From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020827

Description of problem:
Having configured my machine to use shadow passwords, I noticed that by removing the 'x' from the password field in /etc/passwd, I can log into the associated account without any password.

Version-Release number of selected component (if applicable):
pwdb-0.61.2-2

How reproducible:
Always

Steps to Reproduce:
1. Configure for shadow passwords
2. Edit /etc/passwd, remove the 'x' from the root account passwd field
3. Log in as root sans password

Actual Results:
Login succeeds

Expected Results:
I would expect the shadow file to override the password file. However, this may be conforming to some standard that I'm unaware of. Either way, I believe this behaviour should be either documented or fixed as appropriate. It's also difficult to track down, since 'passwd' updates the shadow file correctly but does not alert the user to the error in the passwd file.

Additional info:
The machine in question is running 7.3 with all updates. I am guessing that pwdb is the component at fault since it's the bit concerned with talking to /etc/passwd and /etc/shadow.

It's expected Unix behaviour. You can stop null being allowed like that by removing the "nullok" in the PAM configuration. See the PAM docs.
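
An audit for the condition discussed in this report, as an added example that is not part of the original report or reply: it lists accounts whose password field is empty and PAM auth lines that still carry "nullok". The function names and the sample files are constructed for illustration; the PAM line layout (type, control, module, options) is an assumption about /etc/pam.d-style files.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes passwd(5)-style files where
# field 2 is the password, and /etc/pam.d-style lines: type control module opts.

# Print account names whose password field (field 2) is empty.
empty_password_accounts() {
    awk -F: '!/^#/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Print "file:line" for each active auth line that carries the nullok option.
nullok_auth_lines() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v f="$f" '
            /^[ \t]*#/ { next }                 # skip comments
            $1 ~ /^-?auth$/ {                   # auth stack only
                for (i = 3; i <= NF; i++)       # options follow the module
                    if ($i == "nullok") { print f ":" NR; break }
            }' "$f"
    done
}

# usage: audit PASSWD_FILE PAM_FILE...
# Returns 1 only when both conditions hold, i.e. an empty password field
# exists and some auth line still permits null passwords.
audit() {
    passwd_file=$1; shift
    accounts=$(empty_password_accounts "$passwd_file")
    pam_hits=$(nullok_auth_lines "$@")
    [ -n "$accounts" ] && printf 'empty password field: %s\n' $accounts
    [ -n "$pam_hits" ] && printf 'nullok on auth line: %s\n' $pam_hits
    [ -z "$accounts" ] || [ -z "$pam_hits" ]
}

# Constructed sample data: root's 'x' placeholder removed, as in the report,
# and an auth line with nullok. Neither file is copied from a real system.
demo_dir=$(mktemp -d)
printf 'root::0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n' \
    > "$demo_dir/passwd"
printf '#%%PAM-1.0\nauth sufficient pam_unix.so likeauth nullok\n' \
    > "$demo_dir/system-auth"
audit "$demo_dir/passwd" "$demo_dir/system-auth" \
    || echo 'passwordless login possible'
```

On a live system the same call would be `audit /etc/passwd /etc/pam.d/*`, run with enough privilege to read those files.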