NAME
shadow — shadow password file
DESCRIPTION
The /etc/shadow file is created from the /etc/passwd file by the pwconv command. It is readable only by a privileged user. It can be modified by the passwd, useradd, usermod, and userdel commands.
Programs may use the interfaces described in the getspent(3C) manpage to access this information. These functions return a pointer to an spwd structure, which is defined in the <shadow.h> header file.
Fields
The /etc/shadow file is an ASCII file consisting of any number of user entries separated by newlines. Each user entry line consists of the following fields separated by colons:
- login name
Each login name must match a login name in /etc/passwd. pwconv puts the user entries in /etc/shadow in the same order as the /etc/passwd entries.
- encrypted password
The password field of each /etc/passwd entry contains an `x', and the actual encrypted passwords reside in /etc/shadow. The encrypted password field consists of 13 characters chosen from a 64-character set of "digits". The characters used to represent "digits" are . for 0, / for 1, 0 through 9 for 2 through 11, A through Z for 12 through 37, and a through z for 38 through 63. If this field is null, then there is no password and no password is demanded on login. Login can be prevented by entering a character that is not a part of the set of digits (such as *).
- last change
The number of days since January 1, 1970 that
the password was last modified.
- min days
The minimum period in days that must expire before the password can be changed. See also PASSWORD_MINDAYS in security(4) and the passwd -n command in passwd(1).
- max days
The maximum number of days for which a password is valid. A user who attempts to login after his password has expired is forced to supply a new one. If min days and max days are both zero, the user is forced to change his password the next time he logs in. If min days is greater than max days, then the password cannot be changed. These restrictions do not apply to the superuser. See also PASSWORD_MAXDAYS in security(4) and the passwd -x command in passwd(1).
- warn days
The number of days the user is warned before his password expires. See also PASSWORD_WARNDAYS in security(4) and the passwd -w command in passwd(1).
- inactivity
The maximum number of days of inactivity allowed. This field is set with the -f option of either the useradd or usermod command. If this value is greater than zero, then the account is locked if there have been no logins to the account for at least the specified number of days. If this value is less than or equal to zero, the value is determined by the INACTIVITY_MAXDAYS attribute. See the description of INACTIVITY_MAXDAYS in security(4).
- expiration
The absolute number of days since Jan 1, 1970 after which the
account is no longer valid.
A value of zero in this field indicates that the account
is locked.
- reserved
The reserved field is always zero and is reserved for future use.
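
The field rules above, applied as an audit check (an added example, not part of the original manpage or of HP-UX). The finding names, the unexpected-length check and the treatment of empty numeric fields as unset are assumptions of this example; hash formats other than the 13-character one described here are not considered.

```python
# Added example: flags entries using only the field rules stated on this page.
DIGITS = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
FIELDS = ("login", "password", "last_change", "min_days", "max_days",
          "warn_days", "inactivity", "expiration", "reserved")

def parse_entry(line):
    """Split one entry line into its nine colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected 9 fields, got %d" % len(parts))
    return dict(zip(FIELDS, parts))

def audit_entry(entry):
    """Return the list of findings for one parsed entry."""
    findings = []
    pw = entry["password"]
    if pw == "":
        findings.append("no-password")        # null field: no password demanded
    elif any(c not in DIGITS for c in pw):
        findings.append("login-prevented")    # character outside the set, e.g. *
    elif len(pw) != 13:
        findings.append("unexpected-length")  # this example's own sanity check
    lo, hi = entry["min_days"], entry["max_days"]
    if lo and hi:                             # assumption: empty means unset
        if int(lo) == 0 and int(hi) == 0:
            findings.append("change-at-next-login")
        elif int(lo) > int(hi):
            findings.append("password-unchangeable")
    if entry["expiration"] == "0":
        findings.append("account-locked")     # zero expiration: account locked
    return findings

def audit(text):
    """Map login name -> findings, for entries that have any."""
    pairs = ((e["login"], audit_entry(e))
             for e in map(parse_entry, filter(str.strip, text.splitlines())))
    return {login: found for login, found in pairs if found}

# Constructed sample entries, not taken from a real system.
SAMPLE = """\
root:Ab3dEfGh1jK.m:15000:7:90:7:30::0
guest::15000:0:90:7:::0
daemon:*:15000:0:0:::0:0
alice:Zy9xWv8uTs7rQ:15000:30:14:7:::0
"""

if __name__ == "__main__":
    for login, found in audit(SAMPLE).items():
        print(login, ", ".join(found))
```
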
Notes
The /etc/shadow file is not applicable to a system which has been converted to a trusted system.
WARNINGS
HP-UX 11i Version 3 is the last release to support
trusted systems functionality.
FILES
- /etc/passwd
system password file
- /etc/shadow
shadow password file
SEE ALSO
login(1), passwd(1), pwconv(1M), pwunconv(1M), useradd(1M), userdel(1M), usermod(1M), crypt(3C), getspent(3C), putspent(3C), nsswitch.conf(4), passwd(4), security(4).