LinuxCommandLibrary

pwconv

Convert passwords to shadow password file

SYNOPSIS

pwconv [options]

PARAMETERS

-r, --root CHROOT_DIR
    Apply changes in the specified CHROOT_DIR directory. This allows the command to operate on a different root file system, useful in recovery or container environments.

-h, --help
    Display a brief help message and exit. This option provides a quick overview of the command's usage and available options.

DESCRIPTION

The pwconv command is used to convert traditional Linux password and group files (/etc/passwd and /etc/group) into their more secure shadow counterparts (/etc/shadow and /etc/gshadow). This process moves the encrypted password hashes from the publicly readable /etc/passwd and /etc/group files to the root-only readable /etc/shadow and /etc/gshadow files respectively.

After conversion, the password fields in /etc/passwd and /etc/group are replaced with an 'x' placeholder, indicating that the actual password information is stored in the shadow files. This significantly enhances system security: unprivileged users can no longer read the password hashes, so they cannot run offline brute-force or dictionary attacks against them.

pwconv also works when a shadow file already exists: it adds entries for accounts that have none and merges password information into existing entries. It creates backup copies of the original files (e.g., /etc/passwd-, /etc/shadow-) before making any modifications, so a rollback is possible if needed. This command is a crucial step in setting up a secure Linux system, typically run during initial system configuration or migration from older systems.

CAVEATS

Converting to shadow passwords is a significant system change and should be done with caution.

  • Requires superuser (root) privileges to execute.
  • Modifies critical system authentication files; ensure backups are in place.
  • Once converted, systems generally rely on shadow files for password authentication. Reverting requires the pwunconv command.
  • Does not handle network authentication systems like NIS/YP; it only affects local user and group authentication.
  • If the files have been edited by hand and contain inconsistencies (for example, malformed lines or mismatched entries), pwconv may not handle them correctly.
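The following added example models, on in-memory text rather than the real /etc files, the conversion described under DESCRIPTION (hashes moved from the passwd password field into a shadow record, and the field replaced by 'x') together with the consistency check that the last caveat calls for. It is an illustration written for this page, not the shadow-utils implementation: the sample accounts, hashes and the day count are constructed, and the handling of shadow entries that have no passwd user (they are dropped) is an assumption made here so that the two files stay consistent.

```python
"""Model of the pwconv conversion on in-memory passwd/shadow text.

Constructed example for illustration; it never touches /etc and is not the
shadow-utils code. Field layouts follow passwd(5) (7 fields) and shadow(5)
(9 fields). The "days since the epoch" value is passed in so that the result
is deterministic.
"""

# Constructed sample: an unshadowed system with one account (bob) that is
# already shadowed and one stale shadow entry whose user no longer exists.
PASSWD_BEFORE = """\
root:$6$saltsalt$FAKEHASHFORDEMOONLY:0:0:root:/root:/bin/bash
alice:$6$abcdefgh$ANOTHERFAKEHASH:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
daemon:*:2:2:daemon:/usr/sbin:/usr/sbin/nologin
"""
SHADOW_BEFORE = """\
bob:$6$bobsalt$BOBHASH:19000:0:99999:7:::
olduser:$6$gone$GONEHASH:18000:0:99999:7:::
"""


def parse(text, nfields):
    """Split colon-separated records; reject lines with the wrong field count."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        rows.append(fields)
    return rows


def pwconv(passwd_text, shadow_text, today_days):
    """Move password fields from passwd into shadow; return (new_passwd, new_shadow).

    A passwd entry whose password field is not 'x' has that value moved into
    its shadow record and replaced with 'x'. Existing shadow records are kept
    and only their password field is overwritten when passwd still carries
    one. Shadow records with no passwd user are dropped (assumption made for
    this example so the two files stay consistent).
    """
    shadow = {r[0]: r for r in parse(shadow_text, 9)}
    new_passwd, new_shadow = [], []
    for row in parse(passwd_text, 7):
        name, pw = row[0], row[1]
        if name in shadow:
            srow = shadow[name]
        else:
            # New record, shadow(5) layout:
            # name:pw:lastchg:min:max:warn:inactive:expire:reserved
            srow = [name, "x", str(today_days), "0", "99999", "7", "", "", ""]
        if pw != "x":
            srow[1] = pw  # the hash, or a lock marker such as '*'
        row[1] = "x"
        new_passwd.append(":".join(row))
        new_shadow.append(":".join(srow))
    return "\n".join(new_passwd) + "\n", "\n".join(new_shadow) + "\n"


def audit(passwd_text, shadow_text):
    """Return the findings a defender checks for after (or before) conversion."""
    findings = []
    passwd = parse(passwd_text, 7)
    shadow = parse(shadow_text, 9)
    pnames = [r[0] for r in passwd]
    snames = [r[0] for r in shadow]
    if len(set(pnames)) != len(pnames):
        findings.append("duplicate user names in passwd")
    for r in passwd:
        if r[1] != "x":
            findings.append(f"{r[0]}: password field still in passwd (not 'x')")
        if r[0] not in snames:
            findings.append(f"{r[0]}: no shadow entry")
    for n in snames:
        if n not in pnames:
            findings.append(f"{n}: shadow entry without passwd user")
    for r in shadow:
        if r[1] == "":
            findings.append(f"{r[0]}: empty password field in shadow (passwordless login)")
    return findings


if __name__ == "__main__":
    print("before:", audit(PASSWD_BEFORE, SHADOW_BEFORE))
    new_passwd, new_shadow = pwconv(PASSWD_BEFORE, SHADOW_BEFORE, today_days=19500)
    print(new_passwd)
    print(new_shadow)
    print("after:", audit(new_passwd, new_shadow))
```

Running the audit on the sample before conversion reports every account whose hash is still world-readable in passwd plus the stale olduser record; after `pwconv()` the audit is empty. The same audit, pointed at the real files, is a cheap post-conversion check that nothing was left behind and that no shadow record carries an empty password field.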

FILES

pwconv interacts with and modifies the following system files:

  • /etc/passwd: The main user account information file.
  • /etc/shadow: The shadow password file, storing encrypted password hashes and password expiration information.
  • /etc/group: The main group information file.
  • /etc/gshadow: The shadow group file, storing encrypted group passwords and group administration information.
  • /etc/passwd-, /etc/shadow-, /etc/group-, /etc/gshadow-: Backup copies of the original files created before modification.

EXIT STATUS

The pwconv command returns an exit status of 0 upon successful execution. Any non-zero exit status indicates that an error occurred during the conversion process.

HISTORY

The concept of shadow passwords emerged as a security enhancement in Unix-like systems. Historically, user password hashes were stored in the publicly readable /etc/passwd file. This posed a security risk as it made encrypted passwords vulnerable to offline brute-force attacks. The introduction of shadow password files (/etc/shadow), readable only by the root user, addressed this vulnerability by separating the password hashes from the public user information.

The pwconv command is part of the shadow-utils package, which provides a suite of tools for managing user and group accounts and their authentication information. It was developed to facilitate the transition from older systems that stored password hashes directly in /etc/passwd to the more secure shadow password system, making it an essential utility for modern Linux security practices.

SEE ALSO

chage(1), group(5), gshadow(5), passwd(1), passwd(5), pwunconv(8), shadow(5)
