Don't log the password in pam_sm_authenticate() unless DEBUG_PASSWORD is

defined.  This is done with --enable-developer mode.
(This used to be commit caff5dc1d66953cb52f94cd6407778b23e1810eb)

diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index b3dea202c2c5efd04c2c5b03a308ae581ca87d44..7cb2cd8bf1e1dc67b6b9480a24f8ce5ecf3c8baa 100644 (file)
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -256,10 +256,18 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
         return PAM_AUTHTOK_ERR;
      }
      
-     if (ctrl & PAM_DEBUG_ARG)
+     if (ctrl & PAM_DEBUG_ARG) {
+
+            /* Let's not give too much away in the log file */
+
+#ifdef DEBUG_PASSWORD
         _pam_log(LOG_INFO, "Verify user `%s' with password `%s'",
                  username, password);
-     
+#else
+        _pam_log(LOG_INFO, "Verify user `%s'", username);
+#endif
+     }
+
      /* Now use the username to look up password */
      retval = user_lookup(username, password);
      switch (retval) {