A RedHat 9.0 system (with RedHat's openssh-server-3.5p1-6) is configured with "PermitEmptyPasswords no". An account is created with an empty password (null in /etc/shadow). The intent is to allow console logins only. This works on A RedHat 8.0 system with OpenSSH openssh-server-3.4p1-2. SSH logins with an empty password are indeed blocked (unless "PermitEmptyPasswords yes" is set). However, any random password will allow login. On RedHat 8, it won't. I notice that if I list allowed remote users in "AllowUsers" then I can block the local-only user, which provides a workaround (or may be a better solution than just blocking empty passwords)
Can you reproduce this with vanilla openssh-3.6.1p2 (eg from ftp.ca.openbsd.org ) configured --with-pam?
I think that bug #611 might be the cause of this.
RTFM, or get your distributor to: http://www.openssh.com/faq.html#3.2
As a workaround, you could give your no-password user a shell that's not listed in /etc/shells. This will cause sshd to deny the connection attempt very early in the authentication process.
There is no need for an additional workaround - one must remove the "nullok" flag in the PAM conf. Really, the bug is in PAM itself.
OK, after messing around trying 3.6.1p2 I realize I had a "DenyUsers" line in sshd_config on the RedHat 8 system which I had forgotten about. The RedHat sshd.pam does not have nullok but it is chained to system-auth which does. I guess unchaining it might work but I don't want to depart too much from the stock distro especially in things I don't really understand (like PAM) So the issue is that PermitEmptyPasswords is ignored if PAM is used. If PAM is really broken like this then maybe a note in the sshd_config manpage is in order.
Mass change of RESOLVED bugs to CLOSED