shadow/man/shadow.5.xml

291 lines
8.8 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<!--
SPDX-FileCopyrightText: 1989 - 1990, Julianne Frances Haugh
SPDX-FileCopyrightText: 2007 - 2009, Nicolas François
SPDX-License-Identifier: BSD-3-Clause
-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='shadow.5'>
<!-- $Id$ -->
<refentryinfo>
<author>
<firstname>Julianne Frances</firstname>
<surname>Haugh</surname>
<contrib>Creation, 1989</contrib>
</author>
<author>
<firstname>Thomas</firstname>
<surname>Kłoczko</surname>
<email>kloczek@pld.org.pl</email>
<contrib>shadow-utils maintainer, 2000 - 2007</contrib>
</author>
<author>
<firstname>Nicolas</firstname>
<surname>François</surname>
<email>nicolas.francois@centraliens.net</email>
<contrib>shadow-utils maintainer, 2007 - now</contrib>
</author>
</refentryinfo>
<refmeta>
<refentrytitle>shadow</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
<refmiscinfo class="source">shadow-utils</refmiscinfo>
<refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>shadow</refname>
<refpurpose>shadowed password file</refpurpose>
</refnamediv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
<filename>shadow</filename> is a file which contains the password
information for the system's accounts and optional aging
information.
</para>
<para>
This file must not be readable by regular users if password security
is to be maintained.
</para>
<para>
Each line of this file contains 9 fields, separated by colons
(<quote>:</quote>), in the following order:
</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">login name</emphasis></term>
<listitem>
<para>
It must be a valid account name, which exist on the system.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">encrypted password</emphasis></term>
<listitem>
<para>
This field may be empty, in which case no passwords are
required to authenticate as the specified login name.
However, some applications which read the
<filename>/etc/shadow</filename> file may decide not to permit
any access at all if the password field is empty.
</para>
<para>
2016-08-05 22:20:51 +05:30
A password field which starts with an exclamation mark means
that the password is locked. The remaining characters on the
line represent the password field before the password was
locked.
</para>
<para>
Refer to <citerefentry><refentrytitle>crypt</refentrytitle>
<manvolnum>3</manvolnum></citerefentry> for details on how
this string is interpreted.
</para>
<para>
If the password field contains some string that is not a valid
result of <citerefentry><refentrytitle>crypt</refentrytitle>
<manvolnum>3</manvolnum></citerefentry>, for instance ! or *,
the user will not be able to use a unix password to log in
(but the user may log in the system by other means).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<emphasis role="bold">date of last password change</emphasis>
</term>
<listitem>
<para>
The date of the last password change, expressed as the number
of days since Jan 1, 1970 00:00 UTC.
</para>
<para>
The value 0 has a special meaning, which is that the user
should change her password the next time she will log in the
system.
</para>
<para>
An empty field means that password aging features are
disabled.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">minimum password age</emphasis></term>
<listitem>
<para>
The minimum password age is the number of days the user will
have to wait before she will be allowed to change her password
again.
</para>
<para>
2020-06-05 08:59:15 +05:30
An empty field and value 0 mean that there is no minimum
password age.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">maximum password age</emphasis></term>
<listitem>
<para>
The maximum password age is the number of days after which the
user will have to change her password.
</para>
<para>
After this number of days is elapsed, the password may still
be valid. The user should be asked to change her password the
next time she will log in.
</para>
<para>
An empty field means that there are no maximum password age,
no password warning period, and no password inactivity period
(see below).
</para>
<para>
If the maximum password age is lower than the minimum password
age, the user cannot change her password.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<emphasis role="bold">password warning period</emphasis>
</term>
<listitem>
<para>
The number of days before a password is going to expire (see
the maximum password age above) during which the user should
be warned.
</para>
<para>
An empty field and value 0 mean that there are no password
warning period.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<emphasis role="bold">password inactivity period</emphasis>
</term>
<listitem>
<para>
The number of days after a password has expired (see the
maximum password age above) during which the password should
still be accepted (and the user should update her password
during the next login).
</para>
<para>
After expiration of the password and this expiration period is
elapsed, no login is possible for the user. The user should contact
her administrator.
</para>
<para>
An empty field means that there are no enforcement of an
inactivity period.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<emphasis role="bold">account expiration date</emphasis>
</term>
<listitem>
<para>
The date of expiration of the account, expressed as the number
of days since Jan 1, 1970 00:00 UTC.
</para>
<para>
Note that an account expiration differs from a password
expiration. In case of an account expiration, the user shall
not be allowed to login. In case of a password expiration,
the user is not allowed to login using her password.
</para>
<para>
An empty field means that the account will never expire.
</para>
<para>
The value 0 should not be used as it is interpreted as either
an account with no expiration, or as an expiration on Jan 1,
1970.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reserved field</emphasis></term>
<listitem>
<para>This field is reserved for future use.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='files'>
<title>FILES</title>
<variablelist>
<varlistentry>
<term><filename>/etc/passwd</filename></term>
<listitem>
<para>User account information.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>/etc/shadow</filename></term>
<listitem>
<para>Secure user account information.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>/etc/shadow-</filename></term>
<listitem>
<para>Backup file for /etc/shadow.</para>
<para>
Note that this file is used by the tools of the shadow
toolsuite, but not by all user and password management tools.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>chage</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>login</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>passwd</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pwck</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pwconv</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pwunconv</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>sulogin</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
</refentry>