diff -up Linux-PAM-1.3.1/modules/pam_unix/passverify.c.pam-unix-shadow-password Linux-PAM-1.3.1/modules/pam_unix/passverify.c
--- Linux-PAM-1.3.1/modules/pam_unix/passverify.c.pam-unix-shadow-password	2024-11-05 13:02:14.637785962 +0100
+++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c	2024-11-05 13:02:14.643785975 +0100
@@ -73,9 +73,13 @@ verify_pwd_hash(const char *p, char *has
 
 	strip_hpux_aging(hash);
 	hash_len = strlen(hash);
-	if (!hash_len) {
+
+	if (p && p[0] == '\0' && !nullok) {
+		/* The passed password is empty */
+		retval = PAM_AUTH_ERR;
+	} else if (!hash_len) {
 		/* the stored password is NULL */
-		if (nullok) { /* this means we've succeeded */
+		if (p && p[0] == '\0' && nullok) { /* this means we've succeeded */
 			D(("user has empty password - access granted"));
 			retval = PAM_SUCCESS;
 		} else {
@@ -192,17 +196,21 @@ PAMH_ARG_DECL(int get_account_info,
 			return PAM_UNIX_RUN_HELPER;
 #endif
 		} else if (is_pwd_shadowed(*pwd)) {
+#ifdef HELPER_COMPILE
 			/*
-			 * ...and shadow password file entry for this user,
+			 * shadow password file entry for this user,
 			 * if shadowing is enabled
 			 */
-#ifndef HELPER_COMPILE
-			if (geteuid() || SELINUX_ENABLED)
-				return PAM_UNIX_RUN_HELPER;
-#endif
-			*spwdent = pam_modutil_getspnam(pamh, name);
+			*spwdent = getspnam(name);
 			if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
 				return PAM_AUTHINFO_UNAVAIL;
+#else
+			/*
+			 * The helper has to be invoked to deal with
+			 * the shadow password file entry.
+			 */
+			return PAM_UNIX_RUN_HELPER;
+#endif
 		}
 	} else {
 		return PAM_USER_UNKNOWN;