Security – Lock user account in LDAP (without using ppolicy)

Tags: ldap, password-management, security

In this answer, it was suggested that the UNIX way of adding a ! in front of the password field would work. I claim that this is not a clean solution. It will not make logins impossible, but merely changes the password to the literal content of the password field (of which the first character is !).

For example, assume the password field now looks like this:

!{CRYPT}$6$rounds=1000000$xxx$yyy

Here, xxx stands for the salt, and yyy for the hash.
That string will now be the user's password. For many practical purposes, this means the user cannot log in anymore, since she does not know her salt. But, in theory, by guessing the salt, login is still possible. Even worse, if an attacker obtains the LDAP database, he can now easily log in to this "locked" account, since hashing apparently is no longer used.

How can it be done instead?

Best Answer

Change the password field to the following:

{CRYPT}!$6$rounds=1000000$xxx$yyy

Or the following:

{CRYPT}$6$rounds=1000000$xxx$!yyy

According to my tests, this makes password authentication impossible.

It does not, however, cover other ways of authentication, for example with an SSH key. In order to cover those, at least the shell should be set to /bin/false. I strongly recommend combining this with another measure. In the comments, it was suggested to disable ~/.ssh/authorized_keys. A probably safer way is to change the primary group of the user to a group that is not allowed to SSH into the machine (the DenyGroups or AllowGroups feature of SSHD can be used for this).
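The behaviour the question complains about and the two forms the answer proposes, modelled in Python as an added example (this is not code from either post and not OpenLDAP's own code). It mimics slapd's userPassword dispatch: a {CRYPT} value is checked by running crypt against the stored setting, a value that carries an unknown {SCHEME} tag is rejected, and a value with no scheme tag at all is compared as cleartext (assumption: cleartext comparison is allowed, as it is in a default OpenLDAP build). crypt(3) itself is not called; a PBKDF2-HMAC-SHA512 stand-in keeps the $6$rounds=N$salt$hash layout and fails on a malformed setting the way crypt(3) does. The account, its password, salt and round count are constructed for the demo.

```python
"""Model of how a {CRYPT} userPassword value is verified, and what the three
'locking' variants on this page do to it. Added example; not OpenLDAP code."""
import hashlib
import hmac
import re
from typing import Optional

CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# A crypt(3) setting for the $6$ (sha512-crypt) scheme: optional rounds, then a
# salt of 1..16 characters from the crypt alphabet, optionally followed by a
# hash that crypt ignores when it is handed a complete hash as the setting.
_SHA512_SETTING = re.compile(
    r"^\$6\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[./0-9A-Za-z]{1,16})(?:\$.*)?$"
)


def _crypt_encode(digest: bytes) -> str:
    """Encode a 64-byte digest as 86 crypt-alphabet characters (6 bits each).
    Assumption: the bit ordering of real sha512-crypt is not reproduced; only
    the alphabet and length matter for the argument on this page."""
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(86):
        out.append(CRYPT_ALPHABET[n & 63])
        n >>= 6
    return "".join(out)


def crypt_standin(password: str, setting: str) -> Optional[str]:
    """Stand-in for crypt(3) with a $6$ setting (PBKDF2-HMAC-SHA512 instead of
    sha512-crypt). Returns None when the setting is malformed, which is what a
    failed crypt(3) call amounts to for the caller: nothing to compare against."""
    m = _SHA512_SETTING.match(setting)
    if m is None:
        return None
    rounds = int(m.group("rounds")) if m.group("rounds") else 5000
    salt = m.group("salt")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), rounds)
    prefix = "$6$" + (f"rounds={rounds}$" if m.group("rounds") else "") + salt + "$"
    return prefix + _crypt_encode(dk)


def ldap_verify(stored: str, candidate: str) -> bool:
    """slapd-style check of a bind password against one userPassword value."""
    if stored[:7].upper() == "{CRYPT}":
        expected = stored[7:]
        computed = crypt_standin(candidate, expected)
        return computed is not None and hmac.compare_digest(
            computed.encode(), expected.encode()
        )
    if stored.startswith("{") and "}" in stored[1:]:
        return False  # looks like a scheme tag, but not a scheme we know
    # No scheme tag at all: the field IS the password (assumes {CLEARTEXT} allowed).
    return hmac.compare_digest(stored.encode(), candidate.encode())


def lock_userpassword(stored: str) -> str:
    """The answer's first form: {CRYPT}!$6$...  The original hash survives
    after the '!', so an administrator can undo the lock without the password."""
    if stored[:7].upper() != "{CRYPT}" or stored[7:8] == "!":
        raise ValueError("expected an unlocked {CRYPT} value")
    return stored[:7] + "!" + stored[7:]


def unlock_userpassword(locked: str) -> str:
    """Reverse lock_userpassword: drop the '!' and restore the original hash."""
    if locked[:8].upper() != "{CRYPT}!":
        raise ValueError("value is not locked in the {CRYPT}! form")
    return locked[:7] + locked[8:]


def demo() -> dict:
    """Constructed account: password 'correct horse', a 5000-round setting and a
    constructed salt (the page's rounds=1000000 would work the same, just slower)."""
    password = "correct horse"
    stored = "{CRYPT}" + crypt_standin(password, "$6$rounds=5000$abcdefgh")
    unix_style = "!" + stored                 # the question's '!' in front of the whole field
    locked_salt = lock_userpassword(stored)   # the answer's first form: {CRYPT}!$6$...
    cut = stored.rfind("$") + 1
    locked_hash = stored[:cut] + "!" + stored[cut:]  # the answer's second form: ...$!yyy
    return {
        "unlocked_accepts_password": ldap_verify(stored, password),
        "unix_style_rejects_password": not ldap_verify(unix_style, password),
        "unix_style_accepts_literal_field": ldap_verify(unix_style, unix_style),
        "locked_salt_rejects_password": not ldap_verify(locked_salt, password),
        "locked_salt_rejects_literal_field": not ldap_verify(locked_salt, locked_salt),
        "locked_hash_rejects_password": not ldap_verify(locked_hash, password),
        "locked_hash_rejects_literal_field": not ldap_verify(locked_hash, locked_hash),
        "unlock_restores_hash": unlock_userpassword(locked_salt) == stored,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry of demo() comes out True: the leading-! field is accepted as a cleartext password equal to the field itself, which is the weakness the question describes, while both of the answer's forms reject the real password and the literal field alike. The {CRYPT}! form has one practical advantage over overwriting the hash: unlock_userpassword() restores the exact original value, so the user keeps her password after the lock is lifted.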