From: Alejandro Colomar <alx@kernel.org>
Date: Thu, 15 Jan 2026 00:11:52 +0000 (+0100)
Subject: lib/chkhash.c: is_valid_hash(): Accept an empty hash
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b67543987e3d140c86f1b8e2b5db5c10d8bc3c5;p=thirdparty%2Fshadow.git

lib/chkhash.c: is_valid_hash(): Accept an empty hash

It represents a passwordless account.
That is discouraged, but accepted.

Fixes: c44f1e096a19 (2025-07-20; "chpasswd: Check hash before write when using -e")
Link: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124835>
Reported-by: Marc 'Zugschlus' Haber <mh+githubvisible@zugschlus.de>
Reported-by: "Serge E. Hallyn" <serge@hallyn.com>
Reported-by: Adam Williamson <awilliam@redhat.com>
Co-authored-by: "Serge E. Hallyn" <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
---

diff --git a/lib/chkhash.c b/lib/chkhash.c
index 71e0fb4ed..d0a8dc011 100644
--- a/lib/chkhash.c
+++ b/lib/chkhash.c
@@ -42,6 +42,10 @@ is_valid_hash(const char *hash)
 {
 	hash = strprefix(hash, "!") ?: hash;
 
+	// Passwordless account; discouraged
+	if (streq(hash, ""))
+		return true;
+
 	if (streq(hash, "*"))
 		return true;