ghoneycutt · ashoksundeep · Jul 23, 2025
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -35,6 +35,9 @@
 # @param manage_pwquality
 #   Controls whether to manage pwquality.conf and pwquality.conf.d
 #
+# @param manage_pwhistory
+#   Controls whether to manage pwhistory.conf and pwhistory.conf.d
+#
 # @param package_name
 #   String or Array of packages providing the pam functionality. If undef,
 #   parameter is set based on the OS version.
@@ -211,6 +214,7 @@
   Boolean $limits_fragments_hiera_merge                     = false,
   Boolean $manage_faillock                                  = false,
   Boolean $manage_pwquality                                 = false,
+  Boolean $manage_pwhistory                                 = false,
   Array $pam_d_login_oracle_options                         = [],
   Stdlib::Absolutepath $pam_d_login_path                    = '/etc/pam.d/login',
   String $pam_d_login_owner                                 = 'root',
@@ -307,6 +311,10 @@
     include pam::pwquality
   }
 
+  if $manage_pwhistory {
+    include pam::pwhistory
+  }
+
   if $manage_nsswitch {
     include nsswitch
   }

diff --git a/manifests/pwhistory.pp b/manifests/pwhistory.pp
@@ -0,0 +1,64 @@
+# @summary Manages pwhistory.conf settings.
+#
+# This class configures the /etc/security/pwhistory.conf file.
+#
+# @param config_file
+#   Path to the pwhistory.conf file. Defaults to '/etc/security/pwhistory.conf'.
+# @param config_file_owner
+#   Owner of the pwhistory.conf file. Defaults to 'root'.
+# @param config_file_group
+#   Group of the pwhistory.conf file. Defaults to 'root'.
+# @param config_file_mode
+#   File mode for pwhistory.conf. Defaults to '0644'.
+# @param config_file_source
+#   Optional: Specifies a source file for pwhistory.conf. If set, ignores template.
+# @param config_file_template
+#   Optional: Specifies the template to use for pwhistory.conf. Defaults to 'pam/pwhistory.conf.erb'.
+# @param remember
+#   The number of old passwords to remember. This value will be written to pwhistory.conf.
+#   If undef, the 'remember' option will be commented out in the generated config.
+# @param enforce_for_root
+#   Boolean to enforce password history for the root user. If true, 'enforce_for_root'
+#   will be enabled in the config. If false or undef, it will be commented out.
+# @param debug
+#   Boolean to enable debugging logs. If true, 'debug' will be enabled in the config.
+#   If false or undef, it will be commented out.
+# @param retry
+#   The number of times to prompt for the password. This value will be written to pwhistory.conf.
+#   If undef, the 'retry' option will be commented out in the generated config.
+# @param file
+#   The directory where the last passwords are kept. This value will be written to pwhistory.conf.
+#   If undef, the 'file' option will be commented out in the generated config.
+#
+class pam::pwhistory (
+  Stdlib::Absolutepath $config_file        = '/etc/security/pwhistory.conf',
+  String[1] $config_file_owner             = 'root',
+  String[1] $config_file_group             = 'root',
+  Stdlib::Filemode $config_file_mode       = '0644',
+  Optional[Stdlib::Filesource] $config_file_source = undef,
+  String[1] $config_file_template          = 'pam/pwhistory.conf.erb',
+  Optional[Integer[0]] $remember           = undef,
+  Optional[Boolean] $enforce_for_root      = undef,
+  Optional[Boolean] $debug                 = undef,
+  Optional[Integer[1]] $retry              = undef,
+  Optional[Stdlib::Absolutepath] $file     = undef,
+) {
+  include pam
+
+  if $config_file_source {
+    $_config_file_content = undef
+  } else {
+    $_config_file_content = template($config_file_template)
+  }
+
+  file { 'pwhistory.conf':
+    ensure  => 'file',
+    path    => $config_file,
+    owner   => $config_file_owner,
+    group   => $config_file_group,
+    mode    => $config_file_mode,
+    source  => $config_file_source,
+    content => $_config_file_content,
+    require => Package[$pam::package_name],
+  }
+}
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -288,6 +288,16 @@
           it { is_expected.to contain_class('pam::pwquality') }
         end
 
+        context 'with manage_pwhistory parameter default value' do
+          it { is_expected.not_to contain_class('pam::pwhistory') }
+        end
+
+        context 'with manage_pwhistory parameter set to true' do
+          let(:params) { { manage_pwhistory: true } }
+
+          it { is_expected.to contain_class('pam::pwhistory') }
+        end
+
         context 'with manage_nsswitch parameter default value' do
           it { is_expected.to contain_class('nsswitch') }
         end