90 lines
2.8 KiB
Groff
90 lines
2.8 KiB
Groff
.\" Copyright 1991 UNIX System Laboratories, Inc.
|
|
.\" Copyright 1989, 1990 AT&T
|
|
.nr X
|
|
.if \nX=0 .ds x} shadow 4 "" "\&"
|
|
.TH \*(x}
|
|
.SH NAME
|
|
\f4shadow\f1 \- shadow password file
|
|
.SH DESCRIPTION
|
|
\f4/etc/shadow\f1
|
|
is an access-restricted ASCII system file.
|
|
The fields for each user entry are separated by colons.
|
|
Each user is separated from the next by a newline.
|
|
Unlike the \f4/etc/passwd\f1 file, \f4/etc/shadow\f1 does
|
|
not have general read permission.
|
|
To create \f4/etc/shadow\f1
|
|
from \f4/etc/passwd\f1 use the \f4pwconv\f1 command (see \f4pwconv\f1(1M)).
|
|
.PP
|
|
Here are the fields in \f4/etc/shadow\fP:
|
|
.TP 12
|
|
\f2username\f1
|
|
The user's login name (ID).
|
|
.TP
|
|
\f2password\f1
|
|
A 13-character encrypted password for the user, a \f2lock\f1 string
|
|
to indicate that the login is not accessible, or no string to show
|
|
that there is no password for the login.
|
|
.TP
|
|
\f2lastchanged\f1
|
|
The number of days between January 1, 1970 and the date that the
|
|
password was last modified.
|
|
.TP
|
|
\f2minimum\f1
|
|
The minimum number of days required between password changes.
|
|
This field is set by \f4passwd -n\fP.
|
|
.TP
|
|
\f2maximum\f1
|
|
The maximum number of days the password is valid.
|
|
This field is set by \f4passwd -m\fP.
|
|
.TP
|
|
\f2warn\f1
|
|
The number of days before that password expires that the user is warned.
|
|
This field is set by \f4passwd -w\fP.
|
|
.TP
|
|
\f2inactive\f1
|
|
The number of days of inactivity allowed for that user.
|
|
This field is set by \f4passmgmt -f days\fP.
|
|
.TP
|
|
\f2expire\f1
|
|
An absolute date when the login can no longer be used,
|
|
specified in \f2days\f1 since the epoch (January 1, 1970).
|
|
This field is set by \f4passmgmt -e when\fP, where the \f4when\fP argument
|
|
is used as an input string to \f4getdate\fP(3). \f4passmgmt\fP converts
|
|
this to the days since the epoch value.
|
|
.TP
|
|
\f2flag\f1
|
|
Reserved for future use; set to zero.
|
|
Currently not used.
|
|
.PP
|
|
The encrypted password consists of 13 characters chosen from a 64-character
|
|
alphabet
|
|
\f1(\f4.\f1, \f4/\f1,
|
|
\f40\-9\f1, \f4A\-Z\f1, \f4a\-z\f1).
|
|
.PP
|
|
To update this file, use the \f4passwd\f1 command.
|
|
.PP
|
|
One way of determining the number of days since the epoch:
|
|
.RS
|
|
.sp
|
|
% perl -e 'print int(time/(60*60*24))'
|
|
.SH FILES
|
|
\f4/etc/shadow\fP
|
|
.SH "SEE ALSO"
|
|
login(1),
|
|
passmgmt(1M),
|
|
passwd(1),
|
|
pwconv(1M),
|
|
getspent(3C),
|
|
putspent(3C),
|
|
passwd(4).
|
|
.SH NOTES
|
|
The shadow file can be served through NIS but that should only be done
|
|
if the appropriate attributes in \fBnsd\fP are set correctly for that map:
|
|
the \fBnis_secure\fP attribute (see \fBnisserv(7)\fP) should be turned
|
|
on and the \fBmode\fP attribute (see \fBnsd(1M)\fP) should be set to
|
|
0700. Failing to do so introduces a security hole by allowing any user
|
|
to view entries from the shadow file. This map is not built by default
|
|
in mdbm_parse. Ypmake needs to be called with the explicite map name
|
|
\fBshadow\fP. Also a line would need to be added to the servers nsswitch.conf
|
|
file to allow serving the shadow map.
|