What means * and ! at second field of /etc/shadow?

'!' and '!!' mean essentially the same thing, but different tools use one or the other, passwd -l for instance, uses a pair of exclamation points. usermod -L on the other hand only uses one.

Usually, accounts with '*' never had a password (as in, have always been disabled for login). This is different to an account with no password hash entry at all, in which case no password is needed (and often won't even be prompted for) which is nearly always BAD!.

If it's an invalid hash (which all of '*', '!', and '!!' are) it effectively locks the account and prevents logins to that account. Often this is furthered by setting the account's shell to something like /bin/false or /sbin/nologin in the /etc/passwd file

You'll often find that if a user's account is locked after previously having a valid password set, that password hash has exclamation marks prefixed to it, this is so when the account is unlocked the password resumes working again.

Sirex

Posted 2013-07-25T01:07:42.643

Reputation: 10 321

2The answer is not 100% correct. From my experience if you have an asterisk * in that column, you can still login perfectly fine using public key authentication. Whereas a ! really blocks all logins for that user. – Michael Härtl – 2017-02-17T19:16:28.367

that depends on the setting of the "usepam" in the sshd config file. http://arlimus.github.io/articles/usepam/

– Sirex – 2017-02-18T00:22:46.453

Thanks for your detailed explanation. This is very helpful! – ironsand – 2013-07-25T04:01:18.617

2no problem. One thing i forgot to mention (but did imply) is to be careful of locking account with passwd and trying to unlock it with usermod. It'll only remove the first '!', which won't work. – Sirex – 2013-07-25T04:56:13.410

What means * and ! at second field of /etc/shadow?

Answers