Subject: Re: now using rsa key, so zapped password; is that okay?
To: Andrew Brown <atatat@atatdot.net>
From: Perry E. Metzger <perry@piermont.com>
List: netbsd-help
Date: 09/25/2002 11:08:44
Andrew Brown <atatat@atatdot.net> writes:
> >understand. So today I got rsa authorization to work, and realized
> >I don't need a password anymore (this particular user never logs
> >in via the console, only remotely via ssh). I did vipw as root and
> >replaced the password string with '*' as it seemed like it would make
> >things only that more secure for users like that.
> that's a perfectly reasonable thing to do, except it means you can't
> tell the disabled accounts from the accounts people are using from the
> system accounts, etc.
That's why you should use the the *SSH convention for the
password. /etc/security will complain about a '*'ed out account but
not a \*[A-z-]'ed account for exactly this reason -- so you can have
no password field but document why.
Perry