12.1.1 Registration

12.1.1.3 Shadow file - /etc/shadow (SunOS 5.X, IRIX 5.X)

SunOS 5.X adds security measures that the older OS lacked. One of these is the shadow password scheme, which is used by default. The encrypted password is not kept in /etc/passwd, but rather in /etc/shadow; /etc/passwd has a placeholder, x, in this field. /etc/passwd is readable by everyone, whereas /etc/shadow is readable only by root. The shadow file also contains password aging controls.

/etc/shadow contains 9 fields, each separated by a ":", in the form:

login-id:password:lastchg:min:max:warn:inactive:expire:flag

where these fields represent:

The encrypted password field might also contain the entries:

NP meaning no password is valid

*LK* meaning the account is locked until the superuser sets a password

A typical /etc/shadow file might be:

root:st44wfkgx33qX:::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
smtp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
noaccess:NP:6445::::::

The shadow password file is updated using the commands:

If you presently have an /etc/passwd file under SunOS 4.X that you want to use with SunOS 5.X, you can use the pwconv command to convert the passwd file to the new style and create the /etc/shadow file.

The /etc/shadow file has specific fields to keep track of the last password change, the minimum and maximum time in days that the password is valid, the number of inactive days allowed between uses before the login ID is declared invalid, and an expiration date for the account. You can edit /etc/shadow and set these values, or use the useradd command to set limits on the account.
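As an added illustration (not part of the original guide), this short Python reader handles the 9-field format above, classifies the password field, and flags entries an administrator would review. It assumes lastchg counts days since 1 January 1970 and treats a blank password field as "no password set"; the guest and broken entries are constructed.

```python
from datetime import date, timedelta

FIELDS = ("login_id", "password", "lastchg", "min", "max",
          "warn", "inactive", "expire", "flag")
# Password-field markers from the page; "" (blank) is an added assumption.
MARKERS = {"NP": "no-valid-password", "*LK*": "locked", "": "empty"}

# Constructed input: three entries from the sample file above, plus a
# made-up blank-password entry ("guest") and a truncated line ("broken").
SAMPLE = """\
root:st44wfkgx33qX:::::::
daemon:NP:6445::::::
listen:*LK*:::::::
guest::6445::::::
broken:NP:6445
"""

def parse_line(line):
    """Split one shadow entry into its 9 named fields."""
    parts = line.split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def password_state(pw):
    """Classify the password field; anything unlisted is an encrypted password."""
    return MARKERS.get(pw, "encrypted")

def last_change(entry):
    """lastchg as a date (assumes days since 1 Jan 1970); None if unset."""
    days = entry["lastchg"]
    return date(1970, 1, 1) + timedelta(days=int(days)) if days else None

def audit(text):
    """Return (login or line, finding) pairs worth an administrator's review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(line)
        except ValueError as err:
            findings.append((f"line {lineno}", f"malformed: {err}"))
            continue
        state = password_state(entry["password"])
        if state == "empty":
            findings.append((entry["login_id"], "empty password field"))
        elif state == "encrypted" and not entry["max"]:
            findings.append((entry["login_id"], "no maximum password age"))
    return findings
```

Calling audit(SAMPLE) reports root (a real password with no maximum age), guest (blank password field) and the truncated fifth line; the NP and *LK* entries pass without a finding.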

Sun recommends that you use the admintool or solstice utilities or the useradd command to add new users, rather than editing the passwd file. If you do edit the passwd file, you'll want to run pwconv to carry the passwd changes over to the shadow file. The use of vipw is no longer recommended. It's included with the compatibility package as /usr/ucb/vipw, and you can still use it, but it does not update the shadow file, though it does remind you to do so.


Unix System Administration - 8 AUG 1996