
What do "!" and "*" mean in the password section in /etc/shadow? [closed]

In an /etc/shadow file, it looks as follows.

root:!:15764:0:99999:7:::
daemon:*:15749:0:99999:7:::

What do these characters ("!" and "*") mean in the password section?

Denis Weerasiri asked Jun 08 '14 11:06


2 Answers

man shadow

   If the password field contains some string that is not a valid
   result of crypt(3), for instance ! or *, the user will not be able
   to use a unix password to log in (but the user may log in the
   system by other means).

   This field may be empty, in which case no passwords are required to
   authenticate as the specified login name. However, some
   applications which read the /etc/shadow file may decide not to
   permit any access at all if the password field is empty.

   A password field which starts with an exclamation mark means that
   the password is locked. The remaining characters on the line
   represent the password field before the password was locked.

So * means no password can be used to access the account, and ! means it's locked.

exussum answered Nov 07 '22 18:11


From the manual page shadow(5):

encrypted password
Refer to crypt(3) for details on how this string is interpreted.

If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).

This field may be empty, in which case no passwords are required to authenticate as the specified login name. However, some applications which read the /etc/shadow file may decide not to permit any access at all if the password field is empty.

Also, the program passwd (see passwd(1)) can be locked to create these locked accounts by prefixing the password with !:

-l, --lock
Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password).

Lekensteyn answered Nov 07 '22 17:11
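The shadow(5) rules quoted in both answers, applied as an account audit. This is an added example, not part of either answer. The function names, state labels, and the regex for "looks like a crypt(3) result" are assumptions of this sketch, and every sample line other than the two from the question is constructed.

```python
import re

# Heuristic (assumption of this example): a crypt(3) result is either
# modular format "$id$..." or a 13-character traditional DES hash.
HASH_RE = re.compile(r"^(\$[A-Za-z0-9-]+\$.+|[./0-9A-Za-z]{13})$")

def classify_password_field(field):
    """Map one /etc/shadow password field to a state per shadow(5)."""
    if field == "":
        return "empty"                      # no password required
    if field.startswith("!"):
        # Locked: the remaining characters are the field before locking.
        if HASH_RE.match(field[1:]):
            return "locked-hash-preserved"  # removing "!" restores the password
        return "locked-no-password"         # nothing usable behind the lock
    if HASH_RE.match(field):
        return "password-set"
    return "no-password-login"              # e.g. "*": not a crypt(3) result

def audit_shadow(text):
    """Return {login: state} for shadow-format text."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue                        # malformed entry, skip
        results[parts[0]] = classify_password_field(parts[1])
    return results

# First two lines are from the question; the rest are constructed samples.
SAMPLE = """\
root:!:15764:0:99999:7:::
daemon:*:15749:0:99999:7:::
alice:$6$examplesalt$constructedhashvalue:19000:0:99999:7:::
bob:!$6$examplesalt$constructedhashvalue:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, state in audit_shadow(SAMPLE).items():
        print(f"{user:8} {state}")
```

A locked or `*` field only rules out password login; as the quoted man page says, the user may still log in by other means, so `empty` is the state to flag first.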