Difference between ! vs !! vs * in /etc/shadow

The second field in the Linux /etc/shadow file represents a password. However, what we have seen is that:

  1. Some of the password fields may have a single exclamation

    <account>:!:.....
    
  2. Some of the password fields may have a double exclamation

    <account>:!!:.....
    
  3. Some of the password fields may have an asterisk sign

    <account>:*:.....
    

From some research on the internet and through this thread, I understand that * means the password was never established and ! means locked.

Can someone explain what a double exclamation (!!) means, and how it is different from (!)?

Asked By: JavaTec


Both "!" and "!!" being present in the password field mean it is not possible to login to the account using a password.

As can be read from the documentation of RHEL-4, the "!!" in the shadow-password field means the account of a user has been created, but not yet given a password. The documentation states (possibly erroneously) that until being given an initial password by a sysadmin, it is locked by default.

However, as others have noted, and as the man pages indicate for later versions of RHEL-7, it is possible a user may still log on to the account through other means, such as via SSH using public/private key authentication.

Answered By: Rui F Ribeiro

It may also be worth noting <account>::..... meaning that there is no password required (empty password).

If you are creating an ssh key-only user you could use <account>::0:0:99999:7::: to require that the user set their password (i.e. that they use for sudo) on their first login.

Note: key-only authentication means that a password is NOT an authentication factor.

Answered By: coolaj86
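
The field values discussed in the question and answers above, as an added example that is not part of the original posts: a small Python audit that labels the second field of shadow-style lines and reports whether a password login is possible. The sample lines, account names, hash and label names are constructed for this example. It assumes two points from shadow(5): a `!` in front of other text marks a locked password, and `0` in the third field forces a password change at next login.

```python
"""Classify the password (second) field of /etc/shadow-style lines."""

# Constructed sample: account names and the hash are placeholders, not real data.
SAMPLE = """\
root:$6$examplesalt$examplehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc_new:!!:19000:0:99999:7:::
svc_locked:!:19000:0:99999:7:::
alice:!$6$examplesalt$examplehash:19000:0:99999:7:::
keyonly::0:0:99999:7:::
"""

def classify(field):
    """Return this example's label for one password field."""
    if field == "":
        return "EMPTY"          # no password required
    if field == "*":
        return "STAR"           # password never established
    if field == "!!":
        return "NOT_SET"        # account created, no password given yet
    if field.startswith("!"):
        # "!" alone is a lock marker; "!" in front of other text is a
        # locked password whose original value follows the marker.
        return "LOCKED" if field.strip("!") == "" else "LOCKED_HASH"
    if field.startswith("$"):
        return "HASH"           # crypt(3)-style "$id$salt$hash"
    return "OTHER"              # legacy hash or vendor marker: check by hand

def audit(text):
    """Map account -> (label, password_login_possible, must_change)."""
    report = {}
    for line in text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 2:
            continue            # skip comments and malformed lines
        label = classify(parts[1])
        # Only an empty field or a real hash lets a password login succeed;
        # OTHER is unknown (None). No value here says anything about SSH keys.
        pw_login = None if label == "OTHER" else label in ("EMPTY", "HASH")
        # Third field "0" means the password must be changed at next login.
        must_change = len(parts) > 2 and parts[2] == "0"
        report[parts[0]] = (label, pw_login, must_change)
    return report

if __name__ == "__main__":
    for account, (label, pw_login, must_change) in audit(SAMPLE).items():
        print(f"{account:12} {label:12} password_login={pw_login} "
              f"must_change={must_change}")
```

An `EMPTY` result is the one to review first, since it means no password is required; every other non-hash label only rules out password logins, not key-based ones.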