This is similar to bug report 6599 I run a script to install users on multiple RedHat linux and other machines at my site. I do not use Shadow or MD5. I run YP modified to handle a passwd database not at the standard path location. I create a passwd database entry with an empty passwd field and write it to the normal database. I run 'passwd' to add a password for the user and the 'passwd' program reports that the passwd is properly updated. On inspection, there is no change in the passwd database. The password record in the passwd database is then distributed to a number of systems where our users get accounts. Some of these accounts are not on Linux nodes and will allow login to an account with an empty passwd field. Because of this bug (and my poor checking) I ran some accounts for several days where no-passwrd access was allowed to an account that was supposed to be passwd protected. This bug in passwd is a change from 6.0, explicitly misreports what has happened, and can have security implications in a working computer environment. I consider it a severe error.
assigned to nalin
Please check to see if this bug has been fixed in the latest releases (Red Hat Linux 7.3 or 8.0). There have been several changes to the code that could have hiddenly fixed it.
Bug has been listed as closed for several releases.