the 2nd field of <code>/etc/passwd</code>. Since this file needs to be world-readable in order to obtain information about accounts (including the username, [[UID]], primary [[GID]], [[GECOS]] information, home directory, and user shell), it meant that the encrypted passwords were also viewable. This provided a very nice known-ciphertext attack vector.<br />
<br />
An extenstion was developed that addressed this insecurity, and added password and account aging abilities as well. All modern *nix distributions support shadow passwords, in addition to original method.<br />
<br />
Aside from re-writing the [[PAM]] code, the main userspace change is the addition of <code>/etc/shadow</code>, and several tools for manipulating this file. Unlike <code>/etc/passwd</code>, the <code>/etc/shadow</code> file must not be world-readable (suggested mode is 600). Of course, this means that all programs that read and write this file must be either [[setuid]], or run by the root user; this includes common "user" programs such as "passwd".<br />
<br />
This file stores the data for the following struct:<br />
<br />
<pre>struct spwd {<br />
char *sp_namp; /* user login name */<br />
char *sp_pwdp; /* encrypted password */<br />
long sp_lstchg; /* last password change */<br />
int sp_min; /* days until change allowed. */<br />
int sp_max; /* days before change required */<br />
int sp_warn; /* days warning for expiration */<br />
int sp_inact; /* days before account inactive */<br />
int sp_expire; /* date when account expires */<br />
int sp_flag; /* reserved for future use */<br />
}</pre><br />
<br />
The timing of the dates and times stored here can cause some confusion. The following timeline should help show when things occur:<br />
<br />
[[image:Shadow_pw.png|Shadow password timeline]]<br />
<br />
'''N.B.: The "account expire" date can occur anywhere, including before the password expiration, password last-change, and account inactive dates.'''</div>Hawson