path: root/modules/pam_tty_audit/pam_tty_audit.8.xml
diff options
authorRichard Guy Briggs <>2013-06-21 08:29:00 -0400
committerDmitry V. Levin <>2013-06-21 21:36:20 +0000
commit333686501468f66160c8eb50ae23f1dc08b82e12 (patch)
treea6adc46e5ecddac9bea683f4b0ffb0db6621978f /modules/pam_tty_audit/pam_tty_audit.8.xml
parent43a69398c33f8580c5925953fa7ee561666d8e33 (diff)
pam_tty_audit: add an option to control logging of passwords: log_passwd
Most commands are entered one line at a time and processed as complete lines in non-canonical mode. Commands that interactively require a password, enter canonical mode with echo set to off to do this. This feature (icanon and !echo) can be used to avoid logging passwords by audit while still logging the rest of the command. Adding a member to the struct audit_tty_status passed in by pam_tty_audit allows control of logging passwords per task. * autoconf bits to conditionally add support at compile time depending on struct audit_tty_status kernel header version. * modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module log_passwd option. * modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added "log_passwd" option parsing. Signed-off-by: Richard Guy Briggs <>
Diffstat (limited to 'modules/pam_tty_audit/pam_tty_audit.8.xml')
1 files changed, 15 insertions, 0 deletions
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
index 447b8454..552353ce 100644
--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
@@ -77,6 +77,19 @@
+ <varlistentry>
+ <term>
+ <option>log_passwd</option>
+ </term>
+ <listitem>
+ <para>
+ Log keystrokes when ECHO mode is off but ICANON mode is active.
+ This is the mode in which the tty is placed during password entry.
+ By default, passwords are not logged. This option may not be
+ available on older kernels (3.9?).
+ </para>
+ </listitem>
+ </varlistentry>
@@ -161,6 +174,8 @@ session required disable=* enable=root
pam_tty_audit was written by Miloslav Trma&ccaron;
+ The log_passwd option was added by Richard Guy Briggs
+ &lt;;.