shadow password

ayhopkins · 02-11-2005, 06:42 PM

What is the difference between the "!" character and the "*" character in the encrypted password field in the shadow password file.

I have both and there must be a reason, but the only information I can find is that it disables the password.

Does it really mean login?

Thanks.

sigsegv · 02-11-2005, 08:01 PM

Either of those characters in the password field in /etc/shadow would disable the login.

ayhopkins · 02-11-2005, 09:05 PM

I noticed that you can still "su" to those users.

I am just worried about user's who are reallly processes.

Is one character preferred over the other?

lanjelot · 11-15-2005, 06:17 PM

Isn't there anyone who knows what really is the difference between a '*' and a '!' ???

It seems that piece of information isn't going to be easily found.

anomie · 11-15-2005, 07:52 PM

As far as I know, the '*' is standard.

edit: I take it back. I am not sure why '!' is used in some instances. Probably something a sufficiently motivated person (read: not me) could learn about on google.

int0x80 · 11-16-2005, 01:34 AM

If you're worried about people using su to set user to a different account, set the other accounts to have the shell /dev/null. See this post -- http://www.linuxquestions.org/questi...62#post1954062

To answer your bang vs any question, my system can't tell the difference.

lanjelot · 11-16-2005, 02:12 AM

This is true that every account disabled with a '!' has /bin/false in its default shell field exept fetchmail actually (using Ubuntu linux breezy badger).
See below 2 lines from my /etc/passwd file:

fetchmail:x:104:65534::/var/run/fetchmail:/bin/sh
messagebus:x:105:109::/var/run/dbus:/bin/false

So i'm not sure whether or not i should set /bin/false to fetchmail.

Anyway this is off topic.

And i did a quick googling but i did not find anything. It seems that there is so much information for newbies that you always end up on websites that only describe the basics. But i certainly did not search well enough.

So maybe, i'll ask one of my teachers... that'd be a good test!

lanjelot · 11-16-2005, 02:43 AM

Well, I found that:

http://seclists.org/lists/security-b.../May/0107.html

I guess it resolves the topic. Moderators ?

lanjelot · 11-17-2005, 05:25 AM

* -> User cannot login by password (may login by other means like
ssh-key).
! -> User cannot login at all.

See man-page of adduser. "--disabled-password" creates '*', "--disabled-login" creates '!'.