Usage of the shadow file

It is very easy to set password expiration policies by hand by editing the /etc/shadow file. Each line describes one account and is divided by colons (:) into 9 fields:

  1. username: from /etc/passwd
  2. password: the encrypted password string
  3. lastchanged: the number of days between 1970/1/1 and the date of last modification of the password.
  4. min: minimum number of days required between password changes.
  5. max: maximum number of days that the password can be valid.
  6. warn: the number of days in advance that the user will be warned that his password will expire.
  7. inactive: number of days of inactivity allowed for that user. This info is taken from the /var/adm/lastlog file, which you can probe using the last command, for instance:

    tille@slowy ~> last tille
    tille     pts/11       localhost        Tue Nov 25 07:29   still logged in
    tille     console      :0               Mon Nov 24 07:27   still logged in
    tille     console      :0               Mon Nov 24 07:23 - 07:27  (00:04)
    wtmp begins Thu Nov  6 09:44 
  8. expire: number of days between 1970/1/1 and the date that the account will be blocked.
  9. flag: set to zero, reserved for future use.

You can play around by adding, for instance, 2:4:1:3 as the 4th to 7th fields. To see the effects immediately, take a couple of days off the third field. In the example, this was the original line:


And we made this out of it, so that a test would immediately work:


12417 is 2004/1/1, and we increased the number of days the password had been left unchanged (the current day number minus 12378 instead of minus 12380), so that the following test would show results:

tille@slowy ~> ssh localhost
tille@localhost's password: 
Your password will expire in 1 day.
Last login: Tue Nov 25 07:29:11 2003 from localhost
Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
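As an added example that is not part of the original text, the script below parses shadow-style lines into the 9 fields listed above and evaluates the aging fields (lastchanged, min, max, warn, inactive, expire) the way the login check in the ssh test does. The class and function names (ShadowEntry, parse_shadow_line, password_status, can_change_password), the sample line with its placeholder hash, and the exact boundary semantics (password valid through lastchanged + max, account locked once the inactive grace period has also passed) are assumptions made for this example, not taken from the page or from any particular system's implementation.

```python
# Added example (not from the original text): parse /etc/shadow-style lines
# and evaluate the password-aging fields the way a login-time check would.
# Names, boundary semantics and sample data are assumptions for this example.
from dataclasses import dataclass
from datetime import date
from typing import Optional

EPOCH = date(1970, 1, 1)


@dataclass
class ShadowEntry:
    username: str
    password: str
    lastchanged: Optional[int]  # days since 1970/1/1 of the last password change
    min_days: Optional[int]     # days that must pass before the next change
    max_days: Optional[int]     # days the password stays valid
    warn: Optional[int]         # days before expiry that a warning is shown
    inactive: Optional[int]     # grace days after expiry before the account locks
    expire: Optional[int]       # days since 1970/1/1 when the account is blocked
    flag: str                   # reserved field, normally empty or zero


def _int_or_none(field: str) -> Optional[int]:
    """Empty aging fields mean 'not set'; anything else must be an integer."""
    field = field.strip()
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow line into its 9 colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    return ShadowEntry(
        username=fields[0],
        password=fields[1],
        lastchanged=_int_or_none(fields[2]),
        min_days=_int_or_none(fields[3]),
        max_days=_int_or_none(fields[4]),
        warn=_int_or_none(fields[5]),
        inactive=_int_or_none(fields[6]),
        expire=_int_or_none(fields[7]),
        flag=fields[8],
    )


def days_since_epoch(d: date) -> int:
    """Calendar date -> the day number used in fields 3 and 8."""
    return (d - EPOCH).days


def can_change_password(entry: ShadowEntry, today_days: int) -> bool:
    """The 'min' field: a change is refused until lastchanged + min has passed."""
    if entry.lastchanged is None or entry.min_days is None:
        return True
    return today_days >= entry.lastchanged + entry.min_days


def password_status(entry: ShadowEntry, today_days: int) -> str:
    """Return 'ok', 'warn:N' (N days left), 'expired' or 'locked' for a given day.

    Assumed semantics: the password is valid through lastchanged + max; after
    that it is expired, and once the inactive grace period has also passed
    the account is locked. The 'expire' field locks the account regardless.
    """
    if entry.expire is not None and today_days >= entry.expire:
        return "locked"
    if entry.lastchanged is None or entry.max_days is None:
        return "ok"  # no aging configured for this account
    days_left = entry.lastchanged + entry.max_days - today_days
    if days_left < 0:
        if entry.inactive is not None and -days_left > entry.inactive:
            return "locked"
        return "expired"
    if entry.warn is not None and days_left <= entry.warn:
        return f"warn:{days_left}"
    return "ok"


# Constructed sample: the 2:4:1:3 aging values from the text, a placeholder
# instead of a real password hash, and lastchanged = 12378.
SAMPLE_LINE = "tille:$PLACEHOLDER_HASH$:12378:2:4:1:3::"

if __name__ == "__main__":
    entry = parse_shadow_line(SAMPLE_LINE)
    for day in range(12378, 12387):
        print(day, password_status(entry, day), can_change_password(entry, day))
```

Running the block walks day by day through the sample entry: with lastchanged 12378 and max 4 the password is valid through day 12382, the warning (warn = 1) appears on day 12381 with "warn:1", matching the "Your password will expire in 1 day" message, and the inactive value of 3 turns "expired" into "locked" from day 12386 on.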
