Field of Secrets: The /etc/shadow File π΅οΈββοΈ
Ever wonder where your Linux password actually lives? Not in /etc/passwd. That file is for public consumption. Your real passwordβor rather, its encrypted hashβis locked down in a file called /etc/shadow. Only the root user can read it. It's the Fort Knox of your system. π°
Each line in /etc/shadow isn't just a password; it's a security profile. It's a string of nine fields separated by colons, each one a piece of your user's security puzzle:
- Username: The user's name.
-
Encrypted Password: The hashed password. A
!or*means the account is disabled. π« - Last Change: When the password was last changed. π
- Min Days: The minimum number of days before a password can be changed again. No password hot-swapping allowed. β±οΈ
- Max Days: The maximum number of days the password is valid. After this, it must be changed. β³
- Warning Days: The number of days a user is warned before their password expires. β οΈ
- Inactive Days: How long a user has to change an expired password before the account is locked. π
- Expiration Date: The date the account itself expires. π
- Reserved: Just a placeholder for now. π€·
The chage Command: You're the Boss Now π
So, you've seen the fields. How do you actually control them? With a command that sounds like what it does: chage (change-age). This is your weapon for enforcing password policies on individual users. Think of it as a personal security drill sergeant. πββοΈ
Here are a few quick ways to wield it:
-
chage -l user1: List everything. Seeuser1's entire password profile at a glance. π -
chage -M 90 user1: Forceuser1to change their password every 90 days. No excuses. ποΈ -
chage -W 14 user1: Makeuser1start seeing warnings 14 days before their password expires. π¨ -
chage -I 30 user1: Ifuser1is inactive for 30 days after their password expires, the account locks. Game over. β -
chage -E 2026-01-01 user1: Set a hard expiration date for the account. Handy for temporary users. π β‘οΈποΈ
The Global Blueprint: /etc/login.defs ποΈ
Setting policies for one user is cool, but what about the entire system? You don't want to run chage on every new user. That's where /etc/login.defs comes in. This file is the global blueprint for all new accounts. Any new user you create will inherit these rules by default. β
Your must-know parameters here are:
-
PASS_MAX_DAYS: The system-wide maximum password age. -
PASS_MIN_DAYS: The system-wide minimum password age. -
PASS_WARN_AGE: The system-wide warning period.
By configuring these once, you're setting a baseline of security that applies to everyone. It's the ultimate set-it-and-forget-it security win. π
Final Thoughts: Secure Your Stack π‘οΈ
Don't let your Linux system be the low-hanging fruit for attackers. By understanding and actively managing /etc/shadow, wielding the chage command, and setting up solid global policies in /etc/login.defs, you're not just hoping for the bestβyou're actively enforcing it.
Now, go check your users' passwords. They're probably naked right now. π§π¨
Top comments (0)