/etc/shadow question

doctore · 04-16-2015, 12:49 PM

Looking at the /etc/shadow file, for some of the system services accounts there are "*" and for others "!!" in the password field.
Searching online I have only found that !=*, i.e. prevent use for log-in, but, if true, what is the actual difference? Why not use "*" on all of them? And why double exclamation point?

veerain · 04-16-2015, 12:58 PM

Code:

man 5 shadow

Read it.

doctore · 04-16-2015, 01:20 PM

Quote:

Originally Posted by veerain

Code:

man 5 shadow

Read it.

I'm sorry, but you did not understand my question. The only thing in man about it is:

Quote:

If the password field contains some string that is not a valid
result of crypt(3), for instance ! or *, the user will not be able
to use a unix password to log in (but the user may log in the
system by other means).

Which I already found online. My question was:

Quote:

Why not use "*" on all of them? And why double exclamation point?

veerain · 04-16-2015, 01:25 PM

Quote:

Why not use "*" on all of them?

Some users of account would log in.

jpollard · 04-16-2015, 02:39 PM

The exclamation mark is used to lock the account. It may or may not have an actual hashed password following it.

You can actually put anything in the field. By convention "*" is no password, not allowed to login.

An !<password> is an administratively locked login that may be unlocked (see the manpage on the passwd command).

I think the use of !! is to prevent accidental unlocking (as it would take two unlock actions to actually unlock it).

maples · 04-16-2015, 02:45 PM

It doesn't really matter which one is used, they both mean the same thing.

On my Debian system, all the system accounts have a *. However, a "!" works just fine because the process used to turn your password into that long encrypted string will never output a "!", so putting one there garuntees that no password will ever unlock that account.

Hope this helps!