On Sat, Feb 21, 2026 at 2:31 AM Eric Johnson <[email protected]> wrote:
> What I have done in the past was create passwords with:
>     openssl rand -hex 60
> for user accounts that are intended to only be used via ssh with ssh
> keys. No need to memorize them or write them down at all. That way, if I
> or someone else made a mistake with /etc/ssh/sshd_config and accidentally
> allowed ssh access via passwords, the odds of someone guessing the password
> within the next few billion years would be minimal.
>

It is straightforward to create users with password logins disabled:

$ doas useradd -p "*************" -c usercomment -m username

The -p option takes an already-encrypted password (so there's no danger
from the password appearing in ps output). If the already-encrypted
password is 13 asterisks that means the account can't use password
authentication but other methods (e.g. ssh keys) are permitted. See the
man page for master.passwd(5).

-ken
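An audit for the 13-asterisk marker described above, as an added example that is not part of either poster's message: it lists every account whose password field is anything else, including a miscounted run of asterisks, which is easy to produce when typing the -p argument by hand. The function names and sample lines are constructed for illustration, and the 10-field colon-separated layout is assumed from master.passwd(5).

```shell
#!/bin/sh
# Added example. Reads master.passwd(5)-format lines on stdin and reports
# every account whose password field is NOT exactly 13 asterisks.
# Assumed layout (10 colon-separated fields):
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# Output, one line per reported account: name<TAB>status<TAB>shell
#   empty      password field is empty
#   stars:N    only asterisks, but N of them instead of 13
#   set        anything else (for example a password hash)
#   malformed  line does not have 10 fields
audit_pw_fields() {
    awk -F: '
        /^#/ || NF == 0       { next }
        NF != 10              { printf "%s\tmalformed\t-\n", $1; next }
        $2 == "*************" { next }   # the 13-asterisk marker: skip
        $2 == ""              { printf "%s\tempty\t%s\n", $1, $10; next }
        $2 ~ /^[*]+$/         { printf "%s\tstars:%d\t%s\n", $1, length($2), $10; next }
                              { printf "%s\tset\t%s\n", $1, $10 }
    '
}

# Constructed sample input; the hash is a placeholder, not a real one.
sample_master_passwd() {
    cat <<'EOF'
root:$2b$10$constructed.placeholder.not.a.real.hash:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
alice:*************:1000:1000::0:0:Alice:/home/alice:/bin/ksh
bob:************:1001:1001::0:0:Bob:/home/bob:/bin/ksh
carol::1002:1002::0:0:Carol:/home/carol:/bin/ksh
EOF
}

# Demonstration run on the constructed sample.
sample_master_passwd | audit_pw_fields
```

On a live system the same function can be fed with `doas cat /etc/master.passwd | audit_pw_fields`; the shell column shows which reported accounts could actually be logged in to.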

