Support setting the new variable PASSWDSKIP in /etc/daily.local to prevent

security(8) from complaining about specific accounts that have no password,
typically used for services like anoncvs and gotd.

In addition to improving support for gotd, this also improves security
for everyone because the exception will now only exist on machines
where the admin explicitly enables it.

Based on an idea from stsp@; OK stsp@.
(Actually, sthen@ also mentioned a similar idea in 2009, and afresh1@
 indicated potential support for the general direction in 2024.)

Author: ischwarze

Diff for: etc/daily

@@ -1,5 +1,5 @@
 #
-#	$OpenBSD: daily,v 1.100 2024/07/04 05:06:58 bket Exp $
+#	$OpenBSD: daily,v 1.101 2025/03/31 17:35:28 schwarze Exp $
 #	From: @(#)daily	8.2 (Berkeley) 1/25/94
 #
 # For local additions, create the file /etc/daily.local.
@@ -173,7 +173,7 @@ MAINOUT=/var/log/security.out
 install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT
 
 start_part "Running security(8):"
-export SUIDSKIP
+export PASSWDSKIP SUIDSKIP
 /usr/libexec/security
 end_part
 rm -f $PARTOUT

Diff for: libexec/security/security

@@ -1,6 +1,6 @@
 #!/usr/bin/perl -T
 
-# $OpenBSD: security,v 1.47 2025/03/09 20:10:17 phessler Exp $
+# $OpenBSD: security,v 1.48 2025/03/31 17:35:28 schwarze Exp $
 #
 # Copyright (c) 2011, 2012, 2014, 2015 Ingo Schwarze <schwarze@openbsd.org>
 # Copyright (c) 2011 Andrew Fresh <andrew@afresh1.com>
@@ -75,7 +75,9 @@ sub check_passwd {
 	my $filename = '/etc/master.passwd';
 	$check_title = "Checking the $filename file:";
 	nag !(open my $fh, '<', $filename), "open: $filename: $!" and return;
-	my (%logins, %uids);
+	my (%logins, %uids, %skip);
+	%skip = map { $_ => 1 } split ' ', $ENV{PASSWDSKIP}
+	    if $ENV{PASSWDSKIP};
 	while (my $line = <$fh>) {
 		chomp $line;
 		nag $line !~ /\S/,
@@ -96,8 +98,7 @@ sub check_passwd {
 		}
 		nag length $name > 31,
 		    "Login $name has more than 31 characters.";
-		nag $pwd eq '' && !($name eq 'anoncvs' &&
-				    $shell =~ /\/anoncvssh$/),
+		nag $pwd eq '' && !$skip{"$name:$shell"},
 		    "Login $name has no password.";
 		if ($pwd ne '' &&
 		    $pwd ne 'skey' &&

Diff for: share/man/man8/security.8

@@ -1,8 +1,8 @@
-.\" $OpenBSD: security.8,v 1.27 2024/12/24 17:08:50 krw Exp $
+.\" $OpenBSD: security.8,v 1.28 2025/03/31 17:35:28 schwarze Exp $
 .\"
 .\" David Leonard, 2001. Public Domain.
 .\"
-.Dd $Mdocdate: December 24 2024 $
+.Dd $Mdocdate: March 31 2025 $
 .Dt SECURITY 8
 .Os
 .Sh NAME
@@ -113,7 +113,18 @@ script is to point out some obvious holes to the system administrator.
 The following variables can be set in
 .Pa /etc/daily.local :
 .Pp
-.Bl -tag -width "SUIDSKIP" -compact
+.Bl -tag -width "PASSWDSKIP" -compact
+.It Ev PASSWDSKIP
+A whitespace-separated list of
+.Ar name : Ns Ar shell
+pairs allowed to have empty passwords.
+For example, a machine running both CVS and gotd for anonymous access
+might set:
+.Bd -literal -offset indent
+PASSWDSKIP="anoncvs:/usr/local/bin/anoncvssh
+            anonymous:/usr/local/bin/gotsh"
+.Ed
+.Pp
 .It Ev SUIDSKIP
 A whitespace-separated list of absolute paths to be skipped
 in setuid/setgid file checks and in device special file checks.