shadow(4)

NAME
     shadow - shadow password file

DESCRIPTION
     /etc/shadow is an access-restricted ASCII system file. The fields for
     each user entry are separated by colons. Each user is separated from
     the next by a newline. Unlike the /etc/passwd file, /etc/shadow does
     not have general read permission.

     To create /etc/shadow from /etc/passwd use the pwconv command (see
     pwconv(1M)).

     Here are the fields in /etc/shadow:

     username     The user's login name (ID).

     password     A 13-character encrypted password for the user, a lock
                  string to indicate that the login is not accessible, or
                  no string to show that there is no password for the
                  login.

     lastchanged  The number of days between January 1, 1970 and the date
                  that the password was last modified.

     minimum      The minimum number of days required between password
                  changes. This field is set by passwd -n.

     maximum      The maximum number of days the password is valid. This
                  field is set by passwd -m.

     warn         The number of days before the password expires that the
                  user is warned. This field is set by passwd -w.

     inactive     The number of days of inactivity allowed for that user.
                  This field is set by passmgmt -f days.

     expire       An absolute date when the login can no longer be used,
                  specified in days since the epoch (January 1, 1970).
                  This field is set by passmgmt -e when, where the when
                  argument is used as an input string to getdate(3).
                  passmgmt converts this to the days since the epoch
                  value.

     flag         Reserved for future use; set to zero. Currently not
                  used.

     The encrypted password consists of 13 characters chosen from a
     64-character alphabet (., /, 0-9, A-Z, a-z).

     To update this file, use the passwd command.

     One way of determining the number of days since the epoch:

          % perl -e 'print int(time/(60*60*24))'

FILES
     /etc/shadow

SEE ALSO
     login(1), passmgmt(1M), passwd(1), pwconv(1M), getspent(3C),
     putspent(3C), passwd(4).

NOTES
     The shadow file can be served through NIS, but that should only be
     done if the appropriate attributes in nsd are set correctly for that
     map: the nis_secure attribute (see nisserv(7)) should be turned on and
     the mode attribute (see nsd(1M)) should be set to 0700. Failing to do
     so introduces a security hole by allowing any user to view entries
     from the shadow file.

     This map is not built by default in mdbm_parse. ypmake needs to be
     called with the explicit map name shadow. Also, a line would need to
     be added to the server's nsswitch.conf file to allow serving the
     shadow map.

     An administrator should configure /etc/securenets (see securenets(4))
     to list only those hosts that are intended to be NIS clients.
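
The field layout described under DESCRIPTION, as an added Python example that is not part of the original manual page: it splits an entry into the nine fields in the order listed, classifies the password field, and applies the maximum, warn and expire rules. The sample entries are constructed, and treating a negative maximum as "aging off" is an assumption the page does not state.

```python
import re
import time

FIELDS = ("username", "password", "lastchanged", "minimum", "maximum",
          "warn", "inactive", "expire", "flag")
HASH_RE = re.compile(r"[./0-9A-Za-z]{13}")  # 13 chars from the 64-char alphabet

# Constructed sample entries (not real accounts or hashes).
SAMPLE = [
    "alice:abcdefghijkl.:19000:0:90:7:::0",
    "bob::19000:0:90:7:::0",
    "carol:*LK*:18000:0:90:7::19050:0",
]

def parse_entry(line):
    """Split one shadow line into a dict; empty numeric fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    entry = dict(zip(FIELDS, parts))
    for name in FIELDS[2:]:
        entry[name] = int(entry[name]) if entry[name] else None
    return entry

def audit(entry, today=None):
    """Return the findings for one parsed entry, in the order checked."""
    if today is None:
        today = int(time.time() // 86400)  # days since the epoch
    findings = []
    if entry["password"] == "":
        findings.append("no-password")
    elif not HASH_RE.fullmatch(entry["password"]):
        findings.append("locked")  # anything else is treated as a lock string
    # Reading "can no longer be used" as: from the expire day onward.
    if entry["expire"] is not None and today >= entry["expire"]:
        findings.append("login-expired")
    changed, maximum = entry["lastchanged"], entry["maximum"]
    # Assumption: a negative maximum means aging is off (not stated on the page).
    if changed is not None and maximum is not None and maximum >= 0:
        left = changed + maximum - today
        if left < 0:
            findings.append("password-expired")
        elif entry["warn"] is not None and left <= entry["warn"]:
            findings.append("password-expiring")
    return findings

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_entry(line)["username"], audit(parse_entry(line), today=19085))
```

The inactive field is parsed but not evaluated, because it depends on the last login time, which /etc/shadow does not record.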