On Sat, Feb 21, 2026 at 2:31 AM Eric Johnson <726960+openbsd0631@pm.me> wrote:
What I have done in the past was to create passwords with:
openssl rand -hex 60
for user accounts that are intended to only be used via ssh with ssh keys. No need to memorize them or write them down at all. That way, if I or someone else made a mistake with /etc/ssh/sshd_config and accidentally allowed ssh access via passwords, the odds of someone guessing the password within the next few billion years would be minimal.
It is straightforward to create users with password logins disabled:
$ doas useradd -p "*************" -c usercomment -m username
The -p option takes an already-encrypted password (so there's no danger from the password appearing in ps output). If the already-encrypted password is 13 asterisks that means the account can't use password authentication but other methods (e.g. ssh keys) are permitted. See the man page for master.passwd(5).
-ken
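As an added example (not code from either message above), here is a small POSIX shell audit of master.passwd-style entries that reports which accounts could still be logged into with a password if, as Eric describes, someone accidentally enabled password authentication in sshd_config. It assumes the master.passwd(5) field order (name:password:uid:gid:class:change:expire:gecos:home:shell), treats the 13-asterisk field exactly as the message describes, and classifies any other asterisk-prefixed field as "not a usable hash" on the assumption that no crypt(3) output starts with '*'. The sample entries, including the bcrypt-shaped placeholder string, are constructed and not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the original post: audit master.passwd(5)-style
# entries for accounts where a password login would still succeed if a
# service (e.g. sshd with PasswordAuthentication yes) allowed it.
#
# Assumed field layout (master.passwd(5)):
#   name:password:uid:gid:class:change:expire:gecos:home:shell
#
# Classification of the password field:
#   ""               -> EMPTY: no password required at all (worst case)
#   "*************"  -> DISABLED: 13 asterisks, the useradd(8) default;
#                       password login disabled, other methods (ssh keys) allowed
#   other "*..."     -> NOHASH: assumption: not a valid crypt(3) hash, so no
#                       password can ever match it
#   anything else    -> HASH: a real hash, a password login is possible

classify_pw_field() {
    case "$1" in
        "")              echo "EMPTY";;
        "*************") echo "DISABLED";;
        \**)             echo "NOHASH";;
        *)               echo "HASH";;
    esac
}

# Read master.passwd lines on stdin, print "NAME STATUS" per account.
audit_master_passwd() {
    while IFS=: read -r name pw uid gid class change expire gecos home shell; do
        # skip blank lines and comments
        case "$name" in ''|\#*) continue;; esac
        printf '%s %s\n' "$name" "$(classify_pw_field "$pw")"
    done
}

# Only the accounts a password login could reach (empty field or real hash).
password_login_possible() {
    audit_master_passwd | awk '$2 == "EMPTY" || $2 == "HASH" { print $1 }'
}

# Constructed sample entries (not a real file). The bcrypt-shaped string is a
# placeholder of the right form, not a real hash.
SAMPLE='root:$2b$10$placeholderplaceholderplaceholderplaceholderplacehol:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
deploy:*************:1001:1001::0:0:deploy user:/home/deploy:/bin/ksh
legacy::1002:1002::0:0:legacy user:/home/legacy:/bin/ksh'

printf '%s\n' "$SAMPLE" | audit_master_passwd
```

On a real box you would feed it the actual file as root (`doas sh -c 'audit_master_passwd < /etc/master.passwd'`, after sourcing the functions), and pair it with `sshd -T | grep -i passwordauthentication` to see what the running sshd has effectively decided. Accounts listed by `password_login_possible` are the ones where the strength of the stored hash, rather than the configuration, is all that stands between a configuration slip and a password-guessing login; the 13-asterisk accounts are the ones that stay unreachable by password regardless.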