8

I have my SSH servers set up to use only public key authentication, with password authentication disabled.

When adding users through Puppet I would like to disable user passwords.

So far I have come up with this, which seems to work, but I am not sure how secure it is:

user { 'john':
    ensure     => 'present',
    comment    => 'John Smith',
    groups     => ['adm','sudo','wheel','users'],
    home       => '/home/john',
    managehome => true,
    shell      => '/bin/bash',
    password   => '*',
}

Is using the password => '*' definition considered safe for disabling the user password?

ek9

1 Answer

9

The shadow(5) man page says

If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).

So yes, it is safe to use a *. The ! as the first character of an encrypted password is used by passwd(1) to indicate that a password is locked (passwd -l) and this can be unlocked (passwd -u).

user9517
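As an added example (not part of the question or the answer above), this Python check applies the shadow(5) rule quoted in the answer to the password field of each entry, so you can confirm what Puppet actually wrote. The hash-shape regexes are a heuristic assumption, the sample entries are constructed, and the empty-field case comes from shadow(5) rather than from this page.

```python
import re

# Heuristic shapes of crypt(3) output (assumption): modular "$id$..." hashes
# and the 13-character traditional DES form.
_MCF = re.compile(r"^\$[0-9a-zA-Z-]+\$.+")
_DES = re.compile(r"^[./0-9A-Za-z]{13}$")

def _is_hash(field):
    return bool(_MCF.match(field) or _DES.match(field))

def classify(field):
    """Classify the password (second) field of a shadow(5) entry."""
    if field == "":
        return "EMPTY"             # shadow(5): no password required, flag it
    if _is_hash(field):
        return "PASSWORD_SET"      # a unix password login is possible
    if field.startswith("!") and _is_hash(field.lstrip("!")):
        return "LOCKED_HASH_KEPT"  # passwd -l; passwd -u restores the hash
    return "NO_PASSWORD_LOGIN"     # '*', '!' or any other non-crypt string

def audit(shadow_text):
    """Map each login name to the class of its password field."""
    results = {}
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or not parts[0] or parts[0].startswith("#"):
            continue               # skip blank, comment or malformed lines
        results[parts[0]] = classify(parts[1])
    return results

# Constructed sample entries, not real hashes.
SAMPLE = """\
john:*:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhashvalue:19000:0:99999:7:::
bob:!$6$constructedsalt$constructedhashvalue:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{name:8} {state}")
```

An account set to '*' by the manifest in the question should come back as NO_PASSWORD_LOGIN, while LOCKED_HASH_KEPT marks accounts where passwd -u would bring an old password back.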