make nullok into a build time option

3 files changed, 12 insertions, 2 deletions

diff --git a/Makefile b/Makefile
index 339de62..a459fd0 100644
--- a/Makefile
+++ b/Makefile
@@ -56,6 +56,10 @@ ifeq "$(KRB5)" "yes"
 PAMFLAGS += -DHAVE_KRB5=1
 endif
 
+ifeq "$(NULLOK)" "yes"
+PAMFLAGS += -DWANT_NULLOK=1
+endif
+
 ifeq "$(SHA512)" "yes"
 PAMFLAGS += -DWANT_SHA512=1
 endif
diff --git a/basic-conf b/basic-conf
index eaa1cb0..5ab72c0 100644
--- a/basic-conf
+++ b/basic-conf
@@ -29,6 +29,12 @@
 #define LIKEAUTH
 #endif
 
+#if WANT_NULLOK
+#define NULLOK nullok
+#else
+#define NULLOK
+#endif
+
 #define KRB5_PARAMS DEBUG ignore_root try_first_pass
 
 /* By using the extended Linux-PAM syntax for this, it is possible to
diff --git a/system-auth.in b/system-auth.in
index 43df701..1f7ffbd 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -7,7 +7,7 @@ auth		sufficient	pam_ssh.so
 #if HAVE_KRB5
 auth		KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
 #endif
-auth		required	pam_unix.so try_first_pass LIKEAUTH nullok DEBUG
+auth		required	pam_unix.so try_first_pass LIKEAUTH NULLOK DEBUG
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
 auth		optional	pam_permit.so
  
@@ -27,7 +27,7 @@ password	required	pam_passwdqc.so min=8,8,8,8,8 retry=3
 #if HAVE_KRB5
 password	KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
 #endif
-password	required	pam_unix.so try_first_pass UNIX_AUTHTOK nullok UNIX_EXTENDED_ENCRYPTION DEBUG
+password	required	pam_unix.so try_first_pass UNIX_AUTHTOK NULLOK UNIX_EXTENDED_ENCRYPTION DEBUG
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
 password	optional	pam_permit.so