shadowconfig
Configure shadow password suite tools
SYNOPSIS
shadowconfig {on|off|enable|disable|status}
PARAMETERS
on
Enables shadow password and group functionality. This moves password hashes to /etc/shadow and /etc/gshadow.
off
Disables shadow password and group functionality. This moves password hashes back to /etc/passwd and /etc/group. This action is highly discouraged for security reasons.
enable
An alias for the 'on' argument.
disable
An alias for the 'off' argument.
status
Displays the current status of shadow password and group functionality (enabled or disabled).
DESCRIPTION
shadowconfig is a command-line utility used to enable or disable the use of shadow password and group files on a Linux system.
When shadow passwords are enabled, user password hashes are stored in the more secure /etc/shadow file instead of /etc/passwd. Similarly, group password hashes (if used) are stored in /etc/gshadow instead of /etc/group. This separation significantly enhances security by making the password hashes unreadable to non-root users, even if they have read access to /etc/passwd or /etc/group. The shadowconfig command typically modifies system configuration to reflect this state, often by updating PAM configurations or other authentication-related settings.
While fundamental to Linux security, shadowconfig itself is often deprecated or superseded in modern distributions by more comprehensive authentication configuration tools like authconfig or authselect, which provide a broader range of authentication-related setup options. Its core purpose, however, remains crucial for system security.
CAVEATS
This command is often deprecated or replaced by more comprehensive authentication configuration tools such as authconfig(8) or authselect(8) in modern Linux distributions. Its exact behavior and availability can vary significantly.
Disabling shadow passwords (using off or disable) is a severe security risk. It exposes password hashes in world-readable files (/etc/passwd and /etc/group), making the system vulnerable to brute-force attacks and unauthorized access. This action is strongly discouraged for production systems.
SECURITY IMPLICATIONS
Disabling shadow passwords (via shadowconfig off or disable) exposes hashed passwords directly in /etc/passwd and /etc/group. These files are typically world-readable, meaning any user on the system could potentially access and attempt to crack the password hashes. This drastically reduces the security posture of the system and is strongly discouraged for any environment requiring even minimal security.
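The exposure described above can be checked directly. The following is an added example, not part of shadowconfig or the shadow suite: the function names (exposed_hashes, world_readable, audit_shadow, write_sample) are hypothetical and the sample accounts and hashes are constructed. It reports accounts whose hash still sits in a passwd-format file and flags a shadow file that all users can read.

```shell
#!/bin/sh
# Added example: audit passwd/group-format files for exposed password hashes.

# Print account names whose 2nd field still holds a hash. "x" (shadowed),
# empty, and pure lock markers ("*", "!") are placeholders; a locked hash
# such as "!$6$..." still exposes the hash and is reported.
exposed_hashes() {
    awk -F: '{ f = $2; sub(/^[!*]+/, "", f)
               if (f != "" && f != "x") print $1 }' "$1"
}

# True if "others" have read permission on the file (in the 10-character
# mode string printed by ls, position 8 is the other-read bit).
world_readable() {
    [ "$(ls -ldL "$1" | cut -c8)" = "r" ]
}

# audit_shadow PASSWD_FILE SHADOW_FILE -> returns 0 if clean, 1 otherwise
audit_shadow() {
    rc=0
    exposed=$(exposed_hashes "$1" | tr '\n' ' ')
    if [ -n "$exposed" ]; then
        echo "FAIL: hashes in $1 for: $exposed"; rc=1
    fi
    if [ ! -e "$2" ]; then
        echo "FAIL: $2 missing (shadow passwords not enabled?)"; rc=1
    elif world_readable "$2"; then
        echo "FAIL: $2 is readable by all users"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $1 and $2 look shadowed"; fi
    return "$rc"
}

# Constructed sample data (not from a real system).
write_sample() {
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'alice:$6$salt$CONSTRUCTED:1000:1000::/home/alice:/bin/sh' \
        'bob:!$6$salt$CONSTRUCTED:1001:1001::/home/bob:/bin/sh' \
        'daemon:*:1:1::/:/usr/sbin/nologin' > "$1/passwd"
    printf '%s\n' 'root:$6$salt$CONSTRUCTED:19000:0:99999:7:::' > "$1/shadow"
    chmod 644 "$1/passwd"; chmod 640 "$1/shadow"
}

demo=$(mktemp -d) && write_sample "$demo"
audit_shadow "$demo/passwd" "$demo/shadow" || echo "audit exit status: 1"
rm -rf "$demo"
```

On a live system the same check is audit_shadow /etc/passwd /etc/shadow, and exposed_hashes /etc/group covers group passwords, since /etc/group keeps the password in the same second field.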
HISTORY
The concept of shadow passwords emerged to enhance security in Unix-like systems by separating sensitive password hashes from publicly readable user and group files. The shadowconfig command was historically part of the shadow-utils package, providing a simple interface to manage this crucial security feature.
As Linux distributions evolved, the need for more centralized and flexible authentication management led to the development of tools like authconfig and later authselect. These tools often absorbed or superseded the specific functionality of shadowconfig, making it a less common standalone command in newer environments, though its underlying security principle remains fundamental.
SEE ALSO
passwd(1), groupadd(8), useradd(8), shadow(5), gshadow(5), authconfig(8), authselect(8), login.defs(5), pam(8)