Viewing and Reading /etc/shadow Entries

• The /etc/shadow file can be overwhelming to read at first, but once you understand the format, it can be easy to read and understand.

• An average shadow file entry follows this format:

  • username:$algorithm_id$hash_salt$hashed_password:Last_Password_Change:min_btwn_passchanges:max_btwn_passchanges:days_b4_warn:days_b4_account_disabled_after_passexpires:days_to_account_expire```
    • A $ is used to separate each field
  • An example shadow entry with that format is galadriel:$6$poPWvLT/CfA/sxS/$lHbu1oMqRV2aM18fkFPbJw25U2.POqhonSmaUpbzPIPVKl2IxS86Qq8q9v3fYu5Y6qlWwbmqekbL3g1vtPmlQ/:19143:0:99999:7:::
  • In this entry:
    • galadriel: is the user
    • 6: is the hashing algorithm id
    • poPWvLT/CfA/sxS/: is the salt
    • lHbu1oMqRV2aM18fkFPbJw25U2.POqhonSmaUpbzPIPVKl2IxS86Qq8q9v3fYu5Y6qlWwbmqekbL3g1vtPmlQ/: is the hashed password
    • 19143: is the days since the last password change
    • 0: is the minimum number of days between password changes
    • 99999: is the maximum days between password changes
    • 7: is the number if days before the password expires that the user will be warned

• Other fields can be added to a shadow entry

• For example the "rounds" field can be added, which says how many rounds were used when hashing the password.

• The following entry shows the same shadow entry with the rounds field included: galadriel:$6$rounds=1000$poPWvLT/CfA/sxS/$lHbu1oMqRV2aM18fkFPbJw25U2.POqhonSmaUpbzPIPVKl2IxS86Qq8q9v3fYu5Y6qlWwbmqekbL3g1vtPmlQ/:19143:0:99999:7:::

Hashing Algorithm IDs

• $1$: is MD5
• $2a$: is Blowfish
• $2y$: is Blowfish
• $5$: is SHA-256
• $6$: is SHA-512