diff -up Linux-PAM-1.1.6/configure.in.tty-audit-echo Linux-PAM-1.1.6/configure.in
--- Linux-PAM-1.1.6/configure.in.tty-audit-echo 2013-08-07 15:41:08.245745447 +0200
+++ Linux-PAM-1.1.6/configure.in 2013-08-07 18:13:04.358958936 +0200
@@ -386,6 +386,10 @@ if test x"$WITH_LIBAUDIT" != xno ; then
 fi
 if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
 AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
+
+ AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [],
+ AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]),
+ [[#include ]])
 fi
 else
 LIBAUDIT=""
diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml
--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml 2013-08-07 18:08:55.310028229 +0200
@@ -77,6 +77,19 @@
+
+
+
+
+
+
+ Log keystrokes when ECHO mode is off but ICANON mode is active.
+ This is the mode in which the tty is placed during password entry.
+ By default, passwords are not logged. This option may not be
+ available on older kernels (3.9?).
+
+
+
@@ -161,6 +174,8 @@ session required pam_tty_audit.so disabl
 pam_tty_audit was written by Miloslav Trmač <mitr@redhat.com>.
+ The log_passwd option was added by Richard Guy Briggs
+ <rgb@redhat.com>.
diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c
--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c 2013-08-07 18:09:29.428694493 +0200
@@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh,
 struct audit_tty_status *old_status, new_status;
 const char *user;
 int i, fd, open_only;
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ int log_passwd;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
 (void)flags;
@@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh,
 command = CMD_NONE;
 open_only = 0;
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 0;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
 for (i = 0; i < argc; i++)
 {
 if (strncmp (argv[i], "enable=", 7) == 0
@@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh,
 }
 else if (strcmp (argv[i], "open_only") == 0)
 open_only = 1;
+ else if (strcmp (argv[i], "log_passwd") == 0)
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 1;
+#else /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ pam_syslog (pamh, LOG_WARNING,
+ "The log_passwd option was not available at compile time.");
+#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel."
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
 else
 {
 pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh,
 }
 new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
- if (old_status->enabled == new_status.enabled)
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ new_status.log_passwd = log_passwd;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ if (old_status->enabled == new_status.enabled
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ && old_status->log_passwd == new_status.log_passwd
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ )
 {
 open_only = 1; /* to clean up old_status */
 goto ok_fd;
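Review bot: The `#warning` in the `#else` arm of the new `log_passwd` branch fires on every build whose headers lack the member, whether or not any PAM configuration uses the option. It duplicates the AC_MSG_WARN that configure already prints and becomes a build failure under `-Werror`, so I would drop that line and keep only the runtime `pam_syslog`. The branch is also an unbraced `else if` whose single statement is chosen by the preprocessor, which is easy to break on a later edit; wrapping both arms in `{ ... }` keeps the chain intact. Because the unsupported case only logs at LOG_WARNING and carries on while an unknown option is logged at LOG_ERR, a comment such as `/* Option accepted but ignored: session opens without password-entry logging. */` would record that the downgrade is deliberate. The option loop and the rest of pam_sm_open_session lie outside the hunk.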
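Review bot: `new_status.log_passwd = log_passwd;` is assigned regardless of `command`, so a session that resolves to disable still requests the password-logging flag when the option is present, and the widened equality check then no longer takes the early `goto ok_fd` for it. Tying the flag to the enable decision, `new_status.log_passwd = (command == CMD_ENABLE ? log_passwd : 0);`, keeps keystrokes typed with ECHO off out of scope unless auditing is actually on for that user. Separately, the `#ifdef` only proves that the build headers have the member; whether `old_status->log_passwd` is populated on a kernel that predates it depends on the receive code, which is not in this diff, so that path should be confirmed. The function continues past the end of the hunk.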