67

The second field in the Linux /etc/shadow file represents a password. However, what we have seen is that:

  1. Some of the password fields may have a single exclamation

    <account>:!:.....
    
  2. Some of the password fields may have a double exclamation

    <account>:!!:.....
    
  3. Some of the password fields may have an asterisk sign

    <account>:*:.....
    

From some research on the internet and through this thread, I understand that * means the password was never established, and ! means locked.

Can someone explain what a double exclamation (!!) means, and how it differs from (!)?

  • Which distribution are you using? Commented Dec 28, 2015 at 23:08
  • Hi Muru, I am new to Unix and trying to create a script which will run on RHEL 6.6 and HP-UX B.11.23 Commented Dec 28, 2015 at 23:35
  • "By convention, accounts that are not intended to be logged in to (e.g. bin, daemon, sshd) only contain a single asterisk in the password field. Note that there is nothing special about ‘*’, it is just one of many characters that cannot occur in a valid encrypted password (see crypt(3))." --OpenBSD man page for passwd(5). I would expect ! or !! to be no different, technically, regarding whether it is a valid passwd file, or regarding logins. However, some tools might have special support. Commented Dec 29, 2015 at 1:45
  • Don't use the BSDs' doco as references for this. Their accounts database handles things differently and does not even have an /etc/shadow file. Don't put answers into comments, either. ☺ Commented Dec 29, 2015 at 8:17

4 Answers

52

Both "!" and "!!" in the password field mean it is not possible to log in to the account using a password.

As can be read from the documentation of RHEL-4, the "!!" in the shadow-password field means the account of a user has been created, but has not yet been given a password. The documentation states (possibly erroneously) that until being given an initial password by a sysadmin, it is locked by default.

However, as others have noted, and as the man pages indicate for later versions of RHEL-7, it is possible a user may still log on to the account through other means, such as via SSH using public/private key authentication.

  • This may be true on Red Hat systems, but not necessarily elsewhere - on Ubuntu or Arch Linux, a newly-created account with no password still has only !, not !!. Commented Dec 28, 2015 at 23:06
  • True indeed that I have never seen a "!!" in a Debian system. I would guess the OP is using some RH-based system, or SuSE. Commented Dec 28, 2015 at 23:09
  • @JavaTec Not necessarily: I think all unices that have a /etc/shadow have the same field, but how the password field stores non-password information varies. Check the HP-UX documentation, starting with the shadow man page. Commented Dec 28, 2015 at 23:57
  • HP-UX did not even have /etc/shadow until relatively recently: before HP-UX 11.11, the options were either classic shadowless /etc/passwd or "Trusted Computing Base", which stored each user's password hashes and other account information in individual files named /tcb/files/auth/<initial>/<username>, readable only by root. In HP-UX 11.11, /etc/shadow was introduced as an optional extra, in 11.23 it was an option in the base OS, and in 11.31 the TCB was finally deprecated. Commented Jan 21, 2019 at 21:32
  • It is worth noting that an account is not actually locked in this way; it only means the user cannot use a password to authenticate and probably cannot set a password. I have tested this on both Debian and EL based distributions: login with an ssh key still works with either "!" or "!!" in the password field. Commented Oct 4, 2019 at 19:40
11

It may also be worth noting that <account>::..... means no password is required (empty password).

If you are creating an ssh key-only user you could use <account>::0:0:99999:7::: to require that the user set their password (i.e. that they use for sudo) on their first login.

Note: key-only authentication means that a password is NOT an authentication factor.

  • Beware of this. An empty field means there is no password, and you just have to press ENTER to login, at least in the console. Commented May 4, 2017 at 12:28
  • From man shadow regarding the encrypted password field: "This field may be empty, in which case no passwords are required to authenticate as the specified login name." <-- Leaving this field empty results in an open account and this should indeed be avoided! Commented Oct 15, 2019 at 12:48
  • Note that many SSH implementations block login on null-passworded accounts by default: sudo /usr/sbin/sshd -T| grep empty would return: "permitemptypasswords no" Commented Nov 4, 2019 at 15:58
  • Changed the answer to clarify that I meant key-only login. Commented Apr 13, 2020 at 1:26
  • Another note on why one should never use empty passwords. Think about what happens if you install any software that uses "linux-authentication". E.g. phpMyAdmin would then allow logins without a password. This can be very dangerous. And key-only users should have "!" Commented Nov 3, 2020 at 6:12
1

The difference between ! and !! is purely a convention (locked on purpose vs locked because the account is new).

When it comes to * and the rest, there is usually no difference, with a caveat. PAM treats it the same as the others, but OpenSSH does not. If you don't have the UsePAM yes option in your sshd config, then the behaviour will depend on the build flags passed to OpenSSH's ./configure script at build time. By default, that means it will allow SSH logins for users with *, but disallow them for users with !, !! or !*. See:

Most distros nowadays have UsePAM set to yes.

0

In short: ! indicates a locked account, often used to temporarily disable an account without removing the password hash. So you can find ! together with a password hash, or just ! on its own if the password was empty. !! indicates that a password has never been set for the account, meaning the account is disabled until a password is assigned.
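The following is an added example, not code from the thread or any of its answers: a small Python auditor that applies the password-field conventions described in the answers above to shadow-format lines, flags the empty-field case the second answer and its comments warn about, and checks `sshd -T` output for the PermitEmptyPasswords setting mentioned in the comments (the third answer's UsePAM point is what makes that sshd setting, rather than `*` versus `!`, the relevant one). The shadow lines and sshd -T output embedded in it are constructed samples; the hash strings are placeholders, not real crypt output.

```python
"""Audit the password field of /etc/shadow entries.

Added example, not from the original thread. The SAMPLE_SHADOW and
SAMPLE_SSHD_T strings are constructed for illustration (hashes are
placeholders). Real use: sudo python3 shadow_audit.py /etc/shadow
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample /etc/shadow lines (hash strings are not real crypt output).
SAMPLE_SHADOW = """\
root:$6$saltsalt$NotARealHashJustForIllustration0123456789:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
daemon:!*:19000:0:99999:7:::
alice:!$6$saltsalt$NotARealHashJustForIllustration0123456789:19000:0:99999:7:::
bob:!!:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

# Constructed sample of `sshd -T` output (sshd prints keywords in lowercase).
SAMPLE_SSHD_T = """\
usepam yes
permitemptypasswords no
passwordauthentication yes
"""

# A classic DES crypt(3) hash is 13 characters from this alphabet; modular
# crypt hashes ($1$, $5$, $6$, $y$, ...) start with '$'.
_DES_HASH = re.compile(r"[A-Za-z0-9./]{13}")


@dataclass
class ShadowEntry:
    name: str
    field: str
    status: str           # human-readable meaning of the password field
    password_login: bool  # can a password ever authenticate this account?
    hash_present: bool    # is a (possibly locked) hash stored in the field?


def classify_password_field(field: str) -> tuple[str, bool, bool]:
    """Return (status, password_login_possible, hash_present) for field 2.

    Conventions as discussed in the thread: empty means no password needed;
    a leading '!' is the lock prefix written by passwd -l / usermod -L;
    '!!' is what Red Hat-style useradd writes for an account that never had
    a password; '*' (or '!*') can never equal a crypt(3) output.
    """
    if field == "":
        return "EMPTY: no password required, ENTER logs in", True, False
    if field == "!!":
        return "locked: password never set (!!)", False, False
    if field == "!":
        return "locked: no hash stored (!)", False, False
    if field in ("*", "!*"):
        return f"no valid password ({field}): non-login account", False, False
    if field.startswith("!"):
        return "locked: hash retained (!<hash>), passwd -u restores it", False, True
    if field.startswith("$") or _DES_HASH.fullmatch(field):
        return "active password hash", True, True
    # Anything else cannot match crypt(3) output either, so it behaves like '*'.
    return f"unrecognized value {field!r}: cannot match any password", False, False


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse shadow-format text; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        status, can_login, has_hash = classify_password_field(parts[1])
        entries.append(ShadowEntry(parts[0], parts[1], status, can_login, has_hash))
    return entries


def empty_password_accounts(text: str) -> list[str]:
    """Names of accounts that can be entered with no password at all."""
    return [e.name for e in parse_shadow(text) if e.password_login and not e.hash_present]


def sshd_permits_empty_passwords(sshd_t_output: str) -> bool:
    """True if sshd (per `sshd -T` output) would accept empty passwords.

    With UsePAM yes the '*' vs '!' distinction is left to PAM, so over SSH
    the PermitEmptyPasswords setting is what decides whether an empty field
    is usable; it defaults to no.
    """
    opts = {}
    for line in sshd_t_output.splitlines():
        key, _, value = line.partition(" ")
        opts[key.strip().lower()] = value.strip().lower()
    return opts.get("permitemptypasswords", "no") == "yes"


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for e in parse_shadow(source):
        print(f"{e.name:12} {e.field[:14]:14} {e.status}")
    for name in empty_password_accounts(source):
        print(f"WARNING: {name} has an empty password field")
    if sshd_permits_empty_passwords(SAMPLE_SSHD_T):
        print("WARNING: sshd has PermitEmptyPasswords yes")
```

Run it as root against the real file to list every account's classification; anything reported by `empty_password_accounts` is the open-account case the comments describe, and a key-only account should show `!` (or `!!`/`*`), never an empty field. Pipe the real `sshd -T` output into `sshd_permits_empty_passwords` rather than the constructed sample to check the actual daemon.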
