/etc/shadow
Dennis L. Mumaugh
dlm at cuuxb.ATT.COM
Sat Nov 12 07:33:37 AEST 1988
In article <8861 at smoke.BRL.MIL> gwyn at brl.arpa (Doug Gwyn (VLD/VMB) <gwyn>) writes:
>It would be a great service to the community if specifications for
>this feature were posted or at least sent to developers who want
>to enable a similar feature on their (typically BSD-based) systems.
>For example, what is the shadow file called, what is its format,
>what sort of stuff is left in the password field in /etc/passwd,
>what facilities are there to validate a password against the
>shadow encrypted password file?
The documentation is scattered in the Release Notes for System V
Release 3.2. Of course they don't have a page shadow(4) but:
The file is /etc/shadow and is owned by root and mode 400.
It contains one line per login. Fields are separated by colons:
    username    - user's login name
    password    - a 13 character encrypted password or a lock string to
                  indicate the login is not accessible
    lastchanged - number of days since January 1, 1970 that the password
                  has been modified
    min         - the number of days required between password changes
    max         - the maximum number of days the password is valid
Routines to work with /etc/shadow:
    #include <shadow.h>

    struct spwd *getspent();
    struct spwd *getspnam(char *name);
    void setspent();
    void endspent();
    struct spwd *fgetspent(FILE *fp);
    int putspent(struct spwd *p, FILE *fp);
Programs allied with this are
    pwconv   - install and/or update /etc/shadow with information
               from /etc/passwd
    pwunconv - restore /etc/passwd from /etc/shadow
Programs like login, su and passwd work with either /etc/passwd
ONLY or with the added /etc/shadow. If there is no entry in
/etc/shadow we accept the /etc/passwd as gospel [in case someone
forgot to run /usr/lib/pwconv after adding a user.]
Also /usr/include/shadow.h:
    struct spwd {
        char *sp_namp;   /* user's login name */
        char *sp_pwdp;   /* encrypted password */
        long sp_lstchg;  /* number of days since January 1, 1970
                            that the password has been modified */
        int sp_min;      /* the number of days required between password changes */
        int sp_max;      /* the maximum number of days the password is valid */
    };
    #define SHADOW "/etc/shadow"
ATT doesn't provide any of the functions or the header file as
part of its product. It is in the source but not the binary.
Thus developers who need the routines must contact their ATT
person [not me!] to obtain the shadow password security library
--
=Dennis L. Mumaugh
Lisle, IL ...!{att,lll-crg}!cuuxb!dlm OR cuuxb!dlm at arpa.att.com
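
Added example, not part of the original post and not AT&T's library code: a parser for the five-field /etc/shadow line described above, with the lock-string and password-aging checks that follow from those fields. The sv_* names and the sample line are constructed for illustration; the code assumes exactly five fields and treats anything other than a 13-character crypt(3) string as a lock string.

```c
/* Added example; sv_* names are hypothetical and are not part of shadow.h. */
#include <stdio.h>
#include <string.h>

struct sv_entry {
    char name[33];
    char pwd[65];
    long lstchg;            /* day number (since January 1, 1970) of last change */
    long min, max;          /* password aging limits, in days */
};

enum sv_state { SV_OK, SV_LOCKED, SV_TOO_SOON, SV_EXPIRED };

/* Parse "username:password:lastchanged:min:max".
   Returns 0 on success, -1 on anything else (empty or missing field,
   extra fields, negative numbers), so a damaged line is never trusted. */
int sv_parse(const char *line, struct sv_entry *e)
{
    char tail = '\0';
    int n = sscanf(line, "%32[^:]:%64[^:]:%ld:%ld:%ld%c",
                   e->name, e->pwd, &e->lstchg, &e->min, &e->max, &tail);
    if (n != 5 && !(n == 6 && tail == '\n'))
        return -1;
    if (e->lstchg < 0 || e->min < 0 || e->max < 0)
        return -1;
    return 0;
}

/* Classify an entry as of day number `today`. */
enum sv_state sv_status(const struct sv_entry *e, long today)
{
    static const char alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    long age = today - e->lstchg;

    /* Anything that is not a 13-character crypt(3) string is a lock string. */
    if (strlen(e->pwd) != 13 || strspn(e->pwd, alphabet) != 13)
        return SV_LOCKED;
    if (age > e->max)
        return SV_EXPIRED;
    if (age < e->min)
        return SV_TOO_SOON;
    return SV_OK;
}

int main(void)
{
    struct sv_entry e;
    /* Constructed sample line, not a real account. */
    if (sv_parse("alice:ab01FAX.bQRSU:6890:7:90\n", &e) == 0)
        printf("%s: state %d\n", e.name, (int)sv_status(&e, 6900));
    return 0;
}
```

A line with an empty password field is rejected by sv_parse rather than treated as a passwordless login, so the caller fails closed.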