I had another look at the netatalk3 port and came up with the following patch. It works for me but that's not a thorough test (and only for dhx2). It's a more invasive patch than my previous one, but if this is better I can apply the same to net/netatalk.
I looked for the SHADOWPW ifdefs and added an additional getpwnam_shadow(3) call in front of the crypt(3) calls (and one additional one to the clear text pw check). I also memset the pw_passwd fields to 0 and added check for crypt(3) returning NULL. FWIW, here's the patch:
diff -x CVS -rNu net/netatalk3.orig/Makefile net/netatalk3/Makefile
--- net/netatalk3.orig/Makefile Sun Mar 20 17:12:25 2016
+++ net/netatalk3/Makefile Thu Jun 9 16:14:06 2016
@@ -3,7 +3,7 @@
 COMMENT= AFP file and print services for IP networks
 V= 3.1.8
-REVISION= 0
+REVISION= 1
 DISTNAME= netatalk-${V}
 EXTRACT_SUFX= .tar.bz2
 PKGSPEC = netatalk->=3,<4
diff -x CVS -rNu net/netatalk3.orig/patches/patch-etc_uams_uams_dhx2_passwd_c net/netatalk3/patches/patch-etc_uams_uams_dhx2_passwd_c
--- net/netatalk3.orig/patches/patch-etc_uams_uams_dhx2_passwd_c Thu Jan 1 01:00:00 1970
+++ net/netatalk3/patches/patch-etc_uams_uams_dhx2_passwd_c Thu Jun 9 16:08:04 2016
@@ -0,0 +1,26 @@
+$OpenBSD$
+--- etc/uams/uams_dhx2_passwd.c.orig Thu Jun 9 15:55:58 2016
++++ etc/uams/uams_dhx2_passwd.c Thu Jun 9 15:59:50 2016
+@@ -545,12 +545,21 @@ static int logincont2(void *obj _U_, struct passwd **u
+ /* ---- Start authentication --- */
+ ret = AFPERR_NOTAUTH;
+
++ if ((dhxpwd = getpwnam_shadow(dhxpwd->pw_name)) == NULL) {
++ LOG(log_info, logtype_uams,
++ "could not get shadow passwd for %s", dhxpwd->pw_name);
++ ret = AFPERR_NOTAUTH;
++ goto exit;
++ }
++
+ p = crypt( ibuf, dhxpwd->pw_passwd );
+ memset(ibuf, 0, 255);
+- if ( strcmp( p, dhxpwd->pw_passwd ) == 0 ) {
++ if ( (p != NULL) && (strcmp( p, dhxpwd->pw_passwd ) == 0) ) {
++ memset(dhxpwd->pw_passwd, 0, strlen(dhxpwd->pw_passwd));
+ *uam_pwd = dhxpwd;
+ ret = AFP_OK;
+ }
++ memset(dhxpwd->pw_passwd, 0, strlen(dhxpwd->pw_passwd));
+
+ #ifdef SHADOWPW
+ if (( sp = getspnam( dhxpwd->pw_name )) == NULL ) {
diff -x CVS -rNu net/netatalk3.orig/patches/patch-etc_uams_uams_dhx_passwd_c net/netatalk3/patches/patch-etc_uams_uams_dhx_passwd_c
--- net/netatalk3.orig/patches/patch-etc_uams_uams_dhx_passwd_c Thu Jan 1 01:00:00 1970
+++ net/netatalk3/patches/patch-etc_uams_uams_dhx_passwd_c Thu Jun 9 16:11:20 2016
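Review bot: The failure branch of the new getpwnam_shadow() check dereferences the pointer it has just found to be NULL: the assignment inside the `if` overwrites `dhxpwd`, so `dhxpwd->pw_name` in the LOG call is a NULL dereference, and a failed lookup would most likely crash the login path instead of returning AFPERR_NOTAUTH. Keep the lookup result in a separate variable, e.g. `struct passwd *spw = getpwnam_shadow(dhxpwd->pw_name);` then `if (spw == NULL) {`, log the name from the original entry, and only switch to `spw` once it is known to be valid. The same pattern is repeated in the uams_dhx_passwd.c patch and in both hunks of the uams_passwd.c patch. logincont2 starts and ends outside the hunk.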
@@ -0,0 +1,25 @@
+$OpenBSD$
+--- etc/uams/uams_dhx_passwd.c.orig Thu Jun 9 15:59:59 2016
++++ etc/uams/uams_dhx_passwd.c Thu Jun 9 16:11:14 2016
+@@ -342,12 +342,20 @@ static int passwd_logincont(void *obj, struct passwd *
+ return AFP_OK;
+ }
+ #else /* TRU64 */
++ if ((dhxpwd = getpwnam_shadow(dhxpwd->pw_name)) == NULL) {
++ LOG(log_info, logtype_uams,
++ "could not get shadow passwd for %s", dhxpwd->pw_name);
++ return (AFPERR_NOTAUTH);
++ }
++
+ p = crypt( rbuf, dhxpwd->pw_passwd );
+ memset(rbuf, 0, PASSWDLEN);
+- if ( strcmp( p, dhxpwd->pw_passwd ) == 0 ) {
++ if ( (p != NULL) && (strcmp( p, dhxpwd->pw_passwd ) == 0) ) {
++ memset(dhxpwd->pw_passwd, 0, strlen(dhxpwd->pw_passwd));
+ *uam_pwd = dhxpwd;
+ err = AFP_OK;
+ }
++ memset(dhxpwd->pw_passwd, 0, strlen(dhxpwd->pw_passwd));
+ #ifdef SHADOWPW
+ if (( sp = getspnam( dhxpwd->pw_name )) == NULL ) {
+ LOG(log_info, logtype_uams, "no shadow passwd entry for %s", dhxpwd->pw_name);
diff -x CVS -rNu net/netatalk3.orig/patches/patch-etc_uams_uams_passwd_c net/netatalk3/patches/patch-etc_uams_uams_passwd_c
--- net/netatalk3.orig/patches/patch-etc_uams_uams_passwd_c Thu Jan 1 01:00:00 1970
+++ net/netatalk3/patches/patch-etc_uams_uams_passwd_c Thu Jun 9 16:29:47 2016
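Review bot: The hash is cleared twice on the success path: the `memset` added inside the `if` is immediately followed by the unconditional one after the closing brace, so the inner call can be dropped (the uams_dhx2_passwd.c patch has the same pair). For the remaining call, `explicit_bzero(dhxpwd->pw_passwd, strlen(dhxpwd->pw_passwd));` is the usual way to scrub a secret, since it does not depend on the compiler keeping the store. `*uam_pwd` also ends up pointing at the entry returned by getpwnam_shadow(), which is presumably static storage like other getpw* results, so its validity across later lookups is worth confirming. passwd_logincont starts and ends outside the hunk.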
@@ -0,0 +1,37 @@
+$OpenBSD$
+--- etc/uams/uams_passwd.c.orig Thu Dec 11 12:27:44 2014
++++ etc/uams/uams_passwd.c Thu Jun 9 16:29:16 2016
+@@ -229,11 +229,19 @@ static int passwd_changepw(void *obj, char *username,
+ pwd->pw_passwd = sp->sp_pwdp;
+ #endif /* SHADOWPW */
+
++ if ((pwd = getpwnam_shadow(pwd->pw_name)) == NULL) {
++ LOG(log_info, logtype_uams,
++ "could not get shadow passwd for %s", pwd->pw_name);
++ ret = AFPERR_NOTAUTH;
++ goto exit;
++ }
++
+ p = crypt(pw, pwd->pw_passwd );
+- if (strcmp( p, pwd->pw_passwd )) {
++ if ((p != NULL) && strcmp( p, pwd->pw_passwd ))) {
+ memset(pw, 0, sizeof(pw));
+ return AFPERR_NOTAUTH;
+ }
++ memset(pwd->pw_passwd, 0, strlen(pwd->pw_passwd));
+
+ /* new password */
+ ibuf += PASSWDLEN;
+@@ -329,6 +337,12 @@ static int passwd_printer(char *start, char *stop, cha
+ }
+
+ #endif /* SHADOWPW */
++
++ if ((pwd = getpwnam_shadow(pwd->pw_name)) == NULL) {
++ LOG(log_info, logtype_uams,
++ "could not get shadow passwd for %s", pwd->pw_name);
++ return(-1);
++ }
+
+ if (!pwd->pw_passwd) {
+ LOG(log_info, logtype_uams, "Bad Login ClearTxtUAM: no password for %s",
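Review bot: The rewritten crypt() check in passwd_changepw fails open and does not compile as written: `if ((p != NULL) && strcmp( p, pwd->pw_passwd ))) {` has one closing parenthesis too many, and once that is fixed a NULL return from crypt() makes the condition false, so the old-password check is skipped and execution continues into the new-password handling. The rejection has to cover both cases, `if (p == NULL || strcmp(p, pwd->pw_passwd) != 0) {`, and that branch should also clear `pwd->pw_passwd` before returning, because the added memset is only reached on success. The added `ret = AFPERR_NOTAUTH; goto exit;` relies on a `ret` variable and an `exit` label that the visible lines do not show (the neighbouring failure path uses a plain `return`), so that is worth confirming. Both passwd_changepw and passwd_printer continue outside their hunks.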