I found some entries in a shadow file whose meaning I don't understand.
user:UP:::::::
user1:NP:::::::
What do UP and NP mean? In addition to those 2, the same shadow file has the normal hashed entry and the LK that indicates a locked account.
The machine is a Solaris 10 VM.
Best Answer
NP in the password field of /etc/shadow indicates that the account cannot be logged into with a password but can be logged into with other authentication methods, such as su down from root or cron jobs.

NP means that password authentication will always fail, but other login methods may succeed. You can set an account in this state with passwd -N. This differs from *LK* (reported as LK by passwd -s), which disables all logins to the account regardless of the authentication method.

Confusingly, when passwd -s sees NP in /etc/shadow, it reports NL, whereas NP in the passwd -l report indicates that the account is open to all winds: users will be authenticated without even getting a password prompt (this is indicated by an empty password field in /etc/shadow).

UP is a documented code in the passwd -s output on Solaris 11 (not on Solaris 11 Express). It means that “this account has not yet been activated by the administrator and cannot be used.” If I understand the documentation correctly, its effect is similar to NP; the intent is that the system administrator will run passwd later to set a password (i.e. it's the first stage in the process where the admin creates the account for a future user, then later has the user type a password when they first come on-site). The documentation doesn't indicate whether passwd -s reports UP when it finds that in /etc/shadow; while this is plausible, the confusion around NP invites caution.

Usually, anything in the password field of /etc/shadow (or other password database) that isn't an empty string is treated as a hashed password, and leads to a denied authentication if it doesn't match any of the valid hashed password formats. This is the case with normal password authentication on OpenSolaris; I can't speak for other versions but would be somewhat surprised if this wasn't the case.

Note that if there are several entries for the same user, I think only the first one is taken into account. (At least that's the case under Linux, and I have no reason to believe that Solaris would be different in this respect.)
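An added example, not part of the original answer: a small audit script that classifies each password field the way the answer describes and flags the two cases worth a reviewer's attention (an empty field and a duplicate user entry). The function names and the sample file are constructed for illustration; treating `*LK*` as a prefix that may be followed by a hash, and honouring only the first entry per user, are assumptions (the latter taken from the answer's own caveat).

```python
import sys

# Constructed sample in /etc/shadow layout (hash values are placeholders, not real hashes).
SAMPLE = """\
root:$5$constructedsalt$constructedhash:15000::::::
user:UP:::::::
user1:NP:::::::
daemon:*LK*:::::::
guest::::::::
user1:$5$constructedsalt$otherconstructedhash:15001::::::
"""

def classify(field):
    """Map a shadow password field to the state described in the answer."""
    if field == "":
        return "empty"        # no password prompt at all
    if field.startswith("*LK*"):
        return "locked"       # assumption: a hash may follow the *LK* marker
    if field == "NP":
        return "no-password"  # password auth always fails; su from root, cron still work
    if field == "UP":
        return "unactivated"  # per the answer: effect believed similar to NP
    return "hash"             # anything else is compared as a hashed password

def audit(text):
    """Return (line_no, user, state, effective) for every well-formed entry."""
    seen, rows = set(), []
    for line_no, line in enumerate(text.splitlines(), 1):
        parts = line.split(":")
        if len(parts) < 2 or not parts[0] or line.startswith("#"):
            continue
        user, field = parts[0], parts[1]
        # Assumption taken from the answer: only the first entry per user counts.
        rows.append((line_no, user, classify(field), user not in seen))
        seen.add(user)
    return rows

def findings(rows):
    """Entries a reviewer should look at: open accounts and duplicate names."""
    out = []
    for line_no, user, state, effective in rows:
        if not effective:
            out.append((line_no, user, "duplicate entry, ignored"))
        elif state == "empty":
            out.append((line_no, user, "empty password field"))
    return out

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for row in audit(text):
        print(*row)
    for f in findings(audit(text)):
        print("REVIEW:", *f)
```

Run without arguments it uses the constructed sample; given a path, it reads a copy of the shadow file from there.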