On older Debian machines one could issue something like:
echo '<username>:*'|chpasswd -e
in order to change the password field of the user (<username>) to *.
Now I am aware of
passwd -d <username> && passwd -l <username>
to achieve a similar effect and set the password field to !. However, on some newer vanilla Ubuntu configurations (in particular 10.04 LTS) this leads to the user not being able to log into the machine anymore (for example via SSH and key) - with: Your account has expired; please contact your system administrator. - even though passwd(1) "warns" that this is possible.
Now that's exactly what I want to achieve, though. Manually changing the field in the /etc/shadow file from ! to * fixes the issue, but there seems to be no scriptable way to achieve the same without directly fiddling with the shadow file (e.g. with sed). chpasswd -e used to be a convenient alternative, but that has been obviously removed.
So what I am looking for is either a variation of passwd -l that lets me choose the token that gets written into the file or any other kind of replacement for the exact functionality that chpasswd -e offered.
NB: * is already used for system accounts alright, and there seems to be a semantic difference to PAM or whatever between ! and * in the password field.
Also note: on Debian 5 and 6 chpasswd -e works. So the functionality must have gotten stripped deliberately in Ubuntu. I tested Ubuntu 9.10 and 10.04 (they don't have it); 11.04 and 11.10 have chpasswd -e.
Use a simple script like this one I just wrote:
Use of the script is at your own risk.
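Added example (not the answerer's script and not part of the original thread): POSIX shell functions that report the state of an account's password and expiry fields and rewrite the password field to a chosen token such as *. They run on any shadow(5)-format file; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: works on a shadow(5)-format file passed as an argument.
# shadow_state FILE USER -> prints "<password-state> <expiry-state>"
shadow_state() {
    awk -F: -v user="$2" -v today="$(( $(date +%s) / 86400 ))" '
        $1 == user {
            found = 1
            if ($2 == "")        pw = "empty"        # no password required
            else if ($2 ~ /^!/)  pw = "locked-bang"  # what passwd -l produces
            else if ($2 == "*")  pw = "star"         # no hash can ever match
            else                 pw = "hash"
            # Field 8: day number since 1970-01-01 on which the account expires
            if ($8 == "")              ex = "no-expiry"
            else if ($8 + 0 <= today)  ex = "expired"
            else                       ex = "valid"
            print pw, ex
        }
        END { if (!found) exit 1 }' "$1"
}

# set_password_field FILE USER TOKEN -> prints FILE with field 2 of USER replaced
set_password_field() {
    awk -F: -v OFS=: -v user="$2" -v tok="$3" '
        $1 == user { $2 = tok }
        { print }' "$1"
}

# write_sample FILE -> constructed sample entries (not real accounts or hashes)
write_sample() {
    cat > "$1" <<'EOF'
alice:!:15000:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:15000:0:99999:7:::
svc:*:15000:0:99999:7:::
carol:$6$constructedsalt$constructedhash:15000:0:99999:7:::
old:$6$constructedsalt$constructedhash:15000:0:99999:7::1:
EOF
}

# Demo on a temporary copy: show each state, then alice with * instead of !
sample=$(mktemp)
write_sample "$sample"
for u in alice bob svc carol old; do
    printf '%s: %s\n' "$u" "$(shadow_state "$sample" "$u")"
done
set_password_field "$sample" alice '*' | grep '^alice:'
rm -f "$sample"
```

On a live system, usermod -p '*' <username> writes the given string into the password field through the shadow tools rather than by editing the file.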