[TUHS] Questions about * and ! in the password field of passwd and shadow
Erik E. Fair via TUHS
tuhs at tuhs.org
Thu Jan 8 07:43:32 AEST 2026
Fundamentally, the question is whether the cryptographic hash of an input password can produce "*" or "!" or any other arbitrary string you put in the password field of /etc/passwd, /etc/master.passwd, etc., for matching & thus authentication. If it cannot without regard to any input string given to login(1) and subsequently hashed, then the account is disabled - no special casing required.
No match, no login.
Anything else (like password comparison being bypassed if the /etc/passwd string is null) is going to be an explicit exception case found in login(1)'s source code or anything else that processes passwords for authentication (e.g., ftpd(8), pppd(8)).
Any string used for disabling accounts (other than traditional "*") could be processed by other (e.g., account management) software for its own purposes, so long as those strings cannot be produced by handing some other string to login(1) and hashed using the standard methods to produce an unwanted match (and thus unwanted successful authentication).
Erik <fair at netbsd.org>
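The argument in the message above, as an added example that is not part of the original post and not code from login(1): a field can only ever match if it has the shape of a crypt(3) output. The function name `classify_field` and the sample fields are hypothetical and constructed; treating any field that begins with "$" or "_" as a possible hash is a conservative assumption covering later hashing schemes.

```c
#include <stdio.h>
#include <string.h>

/* Classification of the password field of a passwd/shadow entry. */
enum field_kind {
    FIELD_EMPTY,       /* null field: falls under login(1)'s explicit exception case */
    FIELD_MAYBE_HASH,  /* has the shape of a crypt(3) output, so a match is possible */
    FIELD_UNMATCHABLE  /* cannot be a crypt(3) output: no typed password can match */
};

/* The 64-character alphabet traditional crypt(3) uses for salt and hash. */
static const char CRYPT_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

enum field_kind classify_field(const char *field)
{
    size_t len = strlen(field);

    if (len == 0)
        return FIELD_EMPTY;
    /* Traditional DES crypt: exactly 13 characters, all from the alphabet. */
    if (len == 13 && strspn(field, CRYPT_ALPHABET) == 13)
        return FIELD_MAYBE_HASH;
    /* Assumption: prefixes used by later schemes ("$id$..." and "_...") are
     * flagged without validating the remainder of the string. */
    if (field[0] == '$' || field[0] == '_')
        return FIELD_MAYBE_HASH;
    /* "*", "!", or a hash with "!" prepended all land here. */
    return FIELD_UNMATCHABLE;
}

int main(void)
{
    /* Constructed sample fields, not taken from any real system. */
    static const char *samples[] = {
        "", "*", "!", "*LK*", "abJnggxhB/yJc", "!abJnggxhB/yJc",
        "NOLOGINNOLOGI", "$6$salt$placeholder"
    };
    static const char *names[] = { "empty", "maybe-hash", "unmatchable" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %s\n", *samples[i] ? samples[i] : "(null field)",
               names[classify_field(samples[i])]);
    return 0;
}
```

The "NOLOGINNOLOGI" sample shows the caveat about alternative disabling strings: a 13-character marker drawn entirely from the crypt alphabet cannot be ruled out as a hash by its shape alone.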