SHADOW(5) Standards, Environments, and Macros SHADOW(5)


shadow - shadow password file


/etc/shadow is an access-restricted ASCII system file that stores users'
encrypted passwords and related information. The shadow file can be used
in conjunction with other shadow sources, including the NIS maps
passwd.byname and passwd.byuid. Programs use the getspnam(3C) routines
to access this information.

The fields for each user entry are separated by colons. Each user is
separated from the next by a newline. Unlike the /etc/passwd file,
/etc/shadow does not have general read permission.

Each entry in the shadow file has the form:


The fields are defined as follows:

The user's login name (UID).

An encrypted password for the user generated by crypt(3C), a
lock string to indicate that the login is not accessible, or
no string, which shows that there is no password for the

The lock string is defined as *LK* in the first four
characters of the password field.

The number of days between January 1, 1970, and the date that
the password was last modified. The lastchg value is a
decimal number, as interpreted by strtol(3C).

The minimum number of days required between password changes.
This field must be set to 0 or above to enable password

The maximum number of days the password is valid.

The number of days before password expires that the user is

The number of days of inactivity allowed for that user. This
is counted on a per-machine basis; the information about the
last login is taken from the machine's lastlog file.

An absolute date expressed as the number of days since the
Unix Epoch (January 1, 1970). When this number is reached the
login can no longer be used. For example, an expire value of
13514 specifies a login expiration of January 1, 2007.

Failed login count in low order four bits; remainder reserved
for future use, set to zero.

A value of -1 for min, max, or warn disables password aging.

The encrypted password consists of at most CRYPT_MAXCIPHERTEXTLEN
characters chosen from a 64-character alphabet (., /, 0-9, A-Z, a-z). Two
additional special characters, "$" and ",", can also be used and are
defined in crypt(3C). To update this file, use the passwd(1), useradd(8),
usermod(8), or userdel(8) commands.

In order to make system administration manageable, /etc/shadow entries
should appear in exactly the same order as /etc/passwd entries; this
includes ``+'' and ``-'' entries if the compat source is being used (see

Values for the various time-related fields are interpreted as Greenwich
Mean Time.


shadow password file

password file

name-service switch configuration file

time of last login


See attributes(7) for descriptions of the following attributes:

|Interface Stability | Stable |


login(1), passwd(1), crypt(3C), crypt_gensalt(3C), getspnam(3C),
putspent(3C), strtol(3C), nsswitch.conf(5), passwd(5), attributes(7),
pam_unix_account(7), pam_unix_auth(7), useradd(8), userdel(8), usermod(8)


If password aging is turned on in any name service the passwd: line in
the /etc/nsswitch.conf file must have a format specified in the
nsswitch.conf(5) man page.

If the /etc/nsswitch.conf passwd policy is not in one of the supported
formats, logins will not be allowed upon password expiration, because the
software does not know how to handle password updates under these
conditions. See nsswitch.conf(5) for additional information.

February 25, 2017 SHADOW(5)