
/etc/passwd and /etc/shadow in Linux CLI - Deep Dive

Overview - /etc/passwd and /etc/shadow
What is it?
/etc/passwd and /etc/shadow are two important files on Linux systems that store user account information. /etc/passwd holds basic user details like username and user ID, while /etc/shadow stores encrypted passwords and related security data. These files work together to manage user authentication safely.
Why it matters
Without these files, the system would not know who the users are or how to verify their passwords securely. If passwords were stored openly, anyone could easily steal them, risking system security. These files help keep user data organized and protect sensitive password information.
Where it fits
Before learning about these files, you should understand basic Linux file system structure and user accounts. After this, you can explore user management commands and security practices like password policies and sudo privileges.
Mental Model
Core Idea
/etc/passwd lists user details openly, while /etc/shadow keeps passwords hidden and secure, together enabling safe user login.
Think of it like...
Think of /etc/passwd as a phone book listing names and addresses, and /etc/shadow as a locked safe holding the secret keys (passwords) to those addresses.
┌─────────────┐       ┌───────────────┐
│ /etc/passwd │──────▶│ User info     │
│ (public)    │       │ username, UID │
└─────────────┘       └───────────────┘
       │
       │
       ▼
┌─────────────┐       ┌───────────────┐
│ /etc/shadow │──────▶│ Password data │
│ (restricted)│       │ encrypted pwd │
└─────────────┘       └───────────────┘
Build-Up - 7 Steps
Step 1 (Foundation): Understanding /etc/passwd Basics
Concept: Learn what /etc/passwd contains and its format.
The /etc/passwd file lists all user accounts. Each line represents one user with fields separated by colons (:). The fields include username, user ID (UID), group ID (GID), user description, home directory, and default shell. Passwords used to be stored here but are now replaced by an 'x' for security.
Result
You can read /etc/passwd to see all users and their basic info, but you won't see actual passwords here.
Knowing that /etc/passwd is readable by everyone but does not contain real passwords helps understand why password security needs a separate file.
Step 2 (Foundation): Introduction to the /etc/shadow File
Concept: Discover how /etc/shadow stores encrypted passwords securely.
/etc/shadow contains password hashes and related security info like password expiry. It is only readable by the root user to protect sensitive data. Each line corresponds to a user and includes the username, encrypted password, last password change date, and password expiration details.
Result
Passwords are stored here in a way that normal users cannot read, improving system security.
Separating password hashes from public user info prevents attackers from easily accessing password data.
Step 3 (Intermediate): Reading and Interpreting /etc/passwd Fields
Before reading on: do you think the password field in /etc/passwd contains actual passwords or placeholders? Commit to your answer.
Concept: Understand each field in /etc/passwd and what it represents.
A typical /etc/passwd line looks like: 'alice:x:1001:1001:Alice User:/home/alice:/bin/bash'. The fields are: username (alice), password placeholder (x), UID (1001), GID (1001), user description (Alice User), home directory (/home/alice), and shell (/bin/bash). The 'x' means the real password is in /etc/shadow.
Result
You can identify user details and know that passwords are not stored here.
Recognizing the 'x' placeholder is key to understanding the split between public user info and private password data.
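The field layout described in steps 1 and 3, applied with standard shell tools, as an added example that is not code from the original page: the /etc/passwd entries are constructed for the demo, and the names PASSWD_FILE, passwd_field, interactive_users, uid_zero_users and non_x_password_fields are chosen here. Beyond the single line the text shows, it also answers the questions an administrator usually asks of the whole file.

```shell
#!/bin/sh
# Added example, not from the original page: split /etc/passwd-format lines
# into their seven colon-separated fields and answer the questions an
# administrator usually asks of the file. The entries below are constructed
# for the demo; set PASSWD_FILE=/etc/passwd to run the same checks on a host.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice User:/home/alice:/bin/bash
bob:x:1002:1002:Bob Builder:/home/bob:/bin/zsh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# passwd_source: the constructed sample, or the real file when PASSWD_FILE is set.
passwd_source() {
    if [ -n "${PASSWD_FILE:-}" ]; then
        cat "$PASSWD_FILE"
    else
        printf '%s\n' "$SAMPLE_PASSWD"
    fi
}

# passwd_field NAME N: print field N of NAME's entry.
# 1 username, 2 password placeholder ('x'), 3 UID, 4 GID,
# 5 description (GECOS), 6 home directory, 7 login shell.
passwd_field() {
    passwd_source | awk -F: -v u="$1" -v n="$2" '$1 == u { print $n }'
}

# interactive_users: accounts whose shell is neither nologin nor false,
# i.e. the ones that can actually obtain a shell at login.
interactive_users() {
    passwd_source | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# uid_zero_users: every account with UID 0. Only root should appear; a
# second entry is a classic sign that /etc/passwd has been tampered with.
uid_zero_users() {
    passwd_source | awk -F: '$3 == 0 { print $1 }'
}

# non_x_password_fields: entries whose second field is not the 'x'
# placeholder. Such an entry is authenticated against /etc/passwd itself
# instead of /etc/shadow, so it should never appear on a shadowed system.
non_x_password_fields() {
    passwd_source | awk -F: '$2 != "x" { print $1 }'
}

# Demo run (output only; the functions above do not depend on it).
echo "alice's shell:        $(passwd_field alice 7)"
echo "interactive accounts: $(interactive_users | tr '\n' ' ')"
echo "UID 0 accounts:       $(uid_zero_users | tr '\n' ' ')"
echo "non-'x' pw fields:    $(non_x_password_fields | tr '\n' ' ')"
```

Run it as `PASSWD_FILE=/etc/passwd sh passwd_fields.sh` to apply the same four checks to a real host; the last two checks are the ones worth keeping in a periodic integrity script, since both conditions should normally produce an empty list.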
Step 4 (Intermediate): Understanding /etc/shadow Password Hashes
Before reading on: do you think the password hashes in /etc/shadow can be reversed to get the original password? Commit to your answer.
Concept: Learn how passwords are stored as hashes and what the fields mean.
In /etc/shadow, the password field contains a hash such as '$6$randomsalt$encryptedstring': the '$6$' prefix names the hashing algorithm (SHA-512 crypt), the middle part is the salt, and the final part is the resulting hash. This is a one-way hash of the password, not an encryption that can be undone. Other fields include the last password change date and password expiration info. Hashes cannot be reversed to get the original password.
Result
Passwords are stored securely so even if someone reads /etc/shadow, they cannot easily find the real password.
Understanding hashing explains why storing passwords in /etc/shadow is safer than plain text.
Step 5 (Intermediate): File Permissions and Security Roles
Concept: Explore why /etc/shadow has restricted permissions and /etc/passwd does not.
/etc/passwd is world-readable because many programs need user info. /etc/shadow is readable only by root to protect password hashes. Permissions look like: '-rw-r--r--' for /etc/passwd and '-rw-r-----' for /etc/shadow. This separation limits who can access sensitive data.
Result
Only privileged users can read password hashes, reducing risk of password theft.
Knowing file permissions is crucial to understanding Linux security design.
Step 6 (Advanced): How Authentication Uses These Files
Before reading on: do you think the login process reads /etc/passwd or /etc/shadow first? Commit to your answer.
Concept: Understand the login process interaction with these files.
When a user logs in, the system checks /etc/passwd to find the user and then reads /etc/shadow to get the password hash. It hashes the entered password and compares it to the stored hash. If they match, access is granted. This two-step process ensures user info and password verification are handled securely.
Result
User authentication is both efficient and secure by splitting data between two files.
Understanding this flow clarifies why both files are needed and how they work together.
Step 7 (Expert): Security Risks and Hardening Techniques
Before reading on: do you think simply restricting /etc/shadow permissions is enough to secure passwords? Commit to your answer.
Concept: Explore advanced security considerations and protections around these files.
While restricting /etc/shadow access is vital, other risks exist like brute-force attacks on password hashes. Techniques like using strong hashing algorithms (SHA-512), salting hashes, and enforcing password policies help. Tools like PAM modules and SELinux add layers of protection. Backup and monitoring of these files are also critical.
Result
Systems become more resilient against password theft and unauthorized access.
Knowing the limits of file permissions and the need for layered security prevents common vulnerabilities.
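The checks that steps 4, 5 and 7 call for, as an added example that is not code from the original page: it classifies each /etc/shadow entry by its hash prefix, lists accounts with empty or MD5-crypt password fields, reads the aging fields, and verifies the file mode. The shadow entries are constructed and their hash bodies are placeholders, not real hashes; the names SHADOW_FILE, shadow_field, hash_algo, weak_or_empty_accounts, max_age_days and check_shadow_mode are chosen here, and the permission check assumes GNU stat (with a BSD stat fallback).

```shell
#!/bin/sh
# Added example, not from the original page: audit a shadow-format file for
# the weaknesses the text lists (empty password fields, outdated hash
# algorithms, loose file permissions) and report per-account aging data.
# The entries are constructed; the hash bodies are placeholders, not real
# hashes. Set SHADOW_FILE=/etc/shadow (as root) to audit a live host.

SAMPLE_SHADOW='root:$6$F3kS9qLp$CONSTRUCTED_SHA512_HASH:19700:0:99999:7:::
alice:$y$j9T$CONSTRUCTED_YESCRYPT_SALT$CONSTRUCTED_HASH:19800:0:90:7:::
bob:$1$Qx7a$CONSTRUCTED_MD5_HASH:18000:0:99999:7:::
svc:!:19500:0:99999:7:::
guest::19500:0:99999:7:::
daemon:*:19000:0:99999:7:::'

# shadow_source: the constructed sample, or the real file when SHADOW_FILE is set.
shadow_source() {
    if [ -n "${SHADOW_FILE:-}" ]; then
        cat "$SHADOW_FILE"
    else
        printf '%s\n' "$SAMPLE_SHADOW"
    fi
}

# shadow_field NAME N: field N of NAME's entry.
# 1 name, 2 hash, 3 last change (days since 1970-01-01), 4 min age,
# 5 max age, 6 warn days, 7 inactive days, 8 account expiry.
shadow_field() {
    shadow_source | awk -F: -v u="$1" -v n="$2" '$1 == u { print $n }'
}

# hash_algo NAME: classify the password field by its crypt(3) prefix.
hash_algo() {
    case "$(shadow_field "$1" 2)" in
        '')         echo empty ;;         # no password at all
        '!'*|'*'*)  echo locked ;;        # passwd -l or system account: no valid hash
        '$1$'*)     echo md5-crypt ;;     # obsolete, should be rehashed
        '$5$'*)     echo sha256-crypt ;;
        '$6$'*)     echo sha512-crypt ;;
        '$y$'*)     echo yescrypt ;;
        *)          echo unknown ;;
    esac
}

# weak_or_empty_accounts: names whose password field is empty or MD5-crypt.
weak_or_empty_accounts() {
    shadow_source | awk -F: '$2 == "" || $2 ~ /^\$1\$/ { print $1 }'
}

# max_age_days NAME: the max-age field that drives password expiry.
max_age_days() { shadow_field "$1" 5; }

# check_shadow_mode PATH: "ok" when the file has no group-write and no
# world permission bits (e.g. 640 root:shadow on Debian-like systems,
# 000 on RHEL-like ones); anything else is reported with its mode.
check_shadow_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in
        ?[04]0) echo ok ;;
        *)      echo "too-permissive ($mode)" ;;
    esac
}

# Demo run (output only; the functions above do not depend on it).
for u in root alice bob svc guest daemon; do
    echo "$u: $(hash_algo "$u"), max age $(max_age_days "$u") days"
done
echo "weak or empty: $(weak_or_empty_accounts | tr '\n' ' ')"
```

An empty password field is the most urgent finding, because depending on PAM configuration it can allow a login with no password at all; an MD5-crypt entry means the hash should be regenerated by having the user change their password after the system's default method has been updated.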
Under the Hood
/etc/passwd is a plain text file listing user account info accessible to all users. /etc/shadow stores password hashes with restricted access. When a user logs in, the system reads /etc/passwd to verify the username exists, then accesses /etc/shadow to retrieve the hashed password. The entered password is hashed using the same algorithm and compared. This separation allows programs to get user info without exposing password hashes.
Why designed this way?
Originally, passwords were stored in /etc/passwd, but this exposed them to all users, risking security. To fix this, /etc/shadow was introduced to separate sensitive password data and restrict access. This design balances usability (public user info) and security (private password hashes). Alternatives like storing passwords in databases were less common or practical at the time.
┌─────────────┐       ┌───────────────┐       ┌───────────────┐
│ User Login  │──────▶│ /etc/passwd   │──────▶│ Verify User   │
│ Prompt      │       │ (public info) │       │ Exists        │
└─────────────┘       └───────────────┘       └───────────────┘
                                         │
                                         ▼
                               ┌─────────────────┐
                               │ /etc/shadow     │
                               │ (password hash) │
                               └─────────────────┘
                                         │
                                         ▼
                               ┌─────────────────┐
                               │ Hash Input Pass │
                               │ Compare Hashes  │
                               └─────────────────┘
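The verification flow described in step 6 and in Under the Hood, as an added example that is not code from the original page: the entered password is re-hashed with the salt taken from the stored entry and the two strings are compared. It assumes OpenSSL 1.1.1 or later so that `openssl passwd -6` can compute SHA-512 crypt hashes; the passwd and shadow entries are constructed, and the names lookup_user, stored_hash, salt_of and verify_password are chosen here.

```shell
#!/bin/sh
# Added example, not from the original page: the password check a login
# program performs, shown on a constructed user. The stored hash is produced
# here with `openssl passwd -6` so the demo is self-contained; on a real
# system it is read from /etc/shadow by a root-privileged process.

SALT='examplesalt'
STORED_HASH=$(openssl passwd -6 -salt "$SALT" 'correct horse battery staple')
SAMPLE_PASSWD='alice:x:1001:1001:Alice User:/home/alice:/bin/bash'
SAMPLE_SHADOW="alice:$STORED_HASH:19800:0:99999:7:::"

# lookup_user NAME: step 1 of login, confirm the account exists in passwd.
lookup_user() {
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# stored_hash NAME: step 2, fetch the hash field of the shadow entry.
stored_hash() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u { print $2 }'
}

# salt_of HASH: in "$6$salt$hash" the salt is the third '$'-separated field.
salt_of() {
    printf '%s\n' "$1" | cut -d'$' -f3
}

# verify_password NAME PASSWORD: steps 3 and 4, hash the candidate with the
# stored salt and compare the results. Prints match, mismatch or no-such-user.
# The plain-text candidate is never compared against anything stored.
verify_password() {
    lookup_user "$1" || { echo no-such-user; return 1; }
    stored=$(stored_hash "$1")
    candidate=$(openssl passwd -6 -salt "$(salt_of "$stored")" "$2")
    if [ "$candidate" = "$stored" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# Demo run (output only).
echo "stored entry:   $SAMPLE_SHADOW"
echo "right password: $(verify_password alice 'correct horse battery staple')"
echo "wrong password: $(verify_password alice 'wrong password')"
echo "unknown user:   $(verify_password mallory 'anything')"
```

The point of reusing the stored salt is that the same password always hashes to the same string only when the salt matches, which is what makes the comparison possible while still giving every account a distinct hash.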
Myth Busters - 4 Common Misconceptions
Quick: Is the password field in /etc/passwd the actual password? Commit to yes or no.
Common Belief: The password field in /etc/passwd contains the user's real password.
Reality: The password field in /etc/passwd usually contains an 'x' placeholder; the real password hash is stored in /etc/shadow.
Why it matters: Believing passwords are in /etc/passwd leads to misunderstanding system security and may cause unsafe handling of user data.
Quick: Can password hashes in /etc/shadow be reversed to get the original password? Commit to yes or no.
Common Belief: Password hashes in /etc/shadow can be decrypted to reveal the original password.
Reality: Password hashes are the output of a one-way function and cannot be reversed; only re-hashing a candidate and matching the stored hash proves the password is correct.
Why it matters: Thinking hashes are reversible can cause false confidence in password security or misuse of password storage methods.
Quick: Does restricting /etc/shadow permissions fully secure user passwords? Commit to yes or no.
Common Belief: Restricting /etc/shadow file permissions is enough to secure all password data.
Reality: While necessary, permission restrictions alone are not enough; weak passwords or outdated hashing algorithms can still be exploited.
Why it matters: Overreliance on file permissions can lead to vulnerabilities if other security layers are ignored.
Quick: Is /etc/passwd writable by normal users? Commit to yes or no.
Common Belief: /etc/passwd can be edited by any user to change account details.
Reality: /etc/passwd is writable only by root or privileged users to prevent unauthorized changes.
Why it matters: Misunderstanding file permissions can lead to incorrect assumptions about system security and user management.
Expert Zone
1. The order and format of fields in /etc/passwd and /etc/shadow are critical; even small formatting errors can lock users out.
2. Some systems use shadow-like mechanisms in other files or databases, but the principle of separating user info and password hashes remains.
3. Password aging and expiration fields in /etc/shadow allow automated enforcement of security policies without extra tools.
When NOT to use
For very large or distributed systems, relying solely on /etc/passwd and /etc/shadow is limiting; centralized authentication systems like LDAP or Kerberos are better alternatives.
Production Patterns
In production, /etc/shadow is often managed by PAM modules that enforce password policies and integrate with multi-factor authentication. Backup and monitoring of these files are automated to detect unauthorized changes.
Connections
Hash Functions
Builds-on
Understanding how hash functions work is essential to grasp why passwords are stored securely in /etc/shadow and cannot be reversed.
Access Control and File Permissions
Same pattern
The permission model protecting /etc/shadow illustrates the broader principle of access control in operating systems.
Physical Security Safes
Analogy to security
Just like a safe protects valuables from unauthorized access, /etc/shadow protects password hashes, showing how physical security concepts apply to digital security.
Common Pitfalls
#1 Trying to read /etc/shadow as a normal user to find passwords.
Wrong approach: cat /etc/shadow
Correct approach: sudo cat /etc/shadow
Root cause: Misunderstanding file permissions and security restrictions on sensitive files.
#2 Editing /etc/passwd or /etc/shadow manually without proper tools.
Wrong approach: nano /etc/passwd
Correct approach: Use the usermod, passwd, or vipw commands to safely edit user info.
Root cause: Not knowing the risks of corrupting critical system files and the existence of safer management tools.
#3 Storing plain text passwords in /etc/passwd or other files.
Wrong approach: Replacing 'x' in /etc/passwd with actual password text.
Correct approach: Use password hashing tools and let /etc/shadow store the password hashes.
Root cause: Lack of understanding of password hashing and security best practices.
Key Takeaways
/etc/passwd and /etc/shadow work together to manage user accounts and secure passwords on Linux.
/etc/passwd is publicly readable and holds user info without real passwords; /etc/shadow is restricted and stores password hashes.
Password hashes in /etc/shadow are one-way hashes and cannot be reversed to reveal the original password.
File permissions and hashing algorithms are both critical to protecting user credentials.
Proper tools and security practices must be used to manage these files safely in production.