1. Overview

In Linux, the /etc/shadow file stores information about the user’s passwords on a Linux system. Moreover, it is an important file for system administration and security, as it allows the system to verify the user’s identity and enforce password policies.

In this tutorial, we’ll explain the meaning of !!! and * in the password field of the /etc/shadow file and how they affect the users’ ability to log in to the system.

We ran the code in this tutorial in Bash Shell version 5.1.16.

2. /etc/shadow

The /etc/shadow file contains one entry per line, each representing a user account. Each line consists of nine fields separated by colons:

[username]:[password]:[last change]:[min age]:[max age]:[warn]:[inactive]:[expire]:[reserved]

The first field is the username, which is the string that the user types when logging in to the system. The second field is the password field, which is the encrypted or hashed version of the user’s password. Finally, the remaining fields contain information about the password‘s age, expiration, and other parameters.

However, the password field can have different values depending on the encryption algorithm and the status of the password:

  • A string starting with $ followed by a number, a salt, and a hash
  • An exclamation point !
  • Two exclamation points !!
  • An asterisk *

Furthermore, when a string starts with $ followed by a number, a salt, and a hash appears in the password field, it means one of the supported algorithms, such as MD5 (1), SHA-256 (5), or SHA-512 (6), encrypts the password. The salt is a random string that is added to the password before hashing to prevent dictionary attacks. The hash is the result of applying the algorithm to the salted password.

3. ! in /etc/shadow’s Password Field

Firstly, let’s see a typical example of /etc/shadow‘s entry:

alice:$6$wXtY9ZoG$MzaxvKfj3Z8F9G8wKz7LU0:18736:0:99999:7:::

The entry above shows us that alice has a valid password encrypted with SHA-512 and can log in normally.

Now, let’s see an entry with the ! symbol:

meg:!$6$HqUkP9Xj$y42Tt4Y5Zz5Q8L8w3Lnj41:18736:0:99999:7:::

Here, we can see that there is ! before $6$H…41, it means meg‘s password is locked, and she can’t log in using password authentication.

However, he can still log in using methods like SSH keys or switching from another user.

4. !! in /etc/shadow’s Password Field

Another symbol that we may encounter in the password field of the /etc/shadow file is the two exclamation points. !! indicates that someone has created a user account but has not given it a password. Therefore, anyone can log in to the account without any password, which is a serious risk.

Furthermore, some Linux distributions, like Red Hat and CentOs, employ !! when we create new user accounts on them. For instance, let’s observe the following entry in the /etc/shadow file:

newuser:!!:18801:0:99999:7:::

In this case, we can see that the system generates the newuser account on the 18801st day since January 1, 1970 (the epoch date), but it has no password. Thereby, !! occupies the password field.

However, the !! symbol does not prevent the user from logging in to the system through other means, such as SSH keys or switching from another user.

5. * in /etc/shadow’s Password Field

The symbol * in the password field means no password can be used to access the account. This usually occurs in daemon accounts that an ordinary user can’t access, such as root, bin, daemon, etc. For instance, let’s see a daemon account in an /etc/shadow file below:

daemon:*:15749:0:99999:7:::

Here, we can see that there’s * in the password field. Thus, the daemon account has no password. However, we can still access it using methods like SSH key or switching from another user.

6. Modifying the Symbols !!!, and * in /etc/shadow File

As a system administrator, we might need to modify the symbols !!! and * in the /etc/shadow file to enable, disable, lock, or unlock user accounts. There are two main ways we can do this.

6.1. Using the passwd command

The passwd command is a tool that allows us to change or set the password for a user account. However, we can also use the passwd command to disable, lock, or unlock the password for a user account by using different options with it.

For example, to lock meg‘s password from the example in section 3, we can use the -L option:

$ passwd -L meg

The -L option used above is to lock meg‘s password by adding ! to the password field.

Furthermore, we can also unlock meg‘s account by using the -u option:

$ passwd -u meg

Here, we used the -u option above to unlock meg‘s password by removing ! from the password field.

We can also set a password for the newuser account in section 4 by using the passwd command only:

$ passwd newuser

After this, a new prompt will come up, and we can enter a new password for the account.

Finally, we can disable an account by adding * to the password field with the -l option of the passwd command. For example, let’s say the daemon account in section 5 is active, and we want to disable it:

$ passwd -l daemon

The -l option adds * before the password field in the /etc/shadow file. Thus, it disables the account.

6.2. Editing /etc/shadow File Manually

The /etc/shadow file is a text file that we can edit using any text editor, such as vi or nano. However, manually editing the /etc/shadow file is not recommended, as it may cause errors and inconsistencies in the file.

Therefore, we should only edit the /etc/shadow if we’re sure we can handle it and have a backup of the file. Notably, to edit the /etc/shadow file manually, we need to have root privileges or use sudo.

7. Conclusion

In this tutorial, we’ve explained the meaning of the symbols !!! and * that may appear in the password field of the /etc/shadow file on a Linux system. We also looked at how we can modify these symbols using the passwd command or editing the /etc/shadow file manually.

Moreover, these symbols are useful for system administration and security purposes, as they allow us to enable, disable, lock, or unlock user accounts ts and passwords.

Finally, we should always be careful when dealing with the /etc/shadow file and make sure that there’s a backup of the file before making any changes.