Description of problem: Pam documentation states in section 6.19.4 "Authentication component" The default action of this module is to not permit the user access to a service if their official password is blank. The nullok argument overrides this default. It is not entirely clear to which component this section refers but apparently to "auth". In any case in /etc/pam.d/system-auth 'nullok' does show up on lines with "auth sufficient" and "password sufficient". Still any attempt to ssh to an account with a null password is suddenly rejected with something like: "... sshd(pam_unix)[5643]: authentication failure; ..." in /var/log/messages. An attempt to change "a paranoid setting" for 'other' to something else does not help nor adding 'nullok' in various places in /etc/pam.d/sshd. In any case 'service=system-auth' is supposedly taking care of that, right? It is hard to figure out what really may happened especially that adding 'debug' parameters does not seem to have any discernible effect. I do appreciate secure defaults but trying to save me from myself is way too much. I have my reasons to want what I want. Version-Release number of selected component (if applicable): pam-0.77-56
If you looked at the documentation closely you would note that section 6.19 is about module pam_pwdb. This module isn't used in the current Fedora Core distros. However the pam_unix module has the same option nullok which enables empty passwords. And this option is included in the system-auth file and works well. SSH doesn't accept empty password, because by default it has not enabled PermitEmptyPasswords option in /etc/ssh/sshd_config.
A confusion arised because a time of the last sshd change was 2004/Sep/04 and giving whatever for a password on an account with no password did work until pam was updated on 2004/Sep/18. So some behaviour of pam definitely did change. Maybe for better; but this was not sshd responsible here (as shown in quoted fragments of "authentication failure" messages from pam_unix). As far as I can tell 'pam_unix' does have 'nullok' present via /etc/pam.d/system-auth which was always at default.
Ah, yes of course, because the old behaviour of ignoring the PermitEmptyPasswords option was actually a bug in pam which was fixed in the 0.77-56 release. See bug 127054