Quoth Crystal Kolipe <[email protected]>:
> On Sat, Feb 21, 2026 at 07:27:54AM +0000, Eric Johnson wrote:
> > If you want random passwords, why not just use
> >         openssl rand -base64 32
> > or
> >         openssl rand -hex 32
> > 
> > What I have done in the past was create passwords with:
> >         openssl rand -hex 60
> > for user accounts that are intended to only be used via ssh with ssh keys.
> 
> I'm presuming that the intention of the OP was to make accounts with an
> unknown password, (long and random), for a purpose such as this.
> 
> A very good idea would be to read the manual page for passwd(5), (so
> 'man 5 passwd').
> 
> There you will find some very useful advice, specifically that accounts that
> are not intended to be logged in to are set up with a single asterisk in the
> password field.
> 

I'd use 13 asterisks instead for accounts that should allow ssh access (via 
vipw):

        By convention, accounts that are not intended to be logged in to
        (e.g.  bin, daemon, sshd) only contain a single asterisk in the
        password field.  Note that there is nothing special about _*_, it
        is just one of many characters that cannot occur in a valid
        encrypted password (see crypt(3)).  Similarly, login accounts not
        allowing password authentication but allowing other authentication
        methods, for example public key authentication, conventionally
        have 13 asterisks in the password field.

This would silence errors like the following from security(8):

        Login foobar is off but still has a valid shell and alternate access
        files in home directory are still readable.

> No need for random junk passwords.
> 
> > For what it's worth, my servers all permit ssh access only via IPv6.  This
> > cuts down nearly all attempts to connect.
> 
> It does indeed.
> 
> Regarding the OP's password generation script, I'll look at it shortly and
> highlight any obvious bugs.
> 

--
noodle
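An added example, not from the thread and not OpenBSD's own security(8) script: a small POSIX shell audit that applies the passwd(5) convention quoted above to master.passwd(5)-style entries and flags the case noodle describes, a password field that begins with '*' but is not the 13-asterisk key-only marker, on an account that still has a login shell. The sample entries are constructed inline; treating a 60-character $2b$ string as a bcrypt hash and /sbin/nologin as the "no login shell" are assumptions about an OpenBSD host.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the password field of
# master.passwd(5)-style lines per the passwd(5) convention and flags
# "off but still has a valid shell" entries. Nothing on the host is read
# or modified; the input below is constructed.

# pwfield_class FIELD
# Prints one of: empty | nologin | keyonly | hash | invalid | other
pwfield_class() {
    case "$1" in
        '')              echo empty ;;    # no password at all: anyone gets in
        '*')             echo nologin ;;  # single '*': not meant to be logged in to
        '*************') echo keyonly ;;  # 13 '*': no password auth, keys allowed
        '$2b$'[0-9][0-9]'$'*)             # bcrypt as OpenBSD crypt(3) produces it
            # assumption: $2b$NN$ + 22 salt + 31 hash characters = 60 total
            if [ "${#1}" -eq 60 ]; then echo hash; else echo invalid; fi ;;
        *'*'*|*'!'*)     echo invalid ;;  # contains a char no crypt(3) output has
        *)               echo other ;;    # some other format: inspect by hand
    esac
}

# needs_keyonly FIELD SHELL
# Returns 0 when the account is "off" (field starts with '*') without using
# the 13-asterisk convention, yet still has a usable shell. Such an account
# is better expressed as 13 asterisks, or given /sbin/nologin.
needs_keyonly() {
    pw=$1 shell=$2
    case "$pw" in
        '*************') return 1 ;;      # already follows the convention
        '*'*) ;;                          # "off": fall through to shell check
        *) return 1 ;;                    # has a hash (or junk); not this case
    esac
    [ -n "$shell" ] && [ "$shell" != /sbin/nologin ]
}

# audit_master_passwd FILE
# Prints "login class shell" per entry, with a marker where needs_keyonly fires.
# master.passwd(5) layout: name:password:uid:gid:class:change:expire:gecos:home:shell
audit_master_passwd() {
    while IFS=: read -r login pw uid gid class change expire gecos home shell; do
        [ -z "$login" ] && continue
        case "$login" in '#'*) continue ;; esac
        kind=$(pwfield_class "$pw")
        flag=
        if needs_keyonly "$pw" "$shell"; then
            flag=" <- off with a valid shell; use 13 asterisks or /sbin/nologin"
        fi
        printf '%s %s %s%s\n' "$login" "$kind" "$shell" "$flag"
    done < "$1"
}

# Constructed sample file (the bcrypt string is made up, not a real hash).
demo_file=$(mktemp) || exit 1
cat > "$demo_file" <<'EOF'
root:$2b$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
deploy:*************:1001:1001::0:0:Deploy account:/home/deploy:/bin/ksh
foobar:*:1002:1002::0:0:Key-only user set up the old way:/home/foobar:/bin/ksh
oops::1003:1003::0:0:Empty password:/home/oops:/bin/ksh
EOF
audit_master_passwd "$demo_file"
rm -f "$demo_file"
```

An account whose password was set from openssl rand output still hashes to an ordinary bcrypt string, so the audit reports it as "hash", indistinguishable from an account with a real password. The 13-asterisk field is the only one of these states that records the intent in the file itself.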
