diff --git a/ChangeLog b/ChangeLog
index 37463eb4..de02729a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2009-04-20 Nicolas François
+
+ * src/login.c: Open the PAM session before pam_setcred and before
+ initgroups. This is more consistent with rfc86.0.
+
 2009-04-20 Nicolas François
 
 * src/login.c: Added helper functions get_pam_user() and
diff --git a/src/login.c b/src/login.c
index 7a05d2d4..a5a0063a 100644
--- a/src/login.c
+++ b/src/login.c
@@ -849,6 +849,11 @@ int main (int argc, char **argv)
 }
 PAM_FAIL_CHECK;
 
+ /* Open the PAM session */
+ get_pam_user (&pam_user);
+ retcode = pam_open_session (pamh, hushed (pam_user) ? PAM_SILENT : 0);
+ PAM_FAIL_CHECK;
+
 /* Grab the user information out of the password file for future usage
 * First get the username that we are actually using, though.
 *
@@ -880,9 +885,9 @@ int main (int argc, char **argv)
 
 retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
 PAM_FAIL_CHECK;
-
- retcode = pam_open_session (pamh, hushed (username) ? PAM_SILENT : 0);
- PAM_FAIL_CHECK;
+ /* NOTE: If pam_setcred changes PAM_USER, this will not be taken
+ * into account.
+ */
 
 #else /* ! USE_PAM */
 while (true) { /* repeatedly get login/password pairs */
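Review bot: Once `pam_open_session` succeeds at the added call, every later failure path in `main` runs with a session already open, and nothing in the visible lines closes it. That covers the password-file lookup that follows, and the initgroups and `pam_setcred` steps further down. Those paths lie outside this hunk, so they need checking there: each should call `pam_close_session (pamh, 0)` before the PAM transaction is ended, otherwise session modules that mount, create or register something never get their close hook. It is also worth confirming that `get_pam_user` cannot leave `pam_user` NULL before it is handed to `hushed`; that helper is defined outside the hunk.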
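Review bot: With the session now opened earlier, `pam_setcred (pamh, PAM_ESTABLISH_CRED)` in this hunk runs after `pam_open_session`. As I read Linux-PAM's pam_setcred(3), it describes the reverse order, credentials first and then the session, so session modules that expect established credentials may behave differently. The added NOTE says a PAM_USER change made by `pam_setcred` is ignored, but not what follows from that: the session, the passwd entry and the groups were all set up for the earlier name. I would extend the comment with a line such as `* The session, pwd and groups above belong to the earlier PAM_USER.`, and consider refusing the login when the name differs after this call. The enclosing `USE_PAM` block starts outside the hunk.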