There are two possibilities to store an empty password in the passwd(5)
database. We can either store an empty hash, or a hash of the empty
string.

pam_unix checked for both cases separately. The code checking for an
empty hash succeeds without prompt when empty hashes ("nullok") are
allowed, otherwise changes the hash to "*" to force authentication to
fail later. The code checking for a hash of the empty password also
immediately succeeded when empty passwords ("emptyok") are allowed, but
missed the part forcing a failure otherwise. As a result, with a hash of
the empty password stored, you could still successfully authenticate by
just hitting enter on the password prompt that appears without the
"nullok" or "emptyok" option.

Unify both code blocks to make sure they do exactly the same, enforcing
authentication with an empty password to always fail without the
"nullok" option. Remove the now redundant "emptyok" option. Update the
manpage accordingly, and also remove a warning that "nullok" could allow
authentication with any password when invoked unprivileged: This won't
happen because getpwnam(3) puts "*" in the password field in that case.
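
The difference between the two code paths described in the commit message, as an added model that is not pam_unix source: `toy_hash`, `auth_before` and `auth_after` are hypothetical names, and the toy hash is a constructed stand-in for crypt(3).

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for crypt(3): FNV-1a as hex. Not a real password hash. */
static void toy_hash(const char *pw, char out[16]) {
    unsigned h = 2166136261u;
    for (; *pw; pw++) { h ^= (unsigned char)*pw; h *= 16777619u; }
    snprintf(out, 16, "$t$%08x", h);
}

/* Model of the old logic: two separate checks, the second lacks the forced failure. */
int auth_before(const char *stored, const char *typed, int nullok, int emptyok) {
    char h[16];
    toy_hash("", h);
    if (stored[0] == '\0') {              /* empty hash */
        if (nullok) return 1;             /* succeed without prompt */
        stored = "*";                     /* nothing hashes to "*": fail later */
    } else if (strcmp(stored, h) == 0) {  /* hash of the empty string */
        if (emptyok) return 1;
        /* no stored = "*" here, so an empty typed password still matches below */
    }
    toy_hash(typed, h);
    return strcmp(stored, h) == 0;
}

/* Model of the unified logic: both representations are gated by nullok alone. */
int auth_after(const char *stored, const char *typed, int nullok) {
    char h[16];
    toy_hash("", h);
    if (stored[0] == '\0' || strcmp(stored, h) == 0) {
        if (nullok) return 1;
        stored = "*";
    }
    toy_hash(typed, h);
    return strcmp(stored, h) == 0;
}

int main(void) {
    char e[16];
    toy_hash("", e);  /* constructed passwd entry holding a hash of "" */
    printf("before, no options: %d\n", auth_before(e, "", 0, 0));
    printf("after,  no nullok:  %d\n", auth_after(e, "", 0));
    return 0;
}
```

The same assertions work as a regression check against any implementation: both stored forms of the empty password must be rejected unless "nullok" is set, and non-empty passwords must be unaffected.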