Subject: Re: now using rsa key, so zapped password; is that okay?
To: Andrew Brown <atatat@atatdot.net>
From: Perry E. Metzger <perry@piermont.com>
List: netbsd-help
Date: 09/25/2002 11:08:44

Andrew Brown <atatat@atatdot.net> writes:
> >understand.  So today I got rsa authorization to work, and realized
> >I don't need a password anymore (this particular user never logs
> >in via the console, only remotely via ssh).  I did vipw as root and
> >replaced the password string with '*' as it seemed like it would make
> >things only that more secure for users like that.

> that's a perfectly reasonable thing to do, except it means you can't
> tell the disabled accounts from the accounts people are using from the
> system accounts, etc.

That's why you should use the *SSH convention for the
password. /etc/security will complain about a '*'ed out account but
not a \*[A-z-]'ed account for exactly this reason -- so you can have
no password field but document why.

Perry
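
An added example, not part of the original message and not the /etc/security script itself: a small audit that sorts master.passwd password fields into hashed, empty, bare '*', and '*TAG' documented entries, using the pattern quoted above. The sample entries, the status names, and anchoring the pattern at the start of the field are assumptions of this sketch.

```python
import re

# Pattern as quoted in the message; anchoring it at the start of the
# password field is an assumption of this example. Note that the range
# A-z also covers the punctuation between 'Z' and 'a' in ASCII.
DOCUMENTED = re.compile(r"\*[A-z-]")

# Constructed sample in master.passwd layout; the hash is a placeholder.
SAMPLE = """\
# constructed sample, not from a real system
root:$2a$04$PLACEHOLDERHASH:0:0::0:0:Charlie &:/root:/bin/sh
alice:*SSH:1000:100::0:0:Alice:/home/alice:/bin/ksh
bob:*:1001:100::0:0:Bob:/home/bob:/bin/ksh
carol::1002:100::0:0:Carol:/home/carol:/bin/ksh
truncated-line
"""

def classify(field):
    """Return (status, tag) for one password field."""
    if field == "":
        return ("empty", None)            # no password at all
    if DOCUMENTED.match(field):
        return ("documented", field[1:])  # e.g. *SSH: no password, reason given
    if field.startswith("*"):
        return ("starred", None)          # bare '*': disabled, reason unknown
    return ("hash", None)                 # anything else is treated as a hash

def audit(text):
    """Classify every entry; report lines without a password field."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            rows.append((f"line {n}", "malformed", None))
            continue
        status, tag = classify(parts[1])
        rows.append((parts[0], status, tag))
    return rows

if __name__ == "__main__":
    for user, status, tag in audit(SAMPLE):
        print(f"{user:16} {status:10} {tag or ''}")
```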