How to disable user's password via puppet securely?
The shadow(5) man pages says
If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).
So yes it is safe to use a *
. The !
a the first character of an encrypted password is used by passwd(1) to indicate that a password is locked (passwd -l
) and this can be unlocked (passwd -u
).