Hi folks,
There have been a couple of requests to add a switch to pam_tty_audit to
*not* log passwords when logging user commands.
Most commands are entered one line at a time and processed as complete
lines in non-canonical mode. Commands that interactively require a
password enter canonical mode to do this. This feature (icanon) can be
used to avoid logging passwords by audit while still logging the rest of
the command.
Adding a member to the struct audit_tty_status passed in by
pam_tty_audit allows control of canonical mode per task.
Note: The original patch added a sysctl to control this system-wide,
which did work fine as expected, but it was recommended to keep the
switch with the module invocation, turning it into a per-task switch.
This method has also been tested.
Here are two patches, the first to pam to add the switch to
the pam_tty_audit module. The second is to the kernel to add the
necessary bits in audit and tty:
pam_tty_audit: add an option to control logging of passwords
tty: add an option to control logging of passwords with pam_tty_audit
Please have a quick look and with some initial feedback I'll post them
upstream. I'd normally use git send-email and in-line it, but since
they were patches for two different entities, thought it best to do it
this way instead.
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635
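The distinction the mail relies on, shown from user space as an added illustration (this is not code from either posted patch, nor from the kernel's tty_audit.c or the pam_tty_audit module): a getpass()-style password prompt keeps the line discipline in canonical mode and only switches ECHO off, whereas a readline-style shell reads character by character in non-canonical mode. The helpers termios_is_canonical(), tty_audit_should_log() and the two *_prompt_mode() functions are names chosen for this example, and tty_audit_should_log() is a user-space model of the per-task rule described above (skip canonical-mode input unless the task's log_passwd switch is set), not the kernel's actual decision code.

```c
/* Added example: user-space model of the canonical-mode / log_passwd
 * rule described in the mail. Function names here are assumptions for
 * illustration; they do not reproduce the posted kernel or PAM patches. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* True when the line discipline is in canonical (line-at-a-time) mode,
 * i.e. the ICANON flag is set in the local modes. */
bool termios_is_canonical(const struct termios *t)
{
    return (t->c_lflag & ICANON) != 0;
}

/* Model of the per-task switch: canonical-mode input is treated as a
 * probable password and skipped unless log_passwd is on; non-canonical
 * input (readline-style command editing) is always logged. This mirrors
 * the behaviour the mail describes, not the kernel's exact code. */
bool tty_audit_should_log(bool icanon, bool log_passwd)
{
    if (icanon && !log_passwd)
        return false;
    return true;
}

/* Put fd into the state a getpass()-style prompt uses: canonical mode
 * stays on (so the tty layer sees ICANON) and only echo is disabled.
 * The previous settings are saved into *saved for restoration. */
int set_password_prompt_mode(int fd, struct termios *saved)
{
    struct termios t;
    if (tcgetattr(fd, saved) < 0)
        return -1;
    t = *saved;
    t.c_lflag |= ICANON;
    t.c_lflag &= ~(tcflag_t)ECHO;
    return tcsetattr(fd, TCSAFLUSH, &t);
}

/* Put fd into the state a line-editing shell uses: non-canonical,
 * one byte at a time, no echo (the editor redraws the line itself). */
int set_shell_prompt_mode(int fd, struct termios *saved)
{
    struct termios t;
    if (tcgetattr(fd, saved) < 0)
        return -1;
    t = *saved;
    t.c_lflag &= ~(tcflag_t)(ICANON | ECHO);
    t.c_cc[VMIN] = 1;
    t.c_cc[VTIME] = 0;
    return tcsetattr(fd, TCSAFLUSH, &t);
}

int main(void)
{
    struct termios saved, now;
    char buf[128];
    int fd = STDIN_FILENO;

    if (!isatty(fd)) {
        fprintf(stderr, "stdin is not a tty\n");
        return 1;
    }

    /* Read one line the way a password prompt would, then restore. */
    if (set_password_prompt_mode(fd, &saved) < 0)
        return 1;
    printf("Password (not echoed): ");
    fflush(stdout);
    if (fgets(buf, sizeof buf, stdin) == NULL)
        buf[0] = '\0';
    tcgetattr(fd, &now);
    printf("\nmode while reading: %s; modelled audit decision with "
           "log_passwd=0: %s\n",
           termios_is_canonical(&now) ? "canonical" : "non-canonical",
           tty_audit_should_log(termios_is_canonical(&now), false)
               ? "log" : "skip");
    tcsetattr(fd, TCSAFLUSH, &saved);
    memset(buf, 0, sizeof buf);   /* do not leave the secret in memory */

    /* Show the flag state a readline-style shell would present. */
    if (set_shell_prompt_mode(fd, &saved) < 0)
        return 1;
    tcgetattr(fd, &now);
    printf("shell-style mode: %s; modelled audit decision: %s\n",
           termios_is_canonical(&now) ? "canonical" : "non-canonical",
           tty_audit_should_log(termios_is_canonical(&now), false)
               ? "log" : "skip");
    tcsetattr(fd, TCSAFLUSH, &saved);
    return 0;
}
```

Run it on an interactive terminal; a practitioner testing the patches can use the same tcgetattr() check to confirm which mode a given prompt (sudo, su, ssh, a custom tool) actually leaves the tty in, since a program that reads its password in non-canonical mode would still be logged under this scheme regardless of the switch.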