Make IKSD authentication (using PAM) ask for a password when an invalid username has been given, to avoid disclosing which account names are valid. See #417247.
--- ckermit-211.orig/ckufio.c
+++ ckermit-211/ckufio.c
@@ -490,6 +490,9 @@
 static char guestpass[GUESTPASS] = { NUL, NUL }; /* Anonymous "password" */
 static int logged_in = 0; /* Set when user is logged in */
 static int askpasswd = 0; /* Have OK user, must ask for passwd */
+#ifdef CK_PAM
+extern int gotemptypasswd;
+#endif /* CK_PAM */
 #endif /* CK_LOGIN */
 #ifdef CKROOT
@@ -8043,8 +8046,12 @@
 }
 }
 debug(F110,"zvpass","calling pam_authenticate",0);
- if (*p)
- pam_pw = p;
+ if (*p
+#ifdef CK_LOGIN
+ || gotemptypasswd
+#endif /* CK_LOGIN */
+ )
+ pam_pw = p;
 if ((pam_status = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
 reply = pam_strerror(pamh, pam_status);
 debug(F110,"zvpass PAM failure",reply,0);
--- ckermit-211.orig/ckuus7.c
+++ ckermit-211/ckuus7.c
@@ -98,6 +98,12 @@
 extern char * k_info_dir;
+#ifdef CK_LOGIN
+#ifdef CK_PAM
+int gotemptypasswd = 0; /* distinguish empty passwd from none given */
+#endif /* CK_PAM */
+#endif /* CK_LOGIN */
+
 #ifndef NOSPL
 extern int nmac;
 extern struct mtab *mactab;
@@ -14656,9 +14662,9 @@
 #ifdef CK_RECALL
 extern int on_recall; /* around Password prompting */
 #endif /* CK_RECALL */
-#ifdef CK_PAM
+#ifdef COMMENT
 extern int guest;
-#endif /* CK_PAM */
+#endif /* COMMENT */
 int rprompt = 0; /* Restore prompt */
 #ifdef CKSYSLOG
 int savlog;
@@ -14774,9 +14780,9 @@
 debug(F111,"ckxlogin zvuser",userid,ok);
 if (!*passwd && promptok
-#ifdef CK_PAM
+#ifdef COMMENT
 && guest
-#endif /* CK_PAM */
+#endif /* COMMENT */
 ) {
 char prmpt[80];
@@ -14852,6 +14858,9 @@
 if (pflag) prompt(xxstring); /* Issue prompt if at top level */
 cmres(); /* Reset the parser */
 for (x = -1; x < 0;) { /* Prompt till they answer */
+#ifdef CK_PAM
+ gotemptypasswd=0;
+#endif /* CK_PAM */
 x = cmtxt("","",&s,NULL); /* Get a literal line of text */
 if (x == -4 || x == -10) {
 printf("\r\n%sLogin cancelled\n",
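Review bot: The new `gotemptypasswd` test in zvpass (ckufio.c hunk at line 8043) is guarded by `#ifdef CK_LOGIN`, while the extern added in the hunk at line 490 sits under `#ifdef CK_PAM` and the definition in ckuus7.c (hunk at line 98) is under both; three spellings of the same condition are easy to drift apart and a mismatch surfaces only as a link error in some build configurations. Since the symbol exists only when both macros are set, guarding the use with `#if defined(CK_LOGIN) && defined(CK_PAM)` (or the same nested pair used for the definition) keeps the three sites in lockstep. When the flag is set, `pam_pw` is pointed at an empty string, presumably so the PAM conversation supplies "" instead of prompting again; a comment on the `if` such as `/* empty password typed: give PAM "" rather than prompting again */` would record that intent. zvpass begins and ends outside the hunk.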
@@ -14861,6 +14870,10 @@
 #endif /* CKSYSLOG */
 doexit(GOOD_EXIT,0);
 }
+#ifdef CK_PAM
+ if(!*s)
+ gotemptypasswd=1;
+#endif /* CK_PAM */
 if (sstate) /* In case of a Kermit packet */
 goto XCKXLOG;
 cmres(); /* Reset the parser again */
@@ -14895,6 +14908,12 @@
 if (ok) {
 ok = zvpass((char *)passwd); /* Check password */
 debug(F101,"ckxlogin zvpass","",ok);
+#ifdef CK_PAM
+ } else {
+ /* Fake pam password failure for nonexistent users */
+ sleep(1);
+ printf("Authentication failure\n");
+#endif
 }
 if (ok > 0 && isguest) {
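Review bot: `if(!*s)` and `gotemptypasswd=1;` in the hunk at line 14861 do not follow the spacing of the surrounding lines (`if (x == -4 || x == -10)`, `x = cmtxt(...)`); write them as `if (!*s)` and `gotemptypasswd = 1;`. The flag is file-scope state that is cleared only at the top of the prompt loop (hunk at line 14852), so a value of 1 left by one login attempt can still be set when a later ckxlogin call reaches zvpass without prompting (the `!*passwd && promptok` branch not taken); whether that path can be reached with an empty password is not visible here, but clearing the flag at ckxlogin entry as well would remove the question. ckxlogin starts and ends outside the hunk.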
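Review bot: The fake failure for unknown users in the hunk at line 14895 prints a hard-coded `Authentication failure` after a fixed `sleep(1)`, whereas the genuine failure path in zvpass (ckufio.c, after `pam_strerror`) produces its own reply text and whatever delay PAM imposes, so the two outcomes only stop disclosing whether the account exists if their wording and timing actually match; worth checking the real failure output and reusing the same string and delay rather than a second copy here. The other messages in this function start with `\r\n` (`printf("\r\n%sLogin cancelled\n", ...)` in the hunk at line 14852), so if the line is in raw mode a bare `\n` may leave the cursor mid-line; `printf("\r\nAuthentication failure\r\n");` matches the existing pattern. The closing `#endif` also lacks the `/* CK_PAM */` tag that every other directive in the patch carries. ckxlogin continues outside the hunk.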