How to audit, convert and control shadowed passwords for secure local authentication.

08.12.2025 | reading time: 2 min

Local Linux authentication stores hashed secrets in /etc/shadow to keep them out of the world-readable /etc/passwd; this short guide shows how to inspect, convert and control shadow passwords so the administrator can secure accounts without guessing.

Locked account scenario

Imagine an engineer must lock an account and confirm that the hashed secret has moved into /etc/shadow. The commands:

```bash
# Reading shadow entries requires root, so getent is run under sudo as well.
sudo pwconv && sudo passwd -l alice && sudo getent shadow alice
```

An example single-line output might look like:

```
alice:!$6$abc123$XyZ...:18765:0:99999:7:::
```

This shows a locked account (leading "!") with the hashed password field now stored in the shadow database.

Quick repair and checks

If entries are missing or permissions are wrong, run `sudo pwck -r` to detect issues, use `sudo pwconv` to create a shadow file from passwd, or `sudo pwunconv` to reverse the conversion. Always keep `/etc/shadow` owned by root with mode 640; verify with `ls -l /etc/shadow` and fix with `sudo chown root:shadow /etc/shadow && sudo chmod 640 /etc/shadow`.

Policy and lifecycle controls

Manage password aging and expiration with `chage`, lock and unlock accounts with `passwd -l`/`-u`, automate mass password changes with `chpasswd` or configuration management, and integrate with PAM to enforce complexity and lockout rules so the administrator controls both storage and policy.

Tools that complement shadow management

Useful commands include `getent` to query NSS, `vipw -s` to safely edit shadow entries, `pwck`/`grpck` for consistency checks, and `authselect`/PAM utilities to tie shadow storage into system authentication and centralized backends.
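To make the inspection step repeatable, the following added example (not code from the original page) classifies shadow-format entries by state, hash scheme and aging, going beyond the single locked-account case above. The function names `audit_shadow` and `sample_shadow`, the state names and the flag labels are this example's own; every sample line except the `alice` entry is constructed, and a maximum age of 99999 days is treated as "no expiry" by assumption.

```shell
#!/bin/sh
# Added example (not from the original page): classify shadow-format entries.

# Constructed sample; only the alice line comes from the article.
sample_shadow() {
    cat <<'EOF'
alice:!$6$abc123$XyZ...:18765:0:99999:7:::
bob:$1$CONSTRUCTED$CONSTRUCTEDHASH:18000:0:90:7:::
carol:$y$j9T$CONSTRUCTED$CONSTRUCTEDHASH:19500:0:99999:7:::
svc::19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
EOF
}

# Reads shadow-format lines from the named files, or stdin when none is given.
# Prints one line per entry: user state scheme flags
audit_shadow() {
    awk -F: '
    BEGIN { name["1"] = "md5"; name["5"] = "sha256"
            name["6"] = "sha512"; name["y"] = "yescrypt" }   # crypt(5) prefixes
    {
        pw = $2; flags = ""
        h = pw; sub(/^!+/, "", h)            # field with any lock marker removed
        if (pw == "")                 state = "empty"     # login without password
        else if (h == "" || h == "*") state = "nologin"   # no usable password
        else if (pw ~ /^!/)           state = "locked"    # passwd -l was applied
        else                          state = "active"

        scheme = "-"
        if (h ~ /^[$]/) {
            split(h, part, /[$]/)            # "$6$salt$hash" -> "", "6", "salt", "hash"
            scheme = (part[2] in name) ? name[part[2]] : part[2]
        } else if (state == "active" || state == "locked") scheme = "legacy"

        if (state == "empty")                         flags = flags " EMPTY_PASSWORD"
        if (scheme == "md5" || scheme == "legacy")    flags = flags " WEAK_HASH"
        if (state == "active" && ($5 == "" || $5 + 0 >= 99999))
            flags = flags " NO_MAX_AGE"
        if (flags == "") flags = " ok"
        printf "%s %s %s%s\n", $1, state, scheme, flags
    }' "$@"
}

sample_shadow | audit_shadow
```

On a live system the same function can be fed with `sudo getent shadow | audit_shadow`.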

Wrap-up and next steps

Shadow management is a small, critical part of a broader authentication picture: learn to inspect, fix and automate shadow-related tasks and then expand into PAM, LDAP or SSSD for scalable authentication; consider formal study like CompTIA Linux+ or LPIC-1 and intensive exam preparation at bitsandbytes.academy to deepen mastery.