From c8d2175981bb7dd96ebc4541d33f7a3f1083efea Mon Sep 17 00:00:00 2001
From: nekral-guest
Date: Sat, 20 Sep 2008 20:05:22 +0000
Subject: [PATCH] * src/login.c: Erase the username later since it it used for the fake password check (in case of empty password).
---
 ChangeLog | 2 ++
 src/login.c | 10 ++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index c590ac64..586a5be2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,8 @@
 * src/login.c: Make sure a username is specified with -f.
 * src/login.c: Explicitly tag the end of the #ifdef RLOGIN sections.
+ * src/login.c: Erase the username later since it it used for the
+ fake password check (in case of empty password).
 2008-09-20 Nicolas François
diff --git a/src/login.c b/src/login.c
index 4a9cab01..eb500825 100644
--- a/src/login.c
+++ b/src/login.c
@@ -975,14 +975,13 @@ int main (int argc, char **argv)
 failent.ut_type = USER_PROCESS;
 failtmp (&failent);
 }
- free (username);
- username = NULL;
 retries--;
 if (retries <= 0) {
 SYSLOG ((LOG_CRIT, "REPEATED login failures%s", fromhost));
 }
+
 /*
 * If this was a passwordless account and we get here, login
 * was denied (securetty, faillog, etc.). There was no
@@ -994,6 +993,13 @@ int main (int argc, char **argv)
 pw_auth ("!", username, reason, (char *) 0);
 }
+ /*
+ * Authentication of this user failed.
+ * The username must be confirmed in the next try.
+ */
+ free (username);
+ username = NULL;
+
 /*
 * Wait a while (a la SVR4 /usr/bin/login) before attempting
 * to login the user again. If the earlier alarm occurs
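Review bot: The comment added above `free (username);` in the second src/login.c hunk says why the name is dropped but not why it has to be dropped at this point, which is the ordering this commit fixes: the fake check `pw_auth ("!", username, reason, (char *) 0);` just before it still reads `username`, and with the old placement that call appears to have been handed a NULL name. I would record the constraint in the comment itself, for example by adding the line `* Keep this after the fake pw_auth() call above, which still reads username.`, so that a later cleanup does not move the free back up and turn the passwordless-account path into a NULL or freed-pointer read again. The `if` that encloses the `pw_auth` call and the rest of the retry loop lie outside the hunk, so whether every path from the old location reaches the new `free` cannot be confirmed from here.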