--- /dev/null
+Make IKSD authentication (using PAM) ask for a password when an
+invalid username has been given, to avoid disclosing which account
+names are valid. See #417247.
+--- ckermit-211.orig/ckufio.c
++++ ckermit-211/ckufio.c
+@@ -490,6 +490,9 @@
+ static char guestpass[GUESTPASS] = { NUL, NUL }; /* Anonymous "password" */
+ static int logged_in = 0; /* Set when user is logged in */
+ static int askpasswd = 0; /* Have OK user, must ask for passwd */
++#ifdef CK_PAM
++extern int gotemptypasswd;
++#endif /* CK_PAM */
+ #endif /* CK_LOGIN */
+
+ #ifdef CKROOT
+@@ -8043,8 +8046,12 @@
+ }
+ }
+ debug(F110,"zvpass","calling pam_authenticate",0);
+- if (*p)
+- pam_pw = p;
++ if (*p
++#ifdef CK_LOGIN
++ || gotemptypasswd
++#endif /* CK_LOGIN */
++ )
++ pam_pw = p;
+ if ((pam_status = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
+ reply = pam_strerror(pamh, pam_status);
+ debug(F110,"zvpass PAM failure",reply,0);
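Review bot: The new `|| gotemptypasswd` test reads a global that this patch clears only inside the password prompt loop in ckuus7.c, so a call that reaches this point without passing through that prompt sees whatever the previous prompt left behind. Whether such a path exists is not visible in the diff, but a stale 1 would hand PAM an empty password that nobody typed. Clearing the flag where a login attempt begins, or with `gotemptypasswd = 0;` once `pam_authenticate` has returned, would tie it to a single attempt. The test is also guarded by `CK_LOGIN`, while the declaration and definition sit under `CK_PAM` nested in `CK_LOGIN`; `#ifdef CK_PAM` here would match them, assuming this code is already PAM-only. The enclosing function starts and ends outside the hunk.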
+--- ckermit-211.orig/ckuus7.c
++++ ckermit-211/ckuus7.c
+@@ -98,6 +98,12 @@
+
+ extern char * k_info_dir;
+
++#ifdef CK_LOGIN
++#ifdef CK_PAM
++int gotemptypasswd = 0; /* distinguish empty passwd from none given */
++#endif /* CK_PAM */
++#endif /* CK_LOGIN */
++
+ #ifndef NOSPL
+ extern int nmac;
+ extern struct mtab *mactab;
+@@ -14656,9 +14662,9 @@
+ #ifdef CK_RECALL
+ extern int on_recall; /* around Password prompting */
+ #endif /* CK_RECALL */
+-#ifdef CK_PAM
++#ifdef COMMENT
+ extern int guest;
+-#endif /* CK_PAM */
++#endif /* COMMENT */
+ int rprompt = 0; /* Restore prompt */
+ #ifdef CKSYSLOG
+ int savlog;
+@@ -14774,9 +14780,9 @@
+ debug(F111,"ckxlogin zvuser",userid,ok);
+
+ if (!*passwd && promptok
+-#ifdef CK_PAM
++#ifdef COMMENT
+ && guest
+-#endif /* CK_PAM */
++#endif /* COMMENT */
+ ) {
+ char prmpt[80];
+
+@@ -14852,6 +14858,9 @@
+ if (pflag) prompt(xxstring); /* Issue prompt if at top level */
+ cmres(); /* Reset the parser */
+ for (x = -1; x < 0;) { /* Prompt till they answer */
++#ifdef CK_PAM
++ gotemptypasswd=0;
++#endif /* CK_PAM */
+ x = cmtxt("","",&s,NULL); /* Get a literal line of text */
+ if (x == -4 || x == -10) {
+ printf("\r\n%sLogin cancelled\n",
+@@ -14861,6 +14870,10 @@
+ #endif /* CKSYSLOG */
+ doexit(GOOD_EXIT,0);
+ }
++#ifdef CK_PAM
++ if(!*s)
++ gotemptypasswd=1;
++#endif /* CK_PAM */
+ if (sstate) /* In case of a Kermit packet */
+ goto XCKXLOG;
+ cmres(); /* Reset the parser again */
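Review bot: `if(!*s)` dereferences `s` before any check that `cmtxt` succeeded: only -4 and -10 are handled above it, and the `for (x = -1; x < 0;)` loop shows that other negative returns are expected. If `cmtxt` can return a negative code without storing through `&s`, this reads a pointer left over from an earlier iteration or one never set. `if (x >= 0 && !*s) gotemptypasswd = 1;` would limit the flag to a line that was actually read. The loop body continues outside the hunk.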
+@@ -14895,6 +14908,12 @@
+ if (ok) {
+ ok = zvpass((char *)passwd); /* Check password */
+ debug(F101,"ckxlogin zvpass","",ok);
++#ifdef CK_PAM
++ } else {
++ /* Fake pam password failure for nonexistent users */
++ sleep(1);
++ printf("Authentication failure\n");
++#endif
+ }
+
+ if (ok > 0 && isguest) {
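Review bot: The fake failure in the new `else` branch stays distinguishable from a real one unless its delay and text match what the PAM path produces: there the delay comes from the PAM stack and the message from `pam_strerror`, while this branch uses a fixed `sleep(1)` and a hard-coded string. Since the stated goal is to hide which account names exist, both should come from the same source, for example by letting the failure for an unknown user come out of the same PAM call; how zvpass reports its failure to the user is outside this diff, so this needs checking. The branch also leaves no trace, so a line such as `debug(F110,"ckxlogin","unknown user, faking PAM failure",0);` plus whatever failed-login logging the real path gets would keep guessing attempts visible to operators. The closing `#endif` should carry `/* CK_PAM */` like the other guards in this patch.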