Subject: Re: now using rsa key, so zapped password; is that okay?
To: Perry E. Metzger <perry@piermont.com>
From: Andrew Brown <atatat@atatdot.net>
List: netbsd-help
Date: 09/25/2002 11:13:58
>> >understand.  So today I got rsa authorization to work, and realized
>> >I don't need a password anymore (this particular user never logs
>> >in via the console, only remotely via ssh).  I did vipw as root and
>> >replaced the password string with '*' as it seemed like it would make
>> >things only that more secure for users like that.
>
>> that's a perfectly reasonable thing to do, except it means you can't
>> tell the disabled accounts from the accounts people are using from the
>> system accounts, etc.
>
>That's why you should use the *SSH convention for the
>password. /etc/security will complain about a '*'ed out account but
>not a \*[A-z-]'ed account for exactly this reason -- so you can have
>no password field but document why.

but, since i'm doing this on machines that aren't using a security
script that's that recent, this is perfectly backwards compatible to
the beginning of time.  or at least back to the method used when the
master.passwd syntax first started being checked (rev 1.9, released in
1.0).

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
werdna@squooshy.com       * "information is power -- share the wealth."
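As an added example (not code from the thread or from NetBSD's own /etc/security), here is a small audit that applies the convention discussed above to master.passwd entries: a bare `*` is reported as a lock with no recorded reason, while a `*SSH`-style field (matching the `\*[A-z-]` pattern quoted in the thread) is treated as a documented lock. The sample entries are constructed.

```python
import re

# Constructed sample master.passwd lines
# (NetBSD layout: name:pw:uid:gid:class:change:expire:gecos:home:shell).
SAMPLE_MASTER_PASSWD = """\
root:$2a$08$constructedhashxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin
deploy:*SSH:1001:100::0:0:Deploy via ssh keys only:/home/deploy:/bin/sh
olduser:*:1002:100::0:0:Former staff:/home/olduser:/bin/sh
guest::1003:100::0:0:Guest:/home/guest:/bin/sh
"""

# Pattern as quoted in the thread: '*' followed by letters or '-', e.g. "*SSH".
DOCUMENTED_LOCK = re.compile(r"\*[A-z-]+")


def classify_password_field(pw: str) -> str:
    """Classify the password field of one master.passwd entry."""
    if pw == "":
        return "empty"                 # no password at all: logs in without one
    if pw == "*":
        return "locked-undocumented"   # what /etc/security complains about
    if DOCUMENTED_LOCK.fullmatch(pw):
        return "locked-documented"     # e.g. *SSH: no password, reason recorded
    return "hashed"                    # a real password hash


def audit_master_passwd(text: str) -> dict[str, list[str]]:
    """Group account names by the state of their password field."""
    findings: dict[str, list[str]] = {
        "empty": [], "locked-undocumented": [], "locked-documented": [], "hashed": []
    }
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            continue  # malformed entry; a real security check would report it too
        name, pw = fields[0], fields[1]
        findings[classify_password_field(pw)].append(name)
    return findings


if __name__ == "__main__":
    for kind, names in audit_master_passwd(SAMPLE_MASTER_PASSWD).items():
        print(f"{kind:22s} {', '.join(names) or '-'}")
```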