From 7add4b0812ff7b37857c5d6ce32b13cd08bd3d4b Mon Sep 17 00:00:00 2001
From: Ørjan Malde
Date: May 08 2019 11:02:50 +0000
Subject: don't request password if -i / --init is specified
---
diff --git a/login.c b/login.c
index 94893aa..bcd5ac2 100644
--- a/login.c
+++ b/login.c
@@ -122,9 +122,9 @@ int main(int argc, char **argv)
 }
 pwd = getpwnam(username);
- char* pw = getpass("Password: ");
 if(pwd) {
 if(!iflag) {
+ char* pw = getpass("Password: ");
 if(!(*pwd->pw_passwd == '\0' && !strlen(pw))) {
 char* pw_encrypted = crypt(pw, pwd->pw_passwd);
 if(!timingsafe_memcmp(pw_encrypted, pwd->pw_passwd, strlen(pw_encrypted))) {
@@ -132,16 +132,18 @@ int main(int argc, char **argv)
 explicit_bzero(pw, strlen(pw));
 exit(1);
 }
+ explicit_bzero(pw, strlen(pw));
 }
 }
 } else {
- /* user doesn't exist, bail */
+ /* asking for password even if the user is not found, no /etc/passwd is found, etc. */
+ /* this stops easy probing for accounts */
+ char* pw = getpass("Password: ");
 puts("Login incorrect.");
 explicit_bzero(pw, strlen(pw));
 exit(1);
 }
- explicit_bzero(pw, strlen(pw));
 endpwent();
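Review bot: The `char* pw = getpass("Password: ");` added inside `if(!iflag)` is never checked for NULL before the `strlen(pw)` on the following context line, and getpass() returns NULL when it cannot read a password (EOF on the terminal, no controlling tty), so that path would fault instead of failing closed; add `if (!pw) { puts("Login incorrect."); exit(1); }` directly after the call. The getpass() call added in the else branch of the second hunk has the same gap and takes the same fix. Moving the prompt under `if(!iflag)` also means that with `-i` an existing user is never prompted while an unknown user still is, so the presence of the prompt reveals whether the account exists; whether that matters depends on whether `-i` can be requested by an untrusted caller, which this hunk does not show, but it cuts against the anti-probing comment added in the second hunk. Separately, under the usual timingsafe_memcmp() contract (0 on equality) the sense of the pre-existing `if(!timingsafe_memcmp(...))` condition is worth confirming against the line hidden between the two hunks. main() starts and ends outside the hunk.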