/etc/shadow stores the actual password for each user account in encrypted format, along with additional properties related to the user's password.
The password expiration information for a user is contained in the last 6 fields. Password expiration for a selected user can be disabled by editing the /etc/shadow file.
However, I recommend using the chage command instead. The chage command changes the number of days between password changes and the date of the last password change.
This information is used by the system to determine when a user must change his/her password.
To list the current password aging settings, type the chage command as follows:
# chage -l vivek
Last password change : August 23, 2013
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
To disable password aging / expiration for user foo, type the command as follows and set:
Minimum Password Age to 0
Maximum Password Age to 99999
Password Inactive to -1
Account Expiration Date to -1
Interactive mode command:
# chage username
Or set all four values in one non-interactive command:
# chage -I -1 -m 0 -M 99999 -E -1 username
The /etc/shadow file stores the actual password in encrypted format for each user's account, along with additional properties related to the user's password, i.e. it stores secure user account information.
All fields are separated by a colon (:) symbol. It has one entry per line for each user listed in the /etc/passwd file. Generally, a shadow file entry looks as follows:
(Fig.01: /etc/shadow file fields)
- User name : It is your login name
- Password: It is your encrypted password. The password should be a minimum of 6-8 characters long, including special characters/digits
- Last password change (lastchanged): Days since Jan 1, 1970 that password was last changed
- Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
- Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)
- Warn : The number of days before password is to expire that user is warned that his/her password must be changed
- Inactive : The number of days after password expires that account is disabled
- Expire : Days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used
The last 6 fields provide password aging and account lockout features (you need to use the chage command to set up password aging). According to the man page of shadow, the password field must be filled. The encrypted password consists of 13 to 24 characters from the 64 character alphabet a through z, A through Z, 0 through 9, . and /. Optionally it can start with a “$” character. This means the encrypted password was generated using another (not DES) algorithm. For example, if it starts with “$1$” it means the MD5-based algorithm was used.
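The field layout above can be decoded mechanically. The following Python sketch is an added example, not code from the original page or from the shadow utilities: it parses a shadow entry, classifies the password prefix as described above, and converts the day counters into the dates that chage -l reports. The sample entries and their hash strings are constructed placeholders, and the function names are hypothetical.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NUMERIC = ("lastchanged", "minimum", "maximum", "warn", "inactive", "expire")

# Constructed sample entries (hash strings are placeholders, not real hashes).
# The first mirrors the chage -l output shown earlier for user vivek.
SAMPLE = [
    "vivek:$1$constructed$placeholderplaceholder00:15940:0:99999:7:::",
    "foo:$1$constructed$placeholderplaceholder00:15940:1:90:7:14::",
]

def parse_shadow_line(line):
    """Split one shadow entry into named fields; empty numeric fields become None."""
    parts = line.rstrip("\n").split(":")
    # The page lists 8 fields; real files carry a 9th reserved field (shadow(5)).
    if len(parts) not in (8, 9):
        raise ValueError("expected 8 or 9 colon-separated fields, got %d" % len(parts))
    entry = {"name": parts[0], "password": parts[1]}
    for key, raw in zip(NUMERIC, parts[2:8]):
        entry[key] = int(raw) if raw not in ("", "-1") else None
    return entry

def hash_scheme(password):
    """Classify the password field by its prefix, following the page's description."""
    if password.startswith("$1$"):
        return "MD5-based"
    if password.startswith("$"):
        return "other non-DES algorithm"
    return "DES-based (or not a hash)"

def _day(n):
    """Convert a days-since-1970 counter to a calendar date."""
    return None if n is None else EPOCH + timedelta(days=n)

def aging_report(line):
    """Turn the day counters into dates; None means 'never'."""
    e = parse_shadow_line(line)
    # Assumption: a maximum of 99999 (the value the page sets) or an empty field means aging is off.
    aging_off = e["maximum"] is None or e["maximum"] >= 99999 or e["lastchanged"] is None
    expires = None if aging_off else _day(e["lastchanged"] + e["maximum"])
    inactive = (None if expires is None or e["inactive"] is None
                else expires + timedelta(days=e["inactive"]))
    return {"name": e["name"], "scheme": hash_scheme(e["password"]),
            "last_change": _day(e["lastchanged"]), "password_expires": expires,
            "password_inactive": inactive, "account_expires": _day(e["expire"]),
            "aging_disabled": aging_off}

if __name__ == "__main__":
    for line in SAMPLE:
        print(aging_report(line))
```

Running the same report over a copy of a real shadow file (root access required) gives a quick list of accounts whose passwords never expire.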