* src/login.c: Erase the username later since it it used for the

fake password check (in case of empty password).

ChangeLog

@@ -8,6 +8,8 @@
 	* src/login.c: Make sure a username is specified with -f.
 	* src/login.c: Explicitly tag the end of the #ifdef RLOGIN
 	sections.
+	* src/login.c: Erase the username later since it it used for the
+	fake password check (in case of empty password).
 
 2008-09-20  Nicolas François  <nicolas.francois@centraliens.net>
 

src/login.c

@@ -975,14 +975,13 @@ int main (int argc, char **argv)
 			failent.ut_type = USER_PROCESS;
 			failtmp (&failent);
 		}
-		free (username);
-		username = NULL;
 
 		retries--;
 		if (retries <= 0) {
 			SYSLOG ((LOG_CRIT, "REPEATED login failures%s",
 			         fromhost));
 		}
+
 		/*
 		 * If this was a passwordless account and we get here, login
 		 * was denied (securetty, faillog, etc.). There was no
@@ -994,6 +993,13 @@ int main (int argc, char **argv)
 			pw_auth ("!", username, reason, (char *) 0);
 		}
 
+		/*
+		 * Authentication of this user failed.
+		 * The username must be confirmed in the next try.
+		 */
+		free (username);
+		username = NULL;
+
 		/*
 		 * Wait a while (a la SVR4 /usr/bin/login) before attempting
 		 * to login the user again. If the earlier alarm occurs