
PAM: Should nullok be removed from password also?

Open pyllyukko opened this issue 4 years ago • 2 comments

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-hardening_your_system_with_tools_and_services#sect-Security_Guide-Workstation_Security-Account_Locking:

To disable the nullok option, remove the nullok string from configuration files in the /etc/pam.d/ directory, such as /etc/pam.d/system-auth or /etc/pam.d/password-auth.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pam_configuration_files#Sample_PAM_Configuration_Files:

The argument nullok instructs the module to allow the user to change their password from a blank password, otherwise a null password is treated as an account lock.

pyllyukko, Dec 20 '19 14:12

PAM_UNIX(8) has an example with password:

password   required   pam_unix.so use_authtok nullok yescrypt

https://github.com/linux-pam/linux-pam/blob/cf2fc5ff7b4a8555fda2a5ebe5f6ab0e45c22996/modules/pam_unix/pam_unix_passwd.c#L562-L564 complains that "No password has been supplied."

pyllyukko, Jan 11 '23 14:01
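A small checker for the situation discussed in this issue, added here as an example; it is not code from the harden.yml project or from the commenter. It parses text in the /etc/pam.d/ line format (type, control, module, arguments), reports every pam_unix.so line in any management group (auth, password, and so on) that still carries nullok or nullok_secure, and can produce a copy of the file with those tokens stripped. The sample configuration embedded below is constructed to resemble an RHEL-style system-auth file; the helper names are this example's own.

```python
"""Find and strip `nullok` from pam_unix.so lines in PAM configuration text.

Added example (not harden.yml project code). Assumes the classic
/etc/pam.d/ line format:  type  control  module  [args...]
"""
import re
from pathlib import Path

# type may carry a leading '-' (skip silently if module missing);
# control is either a bare keyword or a bracketed [...] action list.
PAM_LINE = re.compile(
    r"^\s*(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)
NULL_TOKENS = {"nullok", "nullok_secure"}

# Constructed sample resembling an RHEL-style /etc/pam.d/system-auth.
SAMPLE = "\n".join([
    "#%PAM-1.0",
    "# constructed sample, not a real system file",
    "auth        required      pam_env.so",
    "auth        sufficient    pam_unix.so nullok try_first_pass",
    "auth        required      pam_deny.so",
    "account     required      pam_unix.so",
    "password    requisite     pam_pwquality.so try_first_pass retry=3",
    "password    sufficient    pam_unix.so use_authtok nullok yescrypt",
    "password    required      pam_deny.so",
    "session     required      pam_unix.so",
])


def _parse(raw):
    """Split a raw line into (code, '#', comment) and return the regex match for the code part."""
    code, sep, comment = raw.partition("#")
    return PAM_LINE.match(code.strip()), sep, comment


def find_nullok(text):
    """Return one finding per pam_unix.so line that carries a null-password token."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m, _, _ = _parse(raw)
        if not m or not m.group("module").endswith("pam_unix.so"):
            continue
        args = (m.group("args") or "").split()
        hits = [a for a in args if a in NULL_TOKENS]
        if hits:
            findings.append({
                "line": lineno,
                "type": m.group("type").lstrip("-"),  # auth / password / ...
                "args": hits,
            })
    return findings


def strip_nullok(text):
    """Return the configuration text with nullok tokens removed from pam_unix.so lines."""
    out = []
    for raw in text.splitlines():
        m, sep, comment = _parse(raw)
        if not m or not m.group("module").endswith("pam_unix.so"):
            out.append(raw)
            continue
        args = [a for a in (m.group("args") or "").split() if a not in NULL_TOKENS]
        rebuilt = "{:<12}{:<14}{}".format(m.group("type"), m.group("control"),
                                          " ".join([m.group("module")] + args)).rstrip()
        out.append(rebuilt + (sep + comment if sep else ""))
    return "\n".join(out)


def scan_pam_dir(directory="/etc/pam.d"):
    """Map each regular file under a pam.d directory to its nullok findings (empty lists omitted)."""
    result = {}
    for p in sorted(Path(directory).iterdir()):
        if p.is_file():
            hits = find_nullok(p.read_text(errors="replace"))
            if hits:
                result[p.name] = hits
    return result


if __name__ == "__main__":
    for f in find_nullok(SAMPLE):
        print("line {line}: {type} stack allows empty password via {args}".format(**f))
    print("--- after strip_nullok ---")
    print(strip_nullok(SAMPLE))
```

Running the module against the constructed sample reports both the auth and the password pam_unix.so lines; on a real host, `scan_pam_dir()` walks /etc/pam.d/ and returns the same findings per file so the result can be diffed against the hardened state.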