Manage the password database on BSD systems


If you feel that Salt should be using this module to manage passwords on a minion, and it is using a different module (or gives an error similar to '' is not available), see here.


Returns the default hash used for unset passwords

CLI Example:

salt '*' shadow.default_hash

New in version 2015.8.2.

Delete the password from name user

CLI Example:

salt '*' shadow.del_password username
salt.modules.bsd_shadow.gen_password(password, crypt_salt=None, algorithm='sha512')

Generate hashed password


When called this function is called directly via remote-execution, the password argument may be displayed in the system's process list. This may be a security risk on certain systems.


Plaintext password to be hashed.


Crpytographic salt. If not given, a random 8-character salt will be generated.


The following hash algorithms are supported:

  • md5

  • blowfish (not in mainline glibc, only available in distros that add it)

  • sha256

  • sha512 (default)

CLI Example:

salt '*' shadow.gen_password 'I_am_password'
salt '*' shadow.gen_password 'I_am_password' crypt_salt='I_am_salt' algorithm=sha256

Return information for the specified user

CLI Example:

salt '*' someuser
salt.modules.bsd_shadow.set_change(name, change)

Sets the time at which the password expires (in seconds since the UNIX epoch). See man 8 usermod on NetBSD and OpenBSD or man 8 pw on FreeBSD.

A value of 0 sets the password to never expire.

CLI Example:

salt '*' shadow.set_change username 1419980400
salt.modules.bsd_shadow.set_expire(name, expire)

Sets the time at which the account expires (in seconds since the UNIX epoch). See man 8 usermod on NetBSD and OpenBSD or man 8 pw on FreeBSD.

A value of 0 sets the account to never expire.

CLI Example:

salt '*' shadow.set_expire username 1419980400
salt.modules.bsd_shadow.set_password(name, password)

Set the password for a named user. The password must be a properly defined hash. The password hash can be generated with this command:

python -c "import crypt; print crypt.crypt('password', ciphersalt)"


When constructing the ciphersalt string, you must escape any dollar signs, to avoid them being interpolated by the shell.

'password' is, of course, the password for which you want to generate a hash.

ciphersalt is a combination of a cipher identifier, an optional number of rounds, and the cryptographic salt. The arrangement and format of these fields depends on the cipher and which flavor of BSD you are using. For more information on this, see the manpage for crpyt(3). On NetBSD, additional information is available in passwd.conf(5).

It is important to make sure that a supported cipher is used.

CLI Example:

salt '*' shadow.set_password someuser '$1$UYCIxa628.9qXjpQCjM4a..'