Request an explanation to: /etc/gshadow + /etc/shadow etc

Hello!

Need an explanation to: /etc/gshadow + /etc/shadow.

If I have read and understood correctly on the Internet means:

  • = password prompt?
    ! = account? disabled? Or no password request necessary?

As an example:
/etc/shadow:

root:blabla-password-hash:19160:0:99999:7::: (root account active?)
or:
root:!:19160:0:99999:7::: (root account disabled?)

What is the difference with?
*
!

Example @ Ubuntu Mate LIVE DVD 22.04 LTS:

In /etc/shadow file all entries have the *
In /etc/gshadow file the entries have different values * / !

I would be very grateful if someone of you has a short time and it understandable in a simple way explains what it has to do with * / !

Hi mate2go :slight_smile:

Here is a quote from the site 'Quora'


Gergely Mészáros

[ Linux System Administrator, Programmer (1998–present) ]

TLDR: ! means locked, * means no valid password (shouldn’t log in).

Historically you can lock any account in Linux by putting a ! mark before the password hash. The user will not be able to log in, but you can easily “unlock” it by removing the ! mark. (This is what passwd -l does)

From the manpage: “A password field which starts with an exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked. […] If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).”

You don’t have to use ! or *, other invalid characters like % would do the trick. The accounts having * passwd field are never intended to be normal login accounts, the ones with ! could be used, but locked by default. I’m not sure how modern distributions are honoring this tradition though

really, I wouldn't be able to describe it as good as he does :slight_smile:

For a general overview about how the /etc/shadow file is organized,
open a terminal and type:
man 5 shadow

Idem for the /etc/gshadow file:
man 5 gshadow

Idem for the /etc/passwd file:
man 5 passwd

1 Like

thanks @ tkn! :slight_smile:

That already helps me a little bit.

I think i know where your confusion stems from.

The computer doesn't care at all whether the character is either a '!' or '*' or '%'
it all means the same: 'disable password login'

The difference is there only for the convenience of the sysadmin.
(and for some tools, but i come back to that later)
sysadmins agreed on the use of this symbols to communicate with one another:

'!' to remind himself and his collegues that he disabled the login on pupose
'*' to remind himself and his collegues that a login would make no sense to have on this account (because it belongs to a daemon c.q. system service).

Again, the computer couldn't care less. Both symbols have exactly the same meaning for the computer, both just disable passwordlogin and nothing more.
:slight_smile:

Try this for yourself:
The admintool passwd -l, explicitly uses the '!' to disable/enable login of users
this tool is pretty singleminded and braindead about it.
Let's see what it does on daemons which already have disabled passwordlogin
Let's use it, for instance, on the avahi-daemon:

avahi:*:18667:0:99999:7:::

sudo passwd -l avahi
and it leads to this

avahi:!*:18667:0:99999:7:::

Yes, very straightforward indeed :joy:
As you can see, it it not even critical. The system doesn't care at all

repeat the command to get it back to what it was

avahi:*:18667:0:99999:7:::

( b.t.w. What we immediately can learn from this is that passwd -l can never enable passwordlogin for a daemon because it only manipulates the '!' but leaves the rest intact )

Oh, btw, the many '!' in the /etc/gshadow file are blocked group-logins (you can set them with 'gpasswd').
Long ago , the system designers thougt that group logins would be a pretty neat idea but it turned out to be not very useful.
Group passwords are also security wise a bad idea (because sharing passwords is not really a smart move)
They are still there for legacy reasons but nobody cares, let alone use them.