1 files changed, 7 insertions, 2 deletions

diff --git a/auth-pam.c b/auth-pam.c
index b93241f48..147f4f8bb 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -185,6 +185,7 @@ static int sshpam_cred_established = 0;
 static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
 static Authctxt *sshpam_authctxt = NULL;
+static char badpw[] = "\b\n\r\177INCORRECT";
 static const char *sshpam_password = NULL;
 
 /* Some PAM implementations don't implement this */
@@ -696,7 +697,12 @@ sshpam_respond(void *ctx, u_int num, char **resp)
                 return (-1);
         }
         buffer_init(&buffer);
-        buffer_put_cstring(&buffer, *resp);
+        if (sshpam_authctxt->valid &&
+            (sshpam_authctxt->pw->pw_uid != 0 ||
+             options.permit_root_login == PERMIT_YES))
+                buffer_put_cstring(&buffer, *resp);
+        else
+                buffer_put_cstring(&buffer, badpw);
         if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
                 buffer_free(&buffer);
                 return (-1);
@@ -1075,7 +1081,6 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 {
         int flags = (options.permit_empty_passwd == 0 ?
             PAM_DISALLOW_NULL_AUTHTOK : 0);
-        static char badpw[] = "\b\n\r\177INCORRECT";
 
         if (!options.use_pam || sshpam_handle == NULL)
                 fatal("PAM: %s called when PAM disabled or failed to "