Shadow File


Solaris™ Operating Environment Boot Camp
By David Rhodes, Dominic Butler
Chapter 3.  User Administration


Like the password file, the shadow file is an ASCII file with the fields separated by a colon (:). It is named /etc/shadow and is used to store security-related details, such as encrypted passwords and password aging information. For this reason, it is designed not to be readable by the general public.

The shadow file, as distributed, will look similar to that shown here:

 hydrogen# cat /etc/shadow
 root:<encrypted root password>:6445::::::
 daemon:NP:6445::::::
 bin:NP:6445::::::
 sys:NP:6445::::::
 adm:NP:6445::::::
 lp:NP:6445::::::
 smtp:NP:6445::::::
 uucp:NP:6445::::::
 nuucp:NP:6445::::::
 listen:*LK*:::::::
 nobody:NP:6445::::::
 noaccess:NP:6445::::::
 nobody4:NP:6445::::::
 hydrogen#

This example shows that for every entry in the password file, there should be a corresponding entry in the shadow file. See the "Checking the Files" section on page 66 for examples of commands that can be used to keep the files up-to-date. The field entries are as follows.

Field 1: Login Name

This field is for the user's login name; it matches the corresponding name in the password file. Matching on the name, rather than the UID, is required for any super-user type accounts, because they all share the same UID of 0 and therefore need some mechanism that allows each of them to log in as an individual account. For example, we could create a user named powerdown by adding something similar to the following entry to /etc/passwd:

 powerdown:x:0:1::/export/home/powerdown:/usr/sbin/halt 

This user has a UID of 0, but will use a different password from the main root account, thereby giving the user only the ability to shut the machine down.

Field 2: Encrypted Password

It is recommended that every user have a password to ensure that only authorized users can access the system. Note that giving users passwords does not by itself prevent other users from accessing their files; the file permissions can easily be altered so that access is either granted or denied to any other user or group of users. If this field is empty, the user will not need a password to log in, although passwords can be enforced by configuring a file named /etc/default/login.

The encrypted password will be either a 13-character string, "NP" to indicate no password, or "*LK*" to indicate that the account is locked; in fact, any string of fewer than 13 characters will lock the account.

Field 3: Password Change Date

This field contains the date when the password was last changed. It is shown as the number of days from January 1, 1970, or "0" if the user has been forced to change it at the next login.

Field 4: Minimum Change Days

This field contains the minimum number of days that must pass before the user is allowed to change his or her password again.

Field 5: Maximum Valid Days

This field contains the maximum number of days users can use the password before they are forced to change it.

Field 6: Number of Warning Days

This field contains the number of days before the password expires that the system will start to warn the user.

Field 7: Number of Inactive Days

This field contains the number of days of inactivity the user is allowed.

Field 8: Expiry Date

This field contains the date the account will expire. It is shown as the number of days from January 1, 1970.

Field 9: Not Used

This field is reserved for future use, so for now it should be empty.
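The following is an added example, not code from the book: a small Python parser and checker for the nine-field layout described above. The sample lines are constructed (the 13-character hash is a placeholder, not a real encrypted password), and it applies the rules given in the text: an empty field 2 permits login without a password, "NP" means no password, "*LK*" or any string shorter than 13 characters locks the account, and fields 3 and 8 count days from January 1, 1970.

```python
# Added example (not from the book): parse /etc/shadow lines and flag entries worth reviewing.
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("name", "password", "lastchg", "min", "max", "warn", "inactive", "expire", "flag")

def days_to_date(value):  # fields 3 and 8: days since 1 Jan 1970; an empty field means "not set"
    return EPOCH + timedelta(days=int(value)) if value else None

def password_state(field):  # field 2, classified by the rules given in the text
    if field == "":
        return "none"                      # login permitted without a password
    if field == "NP":
        return "no-password"
    if field.startswith("*LK*") or len(field) < 13:
        return "locked"                    # *LK*, or anything shorter than 13 characters
    return "set"

def parse_shadow_line(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected 9 colon-separated fields: %r" % line)
    rec = dict(zip(FIELDS, parts))
    rec["state"] = password_state(rec["password"])
    return rec

def audit(lines, today):  # returns (login, issue) pairs a defender would want to review
    findings = []
    for line in lines:
        rec = parse_shadow_line(line)
        if rec["state"] == "none":
            findings.append((rec["name"], "empty password field"))
        if rec["state"] == "set" and rec["max"] and rec["lastchg"] not in ("", "0"):  # 0 = change at next login
            due = EPOCH + timedelta(days=int(rec["lastchg"]) + int(rec["max"]))   # field 3 + field 5
            if due <= today:
                findings.append((rec["name"], "password expired " + due.isoformat()))
        expire = days_to_date(rec["expire"])                                         # field 8
        if expire and expire <= today:
            findings.append((rec["name"], "account expired " + expire.isoformat()))
    return findings

SAMPLE = [  # constructed, modelled on the listing above; "abcdefghijklm" is a placeholder hash
    "root:abcdefghijklm:6445::::::",
    "listen:*LK*:::::::",
    "alice:abcdefghijklm:6445:7:90:7::12000:",
    "bob::6445::::::",
]

def audit_sample():  # run the checks against the constructed sample as of 1 Jan 2002
    return audit(SAMPLE, date(2002, 1, 1))
```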


    Solaris Operating Environment Boot Camp
    ISBN: 0130342874
    Year: 2002
    Pages: 301