.TH shadow "" "" "System Administration"
.PC "File that holds restricted passwords"
.B /etc/shadow
.PP
\*(CO stores information in file
.BR /etc/passwd .
This file identifies each user, gives her home directory, default shell,
and base group.
It must be universally readable so that it can be used by programs like
.BR ls ,
which must translate user-identification numbers into login identifiers.
.PP
In general, this system works well; however, it does create a hole in
system security.
If users' encrypted passwords are kept in
.BR /etc/passwd ,
which is universally readable, a ``cracker''
can read the passwords, decypher some of them with brute-force methods,
and then log in as the users whose passwords she cracked.
.PP
To plug that hole in system security, \*(UN implemented the method of
``shadow'' passwords.
In this scheme, a user's login information is still kept in
.BR /etc/passwd ;
however, the encrypted passwords (plus supplemental information) is kept
in the file
.BR /etc/shadow ,
which can be read only by a process with root-level permissions.
.PP
The shadow password file contains one entry per user.
Each user identified in
.B /etc/shadow
must have an entry in
.BR /etc/passwd .
The opposite is not true, but a user described in
.B /etc/passwd
who does not have an entry in
.B /etc/shadow
cannot log into your system.
Each entry in
.B /etc/shadow
is laid out exactly the same as file
.BR /etc/passwd.
At present, the \*(CO implementation of
.B login
uses only the
.I name
and
.I password
fields.
For details, see the Lexicon entry for
.BR passwd .
.SH "Reading /etc/shadow"
\*(CO includes four functions with which a program can read the
shadow-password file
.BR /etc/shadow :
.IP \fBendspent()\fR
Close
.BR /etc/shadow
after reading from it.
.IP \fBgetspent()\fR
Read the next record from
.BR /etc/shadow .
If a process has not yet read
.BR /etc/shadow ,
it returns the first record.
.IP \fBgetspnam()\fR
Return the first record for the user with a given login identifier.
.IP \fBsetspent()\fR
Return the seek pointer for
.B /etc/shadow
to the beginning of the file.
.PP
Functions
.B getspent()
and
.B getspnam()
return a pointer to an object with structure
.BR spwd ,
which gives an analogue for each field in
.BR /etc/shadow .
This structure is defined in header file
.BR <shadow.h> .
For details on this structure, see the Lexicon entry for
.BR shadow.h .
.SH "See Also"
.Xr "Administering COHERENT," administe
.Xr "login," login
.Xr "shadow.h" shadow.h
.SH Notes
For details of how the program
.B login
uses shadow passwords, see its entry in the Lexicon.
