Without further ado, the following was found: Issue: put B<> on "nullok" and "nonull", maybe on "pam_unix.so" as well. "If the encrypted password, whether in I</etc/passwd> or in I</etc/shadow>, " "is an empty string, login is allowed without even asking for a password. " "Note that this functionality may be intentionally disabled in applications, " "or configurable (for example using the \"nullok\" or \"nonull\" arguments to " "pam_unix.so)."
