4

When I create a user in the system with Chef, I always upload its public key to .ssh/authorized_keys. When the user logs in for the first time, he is required to "change" his password. For that a stub password is used, so he can enter the "current" password. This is what it looks like now:

ssh user@host 
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user.
(current) UNIX password: 
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Connection to host closed.

The current password is well-known (I'll tell you a secret: initial), which is useless anyway. How can I avoid asking for the current password the first time? (To stress it more, it is safe, because the user has already authenticated with his public key.)

  • I would just like to point out that it is not safe because you authenticated with a public key. You never know who is on the other side; it might be someone that accesses the shell from an unlocked client. This is just a fail-safe for the "just in case". I don't think you should switch it off :) – Lucas Kauffman Jan 15 '12 at 12:12

1 Answer

5

A user's password can be deleted with:

passwd -d <user> 

(as root / with sudo).

SSH key-based auth will still work, but a password will not be required to set a new one. I have tested this on Ubuntu just now.

tom@slappy:~▶ ssh foo@shell
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.35.4-rscloud x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Sun Jan 15 12:10:44 2012 from 12deee6f.bb.sky.com
foo@shell:~$ passwd
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
foo@shell:~$

As for safety: I don't see why it should be an issue. Anyone who has the private key is going to be able to connect and do harm regardless of whether a password is set or not. Knowing the password once they have connected may enable them to do more harm if your sudoers config is a bit lacking, but that indicates that you have bigger security problems anyway in my opinion.

Tom Hudson
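As an added example that is not part of this answer, here is a small audit over constructed /etc/shadow and sshd_config lines (sample data, not from any real host) that flags accounts left with an empty password field, the state `passwd -d` produces, and confirms that sshd still refuses blank passwords so key-only access stays key-only.

```python
"""Audit shadow entries after `passwd -d`.

Added example for this thread, not code from the question or answer.
All input below is constructed sample data.
"""
from dataclasses import dataclass

# Constructed /etc/shadow lines. Field layout:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhash:15000:0:99999:7:::
foo::0:0:99999:7:::
bar:!:15000:0:99999:7:::
baz:$6$othersalt$otherhash:0:0:99999:7:::
"""

# Constructed sshd_config fragment; "no" is also sshd's built-in default.
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication no
PermitEmptyPasswords no
"""

@dataclass
class ShadowEntry:
    user: str
    state: str         # "empty" (after passwd -d), "locked" (! or *), "set"
    must_change: bool  # lastchange == 0 forces a change at next login

def parse_shadow(text: str) -> list[ShadowEntry]:
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, pw, lastchange = line.split(":")[:3]
        if pw == "":
            state = "empty"
        elif pw.startswith(("!", "*")):
            state = "locked"
        else:
            state = "set"
        entries.append(ShadowEntry(user, state, lastchange == "0"))
    return entries

def accounts_with_empty_password(text: str) -> list[str]:
    """Users whose password was deleted and not yet replaced."""
    return [e.user for e in parse_shadow(text) if e.state == "empty"]

def permit_empty_passwords(sshd_config: str) -> bool:
    """True if sshd would accept a blank password over SSH."""
    for line in sshd_config.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "permitemptypasswords":
            return parts[1].lower() == "yes"
    return False
```

Run the audit periodically: an account that stays in the "empty" state long after its first login means the user never set a new password.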