
FreeBSD Manual Pages


shadow(4)							     shadow(4)

       shadow -	shadow password	file

       /etc/shadow  is	an  access-restricted  ASCII  system  file that	stores
       users' encrypted	passwords and related information. The shadow file can
       be  used	 in  conjunction  with other shadow sources, including the NIS
       maps passwd.byname and passwd.byuid and the NIS+	table passwd. Programs
       use the getspnam(3C) routines to	access this information.

       The  fields  for	 each user entry are separated by colons. Each user is
       separated from the next by a  newline.  Unlike  the  /etc/passwd	 file,
       /etc/shadow does	not have general read permission.

       Each entry in the shadow	file has the form:


       The fields are defined as follows:

       username	       The user's login	name (UID).

       password	       An   encrypted  password	 for  the  user	 generated  by
		       crypt(3C), a lock string	to indicate that the login  is
		       not accessible, or no string, which shows that there is
		       no password for the login.

		       The lock	string is defined as *LK* in  the  first  four
		       characters of the password field.

       lastchg	       The  number  of	days  between January 1, 1970, and the
		       date that the password was last modified.  The  lastchg
		       value is	a decimal number, as interpreted by atol(3C).

       min	       The  minimum  number  of	days required between password
		       changes.	This field must	be set to 0 or above to	enable
		       password	aging.

       max	       The maximum number of days the password is valid.

       warn	       The  number  of	days  before password expires that the
		       user is warned.

       inactive	       The number of days of inactivity allowed for that user.
		       This is counted on a per-machine basis; the information
		       about the last login is taken from the machine's
		       lastlog file.

       expire	       An  absolute date expressed as the number of days since
		       the Unix	Epoch (January 1, 1970). When this  number  is
		       reached	the  login can no longer be used. For example,
		       an expire value of 13514	specifies a  login  expiration
		       of January 1, 2007.

       flag	       Failed  login  count  in	low order four bits; remainder
		       reserved	for future use,	set to zero.

       A value of -1 for min, max, or warn disables password aging.

       The encrypted password consists of at most CRYPT_MAXCIPHERTEXTLEN
       characters chosen from a 64-character alphabet (., /, 0-9, A-Z, a-z).
       Two additional special characters, "$" and ",", can also be used and
       are defined in crypt(3C). To update this file, use the passwd(1),
       useradd(1M), usermod(1M), or userdel(1M) commands.

       In order	to make	system administration manageable, /etc/shadow  entries
       should  appear  in  exactly the same order as /etc/passwd entries; this
       includes	``+'' and ``-''	entries	if the compat  source  is  being  used
       (see nsswitch.conf(4)).

       Values for the various time-related fields are interpreted as Greenwich
       Mean Time.

       /etc/shadow	       shadow password file

       /etc/passwd	       password	file

       /etc/nsswitch.conf      name-service switch configuration file

       /var/adm/lastlog	       time of last login

       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
       |Interface Stability	     |Stable			   |

       login(1), passwd(1), useradd(1M), userdel(1M), usermod(1M), atol(3C),
       crypt(3C), crypt_gensalt(3C), getspnam(3C), putspent(3C),
       nsswitch.conf(4), passwd(4), attributes(5), pam_unix_account(5),

       If password aging is turned on in any name service, the passwd: line
       in the /etc/nsswitch.conf file must have a format specified in the
       nsswitch.conf(4) man page.

       If  the /etc/nsswitch.conf passwd policy	is not in one of the supported
       formats,	logins will not	be allowed upon	password  expiration,  because
       the  software  does not know how	to handle password updates under these
       conditions. See nsswitch.conf(4)	for additional information.

				  15 Sep 2005			     shadow(4)

