Understanding /etc/shadow file fields and format

Basically, the /etc/shadow file stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in /etc/passwd file. Generally, shadow file entry looks as follows (click to enlarge image):

/etc/shadow file format

/etc/shadow file format (click to enlarge)

As with the /etc/passwd, each field in the shadow file is also separated with “:” colon characters as follows:


  1. Username : A valid account name, which exist on the system.
  2. Password : Your encrypted password is in hash format. The password should be minimum 15-20 characters long including special characters, digits, lower case alphabetic and more. Usually password format is set to $id$salt$hashed, The $id is the algorithm prefix used On GNU/Linux as follows
    1. $1$ is MD5
    2. $2a$ is Blowfish
    3. $2y$ is Blowfish
    4. $5$ is SHA-256
    5. $6$ is SHA-512
    6. $y$ is yescrypt
  3. Last password change (lastchanged) : The date of the last password change, expressed as the number of days since Jan 1, 1970 (Unix time). The value 0 has a special meaning, which is that the user should change her password the next time she will log in the system. An empty field means that password aging features are disabled.
  4. Minimum : The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change her password again. An empty field and value 0 mean that there are no minimum password age.
  5. Maximum : The maximum number of days the password is valid, after that user is forced to change her password again.
  6. Warn : The number of days before password is to expire that user is warned that his/her password must be changed
  7. Inactive : The number of days after password expires that account is disabled.
  8. Expire : The date of expiration of the account, expressed as the number of days since Jan 1, 1970.

Linux Administrator Tips

Find all file with permission to run if belong to wheel or sudo group. Bit suid active

find / -perm /u+s 2>/dev/null

The denied access is not visualized with 2>/del/null

Command to show who has access to a file or folder : lsof <file/folder name>

Is possible to use the command  fuser <file name>


sudo visudo manage the user permission

id user for check the groups

ulimit -a check the limit and set it for single user

to set the limit in global level user : /etc/security/limits.conf

How to check current linux connections

quante tipi di connessioni da un dato ip
netstat -nat | grep | awk ‘{print $6}’ | sort | uniq -c | sort -n

quante porte usate da un dato ip
netstat -nat | grep | awk ‘{print $4}’ | sort | uniq -c | sort -n

numero di connessioni presenti per indirizzo ip
netstat -atun | awk ‘{print $5}’ | cut -d: -f1 | sed -e ‘/^$/d’ |sort | uniq -c | sort -n

numero totale di connessioni
netstat -nat | awk ‘{ print $5}’ | cut -d: -f1 | sed -e ‘/^$/d’ | uniq | wc -l

numero porte utilizzate
netstat -nat | awk ‘{print $4}’| cut -d: -f2 | sort | uniq -c | sort -n

lsof -ni | egrep -i “10\.0\.8|193\.170”