Specifically, the current status means that on stretch systems, any accounts relying on the default pam_unix nullok_secure to allow null- password accounts to log in from local terminals only are open to access by anyone who ssh's in and happens to get get pts/0 or pts/1.