From a9f467efba7d0653cbb5c452d37632ba210bc346 Mon Sep 17 00:00:00 2001
From: Marcin Krol <hawk@tld-linux.org>
Date: Fri, 31 Aug 2018 21:48:06 +0000
Subject: [PATCH] - from PLD

---
 chage.pamd            |   5 +
 chfn.pamd             |   6 +
 chgpasswd.pamd        |   5 +
 chpasswd.pamd         |   5 +
 chsh.pamd             |   6 +
 groupadd.pamd         |   5 +
 groupdel.pamd         |   5 +
 groupmems.pamd        |   6 +
 groupmod.pamd         |   5 +
 newusers.pamd         |   5 +
 passwd.pamd           |   5 +
 shadow-goodname.patch | 118 ++++++++
 shadow-login.defs     | 387 +++++++++++++++++++++++++
 shadow-pld.patch      |  51 ++++
 shadow.spec           | 648 ++++++++++++++++++++++++++++++++++++++++++
 shadow.useradd        |   7 +
 useradd.pamd          |   5 +
 userdel.pamd          |   5 +
 usermod.pamd          |   5 +
 19 files changed, 1284 insertions(+)
 create mode 100644 chage.pamd
 create mode 100644 chfn.pamd
 create mode 100644 chgpasswd.pamd
 create mode 100644 chpasswd.pamd
 create mode 100644 chsh.pamd
 create mode 100644 groupadd.pamd
 create mode 100644 groupdel.pamd
 create mode 100644 groupmems.pamd
 create mode 100644 groupmod.pamd
 create mode 100644 newusers.pamd
 create mode 100644 passwd.pamd
 create mode 100644 shadow-goodname.patch
 create mode 100644 shadow-login.defs
 create mode 100644 shadow-pld.patch
 create mode 100644 shadow.spec
 create mode 100644 shadow.useradd
 create mode 100644 useradd.pamd
 create mode 100644 userdel.pamd
 create mode 100644 usermod.pamd

diff --git a/chage.pamd b/chage.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/chage.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/chfn.pamd b/chfn.pamd
new file mode 100644
index 0000000..0aa09c4
--- /dev/null
+++ b/chfn.pamd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_listfile.so item=user sense=allow file=/etc/security/chfn.allow onerr=fail
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth
diff --git a/chgpasswd.pamd b/chgpasswd.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/chgpasswd.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/chpasswd.pamd b/chpasswd.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/chpasswd.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/chsh.pamd b/chsh.pamd
new file mode 100644
index 0000000..ac578e1
--- /dev/null
+++ b/chsh.pamd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_listfile.so item=user sense=allow file=/etc/security/chsh.allow onerr=fail
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth
diff --git a/groupadd.pamd b/groupadd.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/groupadd.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/groupdel.pamd b/groupdel.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/groupdel.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/groupmems.pamd b/groupmems.pamd
new file mode 100644
index 0000000..0aa09c4
--- /dev/null
+++ b/groupmems.pamd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_listfile.so item=user sense=allow file=/etc/security/chfn.allow onerr=fail
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth
diff --git a/groupmod.pamd b/groupmod.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/groupmod.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/newusers.pamd b/newusers.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/newusers.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/passwd.pamd b/passwd.pamd
new file mode 100644
index 0000000..6a4fd03
--- /dev/null
+++ b/passwd.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		required	pam_listfile.so item=user sense=deny file=/etc/security/blacklist.passwd onerr=succeed
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth
diff --git a/shadow-goodname.patch b/shadow-goodname.patch
new file mode 100644
index 0000000..1fdd84f
--- /dev/null
+++ b/shadow-goodname.patch
@@ -0,0 +1,118 @@
+diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chkname.c
+--- shadow-4.1.5.1/libmisc/chkname.c.goodname	2009-07-13 00:24:45.000000000 +0200
++++ shadow-4.1.5.1/libmisc/chkname.c	2012-09-19 18:43:53.492160653 +0200
+@@ -49,20 +49,28 @@
+ static bool is_valid_name (const char *name)
+ {
+ 	/*
+-	 * User/group names must match [a-z_][a-z0-9_-]*[$]
+-	 */
+-	if (('\0' == *name) ||
+-	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
++         * User/group names must match gnu e-regex:
++         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
++         *
++         * as a non-POSIX, extension, allow "$" as the last char for
++         * sake of Samba 3.x "add machine script"
++         */
++	if ( ('\0' == *name) ||
++             !((*name >= 'a' && *name <= 'z') ||
++               (*name >= 'A' && *name <= 'Z') ||
++               (*name >= '0' && *name <= '9') ||
++               (*name == '_') || (*name == '.') 
++	      )) {
+ 		return false;
+ 	}
+ 
+ 	while ('\0' != *++name) {
+-		if (!(( ('a' <= *name) && ('z' >= *name) ) ||
+-		      ( ('0' <= *name) && ('9' >= *name) ) ||
+-		      ('_' == *name) ||
+-		      ('-' == *name) ||
+-		      ( ('$' == *name) && ('\0' == *(name + 1)) )
+-		     )) {
++                if (!(  (*name >= 'a' && *name <= 'z') ||
++                        (*name >= 'A' && *name <= 'Z') ||
++                        (*name >= '0' && *name <= '9') ||
++                        (*name == '_') || (*name == '.') || (*name == '-') ||
++                        (*name == '$' && *(name + 1) == '\0') 
++                     )) {
+ 			return false;
+ 		}
+ 	}
+diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.8.xml
+--- shadow-4.1.5.1/man/groupadd.8.xml.goodname	2012-05-25 13:45:27.000000000 +0200
++++ shadow-4.1.5.1/man/groupadd.8.xml	2012-09-19 18:43:53.492160653 +0200
+@@ -259,12 +259,6 @@
+    <refsect1 id='caveats'>
+      <title>CAVEATS</title>
+      <para>
+-       Groupnames must start with a lower case letter or an underscore,
+-       followed by lower case letters, digits, underscores, or dashes.
+-       They can end with a dollar sign.
+-       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+-     </para>
+-     <para>
+        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+      </para>
+      <para>
+diff -up shadow-4.1.5.1/man/man8/groupadd.8.goodname shadow-4.1.5.1/man/man8/groupadd.8
+--- shadow-4.1.5.1/man/man8/groupadd.8.goodname	2012-05-25 13:58:40.000000000 +0200
++++ shadow-4.1.5.1/man/man8/groupadd.8	2012-09-19 18:44:42.175123079 +0200
+@@ -190,9 +190,7 @@ Shadow password suite configuration\&.
+ .RE
+ .SH "CAVEATS"
+ .PP
+-Groupnames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]?
+-.PP
+-Groupnames may only be up to 16 characters long\&.
++Groupnames may only be up to 32 characters long\&.
+ .PP
+ You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&.
+ .PP
+diff -up shadow-4.1.5.1/man/man8/useradd.8.goodname shadow-4.1.5.1/man/man8/useradd.8
+--- shadow-4.1.5.1/man/man8/useradd.8.goodname	2012-05-25 13:59:28.000000000 +0200
++++ shadow-4.1.5.1/man/man8/useradd.8	2012-09-19 18:46:09.249033949 +0200
+@@ -224,7 +224,7 @@ is not enabled, no home directories are
+ .PP
+ \fB\-M\fR
+ .RS 4
+-Do no create the user\*(Aqs home directory, even if the system wide setting from
++Do not create the user\*(Aqs home directory, even if the system wide setting from
+ /etc/login\&.defs
+ (\fBCREATE_HOME\fR) is set to
+ \fIyes\fR\&.
+@@ -430,8 +430,6 @@ Similarly, if the username already exist
+ \fBuseradd\fR
+ will deny the user account creation request\&.
+ .PP
+-Usernames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]?
+-.PP
+ Usernames may only be up to 32 characters long\&.
+ .SH "CONFIGURATION"
+ .PP
+diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml
+--- shadow-4.1.5.1/man/useradd.8.xml.goodname	2012-05-25 13:45:29.000000000 +0200
++++ shadow-4.1.5.1/man/useradd.8.xml	2012-09-19 18:43:53.493160675 +0200
+@@ -366,7 +366,7 @@
+ 	</term>
+ 	<listitem>
+ 	  <para>
+-	    Do no create the user's home directory, even if the system
++	    Do not create the user's home directory, even if the system
+ 	    wide setting from <filename>/etc/login.defs</filename>
+ 	    (<option>CREATE_HOME</option>) is set to
+ 	    <replaceable>yes</replaceable>.
+@@ -654,12 +654,6 @@
+     </para>
+ 
+     <para>
+-      Usernames must start with a lower case letter or an underscore,
+-      followed by lower case letters, digits, underscores, or dashes.
+-      They can end with a dollar sign.
+-      In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+-    </para>
+-    <para>
+       Usernames may only be up to 32 characters long.
+     </para>
+   </refsect1>
diff --git a/shadow-login.defs b/shadow-login.defs
new file mode 100644
index 0000000..25b4b05
--- /dev/null
+++ b/shadow-login.defs
@@ -0,0 +1,387 @@
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+#	$Id: login.defs 3189 2010-03-26 11:53:06Z nekral-guest $
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+# Note: When PAM is used, some modules may enfore a minimal delay (e.g.
+#       pam_unix enforces a 2s delay)
+#
+FAIL_DELAY		3
+
+#
+# Enable logging and display of /var/log/faillog login failure info.
+#
+FAILLOG_ENAB		yes
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		no
+
+#
+# Enable logging and display of /var/log/lastlog login time info.
+#
+LASTLOG_ENAB		yes
+
+#
+# Enable checking and display of mailbox status upon login.
+#
+# Disable if the shell startup files already check for mail
+# ("mailx -e" or equivalent).
+#
+MAIL_CHECK_ENAB		yes
+
+#
+# Enable additional checks upon password changes.
+#
+OBSCURE_CHECKS_ENAB	yes
+
+#
+# Enable checking of time restrictions specified in /etc/porttime.
+#
+PORTTIME_CHECKS_ENAB	yes
+
+#
+# Enable setting of ulimit, umask, and niceness from passwd gecos field.
+#
+QUOTAS_ENAB		yes
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB		yes
+SYSLOG_SG_ENAB		yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names.  Root logins will be allowed only
+# upon these devices.
+#
+CONSOLE		/etc/securetty
+#CONSOLE	console:tty01:tty02:tty03:tty04
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE	/var/log/sulog
+
+#
+# If defined, ":" delimited list of "message of the day" files to
+# be displayed upon login.
+#
+MOTD_FILE	/etc/motd
+#MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
+
+#
+# If defined, this file will be output before each login prompt.
+#
+#ISSUE_FILE	/etc/issue
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, login failures will be logged here in a utmp format.
+# last, when invoked as lastb, will read /var/log/btmp, so...
+#
+FTMP_FILE	/var/log/btmp
+
+#
+# If defined, name of file whose presence which will inhibit non-root
+# logins.  The contents of this file should be a message indicating
+# why logins are inhibited.
+#
+NOLOGINS_FILE	/etc/nologin
+
+#
+# If defined, the command name to display when running "su -".  For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su".  If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME		su
+
+#
+# *REQUIRED*
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
+#
+MAIL_DIR	/var/mail
+#MAIL_FILE	.mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# If defined, either a TZ environment parameter spec or the
+# fully-rooted pathname of a file containing such a spec.
+#
+#ENV_TZ		TZ=CST6CDT
+#ENV_TZ		/etc/tzname
+
+#
+# If defined, an HZ environment parameter spec.
+#
+# for Linux/x86
+ENV_HZ		HZ=100
+# For Linux/Alpha...
+#ENV_HZ		HZ=1024
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ENV_PATH	PATH=/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+TTYGROUP	tty
+TTYPERM		0600
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#	ULIMIT		Default "ulimit" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# The ULIMIT is used only if the system supports it.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR	0177
+KILLCHAR	025
+#ULIMIT		2097152
+
+# Default initial "umask" value used by login on non-PAM enabled systems.
+# Default "umask" value for pam_umask on PAM enabled systems.
+# UMASK is also used by useradd and newusers to set the mode of new home
+# directories.
+# 022 is the default value, but 027, or even 077, could be considered
+# better for privacy. There is no One True Answer here: each sysadmin
+# must make up her mind.
+UMASK		022
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_MIN_LEN	Minimum acceptable password length.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_MIN_LEN	5
+PASS_WARN_AGE	7
+
+#
+# If "yes", the user must be listed as a member of the first gid 0 group
+# in /etc/group (called "root" on most Linux systems) to be able to "su"
+# to uid 0 accounts.  If the group doesn't exist or is empty, no one
+# will be able to "su" to uid 0.
+#
+SU_WHEEL_ONLY	no
+
+#
+# If compiled with cracklib support, where are the dictionaries
+#
+CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN			 1000
+UID_MAX			60000
+# System accounts
+SYS_UID_MIN		  1
+SYS_UID_MAX		  999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN			 1000
+GID_MAX			60000
+# System accounts
+SYS_GID_MIN		  10
+SYS_GID_MAX		  999
+
+#
+# Max number of login retries if password is bad
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT		60
+
+#
+# Maximum number of attempts to change password if rejected (too easy)
+#
+PASS_CHANGE_TRIES	5
+
+#
+# Warn about weak passwords (but still allow them) if you are root.
+#
+PASS_ALWAYS_WARN	yes
+
+#
+# Number of significant characters in the password for crypt().
+# Default is 8, don't change unless your crypt() is better.
+# Ignored if MD5_CRYPT_ENAB set to "yes".
+#
+#PASS_MAX_LEN		8
+
+#
+# Require password before chfn/chsh can make any changes.
+#
+CHFN_AUTH		yes
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# 
+CHFN_RESTRICT		rwh
+
+#
+# Password prompt (%s will be replaced by user name).
+#
+# XXX - it doesn't work correctly yet, for now leave it commented out
+# to use the default which is just "Password: ".
+#LOGIN_STRING		"%s's Password: "
+
+#
+# Only works if compiled with MD5_CRYPT defined:
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm.  Default is "no".
+#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB	no
+
+#
+# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+#ENCRYPT_METHOD DES
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+# SHA_CRYPT_MIN_ROUNDS 5000
+# SHA_CRYPT_MAX_ROUNDS 5000
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting).  Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+#CONSOLE_GROUPS		floppy:audio:cdrom
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME	yes
+
+#
+# If this file exists and is readable, login environment will be
+# read from it.  Every line should be in the form name=value.
+#
+ENVIRON_FILE	/etc/environment
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel to remove user groups if no members exist.
+#
+#USERGROUPS_ENAB yes
+
+#
+# If set to a non-nul number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permit to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP	0
+
+#
+# If useradd should create home directories for users by default (non
+# system users only)
+# This option is overridden with the -M or -m flags on the useradd command
+# line.
+#
+#CREATE_HOME     yes
+
diff --git a/shadow-pld.patch b/shadow-pld.patch
new file mode 100644
index 0000000..69836c2
--- /dev/null
+++ b/shadow-pld.patch
@@ -0,0 +1,51 @@
+--- shadow-4.0.6/src/useradd.c	2004-11-18 21:45:00.713398344 +0100
++++ shadow-4.0.16/src/useradd.c	2006-06-08 01:17:05.580340031 +0300
+@@ -72,10 +72,10 @@
+ /*
+  * These defaults are used if there is no defaults file.
+  */
+-static gid_t def_group = 100;
++static gid_t def_group = 1000;
+ static const char *def_gname = "other";
+-static const char *def_home = "/home";
+-static const char *def_shell = "";
++static const char *def_home = "/home/users";
++static const char *def_shell = "/sbin/nologin";
+ static const char *def_template = SKEL_DIR;
+ static const char *def_create_mail_spool = "no";
+ 
+@@ -89,7 +89,7 @@
+ #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
+ 
+ static const char *user_name = "";
+-static const char *user_pass = "!";
++static const char *user_pass = "!!";
+ static uid_t user_id;
+ static gid_t user_gid;
+ static const char *user_comment = "";
+--- shadow-4.5/libmisc/find_new_gid.c~	2017-01-29 22:37:22.000000000 +0200
++++ shadow-4.5/libmisc/find_new_gid.c	2017-05-17 23:13:32.785253060 +0300
+@@ -61,8 +61,8 @@
+ 		/* A requested ID is allowed to be below the autoselect range */
+ 		*preferred_min = (gid_t) 1;
+ 
+-		/* Get the minimum ID range from login.defs or default to 101 */
+-		*min_id = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
++		/* Get the minimum ID range from login.defs or default to 10 */
++		*min_id = (gid_t) getdef_ulong ("SYS_GID_MIN", 10UL);
+ 
+ 		/*
+ 		 * If SYS_GID_MAX is unspecified, we should assume it to be one
+--- shadow-4.5/libmisc/find_new_uid.c~	2017-01-29 22:37:22.000000000 +0200
++++ shadow-4.5/libmisc/find_new_uid.c	2017-05-17 23:10:38.366687971 +0300
+@@ -61,8 +61,8 @@
+ 		/* A requested ID is allowed to be below the autoselect range */
+ 		*preferred_min = (uid_t) 1;
+ 
+-		/* Get the minimum ID range from login.defs or default to 101 */
+-		*min_id = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL);
++		/* Get the minimum ID range from login.defs or default to 1 */
++		*min_id = (uid_t) getdef_ulong ("SYS_UID_MIN", 1UL);
+ 
+ 		/*
+ 		 * If SYS_UID_MAX is unspecified, we should assume it to be one
diff --git a/shadow.spec b/shadow.spec
new file mode 100644
index 0000000..ab458da
--- /dev/null
+++ b/shadow.spec
@@ -0,0 +1,648 @@
+# TODO
+# - /etc/login.defs contains options valid only when PAM is disabled:
+# gpasswd -M chef_server chef_server
+#configuration error - unknown item 'FAILLOG_ENAB' (notify administrator)
+#configuration error - unknown item 'LASTLOG_ENAB' (notify administrator)
+#configuration error - unknown item 'MAIL_CHECK_ENAB' (notify administrator)
+#configuration error - unknown item 'OBSCURE_CHECKS_ENAB' (notify administrator)
+#configuration error - unknown item 'PORTTIME_CHECKS_ENAB' (notify administrator)
+#configuration error - unknown item 'QUOTAS_ENAB' (notify administrator)
+#configuration error - unknown item 'MOTD_FILE' (notify administrator)
+#configuration error - unknown item 'FTMP_FILE' (notify administrator)
+#configuration error - unknown item 'NOLOGINS_FILE' (notify administrator)
+#configuration error - unknown item 'ENV_HZ' (notify administrator)
+#configuration error - unknown item 'PASS_MIN_LEN' (notify administrator)
+#configuration error - unknown item 'SU_WHEEL_ONLY' (notify administrator)
+#configuration error - unknown item 'CRACKLIB_DICTPATH' (notify administrator)
+#configuration error - unknown item 'PASS_CHANGE_TRIES' (notify administrator)
+#configuration error - unknown item 'PASS_ALWAYS_WARN' (notify administrator)
+#configuration error - unknown item 'CHFN_AUTH' (notify administrator)
+#configuration error - unknown item 'ENVIRON_FILE' (notify administrator)
+# - sync pam files from pwdutils
+# - tcb support?
+# - ensure Conflicts with various packages (util-linux,sysvinit,coreutils) is up to date
+
+# Conditional build:
+%bcond_without	selinux		# build without SE-Linux support
+%bcond_with	shared		# build with shared libshadow (linking with selinux is broken)
+
+Summary:	Shadow password file utilities for Linux
+Summary(de.UTF-8):	Shadow-PaÃwortdatei-Dienstprogramme fÃ¼r Linux
+Summary(es.UTF-8):	Utilitarios para el archivo de contraseÃ±as Shadow
+Summary(fr.UTF-8):	Fichiers utilitaires pour Shadow password pour Linux
+Summary(pl.UTF-8):	NarzÄdzia do obsÅugi mechanizmu ukrytych haseÅ
+Summary(pt_BR.UTF-8):	UtilitÃ¡rios para o arquivo de senhas Shadow
+Summary(tr.UTF-8):	GÃ¶lge parola dosyasÄ± araÃ§larÄ±
+Name:		shadow
+Version:	4.6
+#BuildRequires:	useradd -g is broken, use pwdutils, or fix it:
+# http://zie.pg.gda.pl/mailman/pipermail/shadow/2006-September/000395.html
+Release:	0.1
+Epoch:		1
+License:	BSD
+Group:		Applications/System
+Source0:	https://github.com/shadow-maint/shadow/releases/download/%{version}/%{name}-%{version}.tar.xz
+# Source0-md5:	b491fecbf1232632c32ff8f1437fd60e
+Source2:	%{name}-login.defs
+Source3:	%{name}.useradd
+Source10:	chage.pamd
+Source11:	chfn.pamd
+Source12:	chgpasswd.pamd
+Source13:	chpasswd.pamd
+Source14:	chsh.pamd
+Source15:	groupadd.pamd
+Source16:	groupdel.pamd
+Source17:	groupmems.pamd
+Source18:	groupmod.pamd
+Source19:	newusers.pamd
+Source20:	passwd.pamd
+Source21:	useradd.pamd
+Source22:	userdel.pamd
+Source23:	usermod.pamd
+Patch0:		%{name}-pld.patch
+# allow names with upper case letters or containing dot in the middle
+Patch1:		%{name}-goodname.patch
+URL:		https://github.com/shadow-maint/shadow
+BuildRequires:	acl-devel
+BuildRequires:	attr-devel
+BuildRequires:	audit-libs-devel
+BuildRequires:	autoconf >= 2.64
+BuildRequires:	automake >= 1:1.11
+BuildRequires:	gettext-tools >= 0.12.1
+%{?with_selinux:BuildRequires:	libselinux-devel}
+%{?with_selinux:BuildRequires:	libsemanage-devel}
+BuildRequires:	libtool
+BuildRequires:	pam-devel
+BuildRequires:	tar >= 1:1.22
+BuildRequires:	xz
+Requires:	pam >= 0.99.7.1
+Provides:	passwd
+Provides:	shadow-utils
+Obsoletes:	passwd
+Obsoletes:	pwdutils
+Obsoletes:	shadow-extras
+Obsoletes:	shadow-utils
+Conflicts:	util-linux < 2.12-10
+BuildRoot:	%{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%description
+This package includes the programs necessary to convert standard UNIX
+password files to the shadow password format, as well as programs for
+command-line management of the user's accounts.
+- pwconv - converts everything to the shadow password format,
+- pwunconv - unconverts from shadow password, generating a file in the
+  current directory called npasswd that is a standard UNIX password
+  file,
+- pwck - checks the integrity of the password and shadow files,
+- useradd, userdel, usermod - for accounts management,
+- groupadd, groupdel, groupmod - for group management.
+
+A number of man pages are also included that relate to these
+utilities, and shadow passwords in general.
+
+%description -l es.UTF-8
+Este paquete incluye los programas necesarios para convertir Archivos
+padrÃ³n UNIX de contraseÃ±a al formato shadow.
+- pwconv5 - convierte todo al formato de contraseÃ±as del shadow,
+- pwunconv - deshace la conversiÃ³n de contraseÃ±as shadow, creando un
+  archivo en el directorio corriente llamado npasswd que es el archivo
+  padrÃ³n UNIX de contraseÃ±a,
+- pwck - chequea la integridad de la contraseÃ±a y de los archivos
+  shadow,
+
+EstÃ¡n tambiÃ©n incluidas, en general, varias pÃ¡ginas de manual sobre
+estos utilitarios y contraseÃ±as shadow.
+
+%description -l pl.UTF-8
+Pakiet zawiera programy do obsÅugi mechanizmu ukrytych haseÅ (shadow
+password). ZnajdujÄ siÄ w nim programy do konwersji standardowego
+pliku haseÅ do wersji shadow password a takÅ¼e programy do zarzÄdzania
+kontami uÅ¼ytkownikÃ³w w systemie:
+- pwconv - konwertuje do formatu shadow password
+- pwunconv - konwertuje z shadow password do formatu standardowego
+  pliku haseÅ. W bieÅ¼Äcym katalogu tworzy plik npasswd bÄdÄcy
+  standardowym plikiem z hasÅami,
+- useradd, userdel, usermod - do zarzÄdzania kontami uÅ¼ytkownikÃ³w,
+- groupadd, groupdel, groupmod - do zarzÄdzania grupami.
+
+OstrzeÅ¼enie:
+
+Programy znajdujÄce siÄ w tym pakiecie sÄ niezbÄdne do prawidÅowej
+pracy systemu i podobnie jak pakiet z bibliotekami systemowymi (glibc)
+nigdy nie powinien zostaÄ odinstalowany!
+
+%description -l pt_BR.UTF-8
+Este pacote inclui os programas necessÃ¡rios para converter
+arquivos-padrÃ£o UNIX de senha para o formato shadow.
+- pwconv - converte tudo para o formato de senhas do shadow,
+- pwunconv - desconverte senhas shadow, gerando um arquivo no
+  diretÃ³rio corrente chamado npasswd que Ã© o arquivo-padrÃ£o UNIX de
+  senha,
+- pwck - checa a integridade da senha e dos arquivos shadow,
+
+VÃ¡rias pÃ¡ginas de manual estÃ£o tambÃ©m incluÃ­das sobre estes
+utilitÃ¡rios e senhas shadow em geral.
+
+%prep
+%setup -q
+%patch0 -p1
+%patch1 -p1
+
+%build
+# NOTE:
+# - cracklib option refers to non-PAM passwd code
+# - skey referes to non-PAM pw_auth/passwd_check (login, su, chfn, chsh) code
+%configure \
+	--bindir=/bin \
+	--sbindir=/sbin \
+	--enable-shadowgrp \
+	%{?with_shared:--enable-shared --disable-static} \
+	--disable-silent-rules \
+	--enable-subordinate-ids \
+	--with-acl \
+	--with-attr \
+	--with-audit \
+	--with-group-name-max-length=32 \
+	--with-libpam \
+	--with-nscd \
+	--without-libcrack \
+	%{?with_selinux:--with-selinux} \
+	--with-sha-crypt \
+	--without-tcb
+
+%{__make}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -d $RPM_BUILD_ROOT{/sbin,%{_sysconfdir}/{default,pam.d,security,skel/tmp}}
+
+%{__make} install \
+	DESTDIR=$RPM_BUILD_ROOT
+
+cp -p %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/login.defs
+cp -p %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/default/useradd
+
+cp -p %{SOURCE10} $RPM_BUILD_ROOT/etc/pam.d/chage
+cp -p %{SOURCE11} $RPM_BUILD_ROOT/etc/pam.d/chfn
+cp -p %{SOURCE12} $RPM_BUILD_ROOT/etc/pam.d/chgpasswd
+cp -p %{SOURCE13} $RPM_BUILD_ROOT/etc/pam.d/chpasswd
+cp -p %{SOURCE14} $RPM_BUILD_ROOT/etc/pam.d/chsh
+cp -p %{SOURCE15} $RPM_BUILD_ROOT/etc/pam.d/groupadd
+cp -p %{SOURCE16} $RPM_BUILD_ROOT/etc/pam.d/groupdel
+cp -p %{SOURCE17} $RPM_BUILD_ROOT/etc/pam.d/groupmems
+cp -p %{SOURCE18} $RPM_BUILD_ROOT/etc/pam.d/groupmod
+cp -p %{SOURCE19} $RPM_BUILD_ROOT/etc/pam.d/newusers
+cp -p %{SOURCE20} $RPM_BUILD_ROOT/etc/pam.d/passwd
+cp -p %{SOURCE21} $RPM_BUILD_ROOT/etc/pam.d/useradd
+cp -p %{SOURCE22} $RPM_BUILD_ROOT/etc/pam.d/userdel
+cp -p %{SOURCE23} $RPM_BUILD_ROOT/etc/pam.d/usermod
+
+> $RPM_BUILD_ROOT%{_sysconfdir}/shadow
+> $RPM_BUILD_ROOT/etc/security/chfn.allow
+> $RPM_BUILD_ROOT/etc/security/chsh.allow
+
+%{__rm} $RPM_BUILD_ROOT/{etc/pam.d,bin}/{login,su}
+%{__rm} $RPM_BUILD_ROOT%{_mandir}/{,*/}man1/{login,su}.1*
+%{__rm} $RPM_BUILD_ROOT%{_mandir}/{,*/}man3/*.3*
+
+# packaged in SysVinit-tools
+%{__rm} $RPM_BUILD_ROOT%{_bindir}/lastlog
+%{__rm} $RPM_BUILD_ROOT%{_mandir}/{,*/}man8/lastlog.8*
+# packaged in coreutils
+%{__rm} $RPM_BUILD_ROOT/bin/groups
+%{__rm} $RPM_BUILD_ROOT%{_mandir}/{,*/}man1/groups.1*
+# packaged in util-linux
+%{__rm} $RPM_BUILD_ROOT/sbin/nologin
+%{__rm} $RPM_BUILD_ROOT%{_mandir}/{,*/}man*/nologin.8*
+
+%find_lang %{name}
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+%{?with_shared:/sbin/ldconfig}
+if [ ! -f /etc/shadow ]; then
+	%{_sbindir}/pwconv
+fi
+
+%{?with_shared:%postun -p /sbin/ldconfig}
+
+%files -f %{name}.lang
+%defattr(644,root,root,755)
+%doc ChangeLog NEWS TODO doc/{HOWTO,WISHLIST}
+%attr(750,root,root) %dir %{_sysconfdir}/default
+%attr(640,root,root) %config %verify(not md5 mtime size) %{_sysconfdir}/default/useradd
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/chage
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/chfn
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/chgpasswd
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/chpasswd
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/chsh
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/groupadd
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/groupdel
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/groupmems
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/groupmod
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/newusers
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/passwd
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/useradd
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/userdel
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/usermod
+
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/security/chfn.allow
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/security/chsh.allow
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/login.defs
+%attr(600,root,root) %config(noreplace) %verify(not md5 mtime size) %ghost %{_sysconfdir}/shadow
+%dir /etc/skel
+%dir /etc/skel/tmp
+%{?with_shared:%attr(755,root,root) %{_libdir}/lib*.so.*.*}
+%attr(4755,root,root) %{_bindir}/chfn
+%attr(4755,root,root) %{_bindir}/chsh
+%attr(4755,root,root) %{_bindir}/expiry
+%attr(4755,root,root) %{_bindir}/gpasswd
+%attr(4755,root,root) %{_bindir}/passwd
+%attr(755,root,root) %{_bindir}/chage
+%attr(755,root,root) %{_bindir}/faillog
+%attr(755,root,root) %{_bindir}/newgidmap
+%attr(755,root,root) %{_bindir}/newgrp
+%attr(755,root,root) %{_bindir}/newuidmap
+%attr(755,root,root) %{_bindir}/sg
+%attr(755,root,root) %{_sbindir}/chgpasswd
+%attr(755,root,root) %{_sbindir}/chpasswd
+%attr(755,root,root) %{_sbindir}/groupadd
+%attr(755,root,root) %{_sbindir}/groupdel
+%attr(755,root,root) %{_sbindir}/groupmems
+%attr(755,root,root) %{_sbindir}/groupmod
+%attr(755,root,root) %{_sbindir}/grpck
+%attr(755,root,root) %{_sbindir}/grpconv
+%attr(755,root,root) %{_sbindir}/grpunconv
+%attr(755,root,root) %{_sbindir}/logoutd
+%attr(755,root,root) %{_sbindir}/newusers
+%attr(755,root,root) %{_sbindir}/pwck
+%attr(755,root,root) %{_sbindir}/pwconv
+%attr(755,root,root) %{_sbindir}/pwunconv
+%attr(755,root,root) %{_sbindir}/useradd
+%attr(755,root,root) %{_sbindir}/userdel
+%attr(755,root,root) %{_sbindir}/usermod
+%attr(755,root,root) %{_sbindir}/vigr
+%attr(755,root,root) %{_sbindir}/vipw
+%{_mandir}/man1/chage.1*
+%{_mandir}/man1/chfn.1*
+%{_mandir}/man1/chsh.1*
+%{_mandir}/man1/expiry.1*
+%{_mandir}/man1/gpasswd.1*
+%{_mandir}/man1/newgidmap.1*
+%{_mandir}/man1/newgrp.1*
+%{_mandir}/man1/newuidmap.1*
+%{_mandir}/man1/passwd.1*
+%{_mandir}/man1/sg.1*
+%{_mandir}/man5/faillog.5*
+%{_mandir}/man5/gshadow.5*
+%{_mandir}/man5/login.defs.5*
+%{_mandir}/man5/passwd.5*
+%{_mandir}/man5/shadow.5*
+%{_mandir}/man5/suauth.5*
+%{_mandir}/man5/subgid.5*
+%{_mandir}/man5/subuid.5*
+%{_mandir}/man8/chgpasswd.8*
+%{_mandir}/man8/chpasswd.8*
+%{_mandir}/man8/faillog.8*
+%{_mandir}/man8/groupadd.8*
+%{_mandir}/man8/groupdel.8*
+%{_mandir}/man8/groupmems.8*
+%{_mandir}/man8/groupmod.8*
+%{_mandir}/man8/grpck.8*
+%{_mandir}/man8/grpconv.8*
+%{_mandir}/man8/grpunconv.8*
+%{_mandir}/man8/logoutd.8*
+%{_mandir}/man8/newusers.8*
+%{_mandir}/man8/pwck.8*
+%{_mandir}/man8/pwconv.8*
+%{_mandir}/man8/pwunconv.8*
+%{_mandir}/man8/useradd.8*
+%{_mandir}/man8/userdel.8*
+%{_mandir}/man8/usermod.8*
+%{_mandir}/man8/vigr.8*
+%{_mandir}/man8/vipw.8*
+
+%lang(cs) %{_mandir}/cs/man1/expiry.1*
+%lang(cs) %{_mandir}/cs/man1/gpasswd.1*
+%lang(cs) %{_mandir}/cs/man5/faillog.5*
+%lang(cs) %{_mandir}/cs/man5/gshadow.5*
+%lang(cs) %{_mandir}/cs/man5/passwd.5*
+%lang(cs) %{_mandir}/cs/man5/shadow.5*
+%lang(cs) %{_mandir}/cs/man8/faillog.8*
+%lang(cs) %{_mandir}/cs/man8/groupadd.8*
+%lang(cs) %{_mandir}/cs/man8/groupdel.8*
+%lang(cs) %{_mandir}/cs/man8/groupmod.8*
+%lang(cs) %{_mandir}/cs/man8/grpck.8*
+%lang(cs) %{_mandir}/cs/man8/vipw.8*
+
+%lang(da) %{_mandir}/da/man1/chfn.1*
+%lang(da) %{_mandir}/da/man1/newgrp.1*
+%lang(da) %{_mandir}/da/man1/sg.1*
+%lang(da) %{_mandir}/da/man5/gshadow.5*
+%lang(da) %{_mandir}/da/man8/groupdel.8*
+%lang(da) %{_mandir}/da/man8/logoutd.8*
+%lang(da) %{_mandir}/da/man8/vigr.8
+%lang(da) %{_mandir}/da/man8/vipw.8*
+
+%lang(de) %{_mandir}/de/man1/chage.1*
+%lang(de) %{_mandir}/de/man1/chfn.1*
+%lang(de) %{_mandir}/de/man1/chsh.1*
+%lang(de) %{_mandir}/de/man1/expiry.1*
+%lang(de) %{_mandir}/de/man1/gpasswd.1*
+%lang(de) %{_mandir}/de/man1/newgrp.1*
+%lang(de) %{_mandir}/de/man1/passwd.1*
+%lang(de) %{_mandir}/de/man1/sg.1*
+%lang(de) %{_mandir}/de/man5/faillog.5*
+%lang(de) %{_mandir}/de/man5/gshadow.5*
+%lang(de) %{_mandir}/de/man5/login.defs.5*
+%lang(de) %{_mandir}/de/man5/passwd.5*
+%lang(de) %{_mandir}/de/man5/shadow.5*
+%lang(de) %{_mandir}/de/man5/suauth.5*
+%lang(de) %{_mandir}/de/man8/chgpasswd.8*
+%lang(de) %{_mandir}/de/man8/chpasswd.8*
+%lang(de) %{_mandir}/de/man8/faillog.8*
+%lang(de) %{_mandir}/de/man8/groupadd.8*
+%lang(de) %{_mandir}/de/man8/groupdel.8*
+%lang(de) %{_mandir}/de/man8/groupmems.8*
+%lang(de) %{_mandir}/de/man8/groupmod.8*
+%lang(de) %{_mandir}/de/man8/grpck.8*
+%lang(de) %{_mandir}/de/man8/grpconv.8*
+%lang(de) %{_mandir}/de/man8/grpunconv.8*
+%lang(de) %{_mandir}/de/man8/logoutd.8*
+%lang(de) %{_mandir}/de/man8/newusers.8*
+%lang(de) %{_mandir}/de/man8/pwck.8*
+%lang(de) %{_mandir}/de/man8/pwconv.8*
+%lang(de) %{_mandir}/de/man8/pwunconv.8*
+%lang(de) %{_mandir}/de/man8/useradd.8*
+%lang(de) %{_mandir}/de/man8/userdel.8*
+%lang(de) %{_mandir}/de/man8/usermod.8*
+%lang(de) %{_mandir}/de/man8/vigr.8*
+%lang(de) %{_mandir}/de/man8/vipw.8*
+
+%lang(fi) %{_mandir}/fi/man1/chfn.1*
+%lang(fi) %{_mandir}/fi/man1/chsh.1*
+
+%lang(fr) %{_mandir}/fr/man1/chage.1*
+%lang(fr) %{_mandir}/fr/man1/chfn.1*
+%lang(fr) %{_mandir}/fr/man1/chsh.1*
+%lang(fr) %{_mandir}/fr/man1/expiry.1*
+%lang(fr) %{_mandir}/fr/man1/gpasswd.1*
+%lang(fr) %{_mandir}/fr/man1/newgidmap.1*
+%lang(fr) %{_mandir}/fr/man1/newgrp.1*
+%lang(fr) %{_mandir}/fr/man1/newuidmap.1*
+%lang(fr) %{_mandir}/fr/man1/passwd.1*
+%lang(fr) %{_mandir}/fr/man1/sg.1*
+%lang(fr) %{_mandir}/fr/man5/faillog.5*
+%lang(fr) %{_mandir}/fr/man5/gshadow.5*
+%lang(fr) %{_mandir}/fr/man5/login.defs.5*
+%lang(fr) %{_mandir}/fr/man5/passwd.5*
+%lang(fr) %{_mandir}/fr/man5/shadow.5*
+%lang(fr) %{_mandir}/fr/man5/suauth.5*
+%lang(fr) %{_mandir}/fr/man5/subgid.5*
+%lang(fr) %{_mandir}/fr/man5/subuid.5*
+%lang(fr) %{_mandir}/fr/man8/chgpasswd.8*
+%lang(fr) %{_mandir}/fr/man8/chpasswd.8*
+%lang(fr) %{_mandir}/fr/man8/faillog.8*
+%lang(fr) %{_mandir}/fr/man8/groupadd.8*
+%lang(fr) %{_mandir}/fr/man8/groupdel.8*
+%lang(fr) %{_mandir}/fr/man8/groupmems.8*
+%lang(fr) %{_mandir}/fr/man8/groupmod.8*
+%lang(fr) %{_mandir}/fr/man8/grpck.8*
+%lang(fr) %{_mandir}/fr/man8/grpconv.8*
+%lang(fr) %{_mandir}/fr/man8/grpunconv.8*
+%lang(fr) %{_mandir}/fr/man8/logoutd.8*
+%lang(fr) %{_mandir}/fr/man8/newusers.8*
+%lang(fr) %{_mandir}/fr/man8/pwck.8*
+%lang(fr) %{_mandir}/fr/man8/pwconv.8*
+%lang(fr) %{_mandir}/fr/man8/pwunconv.8*
+%lang(fr) %{_mandir}/fr/man8/useradd.8*
+%lang(fr) %{_mandir}/fr/man8/userdel.8*
+%lang(fr) %{_mandir}/fr/man8/usermod.8*
+%lang(fr) %{_mandir}/fr/man8/vigr.8*
+%lang(fr) %{_mandir}/fr/man8/vipw.8*
+
+%lang(hu) %{_mandir}/hu/man1/passwd.1*
+%lang(hu) %{_mandir}/hu/man1/chsh.1*
+%lang(hu) %{_mandir}/hu/man1/gpasswd.1*
+%lang(hu) %{_mandir}/hu/man1/newgrp.1*
+%lang(hu) %{_mandir}/hu/man1/sg.1*
+%lang(hu) %{_mandir}/hu/man5/passwd.5*
+
+%lang(id) %{_mandir}/id/man1/chsh.1*
+%lang(id) %{_mandir}/id/man8/useradd.8*
+
+%lang(it) %{_mandir}/it/man1/chage.1*
+%lang(it) %{_mandir}/it/man1/chfn.1*
+%lang(it) %{_mandir}/it/man1/chsh.1*
+%lang(it) %{_mandir}/it/man1/expiry.1*
+%lang(it) %{_mandir}/it/man1/gpasswd.1*
+%lang(it) %{_mandir}/it/man1/newgrp.1*
+%lang(it) %{_mandir}/it/man1/passwd.1*
+%lang(it) %{_mandir}/it/man1/sg.1*
+%lang(it) %{_mandir}/it/man5/faillog.5*
+%lang(it) %{_mandir}/it/man5/gshadow.5*
+%lang(it) %{_mandir}/it/man5/login.defs.5*
+%lang(it) %{_mandir}/it/man5/passwd.5*
+%lang(it) %{_mandir}/it/man5/shadow.5*
+%lang(it) %{_mandir}/it/man5/suauth.5*
+%lang(it) %{_mandir}/it/man8/chgpasswd.8*
+%lang(it) %{_mandir}/it/man8/chpasswd.8*
+%lang(it) %{_mandir}/it/man8/faillog.8*
+%lang(it) %{_mandir}/it/man8/groupadd.8*
+%lang(it) %{_mandir}/it/man8/groupdel.8*
+%lang(it) %{_mandir}/it/man8/groupmems.8*
+%lang(it) %{_mandir}/it/man8/groupmod.8*
+%lang(it) %{_mandir}/it/man8/grpck.8*
+%lang(it) %{_mandir}/it/man8/grpconv.8*
+%lang(it) %{_mandir}/it/man8/grpunconv.8*
+%lang(it) %{_mandir}/it/man8/logoutd.8*
+%lang(it) %{_mandir}/it/man8/newusers.8*
+%lang(it) %{_mandir}/it/man8/pwck.8*
+%lang(it) %{_mandir}/it/man8/pwconv.8*
+%lang(it) %{_mandir}/it/man8/pwunconv.8*
+%lang(it) %{_mandir}/it/man8/useradd.8*
+%lang(it) %{_mandir}/it/man8/userdel.8*
+%lang(it) %{_mandir}/it/man8/usermod.8*
+%lang(it) %{_mandir}/it/man8/vigr.8*
+%lang(it) %{_mandir}/it/man8/vipw.8*
+
+%lang(ja) %{_mandir}/ja/man1/chage.1*
+%lang(ja) %{_mandir}/ja/man1/chfn.1*
+%lang(ja) %{_mandir}/ja/man1/chsh.1*
+%lang(ja) %{_mandir}/ja/man1/expiry.1*
+%lang(ja) %{_mandir}/ja/man1/gpasswd.1*
+%lang(ja) %{_mandir}/ja/man1/newgrp.1*
+%lang(ja) %{_mandir}/ja/man1/passwd.1*
+%lang(ja) %{_mandir}/ja/man1/sg.1*
+%lang(ja) %{_mandir}/ja/man5/faillog.5*
+%lang(ja) %{_mandir}/ja/man5/login.defs.5*
+%lang(ja) %{_mandir}/ja/man5/passwd.5*
+%lang(ja) %{_mandir}/ja/man5/shadow.5*
+%lang(ja) %{_mandir}/ja/man5/suauth.5*
+%lang(ja) %{_mandir}/ja/man8/chpasswd.8*
+%lang(ja) %{_mandir}/ja/man8/faillog.8*
+%lang(ja) %{_mandir}/ja/man8/groupadd.8*
+%lang(ja) %{_mandir}/ja/man8/groupdel.8*
+%lang(ja) %{_mandir}/ja/man8/groupmod.8*
+%lang(ja) %{_mandir}/ja/man8/grpck.8*
+%lang(ja) %{_mandir}/ja/man8/grpconv.8*
+%lang(ja) %{_mandir}/ja/man8/grpunconv.8*
+%lang(ja) %{_mandir}/ja/man8/logoutd.8*
+%lang(ja) %{_mandir}/ja/man8/newusers.8*
+%lang(ja) %{_mandir}/ja/man8/pwck.8*
+%lang(ja) %{_mandir}/ja/man8/pwconv.8*
+%lang(ja) %{_mandir}/ja/man8/pwunconv.8*
+%lang(ja) %{_mandir}/ja/man8/useradd.8*
+%lang(ja) %{_mandir}/ja/man8/userdel.8*
+%lang(ja) %{_mandir}/ja/man8/usermod.8*
+%lang(ja) %{_mandir}/ja/man8/vigr.8*
+%lang(ja) %{_mandir}/ja/man8/vipw.8*
+
+%lang(ko) %{_mandir}/ko/man1/chfn.1*
+%lang(ko) %{_mandir}/ko/man1/chsh.1*
+%lang(ko) %{_mandir}/ko/man5/passwd.5*
+%lang(ko) %{_mandir}/ko/man8/vigr.8*
+%lang(ko) %{_mandir}/ko/man8/vipw.8*
+
+%lang(pl) %{_mandir}/pl/man1/chage.1*
+%lang(pl) %{_mandir}/pl/man1/chsh.1*
+%lang(pl) %{_mandir}/pl/man1/expiry.1*
+%lang(pl) %{_mandir}/pl/man1/newgrp.1*
+%lang(pl) %{_mandir}/pl/man1/sg.1*
+%lang(pl) %{_mandir}/pl/man5/faillog.5*
+%lang(pl) %{_mandir}/pl/man8/faillog.8*
+%lang(pl) %{_mandir}/pl/man8/groupadd.8*
+%lang(pl) %{_mandir}/pl/man8/groupdel.8*
+%lang(pl) %{_mandir}/pl/man8/groupmems.8*
+%lang(pl) %{_mandir}/pl/man8/groupmod.8*
+%lang(pl) %{_mandir}/pl/man8/grpck.8*
+%lang(pl) %{_mandir}/pl/man8/logoutd.8*
+%lang(pl) %{_mandir}/pl/man8/userdel.8*
+%lang(pl) %{_mandir}/pl/man8/usermod.8*
+%lang(pl) %{_mandir}/pl/man8/vigr.8*
+%lang(pl) %{_mandir}/pl/man8/vipw.8*
+
+%lang(pt_BR) %{_mandir}/pt_BR/man1/gpasswd.1*
+%lang(pt_BR) %{_mandir}/pt_BR/man5/passwd.5*
+%lang(pt_BR) %{_mandir}/pt_BR/man5/shadow.5*
+%lang(pt_BR) %{_mandir}/pt_BR/man8/groupadd.8*
+%lang(pt_BR) %{_mandir}/pt_BR/man8/groupdel.8*
+%lang(pt_BR) %{_mandir}/pt_BR/man8/groupmod.8*
+
+%lang(ru) %{_mandir}/ru/man1/chage.1*
+%lang(ru) %{_mandir}/ru/man1/chfn.1*
+%lang(ru) %{_mandir}/ru/man1/chsh.1*
+%lang(ru) %{_mandir}/ru/man1/expiry.1*
+%lang(ru) %{_mandir}/ru/man1/gpasswd.1*
+%lang(ru) %{_mandir}/ru/man1/newgrp.1*
+%lang(ru) %{_mandir}/ru/man1/passwd.1*
+%lang(ru) %{_mandir}/ru/man1/sg.1*
+%lang(ru) %{_mandir}/ru/man5/faillog.5*
+%lang(ru) %{_mandir}/ru/man5/gshadow.5*
+%lang(ru) %{_mandir}/ru/man5/login.defs.5*
+%lang(ru) %{_mandir}/ru/man5/passwd.5*
+%lang(ru) %{_mandir}/ru/man5/shadow.5*
+%lang(ru) %{_mandir}/ru/man5/suauth.5*
+%lang(ru) %{_mandir}/ru/man8/chgpasswd.8*
+%lang(ru) %{_mandir}/ru/man8/chpasswd.8*
+%lang(ru) %{_mandir}/ru/man8/faillog.8*
+%lang(ru) %{_mandir}/ru/man8/groupadd.8*
+%lang(ru) %{_mandir}/ru/man8/groupdel.8*
+%lang(ru) %{_mandir}/ru/man8/groupmems.8*
+%lang(ru) %{_mandir}/ru/man8/groupmod.8*
+%lang(ru) %{_mandir}/ru/man8/grpck.8*
+%lang(ru) %{_mandir}/ru/man8/grpconv.8*
+%lang(ru) %{_mandir}/ru/man8/grpunconv.8*
+%lang(ru) %{_mandir}/ru/man8/logoutd.8*
+%lang(ru) %{_mandir}/ru/man8/newusers.8*
+%lang(ru) %{_mandir}/ru/man8/pwck.8*
+%lang(ru) %{_mandir}/ru/man8/pwconv.8*
+%lang(ru) %{_mandir}/ru/man8/pwunconv.8*
+%lang(ru) %{_mandir}/ru/man8/useradd.8*
+%lang(ru) %{_mandir}/ru/man8/userdel.8*
+%lang(ru) %{_mandir}/ru/man8/usermod.8*
+%lang(ru) %{_mandir}/ru/man8/vigr.8*
+%lang(ru) %{_mandir}/ru/man8/vipw.8*
+
+%lang(sv) %{_mandir}/sv/man1/chage.1*
+%lang(sv) %{_mandir}/sv/man1/chsh.1*
+%lang(sv) %{_mandir}/sv/man1/expiry.1*
+%lang(sv) %{_mandir}/sv/man1/newgrp.1*
+%lang(sv) %{_mandir}/sv/man1/passwd.1*
+%lang(sv) %{_mandir}/sv/man1/sg.1*
+%lang(sv) %{_mandir}/sv/man5/faillog.5*
+%lang(sv) %{_mandir}/sv/man5/gshadow.5*
+%lang(sv) %{_mandir}/sv/man5/passwd.5*
+%lang(sv) %{_mandir}/sv/man5/suauth.5*
+%lang(sv) %{_mandir}/sv/man8/faillog.8*
+%lang(sv) %{_mandir}/sv/man8/groupadd.8*
+%lang(sv) %{_mandir}/sv/man8/groupdel.8*
+%lang(sv) %{_mandir}/sv/man8/groupmems.8*
+%lang(sv) %{_mandir}/sv/man8/groupmod.8*
+%lang(sv) %{_mandir}/sv/man8/grpck.8*
+%lang(sv) %{_mandir}/sv/man8/logoutd.8*
+%lang(sv) %{_mandir}/sv/man8/pwck.8*
+%lang(sv) %{_mandir}/sv/man8/userdel.8*
+%lang(sv) %{_mandir}/sv/man8/vigr.8*
+%lang(sv) %{_mandir}/sv/man8/vipw.8*
+
+%lang(tr) %{_mandir}/tr/man1/chage.1*
+%lang(tr) %{_mandir}/tr/man1/chfn.1*
+%lang(tr) %{_mandir}/tr/man1/passwd.1*
+%lang(tr) %{_mandir}/tr/man5/passwd.5*
+%lang(tr) %{_mandir}/tr/man5/shadow.5*
+%lang(tr) %{_mandir}/tr/man8/groupadd.8*
+%lang(tr) %{_mandir}/tr/man8/groupdel.8*
+%lang(tr) %{_mandir}/tr/man8/groupmod.8*
+%lang(tr) %{_mandir}/tr/man8/useradd.8*
+%lang(tr) %{_mandir}/tr/man8/userdel.8*
+%lang(tr) %{_mandir}/tr/man8/usermod.8*
+
+%lang(zh_CN) %{_mandir}/zh_CN/man1/chage.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man1/chfn.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man1/chsh.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man1/expiry.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man1/gpasswd.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man1/newgrp.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man1/passwd.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man1/sg.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man5/faillog.5*
+%lang(zh_CN) %{_mandir}/zh_CN/man5/gshadow.5*
+%lang(zh_CN) %{_mandir}/zh_CN/man5/login.defs.5*
+%lang(zh_CN) %{_mandir}/zh_CN/man5/passwd.5*
+%lang(zh_CN) %{_mandir}/zh_CN/man5/shadow.5*
+%lang(zh_CN) %{_mandir}/zh_CN/man5/suauth.5*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/chgpasswd.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/chpasswd.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/faillog.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/groupadd.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/groupdel.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/groupmems.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/groupmod.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/grpck.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/grpconv.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/grpunconv.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/logoutd.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/newusers.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/pwck.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/pwconv.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/pwunconv.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/useradd.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/userdel.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/usermod.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/vigr.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/vipw.8*
+
+%lang(zh_TW) %{_mandir}/zh_TW/man1/chfn.1*
+%lang(zh_TW) %{_mandir}/zh_TW/man1/chsh.1*
+%lang(zh_TW) %{_mandir}/zh_TW/man1/newgrp.1*
+%lang(zh_TW) %{_mandir}/zh_TW/man5/passwd.5*
+%lang(zh_TW) %{_mandir}/zh_TW/man8/chpasswd.8*
+%lang(zh_TW) %{_mandir}/zh_TW/man8/groupadd.8*
+%lang(zh_TW) %{_mandir}/zh_TW/man8/groupdel.8*
+%lang(zh_TW) %{_mandir}/zh_TW/man8/groupmod.8*
+%lang(zh_TW) %{_mandir}/zh_TW/man8/useradd.8*
+%lang(zh_TW) %{_mandir}/zh_TW/man8/userdel.8*
+%lang(zh_TW) %{_mandir}/zh_TW/man8/usermod.8*
diff --git a/shadow.useradd b/shadow.useradd
new file mode 100644
index 0000000..0a28b4e
--- /dev/null
+++ b/shadow.useradd
@@ -0,0 +1,7 @@
+# useradd defaults file
+GROUP=1000
+HOME=/home/users
+INACTIVE=-1
+EXPIRE=
+SHELL=/bin/bash
+SKEL=/etc/skel
diff --git a/useradd.pamd b/useradd.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/useradd.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/userdel.pamd b/userdel.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/userdel.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/usermod.pamd b/usermod.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/usermod.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
-- 
2.37.3