===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/readpass.c,v
retrieving revision 1.52
retrieving revision 1.53
diff -u -r1.52 -r1.53
--- src/usr.bin/ssh/readpass.c	2018/07/18 11:34:04	1.52
+++ src/usr.bin/ssh/readpass.c	2019/01/19 04:15:56	1.53
@@ -1,4 +1,4 @@
-/* $OpenBSD: readpass.c,v 1.52 2018/07/18 11:34:04 dtucker Exp $ */
+/* $OpenBSD: readpass.c,v 1.53 2019/01/19 04:15:56 tb Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -114,7 +114,7 @@
 char *
 read_passphrase(const char *prompt, int flags)
 {
-	char *askpass = NULL, *ret, buf[1024];
+	char cr = '\r', *askpass = NULL, *ret, buf[1024];
 	int rppflags, use_askpass = 0, ttyfd;
 
 	rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF;
@@ -128,9 +128,16 @@
 	} else {
 		rppflags |= RPP_REQUIRE_TTY;
 		ttyfd = open(_PATH_TTY, O_RDWR);
-		if (ttyfd >= 0)
+		if (ttyfd >= 0) {
+			/*
+			 * If we're on a tty, ensure that show the prompt at
+			 * the beginning of the line. This will hopefully
+			 * clobber any password characters the user has
+			 * optimistically typed before echo is disabled.
+			 */
+			(void)write(ttyfd, &cr, 1);
 			close(ttyfd);
-		else {
+		} else {
 			debug("read_passphrase: can't open %s: %s", _PATH_TTY,
 			    strerror(errno));
 			use_askpass = 1;