* src/login.c: Erase the username later since it is used for the
authornekral-guest <nekral-guest@5a98b0ae-9ef6-0310-add3-de5d479b70d7>
Sat, 20 Sep 2008 20:05:22 +0000 (20:05 +0000)
committernekral-guest <nekral-guest@5a98b0ae-9ef6-0310-add3-de5d479b70d7>
Sat, 20 Sep 2008 20:05:22 +0000 (20:05 +0000)
fake password check (in case of empty password).

ChangeLog
src/login.c

index c590ac646900456dc2cb7f2a9af69840c6d4d5d7..586a5be27f5d0ac954a94b00b3bbd1888deb2611 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,8 @@
        * src/login.c: Make sure a username is specified with -f.
        * src/login.c: Explicitly tag the end of the #ifdef RLOGIN
        sections.
+       * src/login.c: Erase the username later since it it used for the
+       fake password check (in case of empty password).
 
 2008-09-20  Nicolas François  <nicolas.francois@centraliens.net>
 
index 4a9cab013491c56f6c1471521bd6849a984c8353..eb50082510b3963360f0bef81deed22e56a9868e 100644 (file)
@@ -975,14 +975,13 @@ int main (int argc, char **argv)
                        failent.ut_type = USER_PROCESS;
                        failtmp (&failent);
                }
-               free (username);
-               username = NULL;
 
                retries--;
                if (retries <= 0) {
                        SYSLOG ((LOG_CRIT, "REPEATED login failures%s",
                                 fromhost));
                }
+
                /*
                 * If this was a passwordless account and we get here, login
                 * was denied (securetty, faillog, etc.). There was no
@@ -994,6 +993,13 @@ int main (int argc, char **argv)
                        pw_auth ("!", username, reason, (char *) 0);
                }
 
+               /*
+                * Authentication of this user failed.
+                * The username must be confirmed in the next try.
+                */
+               free (username);
+               username = NULL;
+
                /*
                 * Wait a while (a la SVR4 /usr/bin/login) before attempting
                 * to login the user again. If the earlier alarm occurs
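Review bot: The comment added above `free (username);` says why the name is cleared but not why it must be cleared at this point, which is the reason for the commit. `pw_auth ("!", username, reason, (char *) 0);` a few lines up still reads `username` for the fake password prompt on passwordless accounts, and before this change the pointer had already been set to NULL when that call ran. I would add a line to the comment such as `* Do this only after the fake pw_auth() call above, which still reads username.` so that a later cleanup does not move the free back up. The enclosing block in main() starts and ends outside the hunk, so other readers of `username` between this point and the next prompt cannot be checked from here.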