diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am

--- Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am.pam-pwhistory-load-conf-from-file	2022-09-29 10:13:35.709355179 +0200

+++ Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am	2022-09-29 10:13:35.780355766 +0200

@@ -10,9 +10,10 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-

 TESTS = tst-pam_pwhistory

-man_MANS = pam_pwhistory.8 pwhistory_helper.8

+man_MANS = pam_pwhistory.8 pwhistory_helper.8 pwhistory.conf.5

-XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml

+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml \

+  pwhistory.conf.5.xml

 securelibdir = $(SECUREDIR)

 secureconfdir = $(SCONFIGDIR)

@@ -25,12 +26,14 @@ if HAVE_VERSIONING

   pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map

 endif

-noinst_HEADERS = opasswd.h

+noinst_HEADERS = opasswd.h pwhistory_config.h

+

+dist_secureconf_DATA = pwhistory.conf

 securelib_LTLIBRARIES = pam_pwhistory.la

 pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)

 pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@

-pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c

+pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c pwhistory_config.c

 sbin_PROGRAMS = pwhistory_helper

 pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@

diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml

--- Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml.pam-pwhistory-load-conf-from-file	2017-02-10 11:10:15.000000000 +0100

+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml	2022-09-29 10:13:35.780355766 +0200

@@ -36,6 +36,9 @@

       <arg choice="opt">

         authtok_type=<replaceable>STRING</replaceable>

       </arg>

+      <arg choice="opt">

+	      conf=<replaceable>/path/to/config-file</replaceable>

+      </arg>

     </cmdsynopsis>

   </refsynopsisdiv>

@@ -104,7 +107,7 @@

         <listitem>

           <para>

             The last <replaceable>N</replaceable> passwords for each

-            user are saved in <filename>/etc/security/opasswd</filename>.

+            user are saved.

             The default is <emphasis>10</emphasis>. Value of

             <emphasis>0</emphasis> makes the module to keep the existing

             contents of the <filename>opasswd</filename> file unchanged.

@@ -137,7 +140,26 @@

           </listitem>

         </varlistentry>

+        <varlistentry>

+          <term>

+            <option>conf=<replaceable>/path/to/config-file</replaceable></option>

+          </term>

+          <listitem>

+            <para>

+              Use another configuration file instead of the default

+              <filename>/etc/security/pwhistory.conf</filename>.

+            </para>

+          </listitem>

+        </varlistentry>

+

     </variablelist>

+    <para>

+      The options for configuring the module behavior are described in the

+      <citerefentry><refentrytitle>pwhistory.conf</refentrytitle>

+      <manvolnum>5</manvolnum></citerefentry> manual page. The options

+      specified on the module command line override the values from the

+      configuration file.

+    </para>

   </refsect1>

   <refsect1 id="pam_pwhistory-types">

@@ -223,6 +245,9 @@ password     required       pam_unix.so

     <title>SEE ALSO</title>

     <para>

       <citerefentry>

+	<refentrytitle>pwhistory.conf</refentrytitle><manvolnum>5</manvolnum>

+      </citerefentry>,

+      <citerefentry>

 	<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>

       </citerefentry>,

       <citerefentry>

diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c

--- Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c.pam-pwhistory-load-conf-from-file	2022-09-29 10:13:35.711355195 +0200

+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c	2022-09-29 10:13:35.780355766 +0200

@@ -62,18 +62,11 @@

 #include <security/_pam_macros.h>

 #include "opasswd.h"

+#include "pwhistory_config.h"

 #define DEFAULT_BUFLEN 2048

 #define MAX_FD_NO 20000

-struct options_t {

-  int debug;

-  int enforce_for_root;

-  int remember;

-  int tries;

-};

-typedef struct options_t options_t;

-

 static void

 parse_option (pam_handle_t *pamh, const char *argv, options_t *options)

@@ -304,6 +297,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, in

   options.remember = 10;

   options.tries = 1;

+  parse_config_file(pamh, argc, argv, &options);

+

   /* Parse parameters for module */

   for ( ; argc-- > 0; argv++)

     parse_option (pamh, *argv, &options);

@@ -311,7 +306,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, in

   if (options.debug)

     pam_syslog (pamh, LOG_DEBUG, "pam_sm_chauthtok entered");

-

   if (options.remember == 0)

     return PAM_IGNORE;

diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml

--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml.pam-pwhistory-load-conf-from-file	2022-09-29 10:13:35.780355766 +0200

+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml	2022-09-29 10:13:35.780355766 +0200

@@ -0,0 +1,155 @@

+

+

+	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">

+

+<refentry id="pwhistory.conf">

+

+  <refmeta>

+    <refentrytitle>pwhistory.conf</refentrytitle>

+    <manvolnum>5</manvolnum>

+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>

+  </refmeta>

+

+  <refnamediv id="pwhistory.conf-name">

+    <refname>pwhistory.conf</refname>

+    <refpurpose>pam_pwhistory configuration file</refpurpose>

+  </refnamediv>

+

+  <refsect1 id="pwhistory.conf-description">

+

+    <title>DESCRIPTION</title>

+    <para>

+       <emphasis remap='B'>pwhistory.conf</emphasis> provides a way to configure the

+       default settings for saving the last passwords for each user.

+       This file is read by the <emphasis>pam_pwhistory</emphasis> module and is the

+       preferred method over configuring <emphasis>pam_pwhistory</emphasis> directly.

+    </para>

+    <para>

+       The file has a very simple <emphasis>name = value</emphasis> format with possible comments

+       starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end

+       of line, and around the <emphasis>=</emphasis> sign is ignored.

+    </para>

+  </refsect1>

+

+  <refsect1 id="pwhistory.conf-options">

+

+    <title>OPTIONS</title>

+         <variablelist>

+            <varlistentry>

+              <term>

+                <option>debug</option>

+              </term>

+              <listitem>

+                <para>

+                  Turns on debugging via

+                  <citerefentry>

+                    <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>

+                  </citerefentry>.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>enforce_for_root</option>

+              </term>

+              <listitem>

+                <para>

+                  If this option is set, the check is enforced for root, too.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>remember=<replaceable>N</replaceable></option>

+              </term>

+              <listitem>

+                <para>

+                  The last <replaceable>N</replaceable> passwords for each

+                  user are saved.

+                  The default is <emphasis>10</emphasis>. Value of

+                  <emphasis>0</emphasis> makes the module to keep the existing

+                  contents of the <filename>opasswd</filename> file unchanged.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>retry=<replaceable>N</replaceable></option>

+              </term>

+              <listitem>

+                <para>

+                  Prompt user at most <replaceable>N</replaceable> times

+                  before returning with error. The default is 1.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>file=<replaceable>/path/filename</replaceable></option>

+              </term>

+              <listitem>

+                <para>

+                  Store password history in file

+                  <replaceable>/path/filename</replaceable> rather than the default

+                  location. The default location is

+	                <filename>/etc/security/opasswd</filename>.

+                </para>

+              </listitem>

+            </varlistentry>

+        </variablelist>

+  </refsect1>

+

+  <refsect1 id='pwhistory.conf-examples'>

+    <title>EXAMPLES</title>

+    <para>

+      /etc/security/pwhistory.conf file example:

+    </para>

+    <programlisting>

+debug

+remember=5

+file=/tmp/opasswd

+    </programlisting>

+  </refsect1>

+

+  <refsect1 id="pwhistory.conf-files">

+    <title>FILES</title>

+    <variablelist>

+      <varlistentry>

+        <term><filename>/etc/security/pwhistory.conf</filename></term>

+        <listitem>

+          <para>the config file for custom options</para>

+        </listitem>

+      </varlistentry>

+    </variablelist>

+  </refsect1>

+

+  <refsect1 id='pwhistory.conf-see_also'>

+    <title>SEE ALSO</title>

+    <para>

+      <citerefentry>

+        <refentrytitle>pwhistory</refentrytitle><manvolnum>8</manvolnum>

+      </citerefentry>,

+      <citerefentry>

+        <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>

+      </citerefentry>,

+      <citerefentry>

+        <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>

+      </citerefentry>,

+      <citerefentry>

+        <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>

+      </citerefentry>,

+      <citerefentry>

+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>

+      </citerefentry>

+    </para>

+  </refsect1>

+

+  <refsect1 id='pwhistory.conf-author'>

+    <title>AUTHOR</title>

+      <para>

+        pam_pwhistory was written by Thorsten Kukuk. The support for

+        pwhistory.conf was written by Iker Pedrosa.

+      </para>

+  </refsect1>

+

+</refentry>

diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c

--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c.pam-pwhistory-load-conf-from-file	2022-09-29 10:13:35.781355775 +0200

+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c	2022-09-29 10:14:33.377832622 +0200

@@ -0,0 +1,195 @@

+/*

+ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ * 1. Redistributions of source code must retain the above copyright

+ *    notice, and the entire permission notice in its entirety,

+ *    including the disclaimer of warranties.

+ * 2. Redistributions in binary form must reproduce the above copyright

+ *    notice, this list of conditions and the following disclaimer in the

+ *    documentation and/or other materials provided with the distribution.

+ * 3. The name of the author may not be used to endorse or promote

+ *    products derived from this software without specific prior

+ *    written permission.

+ *

+ * ALTERNATIVELY, this product may be distributed under the terms of

+ * the GNU Public License, in which case the provisions of the GPL are

+ * required INSTEAD OF the above restrictions.  (This clause is

+ * necessary due to a potential bad interaction between the GPL and

+ * the restrictions contained in a BSD-style copyright.)

+ *

+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED

+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,

+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

+ * OF THE POSSIBILITY OF SUCH DAMAGE.

+ */

+

+#include "config.h"

+

+#include <stdio.h>

+#include <stdlib.h>

+#include <string.h>

+#include <syslog.h>

+#include <ctype.h>

+

+#include <security/pam_modutil.h>

+

+#include "pam_inline.h"

+#include "pwhistory_config.h"

+

+#define PWHISTORY_DEFAULT_CONF "/etc/security/pwhistory.conf"

+

+/* lookup a value for key in login.defs file or similar key value format */

+static char *

+pwhistory_search_key(pam_handle_t *pamh UNUSED,

+		       const char *file_name,

+		       const char *key)

+{

+	FILE *fp;

+	char *buf = NULL;

+	size_t buflen = 0;

+	char *retval = NULL;

+

+#ifdef USE_ECONF

+	if (strcmp (file_name, LOGIN_DEFS) == 0)

+		return econf_search_key ("login", ".defs", key);

+#endif

+

+	fp = fopen(file_name, "r");

+	if (NULL == fp)

+		return NULL;

+

+	while (!feof(fp)) {

+		char *tmp, *cp;

+#if defined(HAVE_GETLINE)

+		ssize_t n = getline(&buf, &buflen, fp);

+#elif defined (HAVE_GETDELIM)

+		ssize_t n = getdelim(&buf, &buflen, '\n', fp);

+#else

+		ssize_t n;

+

+		if (buf == NULL) {

+			buflen = BUF_SIZE;

+			buf = malloc(buflen);

+			if (buf == NULL) {

+				fclose(fp);

+				return NULL;

+			}

+		}

+		buf[0] = '\0';

+		if (fgets(buf, buflen - 1, fp) == NULL)

+			break;

+		else if (buf != NULL)

+			n = strlen(buf);

+		else

+			n = 0;

+#endif /* HAVE_GETLINE / HAVE_GETDELIM */

+		cp = buf;

+

+		if (n < 1)

+			break;

+		if (cp[n - 1] == '\n')

+			cp[n - 1] = '\0';

+

+		tmp = strchr(cp, '#');  /* remove comments */

+		if (tmp)

+			*tmp = '\0';

+		while (isspace((int)*cp))    /* remove spaces and tabs */

+			++cp;

+		if (*cp == '\0')        /* ignore empty lines */

+			continue;

+

+		tmp = strsep (&cp, " \t=");

+		if (cp != NULL)

+			while (isspace((int)*cp) || *cp == '=')

+				++cp;

+		else

+			cp = buf + n;   /* empty string */

+

+		if (strcasecmp(tmp, key) == 0) {

+			retval = strdup(cp);

+			break;

+		}

+	}

+	fclose(fp);

+

+	free(buf);

+

+	return retval;

+}

+

+void

+parse_config_file(pam_handle_t *pamh, int argc, const char **argv,

+                  struct options_t *options)

+{

+    const char *fname = NULL;

+    int i;

+    char *val;

+

+    for (i = 0; i < argc; ++i) {

+        const char *str = pam_str_skip_prefix(argv[i], "conf=");

+

+        if (str != NULL) {

+            fname = str;

+        }

+    }

+

+    if (fname == NULL) {

+        fname = PWHISTORY_DEFAULT_CONF;

+    }

+

+    val = pwhistory_search_key (pamh, fname, "debug");

+    if (val != NULL) {

+        options->debug = 1;

+        free(val);

+    }

+

+    val = pwhistory_search_key (pamh, fname, "enforce_for_root");

+    if (val != NULL) {

+        options->enforce_for_root = 1;

+        free(val);

+    }

+

+    val = pwhistory_search_key (pamh, fname, "remember");

+    if (val != NULL) {

+        unsigned int temp;

+        if (sscanf(val, "%u", &temp) != 1) {

+            pam_syslog(pamh, LOG_ERR,

+                "Bad number supplied for remember argument");

+        } else {

+            options->remember = temp;

+        }

+        free(val);

+    }

+

+    val = pwhistory_search_key (pamh, fname, "retry");

+    if (val != NULL) {

+        unsigned int temp;

+        if (sscanf(val, "%u", &temp) != 1) {

+            pam_syslog(pamh, LOG_ERR,

+                "Bad number supplied for retry argument");

+        } else {

+            options->tries = temp;

+        }

+        free(val);

+    }

+

+    val = pwhistory_search_key (pamh, fname, "file");

+    if (val != NULL) {

+        if (*val != '/') {

+            pam_syslog (pamh, LOG_ERR,

+                "File path should be absolute: %s", val);

+        } else {

+            options->filename = val;

+        }

+    }

+}

diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h

--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h.pam-pwhistory-load-conf-from-file	2022-09-29 10:13:35.781355775 +0200

+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h	2022-09-29 10:13:35.781355775 +0200

@@ -0,0 +1,54 @@

+/*

+ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ * 1. Redistributions of source code must retain the above copyright

+ *    notice, and the entire permission notice in its entirety,

+ *    including the disclaimer of warranties.

+ * 2. Redistributions in binary form must reproduce the above copyright

+ *    notice, this list of conditions and the following disclaimer in the

+ *    documentation and/or other materials provided with the distribution.

+ * 3. The name of the author may not be used to endorse or promote

+ *    products derived from this software without specific prior

+ *    written permission.

+ *

+ * ALTERNATIVELY, this product may be distributed under the terms of

+ * the GNU Public License, in which case the provisions of the GPL are

+ * required INSTEAD OF the above restrictions.  (This clause is

+ * necessary due to a potential bad interaction between the GPL and

+ * the restrictions contained in a BSD-style copyright.)

+ *

+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED

+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,

+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

+ * OF THE POSSIBILITY OF SUCH DAMAGE.

+ */

+

+#ifndef _PWHISTORY_CONFIG_H

+#define _PWHISTORY_CONFIG_H

+

+#include <security/pam_ext.h>

+

+struct options_t {

+    int debug;

+    int enforce_for_root;

+    int remember;

+    int tries;

+    const char *filename;

+};

+typedef struct options_t options_t;

+

+void

+parse_config_file(pam_handle_t *pamh, int argc, const char **argv,

+                  struct options_t *options);

+

+#endif /* _PWHISTORY_CONFIG_H */

diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf

--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.pam-pwhistory-load-conf-from-file	2022-09-29 10:13:35.781355775 +0200

+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf	2022-09-29 10:13:35.781355775 +0200

@@ -0,0 +1,21 @@

+# Configuration for remembering the last passwords used by a user.

+#

+# Enable the debugging logs.

+# Enabled if option is present.

+# debug

+#

+# root account's passwords are also remembered.

+# Enabled if option is present.

+# enforce_for_root

+#

+# Number of passwords to remember.

+# The default is 10.

+# remember = 10

+#

+# Number of times to prompt for the password.

+# The default is 1.

+# retry = 1

+#

+# The directory where the last passwords are kept.

+# The default is /etc/security/opasswd.

+# file = /etc/security/opasswd