If we consider the scenario where you want to grant only remote access to an account (e.g. user) and know you will only do this via SSH and using key-based authentication, it makes sense to lock the user account for any other kind of access. Now in Debian (4.x and 5.x) you were able to say (as root):
passwd -d user && passwd -l user
… which effectively took care of this by removing the password and locking the account. However, it is still happily logging you into your account via SSH as long as all other things (key and restrictions in the SSH server configuration) allow so.
Sadly in Ubuntu, despite being a Debian derivative, this is not possible as any attempt to log on will be aborted with the message Your account has expired; please contact your system administrator. Now I presume there is some way to tune this in /etc/pam.d, but it is kind of annoying this way. What it basically does is to force you to set a password, even though only locally, in order to get SSH authentication running.
Update: through all the ranting I forgot that there is a solution. If you ever looked into /etc/shadow, you’ll have noticed entries where the password field was set to ! (locked) or * (???) and the hash form of the password. Now the second form allows you to log on even without password, while at the same time making it impossible to log on with password. Thus you say (as root):
echo user:*|chpasswd -e
… which translates to: set the encrypted form of the password to be * (i.e. copy the verbatim value * there). Please don’t fiddle around in the shadow file itself. That’s what those tools are for.
// Oliver
PS: man shadow says:
If the password field contains some string that is not valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in, subject to pam(7).