Administration
pwunconv
Convert shadow passwords back to traditional format.
userspasswordsshadowconversionsecurity
Additional Notes
pwunconv reverses the shadow password conversion performed by pwconv. It moves password hashes from /etc/shadow back into /etc/passwd and removes the shadow file or disables its use.
This is the inverse of pwconv and is rarely used on modern systems, as storing password hashes in the world-readable /etc/passwd file is a significant security risk. It may be used in legacy migration scenarios, recovery from shadow file corruption, or when transitioning to non-shadow authentication systems.
Syntax
pwunconv [options]
Options
-R root: Apply changes in a chroot directory.--help: Show help and exit.--version: Show version information.
Parameters
options: Flags that change howpwunconvbehaves.target: Optional file, device, interface, user, service, or command target when the command supports one.
Examples
pwunconv
Move all password hashes from /etc/shadow to /etc/passwd.
pwunconv -R /mnt/chroot
Reverse shadow conversion within a chroot environment.
Practical Notes
- Running
pwunconvmakes all password hashes world-readable. Only use in controlled environments or legacy compatibility scenarios. - Modern Linux distributions always use shadow passwords. Run
pwconvafterpwunconvto restore shadow protection. - The
grpunconvcompanion tool does the same for group passwords (/etc/gshadowto/etc/group). - Some authentication systems (e.g., LDAP, SSSD, or NIS) do not use
/etc/shadowat all.pwunconvdoes not affect these. - Only root can run
pwunconv. - After running
pwunconv, verify that/etc/passwdnow contains the password hashes in the second colon-delimited field.