shadow(4) File Formats shadow(4)
shadow - shadow password file
/etc/shadow is an access-restricted ASCII system file that stores
users' encrypted passwords and related information. The shadow file can
be used in conjunction with other shadow sources, including the NIS
maps passwd.byname and passwd.byuid and the NIS+ table passwd. Programs
use the getspnam(3C) routines to access this information.
The fields for each user entry are separated by colons. Each user is
separated from the next by a newline. Unlike the /etc/passwd file,
/etc/shadow does not have general read permission.
Each entry in the shadow file has the form:
The fields are defined as follows:
username    The user's login name (UID).

password    An encrypted password for the user generated by
            crypt(3C), a lock string to indicate that the login is
            not accessible, or no string, which shows that there is
            no password for the login.

            The lock string is defined as *LK* in the first four
            characters of the password field.

lastchg     The number of days between January 1, 1970, and the
            date that the password was last modified.

min         The minimum number of days required between password
            changes. This field must be set to 0 or above to enable

max         The maximum number of days the password is valid.

warn        The number of days before password expires that the
            user is warned.

inactive    The number of days of inactivity allowed for that user.
            This is counted on a per-machine basis; the information
            about the last login is taken from the machine's last-

expire      An absolute date specifying when the login may no
            longer be used.

flag        Failed login count in low order four bits; remainder
            reserved for future use, set to zero.
The encrypted password consists of at most CRYPT_MAXCIPHERTEXTLEN
characters chosen from a 64-character alphabet (., /, 0-9, A-Z, a-z). Two
additional special characters, "$" and ",", can also be used and are
defined in crypt(3C). To update this file, use the passwd(1),
useradd(1M), usermod(1M), or userdel(1M) commands.
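The following auditing sketch is an added example, not part of the original man page or of Solaris. It parses entries using the field order of the list above and reports accounts with no password, the *LK* lock string, a password field outside the crypt(3C) alphabet, an expired password, or a non-zero failed-login count. The function names, the finding labels, and the treatment of an empty or negative numeric field as "not set" are assumptions; the sample entries are constructed.

```python
import re
from datetime import date

FIELDS = "username password lastchg min max warn inactive expire flag".split()
# Alphabet the page gives for crypt(3C) output, plus "$" and ",".
HASH_RE = re.compile(r"[./0-9A-Za-z$,]+")

def parse_entry(line):
    """Split one shadow line into its nine colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    for name in FIELDS[2:]:
        # Assumption: an empty numeric field means "not set".
        entry[name] = int(entry[name]) if entry[name] else None
    return entry

def password_state(pw):
    """Classify the password field: empty, lock string, or hash."""
    if pw == "" or pw.startswith("*LK*"):
        return "locked" if pw else "no-password"
    return "hashed" if HASH_RE.fullmatch(pw) else "not-a-hash"

def audit(lines, today):
    """Return (username, finding) pairs for entries worth reviewing."""
    now = (today - date(1970, 1, 1)).days  # same day count as lastchg
    findings = []
    for e in map(parse_entry, lines):
        state = password_state(e["password"])
        lastchg, mx = e["lastchg"], e["max"]
        if state != "hashed":
            findings.append((e["username"], state))
        # Assumption: aging is checked only when lastchg and max are set.
        elif lastchg is not None and mx is not None and 0 <= mx < now - lastchg:
            findings.append((e["username"], "password-expired"))
        failed = (e["flag"] or 0) & 0xF  # failed-login count: low four bits
        if failed:
            findings.append((e["username"], f"failed-logins={failed}"))
    return findings

# Constructed sample entries; the hash string is a made-up placeholder.
SAMPLE = [
    "root:$5$constructedsalt$notarealhashvalue0000:19700:7:90:14:::",
    "alice:$5$constructedsalt$notarealhashvalue0000:19000:7:90:14:::3",
    "daemon:*LK*:::::::",
    "guest::19700::::::",
    "svc:x!bad:19700::::::",
]
```

Calling audit(SAMPLE, date(2024, 1, 1)) evaluates the constructed entries against day 19723 since January 1, 1970.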
In order to make system administration manageable, /etc/shadow entries
should appear in exactly the same order as /etc/passwd entries; this
includes ``+'' and ``-'' entries if the compat source is being used
/etc/shadow shadow password file
/etc/passwd password file
/etc/nsswitch.conf name-service switch configuration file
/var/adm/lastlog time of last login
login(1), passwd(1), useradd(1M), userdel(1M), usermod(1M), crypt(3C),
crypt_gensalt(3C), getspnam(3C), putspent(3C), nsswitch.conf(4),
passwd(4), pam_unix_account(5), pam_unix_auth(5)
If password aging is turned on in any name service the passwd: line in
the /etc/nsswitch.conf file must have a format specified in the
nsswitch.conf(4) man page.
If the /etc/nsswitch.conf passwd policy is not in one of the supported
formats, logins will not be allowed upon password expiration because
the software does not know how to handle password updates under these
conditions. See nsswitch.conf(4) for additional information.
SunOS 5.10 10 Mar 2004 shadow(4)