Creating a Shadow Password File

A "shadow" password file is simply a copy of the standard password file that non-privileged users cannot read. In the standard configuration, the /etc/passwd file is publicly readable. Since /etc/passwd then contains the encrypted (one-way hashed) password of every user, anyone with an account can make a copy of the file and attempt to recover the passwords offline for malicious purposes. By using a shadow password file, you deny intruders the encrypted passwords they would need to make such an attempt.

The shadow password file is called /etc/shadow. Once shadow passwords have been initialized, the password field of each /etc/passwd entry is replaced by a single "x" character, and the encrypted password itself is kept only in the corresponding /etc/shadow entry.

To initialize /etc/shadow (and thus enable shadow passwords), run the pwconv(1M) command. Once this command has been run, shadow passwords are in effect. All standard password tools work transparently with shadow passwords. The difference should not be noticeable to your users, except that they can no longer see the encrypted passwords in the /etc/passwd file.
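The following program is an added example, not part of the IRIX documentation or of pwconv itself. It checks what pwconv should have left behind: every /etc/passwd entry carries the "x" placeholder in its password field, and /etc/shadow is owned by root and not readable by group or others. The file paths are parameters so the checks can be run against constructed sample files; the sample entries and the EXAMPLEHASH values are made up for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Count entries in a passwd-format file whose password field is not the
   "x" placeholder written by pwconv. Returns -1 if the file cannot be opened. */
int count_unshadowed_entries(const char *passwd_path)
{
    FILE *fp = fopen(passwd_path, "r");
    char line[1024];
    int unshadowed = 0;

    if (fp == NULL)
        return -1;
    while (fgets(line, sizeof line, fp) != NULL) {
        char *pw, *end;
        size_t len;

        line[strcspn(line, "\n")] = '\0';   /* drop the trailing newline */
        pw = strchr(line, ':');             /* skip field 1, the login name */
        if (pw == NULL)
            continue;                       /* malformed line: ignore it */
        pw++;
        end = strchr(pw, ':');              /* end of field 2, the password */
        len = end ? (size_t)(end - pw) : strlen(pw);
        if (!(len == 1 && pw[0] == 'x'))
            unshadowed++;
    }
    fclose(fp);
    return unshadowed;
}

/* Problem bitmask for the shadow file: bit 1 set if it is not owned by root,
   bit 2 set if group or others have any access. Returns -1 if stat fails. */
int shadow_file_problems(const char *shadow_path)
{
    struct stat st;
    int problems = 0;

    if (stat(shadow_path, &st) != 0)
        return -1;
    if (st.st_uid != 0)
        problems |= 1;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        problems |= 2;
    return problems;
}

/* Write constructed sample files (not real system data) so the checks can be
   exercised offline. With shadowed == 0 one entry keeps its encrypted
   password in the passwd file, as it would before pwconv. Returns 0 on success. */
int write_sample_files(const char *passwd_path, const char *shadow_path, int shadowed)
{
    FILE *fp = fopen(passwd_path, "w");
    if (fp == NULL)
        return -1;
    fputs("root:x:0:0:Super-User:/:/bin/sh\n", fp);
    fputs(shadowed ? "guest:x:998:998:Guest Account:/usr/people/guest:/bin/sh\n"
                   : "guest:EXAMPLEHASH00:998:998:Guest Account:/usr/people/guest:/bin/sh\n", fp);
    fclose(fp);

    remove(shadow_path);                    /* an earlier 0400 copy would block fopen */
    fp = fopen(shadow_path, "w");
    if (fp == NULL)
        return -1;
    fputs("root:EXAMPLEHASH01:6445::::::\n", fp);    /* constructed shadow entries */
    fputs("guest:EXAMPLEHASH00:6445::::::\n", fp);
    fclose(fp);
    return chmod(shadow_path, 0400);        /* readable by root only */
}

int main(int argc, char **argv)
{
    const char *passwd = argc > 1 ? argv[1] : "/etc/passwd";
    const char *shadow = argc > 2 ? argv[2] : "/etc/shadow";
    int n = count_unshadowed_entries(passwd);
    int p = shadow_file_problems(shadow);

    printf("%s: %d entries without the \"x\" placeholder\n", passwd, n);
    if (p < 0)
        printf("%s: cannot stat (has pwconv been run?)\n", shadow);
    else
        printf("%s: %s%s\n", shadow,
               (p & 1) ? "not owned by root " : "",
               (p & 2) ? "readable by group or others" : (p ? "" : "permissions OK"));
    return (n == 0 && p == 0) ? 0 : 1;
}
```

Run it as root with no arguments after pwconv; a non-zero count or any reported permission problem means the encrypted passwords are still exposed to non-privileged users.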

One difference in system operation is that older applications no longer get the real encrypted password in the pw_passwd field returned by the getpwent(3C) and getpwnam(3C) library calls; they get the "x" placeholder instead. This primarily affects "screen saver" programs, which need the encrypted password to verify the user when unlocking, unless they run with root privileges and can therefore read /etc/shadow.
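As an added illustration (not code from the IRIX documentation or from any screen saver), the program below shows how an application that verifies passwords should cope with this change: read pw_passwd from getpwnam(3C), and when it holds the placeholder fall back to getspnam(3C) from <shadow.h>, which fails for a process that is not root. The function names are this example's own; the assumption is that <shadow.h> and getspnam are available, as they are on IRIX and on glibc systems.

```c
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>

/* 1 if a pw_passwd value is the placeholder left by pwconv, else 0. */
int is_shadow_placeholder(const char *pw_passwd)
{
    return pw_passwd != NULL && strcmp(pw_passwd, "x") == 0;
}

/* Fetch the encrypted password for `user`: first from getpwnam(3C); if that
   holds the placeholder, from getspnam(3C), which only a root process can use.
   Returns 0 with the hash copied into buf, -1 if the user does not exist,
   -2 if the hash is shadowed and this process may not read it. */
int get_password_hash(const char *user, char *buf, size_t buflen)
{
    struct passwd *pw = getpwnam(user);
    const char *hash;

    if (pw == NULL)
        return -1;
    hash = pw->pw_passwd;
    if (is_shadow_placeholder(hash)) {
        struct spwd *sp;
        errno = 0;
        sp = getspnam(user);            /* typically fails with EACCES when not root */
        if (sp == NULL || sp->sp_pwdp == NULL)
            return -2;
        hash = sp->sp_pwdp;
    }
    if (hash == NULL || buflen == 0)
        return -2;
    strncpy(buf, hash, buflen - 1);
    buf[buflen - 1] = '\0';
    return 0;
}

/* Status-only wrapper for callers that do not need the hash itself. */
int hash_lookup_status(const char *user)
{
    char buf[256];
    return get_password_hash(user, buf, sizeof buf);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    char buf[256];
    int rc = get_password_hash(user, buf, sizeof buf);

    switch (rc) {
    case 0:
        printf("%s: encrypted password is available (%zu chars)\n", user, strlen(buf));
        break;
    case -1:
        printf("%s: no such user\n", user);
        break;
    default:
        /* A screen saver reaching this point must refuse to unlock rather
           than treat an unreadable hash as "no password set". */
        printf("%s: password is shadowed and this process cannot read /etc/shadow (errno %d)\n",
               user, errno);
    }
    return rc == 0 ? 0 : 1;
}
```

Run as a non-privileged user on a system where pwconv has been run, the lookup reports status -2; the same program run as root gets the encrypted password from /etc/shadow. The important design point is in the default branch: a failed shadow lookup must be treated as "cannot verify", never as "no password".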

Note: Shadow passwords work differently with NIS. See the shadow(4) reference page for details on the use of shadow passwords with NIS.
