After upgrading from RedHat 5.1 to 6.1 (in any case for all core components such as kernel, initscripts, util-linux, pam) I noticed that my kids, whom I had given accounts without passwords, could no longer log in. They were still mentioned in the relevant files in /etc, with an empty string for the encrypted password, but any attempt to log in was refused. An attempt as root to give them the empty string as password (which is almost as good as no password) was refused by passwd, on the (understandable) grounds that the new password was way too short, but it would have been nice if there was some overriding mechanism. I did finally succeed in giving them empty passwords using the control-panel; somehow it must have convinced passwd to accept that.

However, something must be wrong with this procedure, because the next time I wanted to become root, I found that the root password, which I never had attempted to change in any way, was no longer accepted! I had no records of the old encrypted root password, so I cannot tell if it had been altered, but I suppose it had. In any case I did manage to reset the root password by booting into single user mode, so everybody is happy again, but I surely did have quite a scare there!

Maybe it was deemed too dangerous in 6.1 to allow any users without passwords, but I think that users should at least have been given a chance to set one, rather than being simply refused (yes, I do realise this allows anybody else to change their password before they can themselves, but that is inevitable and no different from the situation before). And I think that in some situations, e.g., a PC at home, the risk is quite acceptable, and it should be possible to deliberately choose to have such logins.
from ridgewr1.mil (Richard Ridgeway). You will also notice that any attempt by root to alter any user whose password is set to null fails, i.e. "user1::100:20::/home/user1:/bin/tcsh". For example, when root enters the command "passwd user1", and then enters in a valid password twice as directed, the password field for user1 as shown above (::) does not change. However, if root places "junk" in the password field of the entry for user1, i.e. "user1:junk:100:20::/home/user1:/bin/tcsh", and then enters "passwd user1", and enters in a valid password twice as directed, the "junk" entry in the password field is replaced by the valid scrambled password, and all works OK. This example is from a RedHat v6.1 upgrade from 5.2 where the upgrade defaults of activating the /etc/shadow and MD5 (?) were not performed.
This should be fixed in the latest pam/pwdb packages in Raw Hide.
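
A small audit for the account states discussed in this thread, as an added example that is not part of the original reports or of the pam/pwdb packages: it classifies the password field of each passwd-format entry (empty, locked, hashed, or a non-hash such as "junk") and follows the shadow entry when the field is "x". The user1 line is the one quoted above; every other sample line, and the function names, are constructed for this example.

```python
import re

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional crypt(3) output

# Constructed sample; only the user1 entry is taken from the thread.
SAMPLE_PASSWD = """\
root:$1$constructed$notARealHashValue000000:0:0:root:/root:/bin/bash
user1::100:20::/home/user1:/bin/tcsh
user2:junk:101:20::/home/user2:/bin/tcsh
user3:x:102:20::/home/user3:/bin/tcsh
daemon:*:2:2:daemon:/sbin:
"""

def classify(field):
    """Classify one password field from a passwd- or shadow-format line."""
    if field == "":
        return "empty"    # null password, the case reported in this thread
    if field[0] in "!*":
        return "locked"   # no password can match
    if field.startswith("$") or DES_CRYPT.match(field):
        return "hashed"   # modular crypt (e.g. $1$ for MD5) or DES crypt
    return "invalid"      # not a hash at all, e.g. "junk"

def audit(passwd_text, shadow_text=""):
    """Return {user: status} for every well-formed passwd entry."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    result = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        # Skip blanks, comments, malformed lines and NIS +/- entries.
        if len(parts) != 7 or parts[0][:1] in ("", "#", "+", "-"):
            continue
        user, field = parts[0], parts[1]
        if field != "x":
            result[user] = classify(field)
        elif user in shadow:
            result[user] = classify(shadow[user])
        else:
            result[user] = "shadow-missing"  # "x" but no shadow entry found
    return result

def empty_accounts(passwd_text, shadow_text=""):
    """Users who can log in without any password."""
    found = audit(passwd_text, shadow_text)
    return sorted(u for u, s in found.items() if s == "empty")

if __name__ == "__main__":
    for user, status in audit(SAMPLE_PASSWD).items():
        print(f"{user:8} {status}")
```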