Comment 8 for bug 296841

Jamie Strandboge (jdstrand) wrote :

A disabled empty root password (i.e. '*' in /etc/shadow) works fine. E.g., using the below 'test.sh' script:

#!/bin/sh -e
for i in nullok nonull ; do
    echo -n "$i: "
    if printf '!\0' | unix_chkpwd root $i ; then
        echo "matched"
    else
        echo "did not match"
    fi
done

$ sudo head -1 /etc/shadow
root:*:14215:0:99999:7:::
$ sudo ./test.sh
nullok: did not match
nonull: did not match

What will match with nullok but not nonull is an enabled empty root password:
$ sudo head -1 /etc/shadow
root::14215:0:99999:7:::

Of course, an enabled empty root password allows passwordless root login via ssh and the console, which is not at all needed for ssh key logins.
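
An added example, not part of the original comment: an audit helper that separates the two /etc/shadow states shown above, a lock-marked field ('*' or '!') versus an enabled empty field, which is the one that matches under nullok. The function names and the "alice" entry are constructed for illustration; the two root lines are the ones quoted in the comment.

```shell
#!/bin/sh
# Added example: classify the password field of shadow(5)-format lines.
# Reads shadow-format lines on stdin and prints "user<TAB>state" per entry.
classify_shadow() {
    awk -F: '
        NF < 2 || /^#/ { next }        # skip malformed lines and comments
        {
            pw = $2
            if (pw == "")
                state = "EMPTY"        # enabled empty password
            else if (pw ~ /^[!*]/)
                state = "LOCKED"       # lock marker, no password can match
            else
                state = "SET"          # non-empty field without a lock marker
            printf "%s\t%s\n", $1, state
        }'
}

# Print only the accounts with an enabled empty password field.
empty_password_accounts() {
    classify_shadow | awk -F'\t' '$2 == "EMPTY" { print $1 }'
}

# Constructed sample input: the two root entries from the comment plus a
# made-up user with a placeholder hash.
sample_shadow() {
    cat <<'EOF'
root:*:14215:0:99999:7:::
root::14215:0:99999:7:::
alice:$6$constructedsalt$constructedhash:14215:0:99999:7:::
EOF
}

# Demo run over the constructed sample.
sample_shadow | classify_shadow
```

On a live system the same check is `sudo cat /etc/shadow | empty_password_accounts`; any name it prints is an account that needs its password field locked or set.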