If you check /etc/shadow you may notice entries such as !! or *LK* in the place where the password hash normally is (the second field). Here's what they mean:

  • “NP” - No password. This is a Solaris convention: the field holds no hash at all, so nobody can authenticate to the account with a password. It is different from an empty field (which would let anyone log in without a password) and is used for system and administrative accounts.
  • “*LK*” - the account is Locked (also a Solaris convention, but seen on Linux too, as in the oraprod example below); the user will be unable to log in directly with a password.
  • “!”, “*”, “!!” - these are set when a user is created and no password has been supplied. It means that the account is locked and no one can log in directly. “!!” is the Red Hat useradd convention and “*” is common for system accounts; “!” is also what passwd -l and usermod -L prepend to an existing hash to lock it. All three are valid on Linux because any value that is not a valid crypt(3) hash simply makes password authentication impossible.

Some examples

 bin:*:15138:0:99999:7:::
    
 nscd:!!:15138:0:99999:7:::      
 
 oraprod:*LK*$1$SdGGt1j7$Ya0l7mohFAm9IpbwTOxh8.:15819:0:99999:7:::

Each field (separated by : ) has a specific meaning. Taking the oraprod entry as an example, here's what each field means:

  • oraprod - user name
  • *LK*$1$SdGGt1j7$Ya0l7mohFAm9IpbwTOxh8. - previously had a password but is now locked: the *LK* prefix stops the string being a valid hash, while the original hash is kept so the lock can be undone. The $1$ prefix identifies the hash as MD5-crypt, which is weak by today's standards; current systems use $6$ (SHA-512-crypt) or $y$ (yescrypt).
  • 15819 - when the password was last changed, expressed as the number of days since 1st Jan 1970 (an empty field disables aging and 0 forces a change at the next login)
  • 0 - minimum number of days that have to pass between password changes; 0 indicates it can be changed at any time
  • 99999 - maximum number of days that can pass after which the password must be changed (effectively never)
  • 7 - number of days before the password must be changed on which a warning is issued
  • first blank field - number of days after the password expires before the account is disabled (not set)
  • second blank field - an absolute number of days after 1st Jan 1970 on which the account will be disabled, i.e. an account expiry date (not set)
  • third blank field - reserved for future use

To lock a user, use usermod -L username (or passwd -l username). Both just prepend “!” to the hash, which only disables password authentication: SSH public-key logins and other non-password methods still work. To shut an account out completely, also set an expiry date in the past, e.g. usermod -L -e 1970-01-02 username.

Unless you're good at maths, the password change field is hard to read. The chage command interprets it and the other aging fields and presents them in English, e.g.

 #chage -l oraprod   
 Last password change                                    : Apr 24, 2013   
 Password expires                                        : never   
 Password inactive                                       : never   
 Account expires                                         : never   
 Minimum number of days between password change          : 0   
 Maximum number of days between password change          : 99999   
 Number of days of warning before password expires       : 7   
 
 #chage -l root
 Last password change                                    : Dec 22, 2016   
 Password expires                                        : never   
 Password inactive                                       : never   
 Account expires                                         : never   
 Minimum number of days between password change          : 0   
 Maximum number of days between password change          : 99999   
 Number of days of warning before password expires       : 7      
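As an added example (the editor's own Python, not code from this wiki page or from shadow-utils), the following parses lines in the format described above, decodes the second field the same way (lock marker, optional retained hash, hash algorithm from the $n$ prefix), converts the day counts into dates the way chage -l prints them, and flags the things an auditor looks for. The SAMPLE lines are constructed: the oraprod line is the one quoted above, the other accounts are invented, and the audit rules (weak $1$ hash, no expiry, lock without an expiry date) are the editor's own choices.

```python
"""Parse /etc/shadow entries, classify the password field, render the aging
fields the way chage -l prints them and run a few audit checks.  Added example
for this page, not code from the wiki or from shadow-utils: SAMPLE is constructed
data (the oraprod line is the one quoted above) and the audit rules are the
editor's own."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)                   # shadow day counts start here
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt",
                 "$6$": "sha512crypt", "$y$": "yescrypt", "$2b$": "bcrypt"}
LOCK_MARKERS = ("*LK*", "!!", "!", "*")    # longest first so "*LK*" beats "*"

# Constructed sample: a "*" system account, a Red Hat "!!" account, the page's
# oraprod entry, a user with 90-day aging, and an empty password field.
SAMPLE = """\
bin:*:15138:0:99999:7:::
nscd:!!:15138:0:99999:7:::
oraprod:*LK*$1$SdGGt1j7$Ya0l7mohFAm9IpbwTOxh8.:15819:0:99999:7:::
alice:$6$saltsalt$notarealhash:17000:0:90:7:14::
legacy::17000:0:99999:7:::
"""

def classify_password(field):
    """Return (status, algorithm) for the second field of a shadow line.
    Anything that is not a valid crypt(3) string makes password login impossible;
    a lock marker in front of a real hash keeps the hash, so the lock is undoable."""
    if field == "":
        return "empty: login needs no password", None
    if field == "NP":
        return "no password (Solaris convention)", None
    rest, locked = field, False
    for marker in LOCK_MARKERS:
        if field.startswith(marker):
            rest, locked = field[len(marker):], True
            break
    algo = next((n for p, n in HASH_PREFIXES.items() if rest.startswith(p)), None)
    if rest == "":
        return "locked, no hash", None            # bin:*   nscd:!!
    if locked:
        return "locked, hash retained", algo      # oraprod:*LK*$1$...
    return ("active", algo) if algo else ("disabled (not a crypt string)", None)

def days_to_date(field):
    """Shadow stores days since 1970-01-01; an empty field means never/unset."""
    return EPOCH + timedelta(days=int(field)) if field else None

def parse_shadow_line(line):
    """Split one shadow line into its nine fields (the ninth is reserved)."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields: %r" % line)
    name, pw, last, mn, mx, warn, inact, expire, _reserved = f
    return {"name": name, "password": pw, "last_change": days_to_date(last),
            "min_days": int(mn) if mn else 0,
            "max_days": int(mx) if mx else None,
            "warn_days": int(warn) if warn else None,
            "inactive_days": int(inact) if inact else None,
            "expire": days_to_date(expire)}

def password_expires(e):
    """Expiry date, or None where chage prints 'never' (no last-change date,
    no maximum, or a maximum of 10000 days or more)."""
    if e["last_change"] is None or e["max_days"] is None or e["max_days"] >= 10000:
        return None
    return e["last_change"] + timedelta(days=e["max_days"])

def render_chage(e):
    """Produce the (label, value) pairs that chage -l prints."""
    fmt = lambda d: d.strftime("%b %d, %Y") if d else "never"
    exp = password_expires(e)
    inactive = (exp + timedelta(days=e["inactive_days"])
                if exp and e["inactive_days"] is not None else None)
    return [("Last password change", fmt(e["last_change"])),
            ("Password expires", fmt(exp)),
            ("Password inactive", fmt(inactive)),
            ("Account expires", fmt(e["expire"])),
            ("Minimum number of days between password change", str(e["min_days"])),
            ("Maximum number of days between password change", str(e["max_days"])),
            ("Number of days of warning before password expires", str(e["warn_days"]))]

def audit(entries):
    """Findings a reviewer would raise; the thresholds are the editor's own."""
    out = []
    for e in entries:
        status, algo = classify_password(e["password"])
        if status.startswith("empty"):
            out.append((e["name"], "empty password field"))
        if algo == "md5crypt":
            out.append((e["name"], "weak $1$ MD5-crypt hash"))
        if status == "active" and password_expires(e) is None:
            out.append((e["name"], "password never expires"))
        if status == "locked, hash retained" and e["expire"] is None:
            out.append((e["name"], "locked by prefix only: SSH keys still work, set an expiry"))
    return out

if __name__ == "__main__":
    entries = [parse_shadow_line(l) for l in SAMPLE.splitlines()]
    for label, value in render_chage(entries[2]):      # oraprod, as chage -l
        print("%-55s: %s" % (label, value))
    print(audit(entries))
```

Run as a script it renders the oraprod entry exactly as the chage -l output above (Apr 24, 2013, then never/never/never); to use it on a real system replace SAMPLE with the contents of /etc/shadow, which only root can read. The "locked by prefix only" finding is worth acting on: a “!” or *LK* prefix only stops password authentication, key-based SSH logins still succeed, so an account that must be disabled also needs an account expiry date.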

A useful command for checking for errors in /etc/passwd and /etc/shadow is pwck (grpck does the same for /etc/group and /etc/gshadow). Use pwck -r for a read-only check; without it, pwck offers to delete malformed entries. Missing home directories, as below, are only warnings and are normal for system accounts:

 #pwck   
 user adm: directory /var/adm does not exist   
 user news: directory /etc/news does not exist   
 user uucp: directory /var/spool/uucp does not exist   
 user gopher: directory /var/gopher does not exist   
 user ftp: directory /var/ftp does not exist   
 user pcap: directory /var/arpwatch does not exist   
 user oprofile: directory /home/oprofile does not exist   
 user avahi-autoipd: directory /var/lib/avahi-autoipd does not exist   
 user sabayon: directory /home/sabayon does not exist   
 pwck: no changes    
 
 Default password aging and password length are defined in **/etc/login.defs**
 
 * **PASS_MAX_DAYS** - maximum number of days a password can be used
 * **PASS_MIN_DAYS** - minimum number of days between password changes
 * **PASS_MIN_LEN** - minimum password length (not enforced where PAM handles password changes; use the PAM module options instead)
 * **PASS_WARN_AGE** - number of days before password expiry when a warning will be issued  
 
 Note that these values are only applied when an account is created: changing them does not alter existing entries in /etc/shadow, which must be updated with chage (e.g. chage -M 90 username).

Finer tuning can be specified in /etc/pam.d/system-auth (on Red Hat based systems). In particular, the password lines, e.g.

password    requisite     pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 retry=3 type=
  • minlen - minimum length (number of characters plus any credits, see below)
  • ucredit - capital letters
  • lcredit - lower case letters
  • dcredit - digits
  • ocredit - special characters
  • retry - how many attempts the user gets before passwd gives up

The sign of the credit values matters: a negative value, as above, is the minimum number of characters of that class that must be present (-1 = at least one). A positive value is a "credit" that lets up to that many characters of the class count extra towards minlen, so with the defaults a short password with mixed character classes is accepted. Newer Red Hat releases replace pam_cracklib with pam_pwquality, which accepts the same options (and /etc/security/pwquality.conf).
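To see what the credit values actually do, here is an added example (the editor's own Python, not pam_cracklib's code) that parses the password line above and applies the documented length-plus-credit arithmetic to candidate passwords. It is a model of that one rule only: it does not run cracklib's dictionary, similarity or repeated-character checks, and the option defaults it assumes (minlen=9, each credit 1) are the ones documented in pam_cracklib(8).

```python
"""Model of the pam_cracklib credit arithmetic behind the 'password' line above.
Added example, not pam_cracklib's own code: it reproduces the documented rule
(characters plus capped per-class credits compared with minlen; a negative
credit is a required minimum for that class) so the effect of the options can
be tried on candidate passwords.  Dictionary and similarity checks are not modelled."""

# The line from the page; pam_pwquality accepts the same option names.
PAM_LINE = ("password    requisite     pam_cracklib.so minlen=8 lcredit=-1 "
            "ucredit=-1 dcredit=-1 ocredit=-1 retry=3 type=")

CLASSES = {                        # option -> (description, membership test)
    "dcredit": ("digit", str.isdigit),
    "ucredit": ("upper-case", str.isupper),
    "lcredit": ("lower-case", str.islower),
    "ocredit": ("special", lambda c: not c.isalnum()),
}

def parse_pam_line(line):
    """Return the module options of a pam_cracklib line as a dict of strings."""
    parts = line.split()
    if "pam_cracklib.so" not in parts:
        raise ValueError("not a pam_cracklib line: %r" % line)
    opts = {}
    for tok in parts[parts.index("pam_cracklib.so") + 1:]:
        key, _, value = tok.partition("=")      # 'type=' yields an empty value
        opts[key] = value
    return opts

def check_password(candidate, opts):
    """Apply the credit rule; returns (accepted, reason).

    credit >= 0: up to `credit` characters of that class count as extra length
                 ("credit") towards minlen (pam_cracklib default is 1 per class).
    credit <  0: at least -credit characters of that class are required and the
                 class earns no credit, which is the usual hardening choice."""
    minlen = int(opts.get("minlen", 9))         # pam_cracklib default
    score = len(candidate)
    for opt, (desc, is_member) in CLASSES.items():
        credit = int(opts.get(opt, 1))
        count = sum(1 for ch in candidate if is_member(ch))
        if credit < 0:
            if count < -credit:
                return False, "needs at least %d %s character(s)" % (-credit, desc)
        else:
            score += min(count, credit)
    if score < minlen:
        return False, "length %d plus credits = %d, below minlen %d" % (
            len(candidate), score, minlen)
    return True, "accepted"

if __name__ == "__main__":
    opts = parse_pam_line(PAM_LINE)
    for pw in ("password", "Passw0rd", "Passw0rd!", "Pa5s!"):
        print("%-10s page policy: %-42s defaults: %s"
              % (pw, check_password(pw, opts), check_password(pw, {})))
```

With the page's options, Pa5s! is rejected (five characters and no credits, so it never reaches minlen=8), but with pam_cracklib's defaults the same password is accepted because each of its four character classes adds a credit and 5 + 4 reaches minlen=9. That is why hardening guides use negative credit values.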

The number of login failures allowed before an account is locked out is controlled in /etc/pam.d/password-auth (and system-auth) with the deny= parameter of pam_tally2.so, or of pam_faillock.so on newer releases.
