A disabled empty root password (i.e. '*' in /etc/shadow) works fine. E.g., using the below 'test.sh' script:

#!/bin/sh -e
for i in nullok nonull ; do
    echo -n "$i: "
    if printf '!\0' | unix_chkpwd root $i ; then
        echo "matched"
    else
        echo "did not match"
    fi
done

$ sudo head -1 /etc/shadow
root:*:14215:0:99999:7:::
$ sudo ./test.sh
nullok: did not match
nonull: did not match

What will match with nullok but not nonull is an enabled empty root password:

$ sudo head -1 /etc/shadow
root::14215:0:99999:7:::

Of course, an enabled empty root password allows passwordless root login via ssh and the console, which is not at all needed for ssh key logins.
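An added example, not part of the original comment: a small audit that classifies the password field of shadow-format lines, separating the disabled case ('*' or '!') from the enabled empty case that matches with nullok. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Classify the password field (2nd colon-separated field) of shadow-format
# lines read from stdin. Prints "user:state" for each account.
#   empty    - enabled empty password (the case that matches with nullok)
#   disabled - field starts with '*' or '!', so no password can match
#   hashed   - anything else (a crypt(3) hash)
classify_shadow() {
    awk -F: '
        NF < 2 || $1 == "" { next }                 # skip malformed lines
        $2 == ""           { print $1 ":empty";    next }
        $2 ~ /^[*!]/       { print $1 ":disabled"; next }
                           { print $1 ":hashed" }
    '
}

# Print the accounts whose password field is empty.
# Returns 0 when there are none, 1 when at least one was found.
find_empty_passwords() {
    out=$(classify_shadow | awk -F: '$2 == "empty" { print $1 }')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample data (not taken from a real system).
SAMPLE_SHADOW='root:*:14215:0:99999:7:::
backup::14215:0:99999:7:::
alice:$6$constructedsalt$constructedhash:14215:0:99999:7:::
svc:!:14215:0:99999:7:::'

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow
```

On a live system the input would be /etc/shadow, read as root: `find_empty_passwords < /etc/shadow`.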