Shadow Passwords

6.5. Shadow Passwords

In multiuser environments it is very important to use shadow passwords (provided by the shadow-utils package). Doing so enhances the security of system authentication files. For this reason, the installation program enables shadow passwords by default.

The following is a list of advantages shadow passwords have over the traditional way of storing passwords on UNIX-based systems.

  • Improves system security by moving encrypted password hashes from the world-readable /etc/passwd file to /etc/shadow, which is readable only by the root user.

  • Stores information about password aging.

  • Allows the use the /etc/login.defs file to enforce security policies.

Most utilities provided by the shadow-utils package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the /etc/shadow file, any commands which create or modify password aging information do not work.

Below is a list of commands which do not work without first enabling shadow passwords:

  • chage

  • gpasswd

  • /usr/sbin/usermod -e or -f options

  • /usr/sbin/useradd -e or -f options