Marked public as the issue was already reported upstream (although it was closed due to some mistakes by the reporter: <https://sourceforge.net/tracker/?func=detail&aid=925424&group_id=5741&atid=305741>).
I've researched the issue and made a quick patch for pam_mysql.c; I'm linking the branch I made to this report.

** Bug watch added: SourceForge.net Tracker #925424
   http://sourceforge.net/support/tracker.php?aid=925424

--
https://bugs.launchpad.net/bugs/943507

Title:
  libpam-mysql lets you log in with any password when crypt=1 is set and the password field contains an empty string in the user record.