Hi, In the current stable version (0.79-5), the bug still exits, but I think in the testing version (0.99.7) it doesn't (I'm not completely sure).
Anyway, it should be reviewed. Look at _unix_read_password function in
/modules/pam_unix/support.c:
...
if (resp[0] != NULL && resp[replies-1] != NULL) {
/* interpret the response */
if (retval == PAM_SUCCESS) { /* a good conversation */
token = resp[0];
if (token != NULL) { // ALWAYS TRUE !!
...
