pwconv Command in Linux

The pwconv command in Linux creates or updates the shadow file using the passwd file. It ensures that password hashes are moved from the /etc/passwd file to the /etc/shadow file for better security.

In older Unix systems, password hashes were stored in the /etc/passwd file, which is world-readable. This posed a security risk because password hashes could be accessed and cracked. Modern systems store these hashes in the /etc/shadow file, which is only readable by privileged users.

The pwconv command automates the migration process. It updates the shadow file, ensuring password hashes are not left in the /etc/passwd file.

The following sections describe the syntax of the pwconv command, the precautions to take before running it, and an example of its use −

Syntax of pwconv Command

The syntax of the pwconv command in Linux is as follows:

pwconv

The pwconv command does not require additional arguments. It is designed to perform a single task without the need for customization.

Important Considerations Before Using pwconv Command

Before using the pwconv command, back up both the /etc/passwd and /etc/shadow files using the following commands −

sudo cp /etc/passwd /etc/passwd.bak
sudo cp /etc/shadow /etc/shadow.bak

Make sure the permissions on the /etc/shadow file allow only the root user to read it. You can check them with the following command −

ls -l /etc/shadow

Example of Using pwconv Command in Linux

The main purpose of the pwconv command is to enhance system security by synchronizing the /etc/passwd file with the /etc/shadow file, ensuring that password hashes are stored securely in the /etc/shadow file instead of the publicly readable /etc/passwd file.

To synchronize the /etc/passwd and /etc/shadow files, use the pwconv command with sudo. For example, the following /etc/passwd file contains users along with password hashes, as shown in the image below −

Now, execute the pwconv command.

sudo pwconv

The pwconv command creates a shadow file in the /etc directory, removes the password hashes from the /etc/passwd file, and replaces each of them with an x, as shown in the image below −

A shadow file will also be created, which will contain the password hashes of all users, as shown in the image below −
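The two checks the page asks for around pwconv, verifying that no hashes remain in the passwd file and that the shadow file is not readable by others, can be scripted. The following is an added example, not code from the original page or from the shadow-utils project; it works on copies of passwd and shadow (or on constructed sample files when run without arguments) rather than the live /etc files.

```sh
#!/bin/sh
# Added example, not from the original page: audit the two things the page
# asks you to verify around pwconv, on copies of passwd/shadow rather than the
# live /etc files. Usage on real copies (as root, since shadow is not
# world-readable):  sh pwconv_audit.sh /etc/passwd.bak /etc/shadow.bak

# Login names whose passwd entry still carries a hash: the second field is
# neither the "x" that pwconv leaves behind nor a locked/empty marker.
unshadowed_users() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }' "$1"
}

# Octal mode of a file; GNU stat first, BSD stat as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# shadow must not be readable by others: 600/400, 640 (root:shadow on Debian
# derivatives) or 0 (Red Hat derivatives ship it as mode 000).
shadow_mode_ok() {
    case "$(file_mode "$1")" in
        600|400|640|0) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files in a temp dir standing in for /etc: one account
# already shadowed, one still carrying a (fake) hash, one locked system
# account, and a shadow file that is wrongly world-readable. Prints the dir.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/passwd"
    printf 'alice:$6$CONSTRUCTEDSALT$NOTAREALHASH:1000:1000::/home/alice:/bin/bash\n' >> "$d/passwd"
    printf 'daemon:*:1:1::/usr/sbin:/usr/sbin/nologin\n' >> "$d/passwd"
    : > "$d/shadow"
    chmod 644 "$d/shadow"
    echo "$d"
}

audit() {
    echo "hashes still in $1: $(unshadowed_users "$1" | tr '\n' ' ')"
    if shadow_mode_ok "$2"; then echo "$2 mode $(file_mode "$2"): ok"
    else echo "$2 mode $(file_mode "$2"): too permissive, expected 600 or 640"; fi
}

if [ $# -eq 2 ]; then audit "$1" "$2"
else d=$(make_sample_dir); audit "$d/passwd" "$d/shadow"; rm -rf "$d"; fi
```

After a successful pwconv, the first check should list no accounts, since every second field in /etc/passwd is then an x.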

Enabling the Legacy Format

The legacy format for the /etc/passwd file refers to the format where user account information, including the password hash, is stored directly in the /etc/passwd file.

To return to the shadowless format, use the pwunconv command. It removes the shadow file and writes the password hashes of all users back into the passwd file.

sudo pwunconv

Note − The legacy or shadowless format is not recommended due to security risks.

Conclusion

The pwconv command in Linux improves system security by transferring password hashes from the world-readable /etc/passwd file to the more secure /etc/shadow file, which is accessible only to privileged users. This process mitigates the risk of password hashes being exposed or cracked. Running pwconv with administrative privileges updates the shadow file and ensures proper synchronization with the /etc/passwd file.

Before using the command, it is essential to back up both files and verify proper shadow file permissions. While the pwunconv command can revert to the legacy shadowless format, it is not recommended due to the security risks of world-readable password hashes.