Update the password sanity checking thusly:

1) If a password entry is of the form \*[A-z-]+, do not complain that
   the account is off but has a valid password. Thus you can do
   passwords like *ssh to indicate ssh only logins.
   We should come up with a standard scheme for what various *keywords mean.
   Note that if the field length is 13, 20 or 34 you'll still get
   bitched at.
   This code should be cleaned up. (So should the password scheme.)
2) If the entry is for "toor", don't complain that the account is off
   but has a valid shell. We ship with toor:*:, there is no point in
   complaining about it.

Part of the campaign against spurious security warning output.
perry 2001-09-23 19:10:25 +00:00
parent c9a848a23c
commit 247041e342
1 changed files with 7 additions and 2 deletions


@ -1,6 +1,6 @@
#!/bin/sh -
#
# $NetBSD: security,v 1.58 2001/09/22 04:06:23 perry Exp $
# $NetBSD: security,v 1.59 2001/09/23 19:10:25 perry Exp $
# from: @(#)security 8.1 (Berkeley) 6/9/93
#
@ -86,7 +86,12 @@ if checkyesno check_passwd; then
printf "Login %s has more than "len" characters.\n", $1;
if ($2 == "")
printf "Login %s has no password.\n", $1;
if (length($2) != 13 && length($2) != 20 && length($2) != 34 && $2 != "") {
if (length($2) != 13 &&
length($2) != 20 &&
length($2) != 34 &&
$2 != "" &&
$2 !~ /^\*[A-z-]+$/ &&
$1 != "toor") {
if ($10 == "" || shells[$10])
printf "Login %s is off but still has a valid shell (%s)\n",
$1, $10;
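Review bot: The character class in `$2 !~ /^\*[A-z-]+$/` is wider than letters and hyphen. In ASCII the range `A-z` also covers `[`, `\`, `]`, `^`, `_` and the backtick, which sit between `Z` and `a`, so a field such as `*_x` is accepted as a keyword and silences the "off but still has a valid shell" warning. If only alphabetic keywords like the `*ssh` example in the commit message are intended, use `[A-Za-z-]`. Separately, `$1 != "toor"` hard-codes one account name into the condition with no comment; a one-line comment that toor ships as `toor:*:` would tell the next reader why it is exempt.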