Friday, October 1, 2010

/etc/shadow file.

Hardening guidelines for /etc/shadow files are as follows.

1) It should be owned by root and have permissions of 600 or more restrictive.
# ls -l /etc/shadow
-r-------- 1 root root 890 Sep 28 05:29 /etc/shadow
In the above case the file is even more restrictive, i.e. 400: by default not even root is given write access.

2) Each line must contain a unique user name, and the file should not contain any blank lines.
3) The first two fields, i.e. username and password, should not be blank.
4) The password field should be more than 13-24 characters long.


A password field beginning with "$1$" means the MD5-based algorithm was used to hash the password.
5) Password for root account should not be assigned to any other account.
6) All locked accounts must have a single exclamation mark "!" as the first character of the password field.

For example, the following are some lines from the /etc/shadow file.


Their counterparts in the /etc/passwd file:
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

Here is the status of each username:

# passwd -S vcsa
vcsa LK 2010-09-14 0 99999 7 -1 (Password locked.)
# passwd -S sshd
sshd LK 2010-09-14 0 99999 7 -1 (Password locked.)
# passwd -S ftp
ftp LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
# passwd -S nobody
nobody LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
# passwd -S bkpadmin
bkpadmin PS 2010-09-30 0 99999 7 -1 (Password set, MD5 crypt.)

Status of the password:

PS = Passworded
LK = Locked
NP = No Password

As you can see, vcsa and sshd both have "!" as the first character of the password field (2nd field). This is confirmed by the output of passwd -S.

7) Application accounts which are not locked must contain only an asterisk "*" in the password field.
For example:


The above users are used by applications and are therefore locked, but an alternate authentication scheme is used for them.
# passwd -S ftp
ftp LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
# passwd -S nobody
nobody LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
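To turn the guidelines above into something you can run against a host, here is an added audit script (my example, not part of the original post). It checks ownership and mode (guideline 1), blank lines, duplicate or empty usernames, empty password fields, field length, "!"/"*" locked or application accounts, and reuse of root's hash; the SAMPLE_SHADOW lines are constructed for the demonstration and are not from any real system.

```python
def check_shadow_perms(uid, mode):
    """Guideline 1: owned by root (uid 0) and mode 600 or tighter.
    On a live host pass os.stat(path).st_uid and stat.S_IMODE(st.st_mode)."""
    findings = []
    if uid != 0:
        findings.append(f"owner uid {uid} is not root")
    if mode & ~0o600:  # any permission bit outside rw------- is set
        findings.append(f"mode {oct(mode)} is looser than 600")
    return findings

def audit_shadow_lines(lines):
    """Guidelines 2-7 over the lines of a shadow file; returns human-readable findings."""
    findings, seen, hashed = [], set(), []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            findings.append(f"line {n}: blank line")
            continue
        fields = line.rstrip("\n").split(":")
        if len(fields) != 9 or not fields[0]:  # shadow(5) has exactly 9 colon-separated fields
            findings.append(f"line {n}: malformed entry or empty username")
            continue
        name, pw = fields[0], fields[1]
        if name in seen:
            findings.append(f"line {n}: duplicate username {name!r}")
        seen.add(name)
        if pw == "":
            findings.append(f"line {n}: {name} has an empty password field")
        elif pw.startswith(("!", "*")):
            pass  # "!" prefix = locked, "*" = no password login (passwd -S shows LK)
        elif len(pw) < 13:
            findings.append(f"line {n}: {name} password field shorter than 13 characters")
        else:
            hashed.append((n, name, pw))
    # Guideline 5: root's hash must not appear on any other account
    root_hash = next((pw for _, name, pw in hashed if name == "root"), None)
    for n, name, pw in hashed:
        if name != "root" and pw == root_hash:
            findings.append(f"line {n}: {name} shares root's password hash")
    return findings

SAMPLE_SHADOW = [  # constructed sample lines, not taken from any real system
    "root:$1$abcdefgh$0123456789abcdefghijkl:18535:0:99999:7:::",      # "$1$" = MD5 crypt
    "vcsa:!!:18519:0:99999:7:::",                                       # locked (LK)
    "ftp:*:18519:0:99999:7:::",                                         # application account
    "bkpadmin:$1$abcdefgh$0123456789abcdefghijkl:18535:0:99999:7:::",  # reuses root's hash
    "bkpadmin:$1$zzzzzzzz$0123456789abcdefghijkl:18535:0:99999:7:::",  # duplicate username
    "guest::18535:0:99999:7:::",                                        # empty password
    "",                                                                 # blank line
]
```

Run audit_shadow_lines(open("/etc/shadow").read().split("\n")) as root to audit a real file; the sample above yields four findings (duplicate bkpadmin, empty guest password, the blank line, and bkpadmin sharing root's hash).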

More on this soon...


  1. Could you advise what the use of /etc/passwd- and /etc/shadow- is?

  2. In all Unix-like operating systems, the shadow password mechanism is used to add another level of security to passwords.
    Compare the /etc/passwd and /etc/shadow files:

    # ls -ltr /etc/passwd
    -rw-r--r-- 1 root root 1336 May 20 2010 /etc/passwd
    # ls -ltr /etc/shadow
    -r-------- 1 root root 888 Oct 21 11:40 /etc/shadow

    You can see that only root is allowed to read the shadow file.
    If you maintain your passwords in /etc/passwd then they become readable by everyone. However, when the shadow file is used, only the letter x is displayed in place of the password and the original password is maintained in the shadow file in encrypted format.

    You can get more information here

  3. This comment has been removed by the author.

  4. Application accounts which are not locked must contain only an asterisk "*" in the Passwd field.

    Command to change accounts to '*'?

  5. This comment has been removed by the author.

  6. You may like to view this.
