From https://git.joeyh.name/index.cgi/etckeeper.git/tree/update-ignore.d/01update-ignore#n110:
# Not currently ignored as admins tend to rely on these files.
#ignore "passwd-"
#ignore "group-"
#ignore "shadow-"
#ignore "gshadow-"
But I can't understand the reason, considering that ignoring these backup files justs leaves them there so admins can still use them. In the other hand, having the original files (e.g. passwd) under version control will provide admins the expected history of changes.
An admin might expect to be able to
mv passwd- passwdto undo the most recent change, and if so that might as well be supported after restoring /etc from backup.There is essentially no overhead in adding these files since they have the same content as an older commit of the passwd file.