1 Make IKSD authentication (using PAM) ask for a password when an
2 invalid username has been given, to avoid disclosing which account
3 names are valid. See #417247.
4 --- ckermit-211.orig/ckufio.c
5 +++ ckermit-211/ckufio.c
7 static char guestpass[GUESTPASS] = { NUL, NUL }; /* Anonymous "password" */
8 static int logged_in = 0; /* Set when user is logged in */
9 static int askpasswd = 0; /* Have OK user, must ask for passwd */
11 +extern int gotemptypasswd;
16 @@ -8043,8 +8046,12 @@
19 debug(F110,"zvpass","calling pam_authenticate",0);
25 +#endif /* CK_LOGIN */
28 if ((pam_status = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
29 reply = pam_strerror(pamh, pam_status);
30 debug(F110,"zvpass PAM failure",reply,0);
31 --- ckermit-211.orig/ckuus7.c
32 +++ ckermit-211/ckuus7.c
35 extern char * k_info_dir;
39 +int gotemptypasswd = 0; /* distinguish empty passwd from none given */
41 +#endif /* CK_LOGIN */
45 extern struct mtab *mactab;
46 @@ -14656,9 +14662,9 @@
48 extern int on_recall; /* around Password prompting */
49 #endif /* CK_RECALL */
55 int rprompt = 0; /* Restore prompt */
58 @@ -14774,9 +14780,9 @@
59 debug(F111,"ckxlogin zvuser",userid,ok);
61 if (!*passwd && promptok
70 @@ -14852,6 +14858,9 @@
71 if (pflag) prompt(xxstring); /* Issue prompt if at top level */
72 cmres(); /* Reset the parser */
73 for (x = -1; x < 0;) { /* Prompt till they answer */
77 x = cmtxt("","",&s,NULL); /* Get a literal line of text */
78 if (x == -4 || x == -10) {
79 printf("\r\n%sLogin cancelled\n",
80 @@ -14861,6 +14870,10 @@
88 if (sstate) /* In case of a Kermit packet */
90 cmres(); /* Reset the parser again */
91 @@ -14895,6 +14908,12 @@
93 ok = zvpass((char *)passwd); /* Check password */
94 debug(F101,"ckxlogin zvpass","",ok);
97 + /* Fake pam password failure for nonexistent users */
99 + printf("Authentication failure\n");
103 if (ok > 0 && isguest) {
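Review bot: The hard-coded `printf("Authentication failure\n");` on the fake-failure branch for nonexistent users may still be distinguishable from a genuine rejection, which would leak the account validity this patch sets out to hide. In the ckufio.c hunk the real failure text comes from `reply = pam_strerror(pamh, pam_status)`, so the two outputs match only when PAM returns exactly that string, and this branch presumably also skips whatever failure delay and PAM-side logging a real `pam_authenticate` rejection incurs. I would report both cases through one shared failure path (same text and line ending) and, where feasible, still drive a PAM call for unknown names so timing and audit records line up. A trace line such as `debug(F110,"ckxlogin","simulated auth failure for unknown user",0);` on this branch would keep these attempts visible when debugging. Several lines of this hunk are not visible here, so the condition guarding the branch should be checked against the full patch.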