32.6. Shadow Passwords
In multiuser environments it is very important to use shadow passwords (provided by the
shadow-utilspackage). Doing so enhances the security of system authentication files. For this reason, the installation program enables shadow passwords by default.
The following lists the advantages pf shadow passwords have over the traditional way of storing passwords on UNIX-based systems:
- Improves system security by moving encrypted password hashes from the world-readable
/etc/shadow, which is readable only by the root user.
- Stores information about password aging.
- Allows the use the
/etc/login.defsfile to enforce security policies.
Most utilities provided by the
shadow-utilspackage work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the
/etc/shadowfile, any commands which create or modify password aging information do not work.
The following is a list of commands which do not work without first enabling shadow passwords: