Subject: Re: now using rsa key, so zapped password; is that okay?
To: None <netbsd-help@netbsd.org>
From: Keith Mastin <kmastin@beechtree.ca>
List: netbsd-help
Date: 09/25/2002 12:09:50
>The more I use ssh, the more I like it, but the more I find I don't
>understand.  So today I got rsa authorization to work, and realized
>I don't need a password anymore (this particular user never logs
>in via the console, only remotely via ssh).  I did vipw as root and
>replaced the password string with '*' as it seemed like it would make
>things only that more secure for users like that.
>
>Question1: will that cause trouble in some unforeseen way?  Question2:
>is there a "better" or more "standard" way of blocking logins with a plain
>password?  TIA  

Question 1): Yes. You are creating your own syntax in passwd that shadow 
will likely barf on. x is the standard.
Question 2): Be more specific here? I can see a multi-layered solution, but 
it may not do what you want. For a system where there are Internet 
services running, such as web, ftp and mail, I do the following:

- Create/use /bin/nologin to allow untrusted users only mailserver usage, 
  not shell or ftp access on the system at all, including console access.
- Use sshd to allow trusted remote users shell access if they are not 
  denied shell access as above.
- Deny remote logins using any other system but sshd using tcp_wrappers.
- Configure sshd_config to disallow rhosts authentication except from the 
  local network. Sshd should not be considered 100% secure.

-- 
Keith Mastin       BeechTree Information Technology Services Inc.
137 Laird Drive    Toronto    M4G 3V5     http://www.beechtree.ca
  (416)696-6070      Fax(416)696-6072      kmastin@beechtree.ca
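Added example, not from either poster: a small POSIX sh audit that classifies the password field of each account (the locked-vs-empty distinction the thread is about), lists accounts that would still accept an empty password at a login prompt with a real shell, and reads the effective value of an sshd_config keyword. The passwd entries, hash and sshd_config fragment are constructed, the field layout assumed is BSD master.passwd, and the first-match rule for sshd keywords is OpenSSH's documented behaviour.

```sh
#!/bin/sh
# Added example, not from the thread. Audits passwd-style entries for accounts
# that would still accept a plain (or empty) password, and reads the effective
# value of an sshd_config keyword.
# Assumes BSD layout: name:pw:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample entries; none of these are real accounts or hashes.
SAMPLE_PASSWD='root:$1$salt$constructedhash:0:0::0:0:Charlie &:/root:/bin/sh
keyonly:*:1001:1001::0:0:Key Only:/home/keyonly:/bin/sh
mailonly:*:1002:1002::0:0:Mail Only:/home/mailonly:/sbin/nologin
oops::1003:1003::0:0:Empty Password:/home/oops:/bin/sh'

# Constructed sshd_config fragment for the check below.
SAMPLE_SSHD_CONFIG='# constructed fragment
Protocol 2
PasswordAuthentication yes
RhostsAuthentication no
PermitEmptyPasswords no'

# classify_pw FIELD -> empty | locked | hash
# A field of "*" (or anything starting with "*" or "!", or a bare "x") can
# never match a typed password, so password login is disabled for that account.
classify_pw() {
    case "$1" in
        '')          echo empty ;;
        '*'*|'!'*|x) echo locked ;;
        *)           echo hash ;;
    esac
}

# find_empty_password_shells PASSWD_TEXT -> "name shell" for each account whose
# password field is empty and whose shell is not a nologin shell.
find_empty_password_shells() {
    printf '%s\n' "$1" |
    while IFS=: read -r name pw uid gid class change expire gecos home shell; do
        [ "$(classify_pw "$pw")" = empty ] || continue
        case "$shell" in */nologin) continue ;; esac
        echo "$name $shell"
    done
}

# sshd_option CONFIG_TEXT KEY -> value of the first non-comment match
# (sshd honours the first occurrence of a keyword; later lines do not override).
sshd_option() {
    printf '%s\n' "$1" |
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

find_empty_password_shells "$SAMPLE_PASSWD"
```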