On Mon, Nov 19, 2018 at 07:28:15AM +0000, Michael Howard wrote:
> Don't get too hung up on it all.
>
> If the account needs login access then give it. Create or use an account
> with a shell of your choice and a secure password. You don't need to
> remember the password, as you are using keys, so it can be ridiculously
> secure.
If you're only going to log in to the account using ssh keys, you don't need to give it a valid password hash at all. Just put a string of rubbish (English words qualify) in the hash field of /etc/shadow. According to shadow(5):

    If the password field contains some string that is not a valid result
    of crypt(3), for instance ! or *, the user will not be able to use a
    unix password to log in (but the user may log in the system by other
    means).

    [...]

    A password field which starts with an exclamation mark means that the
    password is locked. The remaining characters on the line represent the
    password field before the password was locked.

So, just make sure you don't start it with a bang, and you should be OK.
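As an added example (not part of the original thread, and not anyone's production tooling), here is a small POSIX shell script that classifies the password field of shadow(5) entries the way the quoted man page text describes: empty, locked with a leading "!", the conventional "*", something that looks like crypt(3) output, or rubbish that blocks unix password login while leaving other methods such as ssh keys usable. The sample entries are constructed for the demo, not taken from a real system, and the "valid crypt(3) output" test is a format heuristic (an assumed $id$ prefix alphabet, or a 13-character traditional DES hash), not a call to crypt(3).

```shell
#!/bin/sh
# Added example: classify the password field of shadow(5) entries.
# The "looks like crypt(3) output" checks are format heuristics, not
# calls to crypt(3).

# Constructed sample entries, not copied from any real system.  The
# "$6$..." values are placeholders with the right shape, not real digests,
# and "abJnggxhB/yWI" is just a 13-character placeholder.
SAMPLE_SHADOW='root:$6$saltsalt$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:18000:0:99999:7:::
deploy:!$6$saltsalt$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:18000:0:99999:7:::
nobody:*:18000:0:99999:7:::
keyonly:correct horse battery staple:18000:0:99999:7:::
legacy:abJnggxhB/yWI:18000:0:99999:7:::
broken::18000:0:99999:7:::'

# classify_hash FIELD
# Prints one of:
#   empty          shadow(5): no password required at all; never what you
#                  want for a "key-only" account
#   locked         starts with "!", the prefix passwd -l / usermod -L add
#   no-password    the conventional "*" marker
#   valid-crypt    looks like crypt(3) output: $id$... or a 13-char DES hash
#   invalid-crypt  rubbish: unix password login impossible, other methods
#                  (e.g. ssh keys) still work
classify_hash() {
    f=$1
    if [ -z "$f" ]; then
        echo empty
    elif [ "${f#!}" != "$f" ]; then
        echo locked
    elif [ "$f" = '*' ]; then
        echo no-password
    elif printf '%s\n' "$f" | grep -Eq '^\$[0-9a-z]+\$[./0-9A-Za-z$=]+$'; then
        echo valid-crypt
    elif printf '%s\n' "$f" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
        echo valid-crypt
    else
        echo invalid-crypt
    fi
}

# classify_user USER
# Reads shadow-format lines on stdin, finds USER and classifies its field.
# Only the first two fields matter; IFS is ":" alone so spaces inside the
# password field survive.
classify_user() {
    user=$1
    while IFS=: read -r name field _rest; do
        if [ "$name" = "$user" ]; then
            classify_hash "$field"
            return 0
        fi
    done
    echo unknown-user
    return 1
}

# Demo over the constructed sample.  On a real host, run as root and feed
# /etc/shadow to classify_user instead of SAMPLE_SHADOW.
for u in root deploy nobody keyonly legacy broken; do
    printf '%-8s %s\n' "$u" "$(printf '%s\n' "$SAMPLE_SHADOW" | classify_user "$u")"
done
```

Two things the demo makes visible: the "deploy" entry, locked by prepending "!" (which is exactly what passwd -l does), is reported as locked rather than as a key-only account, and the multi-word "keyonly" entry is unambiguously not crypt(3) output because of its spaces. A single word of exactly 13 characters drawn from [./0-9A-Za-z] is, by syntax alone, indistinguishable from a traditional DES hash, so the heuristic reports valid-crypt for it; if you go the "string of rubbish" route, picking something that cannot parse as a hash at all (spaces, or a leading "*") keeps the intent obvious to the next person reading /etc/shadow.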