Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!ucbvax!GYRE.UMD.EDU!chris
From: chris@GYRE.UMD.EDU (Chris Torek)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: shadow passwords?
Message-ID: <8811080049.AA07509@gyre.umd.edu>
Date: 8 Nov 88 00:49:20 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 17

It seems the phrase `shadow password file' is not well known, so here
is a definition:

It means the encrypted passwords themselves (and any other `sensitive'
information) are not kept in /etc/passwd, which is readable by everyone,
but rather in some other file that is not readable except by root
(and/or by other privilege of your choice). The typical implementation
is to rename the real password file /etc/passwd as something else
(e.g., /etc/pw.shadow), and replace /etc/passwd with a copy that has
the password field replaced with something unusable (`*'). Programs
that really need a user's password run privileged, and are changed to
refer to the shadow file; others use the usual file, but have no access
to the encrypted password. Updates must happen to both files.

(The phrase comes about from the fact that /etc/passwd is---or has,
depending on your point of view---a `shadow' thrown by another file.)

Chris
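Added example, not part of the original post: a Python sketch of the split described above, plus an audit for the two ways it fails (a shadow file readable by others, and the two files drifting apart because an update touched only one). The function names, the sample entries and their hashes are constructed for illustration, and the caller chooses the file paths.

```python
import os

# Constructed sample in the 7-field /etc/passwd format; the hashes are made up.
SAMPLE = (
    "root:CONSTRUCTEDHASH01:0:0:Super User:/:/bin/csh\n"
    "chris:CONSTRUCTEDHASH02:100:10:Sample User:/u/chris:/bin/csh\n"
)

def parse(text):
    """Map login name -> list of the 7 colon-separated fields."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {n}: expected 7 fields, got {len(fields)}")
        entries[fields[0]] = fields
    return entries

def make_public(shadow_text):
    """Copy of the password file with every password field replaced by '*'."""
    rows = parse(shadow_text).values()
    return "".join(":".join([f[0], "*"] + f[2:]) + "\n" for f in rows)

def write_mode(path, text, mode):
    """Create the file with the given mode, independent of the umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, mode)

def audit(public_path, shadow_path):
    """Return findings: loose shadow permissions, exposed hashes, drift."""
    findings = []
    if os.stat(shadow_path).st_mode & 0o077:
        findings.append("shadow file is accessible to group or other")
    with open(public_path) as p, open(shadow_path) as s:
        pub, sh = parse(p.read()), parse(s.read())
    for name in sorted(pub.keys() | sh.keys()):
        if name not in sh:
            findings.append(f"{name}: only in public file")
        elif name not in pub:
            findings.append(f"{name}: only in shadow file")
        else:
            if pub[name][1] != "*":
                findings.append(f"{name}: password field exposed in public file")
            if pub[name][2:] != sh[name][2:]:
                findings.append(f"{name}: non-password fields differ")
    return findings
```

Write the shadow copy with mode 0600 and the public copy with mode 0644 using `write_mode`, then run `audit` after every account change; an empty list means the two files still agree.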