diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index 526d182b3..034276224 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -18,6 +18,7 @@ package auth
 
 import (
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"net"
 	"net/http"
@@ -123,12 +124,20 @@ func newUserPassAuth(arg string) (AuthMode, error) {
 	return mode, nil
 }
 
+// ErrNoAuth is returned when there is no configured authentication.
+var ErrNoAuth = errors.New("auth: no configured authentication")
+
 // FromConfig parses authConfig and accordingly sets up the AuthMode
 // that will be used for all upcoming authentication exchanges. The
 // supported modes are UserPass and DevAuth. UserPass requires an authConfig
 // of the kind "userpass:joe:ponies". If the CAMLI_ADVERTISED_PASSWORD
 // environment variable is defined, the mode will default to DevAuth.
+//
+// If the input string is empty, the error will be ErrNoAuth.
 func FromConfig(authConfig string) (AuthMode, error) {
+	if authConfig == "" {
+		return nil, ErrNoAuth
+	}
 	pieces := strings.SplitN(authConfig, ":", 2)
 	if len(pieces) < 1 {
 		return nil, fmt.Errorf("Invalid auth string: %q", authConfig)
diff --git a/pkg/client/config.go b/pkg/client/config.go
index 1090c8ada..c07777ae5 100644
--- a/pkg/client/config.go
+++ b/pkg/client/config.go
@@ -103,9 +103,11 @@ func (c *Client) SetupAuth() error {
 		// If using an explicit blobserver, don't use auth
 		// configured from the config file, so we don't send
 		// our password to a friend's blobserver.
-		log.Printf("Using explicit --server parameter; using auth from environment only.")
 		var err error
 		c.authMode, err = auth.FromEnv()
+		if err == auth.ErrNoAuth {
+			log.Printf("Using explicit --server parameter; not using config file auth, and no auth mode set in environment")
+		}
 		return err
 	}
 	return c.SetupAuthFromConfig(config)