
Looking into my /etc/shadow file of a fairly new box today (running Arch), I see some passwords as * (disabled) but some others as !*, !! and as !. Presumably that means "disabled", too, but why is the value different?

Is there some convention that I haven't heard of? :-) and if so where would that be documented?

Excerpt:

root:*:14871::::::
dbus:!!:18407::::::
dnsmasq:!*:18499::::::
shepherd:!:18502:0:99999:7:::
Johannes Ernst

1 Answer

Synthesizing the Unix & Linux page regarding the /etc/shadow file

  • *: "By convention, accounts that are not intended to be logged in to (e.g. bin, daemon, sshd) only contain a single asterisk in the password field"
  • !: Both "!" and "!!" being present in the password field mean an account is locked.
  • !!: But "!!" in an account entry in shadow means the account of a user has been created, but not yet given a password

The strings *, ! and !! all effectively mean that the user cannot log in (since an encrypted password will never be 1 or 2 characters).

Déjà vu
    This isn't just a length restriction. Even if the original hash is present, adding either `*` or `!` will render them unmatchable, since neither character appears in a valid hash for all hash types commonly used in `/etc/shadow`. In this way, a user's "previous" password can be preserved, and removing the `*` or `!` can return it to service. – Royce Williams Aug 29 '20 at 18:46
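The following is an added example (not code from the question, the answer or the comment above) that puts the answer's classification and the comment's "prefix to lock, strip to restore" observation into a small POSIX sh script. It classifies the password field of shadow-format lines and shows that prepending "!" keeps the original hash intact. The entries and the `$6$...` value below are constructed placeholders, not a real hash; the function names (`pw_class`, `pw_lock`, `pw_unlock`, `pw_preserved`, `shadow_report`) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: classify /etc/shadow password
# fields and show that "!" locks an entry while preserving what was there.
# The entries and the $6$ value in the demo are constructed placeholders.

# pw_class FIELD -> empty | nologin | locked | hash | unmatchable
#   empty:       no password at all (a hazard, not a lock)
#   nologin:     "*" alone, the convention for accounts never given a password
#   locked:      "!" prefix, as written by passwd -l / usermod -L
#   unmatchable: contains "*" or "!" elsewhere; neither occurs in a crypt(3)
#                hash, so no password can ever match it
#   hash:        anything else is treated as a crypt(3) string
pw_class() {
    case "$1" in
        '')          echo empty ;;
        '*')         echo nologin ;;
        '!'*)        echo locked ;;
        *'!'*|*'*'*) echo unmatchable ;;
        *)           echo hash ;;
    esac
}

# pw_lock FIELD -> FIELD with "!" prepended (idempotent); the old hash is kept
pw_lock() {
    case "$1" in
        '!'*) printf '%s\n' "$1" ;;
        *)    printf '!%s\n' "$1" ;;
    esac
}

# pw_unlock FIELD -> FIELD with one leading "!" removed (what passwd -u does)
pw_unlock() {
    printf '%s\n' "${1#!}"
}

# pw_preserved FIELD -> the hash hidden behind a lock, or "" if there is none.
# "!" and "!!" hide nothing, and "!*" hides only the "*" placeholder.
pw_preserved() {
    case "$1" in
        '!'|'!!'|'!*') printf '\n' ;;
        '!'*)          printf '%s\n' "${1#!}" ;;
        *)             printf '\n' ;;
    esac
}

# shadow_report: read shadow-format lines on stdin, print "user class preserved"
shadow_report() {
    while IFS=: read -r user pw _rest; do
        [ -n "$user" ] || continue
        p=$(pw_preserved "$pw")
        printf '%s %s %s\n' "$user" "$(pw_class "$pw")" "${p:-none}"
    done
}

# Demo: the four kinds of entry from the question plus one locked hash
# (constructed sample data; the $6$ value is not a real hash).
shadow_report <<'EOF'
root:*:14871::::::
dbus:!!:18407::::::
dnsmasq:!*:18499::::::
shepherd:!:18502:0:99999:7:::
alice:!$6$saltsalt$notarealhashjustaplaceholder:18502:0:99999:7:::
EOF
```

On a real system the same transformations are done by `passwd -l` / `usermod -L` (prefix "!") and `passwd -u` / `usermod -U` (remove it), and `passwd -S user` reports the state as L (locked), NP (no password) or P (usable password). Note that the field only decides whether a password can ever match; whether a service treats "!" or "*" as an account lock for other authentication methods is up to that service.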