+++ /dev/null
-Make IKSD authentication (using PAM) ask for a password when an
-invalid username has been given, to avoid disclosing which account
-names are valid. See #417247.
---- ckermit-211.orig/ckufio.c
-+++ ckermit-211/ckufio.c
-@@ -490,6 +490,9 @@
- static char guestpass[GUESTPASS] = { NUL, NUL }; /* Anonymous "password" */
- static int logged_in = 0; /* Set when user is logged in */
- static int askpasswd = 0; /* Have OK user, must ask for passwd */
-+#ifdef CK_PAM
-+extern int gotemptypasswd;
-+#endif /* CK_PAM */
- #endif /* CK_LOGIN */
-
- #ifdef CKROOT
-@@ -8043,8 +8046,12 @@
- }
- }
- debug(F110,"zvpass","calling pam_authenticate",0);
-- if (*p)
-- pam_pw = p;
-+ if (*p
-+#ifdef CK_LOGIN
-+ || gotemptypasswd
-+#endif /* CK_LOGIN */
-+ )
-+ pam_pw = p;
- if ((pam_status = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
- reply = pam_strerror(pamh, pam_status);
- debug(F110,"zvpass PAM failure",reply,0);
---- ckermit-211.orig/ckuus7.c
-+++ ckermit-211/ckuus7.c
-@@ -98,6 +98,12 @@
-
- extern char * k_info_dir;
-
-+#ifdef CK_LOGIN
-+#ifdef CK_PAM
-+int gotemptypasswd = 0; /* distinguish empty passwd from none given */
-+#endif /* CK_PAM */
-+#endif /* CK_LOGIN */
-+
- #ifndef NOSPL
- extern int nmac;
- extern struct mtab *mactab;
-@@ -14656,9 +14662,9 @@
- #ifdef CK_RECALL
- extern int on_recall; /* around Password prompting */
- #endif /* CK_RECALL */
--#ifdef CK_PAM
-+#ifdef COMMENT
- extern int guest;
--#endif /* CK_PAM */
-+#endif /* COMMENT */
- int rprompt = 0; /* Restore prompt */
- #ifdef CKSYSLOG
- int savlog;
-@@ -14774,9 +14780,9 @@
- debug(F111,"ckxlogin zvuser",userid,ok);
-
- if (!*passwd && promptok
--#ifdef CK_PAM
-+#ifdef COMMENT
- && guest
--#endif /* CK_PAM */
-+#endif /* COMMENT */
- ) {
- char prmpt[80];
-
-@@ -14852,6 +14858,9 @@
- if (pflag) prompt(xxstring); /* Issue prompt if at top level */
- cmres(); /* Reset the parser */
- for (x = -1; x < 0;) { /* Prompt till they answer */
-+#ifdef CK_PAM
-+ gotemptypasswd=0;
-+#endif /* CK_PAM */
- x = cmtxt("","",&s,NULL); /* Get a literal line of text */
- if (x == -4 || x == -10) {
- printf("\r\n%sLogin cancelled\n",
-@@ -14861,6 +14870,10 @@
- #endif /* CKSYSLOG */
- doexit(GOOD_EXIT,0);
- }
-+#ifdef CK_PAM
-+ if(!*s)
-+ gotemptypasswd=1;
-+#endif /* CK_PAM */
- if (sstate) /* In case of a Kermit packet */
- goto XCKXLOG;
- cmres(); /* Reset the parser again */
-@@ -14895,6 +14908,12 @@
- if (ok) {
- ok = zvpass((char *)passwd); /* Check password */
- debug(F101,"ckxlogin zvpass","",ok);
-+#ifdef CK_PAM
-+ } else {
-+ /* Fake pam password failure for nonexistent users */
-+ sleep(1);
-+ printf("Authentication failure\n");
-+#endif
- }
-
- if (ok > 0 && isguest) {