I found the solution in the Open Directory documentation. To disable a user account in 10.4 (probably 10.3 as well), prepend ;DisabledUser; to the existing authentication_authority value (which is usually ;ShadowHash; or some variant). The old value can also be enclosed in angled brackets. For example, either of the following are valid AA values:
;DisabledUser;;ShadowHash;
;DisabledUser;<;ShadowHash;>
Once you've done so, the account no longer appears in the list of users on the login screen, nor can that user login remotely (e.g. via ssh). I haven't looked to see what other implications disabling has (e.g. whether remote files can be accessed via Samba). To re-enable the account, simply restore the original authentication_authority value by removing the ;DisabledUser; string and any angle brackets around the old value. I went ahead and cobbled up this short perl script to automate the process. Remember to make it executable (chmod a+x scriptname).
[robg adds: I haven't tested this one...]

