New upstream version 1.5.3

21 files changed, 269 insertions, 258 deletions

diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
index 1658735b..a1dfe44e 100644
--- a/modules/pam_unix/Makefile.am
+++ b/modules/pam_unix/Makefile.am
@@ -5,7 +5,7 @@
 CLEANFILES = *~
 MAINTAINERCLEANFILES = $(MANS) README
 
-EXTRA_DIST = md5.c md5_crypt.c lckpwdf.-c $(XMLS) CHANGELOG
+EXTRA_DIST = md5.c md5_crypt.c lckpwdf.-c yppasswd_xdr.c $(XMLS) CHANGELOG
 
 if HAVE_DOC
 dist_man_MANS = pam_unix.8 unix_chkpwd.8 unix_update.8
@@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_unix
 TESTS = $(dist_check_SCRIPTS)
 
 securelibdir = $(SECUREDIR)
+if HAVE_VENDORDIR
+secureconfdir = $(VENDOR_SCONFIGDIR)
+else
 secureconfdir = $(SCONFIGDIR)
+endif
 
 AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
 	-DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
@@ -39,7 +43,10 @@ noinst_PROGRAMS = bigcrypt
 
 pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \
 	pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
-	passverify.c yppasswd_xdr.c md5_good.c md5_broken.c
+	passverify.c md5_good.c md5_broken.c
+if HAVE_NIS
+  pam_unix_la_SOURCES += yppasswd_xdr.c
+endif
 
 bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
 bigcrypt_CFLAGS = $(AM_CFLAGS)
diff --git a/modules/pam_unix/Makefile.in b/modules/pam_unix/Makefile.in
index 4dcfdf64..1de5b72b 100644
--- a/modules/pam_unix/Makefile.in
+++ b/modules/pam_unix/Makefile.in
@@ -98,6 +98,7 @@ host_triplet = @host@
 @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map
 sbin_PROGRAMS = unix_chkpwd$(EXEEXT) unix_update$(EXEEXT)
 noinst_PROGRAMS = bigcrypt$(EXEEXT)
+@HAVE_NIS_TRUE@am__append_2 = yppasswd_xdr.c
 subdir = modules/pam_unix
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
@@ -156,9 +157,13 @@ am__uninstall_files_from_dir = { \
   }
 LTLIBRARIES = $(securelib_LTLIBRARIES)
 pam_unix_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la
+am__pam_unix_la_SOURCES_DIST = bigcrypt.c pam_unix_acct.c \
+	pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
+	passverify.c md5_good.c md5_broken.c yppasswd_xdr.c
+@HAVE_NIS_TRUE@am__objects_1 = yppasswd_xdr.lo
 am_pam_unix_la_OBJECTS = bigcrypt.lo pam_unix_acct.lo pam_unix_auth.lo \
 	pam_unix_passwd.lo pam_unix_sess.lo support.lo passverify.lo \
-	yppasswd_xdr.lo md5_good.lo md5_broken.lo
+	md5_good.lo md5_broken.lo $(am__objects_1)
 pam_unix_la_OBJECTS = $(am_pam_unix_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -247,7 +252,7 @@ am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
 SOURCES = $(pam_unix_la_SOURCES) $(bigcrypt_SOURCES) \
 	$(unix_chkpwd_SOURCES) $(unix_update_SOURCES)
-DIST_SOURCES = $(pam_unix_la_SOURCES) $(bigcrypt_SOURCES) \
+DIST_SOURCES = $(am__pam_unix_la_SOURCES_DIST) $(bigcrypt_SOURCES) \
 	$(unix_chkpwd_SOURCES) $(unix_update_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
@@ -486,6 +491,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLTOOL = @DLLTOOL@
+DOCBOOK_RNG = @DOCBOOK_RNG@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -498,11 +504,13 @@ EXEEXT = @EXEEXT@
 EXE_CFLAGS = @EXE_CFLAGS@
 EXE_LDFLAGS = @EXE_LDFLAGS@
 FGREP = @FGREP@
+FILECMD = @FILECMD@
 FO2PDF = @FO2PDF@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
+HTML_STYLESHEET = @HTML_STYLESHEET@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
@@ -534,12 +542,14 @@ LIBSELINUX = @LIBSELINUX@
 LIBTOOL = @LIBTOOL@
 LIPO = @LIPO@
 LN_S = @LN_S@
+LOGIND_CFLAGS = @LOGIND_CFLAGS@
 LTLIBICONV = @LTLIBICONV@
 LTLIBINTL = @LTLIBINTL@
 LTLIBOBJS = @LTLIBOBJS@
 LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
 MAKEINFO = @MAKEINFO@
 MANIFEST_TOOL = @MANIFEST_TOOL@
+MAN_STYLESHEET = @MAN_STYLESHEET@
 MKDIR_P = @MKDIR_P@
 MSGFMT = @MSGFMT@
 MSGFMT_015 = @MSGFMT_015@
@@ -562,6 +572,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PDF_STYLESHEET = @PDF_STYLESHEET@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
@@ -572,12 +583,16 @@ SECUREDIR = @SECUREDIR@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
-STRINGPARAM_HMAC = @STRINGPARAM_HMAC@
+STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@
 STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@
 STRIP = @STRIP@
+SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@
+SYSTEMD_LIBS = @SYSTEMD_LIBS@
 TIRPC_CFLAGS = @TIRPC_CFLAGS@
 TIRPC_LIBS = @TIRPC_LIBS@
+TXT_STYLESHEET = @TXT_STYLESHEET@
 USE_NLS = @USE_NLS@
+VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@
 VERSION = @VERSION@
 WARN_CFLAGS = @WARN_CFLAGS@
 XGETTEXT = @XGETTEXT@
@@ -645,13 +660,14 @@ top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 CLEANFILES = *~
 MAINTAINERCLEANFILES = $(MANS) README
-EXTRA_DIST = md5.c md5_crypt.c lckpwdf.-c $(XMLS) CHANGELOG
+EXTRA_DIST = md5.c md5_crypt.c lckpwdf.-c yppasswd_xdr.c $(XMLS) CHANGELOG
 @HAVE_DOC_TRUE@dist_man_MANS = pam_unix.8 unix_chkpwd.8 unix_update.8
 XMLS = README.xml pam_unix.8.xml unix_chkpwd.8.xml unix_update.8.xml
 dist_check_SCRIPTS = tst-pam_unix
 TESTS = $(dist_check_SCRIPTS)
 securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
+@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR)
+@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR)
 AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
 	-DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
 	-DUPDATE_HELPER=\"$(sbindir)/unix_update\" \
@@ -664,10 +680,9 @@ pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \
 
 securelib_LTLIBRARIES = pam_unix.la
 noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h passverify.h
-pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \
-	pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
-	passverify.c yppasswd_xdr.c md5_good.c md5_broken.c
-
+pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c pam_unix_auth.c \
+	pam_unix_passwd.c pam_unix_sess.c support.c passverify.c \
+	md5_good.c md5_broken.c $(am__append_2)
 bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
 bigcrypt_CFLAGS = $(AM_CFLAGS)
 bigcrypt_LDADD = @LIBCRYPT@
diff --git a/modules/pam_unix/README.xml b/modules/pam_unix/README.xml
index 7fd340b3..49a65946 100644
--- a/modules/pam_unix/README.xml
+++ b/modules/pam_unix/README.xml
@@ -1,41 +1,27 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_unix.8.xml">
--->
-]>
+<article xmlns="http://docbook.org/ns/docbook" version="5.0">
 
-<article>
-
-  <articleinfo>
+  <info>
 
     <title>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-      href="pam_unix.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_unix-name"]/*)'/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-name")/*)'/>
     </title>
 
-  </articleinfo>
+  </info>
 
   <section>
-    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-      href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-description"]/*)'/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-description")/*)'/>
   </section>
 
   <section>
-    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-      href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-options"]/*)'/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-options")/*)'/>
   </section>
 
   <section>
-    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-      href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-examples"]/*)'/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-examples")/*)'/>
   </section>
 
   <section>
-    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-      href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-author"]/*)'/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-author")/*)'/>
   </section>
 
-</article>
+</article>
\ No newline at end of file
diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c
index d8d61a4b..c1028668 100644
--- a/modules/pam_unix/bigcrypt.c
+++ b/modules/pam_unix/bigcrypt.c
@@ -29,6 +29,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <security/_pam_macros.h>
+#include "pam_inline.h"
 #ifdef HAVE_CRYPT_H
 #include <crypt.h>
 #endif
@@ -56,12 +57,12 @@ char *bigcrypt(const char *key, const char *salt)
 #endif
 	unsigned long int keylen, n_seg, j;
 	char *cipher_ptr, *plaintext_ptr, *tmp_ptr, *salt_ptr;
-	char keybuf[KEYBUF_SIZE + 1];
+	char keybuf[KEYBUF_SIZE + 1] = {};
 
 	D(("called with key='%s', salt='%s'.", key, salt));
 
 	/* reset arrays */
-	dec_c2_cryptbuf = malloc(CBUF_SIZE);
+	dec_c2_cryptbuf = calloc(1, CBUF_SIZE);
 	if (!dec_c2_cryptbuf) {
 		return NULL;
 	}
@@ -73,8 +74,6 @@ char *bigcrypt(const char *key, const char *salt)
 	}
 	cdata->initialized = 0;
 #endif
-	memset(keybuf, 0, KEYBUF_SIZE + 1);
-	memset(dec_c2_cryptbuf, 0, CBUF_SIZE);
 
 	/* fill KEYBUF_SIZE with key */
 	strncpy(keybuf, key, KEYBUF_SIZE);
@@ -116,6 +115,7 @@ char *bigcrypt(const char *key, const char *salt)
 	}
 	/* and place in the static area */
 	strncpy(cipher_ptr, tmp_ptr, 13);
+	pam_overwrite_string(tmp_ptr);
 	cipher_ptr += ESEGMENT_SIZE + SALT_SIZE;
 	plaintext_ptr += SEGMENT_SIZE;	/* first block of SEGMENT_SIZE */
 
@@ -136,9 +136,10 @@ char *bigcrypt(const char *key, const char *salt)
 			tmp_ptr = crypt(plaintext_ptr, salt_ptr);
 #endif
 			if (tmp_ptr == NULL) {
-				_pam_overwrite(dec_c2_cryptbuf);
+				pam_overwrite_string(dec_c2_cryptbuf);
 				free(dec_c2_cryptbuf);
 #ifdef HAVE_CRYPT_R
+				pam_overwrite_object(cdata);
 				free(cdata);
 #endif
 				return NULL;
@@ -146,6 +147,7 @@ char *bigcrypt(const char *key, const char *salt)
 
 			/* skip the salt for seg!=0 */
 			strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE);
+			pam_overwrite_string(tmp_ptr);
 
 			cipher_ptr += ESEGMENT_SIZE;
 			plaintext_ptr += SEGMENT_SIZE;
@@ -155,6 +157,7 @@ char *bigcrypt(const char *key, const char *salt)
 	D(("key=|%s|, salt=|%s|\nbuf=|%s|\n", key, salt, dec_c2_cryptbuf));
 
 #ifdef HAVE_CRYPT_R
+	pam_overwrite_object(cdata);
 	free(cdata);
 #endif
 
diff --git a/modules/pam_unix/md5.c b/modules/pam_unix/md5.c
index 593d6dc3..95b8de4c 100644
--- a/modules/pam_unix/md5.c
+++ b/modules/pam_unix/md5.c
@@ -21,26 +21,27 @@
 #include <string.h>
 #include "md5.h"
 
+#include "pam_inline.h"
+
 #ifndef HIGHFIRST
 #define byteReverse(buf, len)	/* Nothing */
 #else
 
-typedef unsigned char PAM_ATTRIBUTE_ALIGNED(4) uint8_aligned;
-
-static void byteReverse(uint8_aligned *buf, unsigned longs);
+static void byteReverse(uint32 *buf, unsigned longs);
 
 #ifndef ASM_MD5
 /*
  * Note: this code is harmless on little-endian machines.
  */
-static void byteReverse(uint8_aligned *buf, unsigned longs)
+static void byteReverse(uint32 *buf, unsigned longs)
 {
 	uint32 t;
 	do {
-		t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 |
-		    ((unsigned) buf[1] << 8 | buf[0]);
-		*(uint32 *) buf = t;
-		buf += 4;
+		unsigned char *p = (unsigned char *) buf;
+		t = (uint32) ((unsigned) p[3] << 8 | p[2]) << 16 |
+		    ((unsigned) p[1] << 8 | p[0]);
+		*buf = t;
+		++buf;
 	} while (--longs);
 }
 #endif
@@ -89,7 +90,7 @@ void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsign
 			return;
 		}
 		memcpy(p, buf, t);
-		byteReverse(ctx->in.c, 16);
+		byteReverse(ctx->in.i, 16);
 		MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i);
 		buf += t;
 		len -= t;
@@ -98,7 +99,7 @@ void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsign
 
 	while (len >= 64) {
 		memcpy(ctx->in.c, buf, 64);
-		byteReverse(ctx->in.c, 16);
+		byteReverse(ctx->in.i, 16);
 		MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i);
 		buf += 64;
 		len -= 64;
@@ -133,7 +134,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
 	if (count < 8) {
 		/* Two lots of padding:  Pad the first block to 64 bytes */
 		memset(p, 0, count);
-		byteReverse(ctx->in.c, 16);
+		byteReverse(ctx->in.i, 16);
 		MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i);
 
 		/* Now fill the next block with 56 bytes */
@@ -142,15 +143,15 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
 		/* Pad block to 56 bytes */
 		memset(p, 0, count - 8);
 	}
-	byteReverse(ctx->in.c, 14);
+	byteReverse(ctx->in.i, 14);
 
 	/* Append length in bits and transform */
 	memcpy(ctx->in.i + 14, ctx->bits, 2*sizeof(uint32));
 
 	MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i);
-	byteReverse(ctx->buf.c, 4);
+	byteReverse(ctx->buf.i, 4);
 	memcpy(digest, ctx->buf.c, 16);
-	memset(ctx, 0, sizeof(*ctx));	/* In case it's sensitive */
+	pam_overwrite_object(ctx);	/* In case it's sensitive */
 }
 
 #ifndef ASM_MD5
diff --git a/modules/pam_unix/md5_crypt.c b/modules/pam_unix/md5_crypt.c
index 94f7b434..ed5ecda4 100644
--- a/modules/pam_unix/md5_crypt.c
+++ b/modules/pam_unix/md5_crypt.c
@@ -87,7 +87,7 @@ char *MD5Name(crypt_md5)(const char *pw, const char *salt)
 		MD5Name(MD5Update)(&ctx,(unsigned const char *)final,pl>16 ? 16 : pl);
 
 	/* Don't leave anything around in vm they could use. */
-	memset(final, 0, sizeof final);
+	pam_overwrite_array(final);
 
 	/* Then something really weird... */
 	for (j = 0, i = strlen(pw); i; i >>= 1)
@@ -151,7 +151,7 @@ char *MD5Name(crypt_md5)(const char *pw, const char *salt)
 	*p = '\0';
 
 	/* Don't leave anything around in vm they could use. */
-	memset(final, 0, sizeof final);
+	pam_overwrite_array(final);
 
 	return passwd;
 }
diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
index d9cdea5a..438717f9 100644
--- a/modules/pam_unix/pam_unix.8
+++ b/modules/pam_unix/pam_unix.8
@@ -1,13 +1,13 @@
 '\" t
 .\"     Title: pam_unix
 .\"    Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 09/03/2021
+.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
+.\"      Date: 05/07/2023
 .\"    Manual: Linux-PAM Manual
-.\"    Source: Linux-PAM Manual
+.\"    Source: Linux-PAM
 .\"  Language: English
 .\"
-.TH "PAM_UNIX" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_UNIX" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -71,31 +71,31 @@ Remaining arguments, supported by others functions of this module, are silently
 \fBsyslog\fR(3)\&.
 .SH "OPTIONS"
 .PP
-\fBdebug\fR
+debug
 .RS 4
 Turns on debugging via
 \fBsyslog\fR(3)\&.
 .RE
 .PP
-\fBaudit\fR
+audit
 .RS 4
 A little more extreme than debug\&.
 .RE
 .PP
-\fBquiet\fR
+quiet
 .RS 4
 Turns off informational messages namely messages about session open and close via
 \fBsyslog\fR(3)\&.
 .RE
 .PP
-\fBnullok\fR
+nullok
 .RS 4
 The default action of this module is to not permit the user access to a service if their official password is blank\&. The
 \fBnullok\fR
 argument overrides this default\&.
 .RE
 .PP
-\fBnullresetok\fR
+nullresetok
 .RS 4
 Allow users to authenticate with blank password if password reset is enforced even if
 \fBnullok\fR
@@ -104,24 +104,24 @@ is not set\&. If password reset is not required and
 is not set the authentication with blank password will be denied\&.
 .RE
 .PP
-\fBtry_first_pass\fR
+try_first_pass
 .RS 4
 Before prompting the user for their password, the module first tries the previous stacked module\*(Aqs password in case that satisfies this module as well\&.
 .RE
 .PP
-\fBuse_first_pass\fR
+use_first_pass
 .RS 4
 The argument
 \fBuse_first_pass\fR
 forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access\&.
 .RE
 .PP
-\fBnodelay\fR
+nodelay
 .RS 4
 This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail\&. The default action is for the module to request a delay\-on\-failure of the order of two second\&.
 .RE
 .PP
-\fBuse_authtok\fR
+use_authtok
 .RS 4
 When password changing enforce the module to set the new password to the one provided by a previously stacked
 \fBpassword\fR
@@ -130,17 +130,17 @@ module (this is used in the example of the stacking of the
 module documented below)\&.
 .RE
 .PP
-\fBauthtok_type=\fR\fB\fItype\fR\fR
+authtok_type=type
 .RS 4
 This argument can be used to modify the password prompt when changing passwords to include the type of the password\&. Empty by default\&.
 .RE
 .PP
-\fBnis\fR
+nis
 .RS 4
 NIS RPC is used for setting new passwords\&.
 .RE
 .PP
-\fBremember=\fR\fB\fIn\fR\fR
+remember=n
 .RS 4
 The last
 \fIn\fR
@@ -151,75 +151,75 @@ in order to force password change history and keep the user from alternating bet
 module should be used\&.
 .RE
 .PP
-\fBshadow\fR
+shadow
 .RS 4
 Try to maintain a shadow based system\&.
 .RE
 .PP
-\fBmd5\fR
+md5
 .RS 4
 When a user changes their password next, encrypt it with the MD5 algorithm\&.
 .RE
 .PP
-\fBbigcrypt\fR
+bigcrypt
 .RS 4
 When a user changes their password next, encrypt it with the DEC C2 algorithm\&.
 .RE
 .PP
-\fBsha256\fR
+sha256
 .RS 4
 When a user changes their password next, encrypt it with the SHA256 algorithm\&. The SHA256 algorithm must be supported by the
 \fBcrypt\fR(3)
 function\&.
 .RE
 .PP
-\fBsha512\fR
+sha512
 .RS 4
 When a user changes their password next, encrypt it with the SHA512 algorithm\&. The SHA512 algorithm must be supported by the
 \fBcrypt\fR(3)
 function\&.
 .RE
 .PP
-\fBblowfish\fR
+blowfish
 .RS 4
 When a user changes their password next, encrypt it with the blowfish algorithm\&. The blowfish algorithm must be supported by the
 \fBcrypt\fR(3)
 function\&.
 .RE
 .PP
-\fBgost_yescrypt\fR
+gost_yescrypt
 .RS 4
 When a user changes their password next, encrypt it with the gost\-yescrypt algorithm\&. The gost\-yescrypt algorithm must be supported by the
 \fBcrypt\fR(3)
 function\&.
 .RE
 .PP
-\fByescrypt\fR
+yescrypt
 .RS 4
 When a user changes their password next, encrypt it with the yescrypt algorithm\&. The yescrypt algorithm must be supported by the
 \fBcrypt\fR(3)
 function\&.
 .RE
 .PP
-\fBrounds=\fR\fB\fIn\fR\fR
+rounds=n
 .RS 4
 Set the optional number of rounds of the SHA256, SHA512, blowfish, gost\-yescrypt, and yescrypt password hashing algorithms to
 \fIn\fR\&.
 .RE
 .PP
-\fBbroken_shadow\fR
+broken_shadow
 .RS 4
 Ignore errors reading shadow information for users in the account management module\&.
 .RE
 .PP
-\fBminlen=\fR\fB\fIn\fR\fR
+minlen=n
 .RS 4
 Set a minimum password length of
 \fIn\fR
 characters\&. The max\&. for DES crypt based passwords are 8 characters\&.
 .RE
 .PP
-\fBno_pass_expiry\fR
+no_pass_expiry
 .RS 4
 When set ignore password expiration as defined by the
 \fIshadow\fR
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
index 9f9c8185..dfc04274 100644
--- a/modules/pam_unix/pam_unix.8.xml
+++ b/modules/pam_unix/pam_unix.8.xml
@@ -1,30 +1,27 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_unix">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_unix">
 
   <refmeta>
     <refentrytitle>pam_unix</refentrytitle>
     <manvolnum>8</manvolnum>
-    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+    <refmiscinfo class="source">Linux-PAM</refmiscinfo>
+    <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
   </refmeta>
 
-  <refnamediv id="pam_unix-name">
+  <refnamediv xml:id="pam_unix-name">
     <refname>pam_unix</refname>
     <refpurpose>Module for traditional password authentication</refpurpose>
   </refnamediv>
 
   <refsynopsisdiv>
-    <cmdsynopsis id="pam_unix-cmdsynopsis">
+    <cmdsynopsis xml:id="pam_unix-cmdsynopsis" sepchar=" ">
       <command>pam_unix.so</command>
-      <arg choice="opt">
+      <arg choice="opt" rep="norepeat">
         ...
       </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
-  <refsect1 id="pam_unix-description">
+  <refsect1 xml:id="pam_unix-description">
 
     <title>DESCRIPTION</title>
 
@@ -42,7 +39,7 @@
       <emphasis>shadow</emphasis> elements: expire, last_change, max_change,
       min_change, warn_change. In the case of the latter, it may offer advice
       to the user on changing their password or, through the
-      <emphasis remap='B'>PAM_AUTHTOKEN_REQD</emphasis> return, delay
+      <emphasis remap="B">PAM_AUTHTOKEN_REQD</emphasis> return, delay
       giving service to the user until they have established a new password.
       The entries listed above are documented in the <citerefentry>
       <refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum>
@@ -89,7 +86,7 @@
     <para>
       The password component of this module performs the task of updating
       the user's password. The default encryption hash is taken from the
-      <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from
+      <emphasis remap="B">ENCRYPT_METHOD</emphasis> variable from
       <emphasis>/etc/login.defs</emphasis>
     </para>
 
@@ -107,13 +104,13 @@
     </para>
   </refsect1>
 
-  <refsect1 id="pam_unix-options">
+  <refsect1 xml:id="pam_unix-options">
 
     <title>OPTIONS</title>
     <variablelist>
       <varlistentry>
         <term>
-          <option>debug</option>
+          debug
         </term>
         <listitem>
           <para>
@@ -127,7 +124,7 @@
 
       <varlistentry>
         <term>
-          <option>audit</option>
+          audit
         </term>
         <listitem>
           <para>
@@ -138,7 +135,7 @@
 
       <varlistentry>
         <term>
-          <option>quiet</option>
+          quiet
         </term>
         <listitem>
           <para>
@@ -153,7 +150,7 @@
 
       <varlistentry>
         <term>
-          <option>nullok</option>
+          nullok
         </term>
         <listitem>
           <para>
@@ -165,7 +162,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>nullresetok</option>
+          nullresetok
         </term>
         <listitem>
           <para>
@@ -178,7 +175,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>try_first_pass</option>
+          try_first_pass
         </term>
         <listitem>
           <para>
@@ -190,7 +187,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>use_first_pass</option>
+          use_first_pass
         </term>
         <listitem>
           <para>
@@ -203,7 +200,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>nodelay</option>
+          nodelay
         </term>
         <listitem>
           <para>
@@ -216,7 +213,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>use_authtok</option>
+          use_authtok
         </term>
         <listitem>
           <para>
@@ -230,7 +227,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>authtok_type=<replaceable>type</replaceable></option>
+          authtok_type=type
         </term>
         <listitem>
           <para>
@@ -242,7 +239,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>nis</option>
+          nis
         </term>
         <listitem>
           <para>
@@ -252,7 +249,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>remember=<replaceable>n</replaceable></option>
+          remember=n
         </term>
         <listitem>
           <para>
@@ -269,7 +266,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>shadow</option>
+          shadow
         </term>
         <listitem>
           <para>
@@ -279,7 +276,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>md5</option>
+          md5
         </term>
         <listitem>
           <para>
@@ -290,7 +287,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>bigcrypt</option>
+          bigcrypt
         </term>
         <listitem>
           <para>
@@ -301,7 +298,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>sha256</option>
+          sha256
         </term>
         <listitem>
           <para>
@@ -315,7 +312,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>sha512</option>
+          sha512
         </term>
         <listitem>
           <para>
@@ -329,7 +326,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>blowfish</option>
+          blowfish
         </term>
         <listitem>
           <para>
@@ -343,7 +340,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>gost_yescrypt</option>
+          gost_yescrypt
         </term>
         <listitem>
           <para>
@@ -357,7 +354,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>yescrypt</option>
+          yescrypt
         </term>
         <listitem>
           <para>
@@ -371,7 +368,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>rounds=<replaceable>n</replaceable></option>
+          rounds=n
         </term>
         <listitem>
           <para>
@@ -384,7 +381,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>broken_shadow</option>
+          broken_shadow
         </term>
         <listitem>
           <para>
@@ -395,7 +392,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>minlen=<replaceable>n</replaceable></option>
+          minlen=n
         </term>
         <listitem>
           <para>
@@ -407,7 +404,7 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <option>no_pass_expiry</option>
+          no_pass_expiry
         </term>
         <listitem>
           <para>
@@ -418,9 +415,9 @@
             meaning that other authentication source or method succeeded.
             The example can be public key authentication in
             <emphasis>sshd</emphasis>. The module will return
-            <emphasis remap='B'>PAM_SUCCESS</emphasis> instead of eventual
-            <emphasis remap='B'>PAM_NEW_AUTHTOK_REQD</emphasis> or
-            <emphasis remap='B'>PAM_AUTHTOK_EXPIRED</emphasis>.
+            <emphasis remap="B">PAM_SUCCESS</emphasis> instead of eventual
+            <emphasis remap="B">PAM_NEW_AUTHTOK_REQD</emphasis> or
+            <emphasis remap="B">PAM_AUTHTOK_EXPIRED</emphasis>.
           </para>
         </listitem>
       </varlistentry>
@@ -432,7 +429,7 @@
     </para>
   </refsect1>
 
-  <refsect1 id="pam_unix-types">
+  <refsect1 xml:id="pam_unix-types">
     <title>MODULE TYPES PROVIDED</title>
     <para>
       All module types (<option>account</option>, <option>auth</option>,
@@ -440,7 +437,7 @@
     </para>
   </refsect1>
 
-  <refsect1 id='pam_unix-return_values'>
+  <refsect1 xml:id="pam_unix-return_values">
     <title>RETURN VALUES</title>
     <variablelist>
       <varlistentry>
@@ -454,7 +451,7 @@
     </variablelist>
      </refsect1>
 
-  <refsect1 id='pam_unix-examples'>
+  <refsect1 xml:id="pam_unix-examples">
     <title>EXAMPLES</title>
     <para>
       An example usage for <filename>/etc/pam.d/login</filename>
@@ -473,7 +470,7 @@ session    required   pam_unix.so
     </para>
   </refsect1>
 
-  <refsect1 id='pam_unix-see_also'>
+  <refsect1 xml:id="pam_unix-see_also">
     <title>SEE ALSO</title>
     <para>
       <citerefentry>
@@ -491,11 +488,11 @@ session    required   pam_unix.so
     </para>
   </refsect1>
 
-  <refsect1 id='pam_unix-author'>
+  <refsect1 xml:id="pam_unix-author">
     <title>AUTHOR</title>
       <para>
         pam_unix was written by various people.
       </para>
   </refsect1>
 
-</refentry>
+</refentry>
\ No newline at end of file
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index a20e919e..c3417413 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -66,30 +66,21 @@
 #include <security/pam_ext.h>
 #include <security/pam_modutil.h>
 
+#include "pam_inline.h"
 #include "pam_cc_compat.h"
 #include "md5.h"
 #include "support.h"
 #include "passverify.h"
 #include "bigcrypt.h"
 
-#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER
-# define HAVE_NIS
-#endif
-
 #ifdef HAVE_NIS
 # include <rpc/rpc.h>
-
-# if HAVE_RPCSVC_YP_PROT_H
-#  include <rpcsvc/yp_prot.h>
-# endif
-
-# if HAVE_RPCSVC_YPCLNT_H
-#  include <rpcsvc/ypclnt.h>
-# endif
+# include <rpcsvc/yp_prot.h>
+# include <rpcsvc/ypclnt.h>
 
 # include "yppasswd.h"
 
-# if !HAVE_DECL_GETRPCPORT &&!HAVE_RPCB_GETADDR
+# if !defined(HAVE_DECL_GETRPCPORT) &&!defined(HAVE_RPCB_GETADDR)
 extern int getrpcport(const char *host, unsigned long prognum,
 		      unsigned long versnum, unsigned int proto);
 # endif				/* GNU libc 2.1 */
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index f2474a5b..81b10d88 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -96,7 +96,7 @@ PAMH_ARG_DECL(int verify_pwd_hash,
 		} else if (*hash != '$' && hash_len >= 13) {
 			pp = bigcrypt(p, hash);
 			if (pp && hash_len == 13 && strlen(pp) > hash_len) {
-				_pam_overwrite(pp + hash_len);
+				pam_overwrite_string(pp + hash_len);
 			}
 		} else {
 			/*
@@ -147,7 +147,7 @@ PAMH_ARG_DECL(int verify_pwd_hash,
 			if (cdata != NULL) {
 				cdata->initialized = 0;
 				pp = x_strdup(crypt_r(p, hash, cdata));
-				memset(cdata, '\0', sizeof(*cdata));
+				pam_overwrite_object(cdata);
 				free(cdata);
 			}
 #else
@@ -334,7 +334,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
 
 #define PW_TMPFILE              "/etc/npasswd"
 #define SH_TMPFILE              "/etc/nshadow"
-#define OPW_TMPFILE             "/etc/security/nopasswd"
+#define OPW_TMPFILE             SCONFIGDIR "/nopasswd"
 
 /*
  * i64c - convert an integer to a radix 64 character
@@ -427,7 +427,7 @@ PAMH_ARG_DECL(char * create_password_hash,
 #else
 	char salt[64]; /* contains rounds number + max 16 bytes of salt + algo id */
 #endif
-	char *sp;
+	char *sp, *ret;
 #ifdef HAVE_CRYPT_R
 	struct crypt_data *cdata = NULL;
 #endif
@@ -456,7 +456,7 @@ PAMH_ARG_DECL(char * create_password_hash,
 			password = tmppass;
 		}
 		hashed = bigcrypt(password, salt);
-		memset(tmppass, '\0', sizeof(tmppass));
+		pam_overwrite_array(tmppass);
 		password = NULL;
 		return hashed;
 	}
@@ -494,18 +494,21 @@ PAMH_ARG_DECL(char * create_password_hash,
 			   on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
 			   on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
 		if(sp) {
-		   memset(sp, '\0', strlen(sp));
+		   pam_overwrite_string(sp);
 		}
 #ifdef HAVE_CRYPT_R
+		pam_overwrite_object(cdata);
 		free(cdata);
 #endif
 		return NULL;
 	}
-	sp = x_strdup(sp);
+	ret = strdup(sp);
+	pam_overwrite_string(sp);
 #ifdef HAVE_CRYPT_R
+	pam_overwrite_object(cdata);
 	free(cdata);
 #endif
-	return sp;
+	return ret;
 }
 
 #ifdef WITH_SELINUX
@@ -1090,7 +1093,7 @@ helper_verify_password(const char *name, const char *p, int nullok)
 	}
 
 	if (hash) {
-		_pam_overwrite(hash);
+		pam_overwrite_string(hash);
 		_pam_drop(hash);
 	}
 
diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h
index c07037d2..463ef185 100644
--- a/modules/pam_unix/passverify.h
+++ b/modules/pam_unix/passverify.h
@@ -8,7 +8,7 @@
 
 #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT
 
-#define OLD_PASSWORDS_FILE      "/etc/security/opasswd"
+#define OLD_PASSWORDS_FILE      SCONFIGDIR "/opasswd"
 
 int
 is_pwd_shadowed(const struct passwd *pwd);
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 27ca7127..043273d2 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -19,7 +19,7 @@
 #include <ctype.h>
 #include <syslog.h>
 #include <sys/resource.h>
-#ifdef HAVE_RPCSVC_YPCLNT_H
+#ifdef HAVE_NIS
 #include <rpcsvc/ypclnt.h>
 #endif
 
@@ -805,7 +805,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
 	}
 
 cleanup:
-	memset(pw, 0, sizeof(pw)); /* clear memory of the password */
+	pam_overwrite_array(pw); /* clear memory of the password */
 	if (data_name)
 		_pam_delete(data_name);
 	if (salt)
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 19754dc1..81054002 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -151,10 +151,10 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
 
 /* use this to free strings. ESPECIALLY password strings */
 
-#define _pam_delete(xx)		\
-{				\
-	_pam_overwrite(xx);	\
-	_pam_drop(xx);		\
+#define _pam_delete(xx)			\
+{					\
+	pam_overwrite_string(xx);	\
+	_pam_drop(xx);			\
 }
 
 extern int _make_remark(pam_handle_t * pamh, unsigned long long ctrl,
diff --git a/modules/pam_unix/unix_chkpwd.8 b/modules/pam_unix/unix_chkpwd.8
index 93c95bd6..7c1963b3 100644
--- a/modules/pam_unix/unix_chkpwd.8
+++ b/modules/pam_unix/unix_chkpwd.8
@@ -1,13 +1,13 @@
 '\" t
 .\"     Title: unix_chkpwd
 .\"    Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 09/03/2021
+.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
+.\"      Date: 05/07/2023
 .\"    Manual: Linux-PAM Manual
-.\"    Source: Linux-PAM Manual
+.\"    Source: Linux-PAM
 .\"  Language: English
 .\"
-.TH "UNIX_CHKPWD" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "UNIX_CHKPWD" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff --git a/modules/pam_unix/unix_chkpwd.8.xml b/modules/pam_unix/unix_chkpwd.8.xml
index a10dbe33..ca0fa109 100644
--- a/modules/pam_unix/unix_chkpwd.8.xml
+++ b/modules/pam_unix/unix_chkpwd.8.xml
@@ -1,30 +1,27 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="unix_chkpwd">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="unix_chkpwd">
 
   <refmeta>
     <refentrytitle>unix_chkpwd</refentrytitle>
     <manvolnum>8</manvolnum>
-    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+    <refmiscinfo class="source">Linux-PAM</refmiscinfo>
+    <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
   </refmeta>
 
-  <refnamediv id="unix_chkpwd-name">
+  <refnamediv xml:id="unix_chkpwd-name">
     <refname>unix_chkpwd</refname>
     <refpurpose>Helper binary that verifies the password of the current user</refpurpose>
   </refnamediv>
 
   <refsynopsisdiv>
-    <cmdsynopsis id="unix_chkpwd-cmdsynopsis">
+    <cmdsynopsis xml:id="unix_chkpwd-cmdsynopsis" sepchar=" ">
       <command>unix_chkpwd</command>
-      <arg choice="opt">
+      <arg choice="opt" rep="norepeat">
         ...
       </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
-  <refsect1 id="unix_chkpwd-description">
+  <refsect1 xml:id="unix_chkpwd-description">
 
     <title>DESCRIPTION</title>
 
@@ -48,7 +45,7 @@
     </para>
   </refsect1>
 
-  <refsect1 id='unix_chkpwd-see_also'>
+  <refsect1 xml:id="unix_chkpwd-see_also">
     <title>SEE ALSO</title>
     <para>
       <citerefentry>
@@ -57,11 +54,11 @@
     </para>
   </refsect1>
 
-  <refsect1 id='unix_chkpwd-author'>
+  <refsect1 xml:id="unix_chkpwd-author">
     <title>AUTHOR</title>
       <para>
         Written by Andrew Morgan and other various people.
       </para>
   </refsect1>
 
-</refentry>
+</refentry>
\ No newline at end of file
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index 3931bab2..556a2e2c 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -176,7 +176,7 @@ int main(int argc, char *argv[])
 
 	retval = helper_verify_password(user, pass, nullok);
 
-	memset(pass, '\0', PAM_MAX_RESP_SIZE);	/* clear memory of the password */
+	pam_overwrite_array(pass);	/* clear memory of the password */
 
 	/* return pass or fail */
 
diff --git a/modules/pam_unix/unix_update.8 b/modules/pam_unix/unix_update.8
index b1f5ac71..b3b7a28f 100644
--- a/modules/pam_unix/unix_update.8
+++ b/modules/pam_unix/unix_update.8
@@ -1,13 +1,13 @@
 '\" t
 .\"     Title: unix_update
 .\"    Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 09/03/2021
+.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
+.\"      Date: 05/07/2023
 .\"    Manual: Linux-PAM Manual
-.\"    Source: Linux-PAM Manual
+.\"    Source: Linux-PAM
 .\"  Language: English
 .\"
-.TH "UNIX_UPDATE" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "UNIX_UPDATE" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff --git a/modules/pam_unix/unix_update.8.xml b/modules/pam_unix/unix_update.8.xml
index 6c7467b9..1a968652 100644
--- a/modules/pam_unix/unix_update.8.xml
+++ b/modules/pam_unix/unix_update.8.xml
@@ -1,30 +1,27 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="unix_update">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="unix_update">
 
   <refmeta>
     <refentrytitle>unix_update</refentrytitle>
     <manvolnum>8</manvolnum>
-    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+    <refmiscinfo class="source">Linux-PAM</refmiscinfo>
+    <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
   </refmeta>
 
-  <refnamediv id="unix_update-name">
+  <refnamediv xml:id="unix_update-name">
     <refname>unix_update</refname>
     <refpurpose>Helper binary that updates the password of a given user</refpurpose>
   </refnamediv>
 
   <refsynopsisdiv>
-    <cmdsynopsis id="unix_update-cmdsynopsis">
+    <cmdsynopsis xml:id="unix_update-cmdsynopsis" sepchar=" ">
       <command>unix_update</command>
-      <arg choice="opt">
+      <arg choice="opt" rep="norepeat">
         ...
       </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
-  <refsect1 id="unix_update-description">
+  <refsect1 xml:id="unix_update-description">
 
     <title>DESCRIPTION</title>
 
@@ -48,7 +45,7 @@
     </para>
   </refsect1>
 
-  <refsect1 id='unix_update-see_also'>
+  <refsect1 xml:id="unix_update-see_also">
     <title>SEE ALSO</title>
     <para>
       <citerefentry>
@@ -57,11 +54,11 @@
     </para>
   </refsect1>
 
-  <refsect1 id='unix_update-author'>
+  <refsect1 xml:id="unix_update-author">
     <title>AUTHOR</title>
       <para>
         Written by Tomas Mraz and other various people.
       </para>
   </refsect1>
 
-</refentry>
+</refentry>
\ No newline at end of file
diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c
index 3559972b..49a70ff3 100644
--- a/modules/pam_unix/unix_update.c
+++ b/modules/pam_unix/unix_update.c
@@ -55,15 +55,18 @@ set_password(const char *forwho, const char *shadow, const char *remember)
     if (npass != 2) {	/* is it a valid password? */
       if (npass == 1) {
         helper_log_err(LOG_DEBUG, "no new password supplied");
-	memset(pass, '\0', PAM_MAX_RESP_SIZE);
+        pam_overwrite_array(pass);
       } else {
         helper_log_err(LOG_DEBUG, "no valid passwords supplied");
       }
       return PAM_AUTHTOK_ERR;
     }
 
-    if (lock_pwdf() != PAM_SUCCESS)
+    if (lock_pwdf() != PAM_SUCCESS) {
+	pam_overwrite_array(pass);
+	pam_overwrite_array(towhat);
 	return PAM_AUTHTOK_LOCK_BUSY;
+    }
 
     pwd = getpwnam(forwho);
 
@@ -98,8 +101,8 @@ set_password(const char *forwho, const char *shadow, const char *remember)
     }
 
 done:
-    memset(pass, '\0', PAM_MAX_RESP_SIZE);
-    memset(towhat, '\0', PAM_MAX_RESP_SIZE);
+    pam_overwrite_array(pass);
+    pam_overwrite_array(towhat);
 
     unlock_pwdf();
 
diff --git a/modules/pam_unix/yppasswd.h b/modules/pam_unix/yppasswd.h
index 5f947071..dc686cd7 100644
--- a/modules/pam_unix/yppasswd.h
+++ b/modules/pam_unix/yppasswd.h
@@ -1,28 +1,20 @@
 /*
- * yppasswdd
- * Copyright 1994, 1995, 1996 Olaf Kirch, <okir@lst.de>
- *
- * This program is covered by the GNU General Public License, version 2
- * or later. It is provided in the hope that it is useful. However, the author
- * disclaims ALL WARRANTIES, expressed or implied. See the GPL for details.
- *
- * This file was generated automatically by rpcgen from yppasswd.x, and
- * editied manually.
+ * Please do not edit this file.
+ * It was generated using rpcgen.
  */
 
-#ifndef _YPPASSWD_H_
-#define _YPPASSWD_H_
+#ifndef _YPPASSWD_H_RPCGEN
+#define _YPPASSWD_H_RPCGEN
 
-#define YPPASSWDPROG ((u_long)100009)
-#define YPPASSWDVERS ((u_long)1)
-#define YPPASSWDPROC_UPDATE ((u_long)1)
+#include <rpc/rpc.h>
 
-/*
- * The password struct passed by the update call. I renamed it to
- * xpasswd to avoid a type clash with the one defined in <pwd.h>.
- */
-#ifndef __sgi
-typedef struct xpasswd {
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+struct xpasswd {
 	char *pw_name;
 	char *pw_passwd;
 	int pw_uid;
@@ -30,22 +22,45 @@ typedef struct xpasswd {
 	char *pw_gecos;
 	char *pw_dir;
 	char *pw_shell;
-} xpasswd;
-
-#else
-#include <pwd.h>
+};
 typedef struct xpasswd xpasswd;
-#endif
 
-/* The updated password information, plus the old password.
- */
-typedef struct yppasswd {
+struct yppasswd {
 	char *oldpass;
 	xpasswd newpw;
-} yppasswd;
+};
+typedef struct yppasswd yppasswd;
 
-/* XDR encoding/decoding routines */
-bool_t xdr_xpasswd(XDR * xdrs, xpasswd * objp);
-bool_t xdr_yppasswd(XDR * xdrs, yppasswd * objp);
+#define YPPASSWDPROG 100009
+#define YPPASSWDVERS 1
+
+#if defined(__STDC__) || defined(__cplusplus)
+#define YPPASSWDPROC_UPDATE 1
+extern  int * yppasswdproc_update_1(yppasswd *, CLIENT *);
+extern  int * yppasswdproc_update_1_svc(yppasswd *, struct svc_req *);
+extern int yppasswdprog_1_freeresult (SVCXPRT *, xdrproc_t, caddr_t);
+
+#else /* K&R C */
+#define YPPASSWDPROC_UPDATE 1
+extern  int * yppasswdproc_update_1();
+extern  int * yppasswdproc_update_1_svc();
+extern int yppasswdprog_1_freeresult ();
+#endif /* K&R C */
+
+/* the xdr functions */
+
+#if defined(__STDC__) || defined(__cplusplus)
+extern  bool_t xdr_passwd (XDR *, xpasswd*);
+extern  bool_t xdr_yppasswd (XDR *, yppasswd*);
+
+#else /* K&R C */
+extern bool_t xdr_passwd ();
+extern bool_t xdr_yppasswd ();
+
+#endif /* K&R C */
+
+#ifdef __cplusplus
+}
+#endif
 
-#endif	/* _YPPASSWD_H_ */
+#endif /* !_YPPASSWD_H_RPCGEN */
diff --git a/modules/pam_unix/yppasswd_xdr.c b/modules/pam_unix/yppasswd_xdr.c
index f2b86a56..0523d523 100644
--- a/modules/pam_unix/yppasswd_xdr.c
+++ b/modules/pam_unix/yppasswd_xdr.c
@@ -1,40 +1,36 @@
 /*
- * yppasswdd
- * Copyright 1994, 1995, 1996 Olaf Kirch, <okir@lst.de>
- *
- * This program is covered by the GNU General Public License, version 2
- * or later. It is provided in the hope that it is useful. However, the author
- * disclaims ALL WARRANTIES, expressed or implied. See the GPL for details.
- *
- * This file was generated automatically by rpcgen from yppasswd.x, and
- * editied manually.
+ * Please do not edit this file.
+ * It was generated using rpcgen.
  */
 
-#include "config.h"
-
-#ifdef HAVE_RPC_RPC_H
-
-#include <rpc/rpc.h>
 #include "yppasswd.h"
 
 bool_t
-xdr_xpasswd(XDR * xdrs, xpasswd * objp)
+xdr_passwd (XDR *xdrs, xpasswd *objp)
 {
-	return xdr_string(xdrs, &objp->pw_name, ~0)
-	    && xdr_string(xdrs, &objp->pw_passwd, ~0)
-	    && xdr_int(xdrs, &objp->pw_uid)
-	    && xdr_int(xdrs, &objp->pw_gid)
-	    && xdr_string(xdrs, &objp->pw_gecos, ~0)
-	    && xdr_string(xdrs, &objp->pw_dir, ~0)
-	    && xdr_string(xdrs, &objp->pw_shell, ~0);
+	 if (!xdr_string (xdrs, &objp->pw_name, ~0))
+		 return FALSE;
+	 if (!xdr_string (xdrs, &objp->pw_passwd, ~0))
+		 return FALSE;
+	 if (!xdr_int (xdrs, &objp->pw_uid))
+		 return FALSE;
+	 if (!xdr_int (xdrs, &objp->pw_gid))
+		 return FALSE;
+	 if (!xdr_string (xdrs, &objp->pw_gecos, ~0))
+		 return FALSE;
+	 if (!xdr_string (xdrs, &objp->pw_dir, ~0))
+		 return FALSE;
+	 if (!xdr_string (xdrs, &objp->pw_shell, ~0))
+		 return FALSE;
+	return TRUE;
 }
 
-
 bool_t
-xdr_yppasswd(XDR * xdrs, yppasswd * objp)
+xdr_yppasswd (XDR *xdrs, yppasswd *objp)
 {
-	return xdr_string(xdrs, &objp->oldpass, ~0)
-	    && xdr_xpasswd(xdrs, &objp->newpw);
+	 if (!xdr_string (xdrs, &objp->oldpass, ~0))
+		 return FALSE;
+	 if (!xdr_passwd (xdrs, &objp->newpw))
+		 return FALSE;
+	return TRUE;
 }
-
-#endif