> I have a login that I want to be able to access only via ssh with a
> certificate (in ~/.ssh/authorized_keys).
>
>
> So I have disabled the password ('*') but left a valid shell. Something
> like this in /etc/master.passwd:
>
> mylogin:*:1001:1001::0:0:My login:/home/mylogin:/bin/sh
>
>
> But in this way every day I receive a mail with the following:
>
> Checking the /etc/master.passwd file:
> Login mylogin is off but still has a valid shell and alternate access
> files in home directory are still readable.
>
>
> What is the supposed way to define an account without a password but
> with a valid shell (to access via ssh with a certificate)?
>
> Thanks.
>
Set the password field to 13 asterisks to indicate that only the
password is disabled, not the account:

  mylogin:*************:1001:1001::0:0:My login:/home/mylogin:/bin/sh

This is documented in passwd(5), search for "13".

Future advice: This would've been easy to figure out if you searched
for that error message in /usr/libexec/security.

This is the code that checks if logins are disabled:

  if ($pwd ne '' &&
      $pwd ne 'skey' &&
      length $pwd != 13 &&
      $pwd !~ /^\$[0-9a-f]+\$/ &&
      ($shell eq '' || $shell =~ /sh$/)) {

So there are a number of ways to fool it.
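
Added example, not part of the original message and not the code of /usr/libexec/security: a Python rendering of only the condition quoted above, run over a constructed master.passwd sample to show which entries it would flag. It does not reproduce the access-file check that the warning text also mentions; the function names and every sample account except mylogin are assumptions.

```python
import re

# Constructed sample in master.passwd layout (10 colon-separated fields).
# Only the mylogin line's shape comes from the thread; the rest is made up,
# and the hash is a placeholder, not a real one.
SAMPLE = """\
mylogin:*:1001:1001::0:0:My login:/home/mylogin:/bin/sh
keyonly:*************:1002:1002::0:0:Key only:/home/keyonly:/bin/sh
daemonx:*:1003:1003::0:0:Service:/var/empty:/sbin/nologin
hashed:$2b$10$CONSTRUCTEDPLACEHOLDERHASH:1004:1004::0:0:Hashed:/home/hashed:/bin/ksh
"""

# Same pattern as the quoted Perl: /^\$[0-9a-f]+\$/
HASH_PREFIX = re.compile(r"^\$[0-9a-f]+\$")


def login_looks_off(pwd, shell):
    """True when the quoted condition treats the login as 'off but
    still has a valid shell'."""
    return (
        pwd != ""                       # $pwd ne ''
        and pwd != "skey"               # $pwd ne 'skey'
        and len(pwd) != 13              # length $pwd != 13
        and not HASH_PREFIX.search(pwd)  # $pwd !~ /^\$[0-9a-f]+\$/
        and (shell == "" or re.search(r"sh$", shell) is not None)
    )


def flagged_logins(text):
    """Return the login names in master.passwd-style text that satisfy
    the quoted condition."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        name, pwd, shell = fields[0], fields[1], fields[9]
        if login_looks_off(pwd, shell):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in flagged_logins(SAMPLE):
        print(f"{name}: password field reads as disabled, shell is valid")
```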