I am a really newbie to linux, I would like to know how to determine an account cannot login to system in any way. I found at the /etc/passwd file, if the default shell of an account is /sbin/nologin, it cannot telnet or login interactively, but like 'FTP' account, I can login through FTP Client, so can I say the 'FTP' account is locked??

Then at /etc/shadow, I found the password field of an account may contain '!!' or '*', I searched for reference know that '!!' means password is locked and '*' means password is disabled, so can an account with '!!' or '*' login to system interactively or through ways like FTP??

Thanks a lot for your information!!!

well notations like !! and * just make the password string impossible to ever match. the passwd is a sha or md5 string encrypted version of the original password, and those strings can never contain those characters, therefore the account is implictly "locked". Note that there is no formal explicit locking, i.e. there is no "Locked" field in the file, you just basically break the account in a controlled way. Locked and disabled are interchangeable, there's no difference.

As for nologin, no the account is not locked, as it is working absolutely fine, and even with nologin as your shell, you DO login, but terminate immediately due to the behaviour of the chosen (non) shell. so if you don't need a shell as the result of the authentication, you do still log in correctly. terminology aroun "FTP accounts" is very vague, sometimes they just mean an account like you are referring to, which I would say is the wrong way to describe it, as opposed to a seperate user account list held purely for the FTP server, which would be much more like a genuine "FTP Only" user.

1 members found this post helpful.

Thanks for detailed explanation, you let me have a clearer concept, thanks a lot!!!!