diff --git a/templates/shadow/files/chage.pam b/templates/shadow/files/chage.pam
new file mode 100644
index 00000000000..e7f8fcd4db5
--- /dev/null
+++ b/templates/shadow/files/chage.pam
@@ -0,0 +1,5 @@
+auth sufficient pam_rootok.so
+auth required pam_unix.so
+account required pam_unix.so
+session required pam_unix.so
+password required pam_permit.so
diff --git a/templates/shadow/files/login.defs b/templates/shadow/files/login.defs
new file mode 100644
index 00000000000..8253f5e38d4
--- /dev/null
+++ b/templates/shadow/files/login.defs
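Review bot: chage.pam carries no comment saying that it is also the PAM configuration for ten other shadow utilities, which the template's post_install copies it to (chpasswd, chgpasswd, groupadd, groupdel, groupmems, groupmod, newusers, useradd, userdel, usermod), so an edit here silently changes the policy for all of them. Suggest a header line `# Also installed as the pam.d file for chpasswd, chgpasswd, group*, newusers and user* (see the template's post_install).` The same comment should state that `auth sufficient pam_rootok.so` lets uid 0 skip the pam_unix prompt for every one of those tools, since that is the intended admin-command behaviour rather than an oversight.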
@@ -0,0 +1,63 @@
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+# QMAIL_DIR is for Qmail
+#
+#QMAIL_DIR Maildir
+MAIL_DIR /var/mail
+#MAIL_FILE .mail
+
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_WARN_AGE 7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+SYS_UID_MIN 100
+SYS_UID_MAX 999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN 100
+GID_MAX 60000
+# System accounts
+SYS_GID_MIN 100
+SYS_GID_MAX 999
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# If useradd should create home directories for users by default
+# On RH systems, we do. This option is overridden with the -m flag on
+# useradd command line.
+#
+CREATE_HOME yes
+
+# The permission mask is initialized to this value. If not specified,
+# the permission mask will be initialized to 022.
+UMASK 077
+
+# This enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+# Disable MD5 and use SHA512 by default.
+MD5_CRYPT_ENAB no
+ENCRYPT_METHOD SHA512
diff --git a/templates/shadow/files/login.pam b/templates/shadow/files/login.pam
new file mode 100644
index 00000000000..644c98d286f
--- /dev/null
+++ b/templates/shadow/files/login.pam
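Review bot: `GID_MIN 100` overlaps the system range `SYS_GID_MIN 100`/`SYS_GID_MAX 999`, unlike the uid side where `UID_MIN 1000` starts right after `SYS_UID_MAX 999`, so groupadd (and useradd under `USERGROUPS_ENAB yes` when the uid-numbered gid is already taken) can hand an ordinary group a gid inside the system range. Use `GID_MIN 1000` to match. The file also drops most upstream options (`PASS_MIN_LEN`, `ENV_PATH`/`ENV_SUPATH`, `CONSOLE`, ...) without saying why, presumably because PAM makes them irrelevant; a header comment stating that, and that password strength now lives in passwd.pam's pam_cracklib line, would keep the next reader from re-adding them. `UMASK 077` is a deliberate tightening over the 022 the comment above it mentions and deserves its own one-line why.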
@@ -0,0 +1,14 @@
+# /etc/pam.d/login service with cracklib.
+auth requisite pam_nologin.so
+auth required pam_securetty.so
+auth required pam_unix.so
+account required pam_access.so
+account required pam_unix.so
+session required pam_env.so
+session required pam_motd.so
+session required pam_limits.so
+session optional pam_mail.so dir=/var/mail standard
+session optional pam_lastlog.so
+session required pam_unix.so
+password required pam_cracklib.so try_first_pass retry=3
+password required pam_unix.so sha512 shadow nullok try_first_pass use_authtok
diff --git a/templates/shadow/files/other.pam b/templates/shadow/files/other.pam
new file mode 100644
index 00000000000..54503f74c78
--- /dev/null
+++ b/templates/shadow/files/other.pam
@@ -0,0 +1,8 @@
+auth required pam_deny.so
+auth required pam_warn.so
+account required pam_deny.so
+account required pam_warn.so
+password required pam_deny.so
+password required pam_warn.so
+session required pam_deny.so
+session required pam_warn.so
diff --git a/templates/shadow/files/passwd.pam b/templates/shadow/files/passwd.pam
new file mode 100644
index 00000000000..68cde65d52f
--- /dev/null
+++ b/templates/shadow/files/passwd.pam
@@ -0,0 +1,6 @@
+password required pam_cracklib.so type=Linux retry=3 \
+ difok=5 diffignore=23 minlen=9 \
+ dcredit=1 ucredit=1 lcredit=1 \
+ ocredit=1 \
+ dictpath=/lib/cracklib/pw_dict
+password required pam_unix.so sha512 shadow use_authtok
diff --git a/templates/shadow/files/shadow.cron-daily b/templates/shadow/files/shadow.cron-daily
old mode 100755
new mode 100644
diff --git a/templates/shadow/files/su.pam b/templates/shadow/files/su.pam
new file mode 100644
index 00000000000..2307f44c19b
--- /dev/null
+++ b/templates/shadow/files/su.pam
@@ -0,0 +1,7 @@
+auth sufficient pam_rootok.so
+auth required pam_unix.so
+account required pam_unix.so
+session optional pam_mail.so dir=/var/mail standard
+session optional pam_xauth.so
+session required pam_env.so
+session required pam_unix.so
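Review bot: The password stack in login.pam (`pam_cracklib.so try_first_pass retry=3` at default strength, then `pam_unix.so sha512 shadow nullok try_first_pass use_authtok`) is weaker than the one passwd.pam sets up in this same commit (minlen=9, difok=5, class credits, no `nullok`), so a user forced to change an expired password at login gets a different policy from one who runs passwd. Either give both services the same pam_cracklib options or add a comment explaining why the login path is deliberately looser. The `nullok` on the password line also has no counterpart on the `auth required pam_unix.so` line above it, so a blank-password account cannot log in anyway and the flag should probably be dropped for consistency.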
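Review bot: `diffignore=23` on the pam_cracklib line in passwd.pam looks misspelled; the option pam_cracklib documents is `difignore` (one f), so as written it is most likely logged as an unknown option and ignored — worth confirming in syslog after a test password change. Separately, the four `dcredit=1 ucredit=1 lcredit=1 ocredit=1` values are bonuses, not requirements: with `minlen=9` a five-character password containing one digit, one upper, one lower and one symbol passes, so if the intent is to require character classes the credits need to be negative (`dcredit=-1` etc.). A comment stating the intended policy (minimum effective length, required classes) would make that choice checkable.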
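Review bot: su.pam has no `pam_wheel.so` line, so su to root is not restricted to a group; the upstream su configuration that the deleted shadow-enable-pam.diff replaced did carry `auth required pam_wheel.so use_uid`, so this reads as a policy decision rather than an omission and should be recorded in the file. Suggest `# No pam_wheel: su to root is permitted for any user who authenticates; add "auth required pam_wheel.so use_uid" to restrict it.` as the first line. The stack also contains no `password` entries, so if pam_acct_mgmt ever reports an expired password su will have nothing to run for the change; a comment noting that this is left to passwd would clarify the intent.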
diff --git a/templates/shadow/shadow-enable-pam.diff b/templates/shadow/shadow-enable-pam.diff deleted file mode 100644 index 6477c3d16d1..00000000000 --- a/templates/shadow/shadow-enable-pam.diff +++ /dev/null 
@@ -1,239 +0,0 @@ ---- etc/login.defs.orig 2008-12-16 03:07:47.000000000 +0100 -+++ etc/login.defs 2008-12-16 03:11:46.000000000 +0100 -@@ -12,7 +12,7 @@ FAIL_DELAY 3 - # - # Enable logging and display of /var/log/faillog login failure info. - # --FAILLOG_ENAB yes -+#FAILLOG_ENAB yes - - # - # Enable display of unknown usernames when login failures are recorded. -@@ -27,7 +27,7 @@ LOG_OK_LOGINS no - # - # Enable logging and display of /var/log/lastlog login time info. - # --LASTLOG_ENAB yes -+#LASTLOG_ENAB yes - - # - # Enable checking and display of mailbox status upon login. -@@ -35,22 +35,22 @@ LASTLOG_ENAB yes - # Disable if the shell startup files already check for mail - # ("mailx -e" or equivalent). - # --MAIL_CHECK_ENAB yes -+#MAIL_CHECK_ENAB yes - - # - # Enable additional checks upon password changes. - # --OBSCURE_CHECKS_ENAB yes -+#OBSCURE_CHECKS_ENAB yes - - # - # Enable checking of time restrictions specified in /etc/porttime. - # --PORTTIME_CHECKS_ENAB yes -+#PORTTIME_CHECKS_ENAB yes - - # - # Enable setting of ulimit, umask, and niceness from passwd gecos field. - # --QUOTAS_ENAB yes -+#QUOTAS_ENAB yes - - # - # Enable "syslog" logging of su activity - in addition to sulog file logging. -@@ -64,7 +64,7 @@ SYSLOG_SG_ENAB yes - # a ":" delimited list of device names. Root logins will be allowed only - # upon these devices. - # --CONSOLE /etc/securetty -+#CONSOLE /etc/securetty - #CONSOLE console:tty01:tty02:tty03:tty04 - - # -@@ -76,7 +76,7 @@ CONSOLE /etc/securetty - # If defined, ":" delimited list of "message of the day" files to - # be displayed upon login. - # --MOTD_FILE /etc/motd -+#MOTD_FILE /etc/motd - #MOTD_FILE /etc/motd:/usr/lib/news/news-motd - - # -@@ -94,14 +94,14 @@ MOTD_FILE /etc/motd - # If defined, login failures will be logged here in a utmp format. - # last, when invoked as lastb, will read /var/log/btmp, so... 
- # --FTMP_FILE /var/log/btmp -+#FTMP_FILE /var/log/btmp - - # - # If defined, name of file whose presence which will inhibit non-root - # logins. The contents of this file should be a message indicating - # why logins are inhibited. - # --NOLOGINS_FILE /etc/nologin -+#NOLOGINS_FILE /etc/nologin - - # - # If defined, the command name to display when running "su -". For -@@ -116,7 +116,7 @@ SU_NAME su - # Directory where mailboxes reside, _or_ name of file, relative to the - # home directory. If you _do_ define both, MAIL_DIR takes precedence. - # --MAIL_DIR /var/spool/mail -+#MAIL_DIR /var/spool/mail - #MAIL_FILE .mail - - # -@@ -139,7 +139,7 @@ HUSHLOGIN_FILE .hushlogin - # If defined, an HZ environment parameter spec. - # - # for Linux/x86 --ENV_HZ HZ=100 -+#ENV_HZ HZ=100 - # For Linux/Alpha... - #ENV_HZ HZ=1024 - -@@ -147,8 +147,8 @@ ENV_HZ HZ=100 - # *REQUIRED* The default PATH settings, for superuser and normal users. - # - # (they are minimal, add the rest in the shell startup files) --ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin --ENV_PATH PATH=/bin:/usr/bin -+#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin -+#ENV_PATH PATH=/bin:/usr/bin - - # - # Terminal permissions -@@ -193,7 +193,7 @@ UMASK 022 - # - PASS_MAX_DAYS 99999 - PASS_MIN_DAYS 0 --PASS_MIN_LEN 5 -+#PASS_MIN_LEN 5 - PASS_WARN_AGE 7 - - # -@@ -202,12 +202,12 @@ PASS_WARN_AGE 7 - # to uid 0 accounts. If the group doesn't exist or is empty, no one - # will be able to "su" to uid 0. 
- # --SU_WHEEL_ONLY no -+#SU_WHEEL_ONLY no - - # - # If compiled with cracklib support, where are the dictionaries - # --CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict -+#CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict - - # - # Min/max values for automatic uid selection in useradd -@@ -240,12 +240,12 @@ LOGIN_TIMEOUT 60 - # - # Maximum number of attempts to change password if rejected (too easy) - # --PASS_CHANGE_TRIES 5 -+#PASS_CHANGE_TRIES 5 - - # - # Warn about weak passwords (but still allow them) if you are root. - # --PASS_ALWAYS_WARN yes -+#PASS_ALWAYS_WARN yes - - # - # Number of significant characters in the password for crypt(). -@@ -257,7 +257,7 @@ PASS_ALWAYS_WARN yes - # - # Require password before chfn/chsh can make any changes. - # --CHFN_AUTH yes -+#CHFN_AUTH yes - - # - # Which fields may be changed by regular users using chfn - use -@@ -339,7 +339,7 @@ DEFAULT_HOME yes - # If this file exists and is readable, login environment will be - # read from it. Every line should be in the form name=value. - # --ENVIRON_FILE /etc/environment -+#ENVIRON_FILE /etc/environment - - # - # If defined, this command is run when removing a user. 
---- etc/pam.d/login.orig 2008-12-16 03:29:36.000000000 +0100 -+++ etc/pam.d/login 2008-12-16 03:29:56.000000000 +0100 -@@ -1,11 +1,13 @@ --#%PAM-1.0 -+auth requisite pam_nologin.so - auth required pam_securetty.so --auth include system-auth --account required pam_nologin.so --account include system-auth --password include system-auth --session required pam_selinux.so close --session include system-auth --session required pam_loginuid.so --session optional pam_console.so --session required pam_selinux.so open -+auth required pam_unix.so -+account required pam_access.so -+account required pam_unix.so -+session required pam_env.so -+session required pam_motd.so -+session required pam_limits.so -+session optional pam_mail.so dir=/var/mail standard -+session optional pam_lastlog.so -+session required pam_unix.so -+password required pam_cracklib.so retry=3 -+password required pam_unix.so sha512 shadow use_authtok ---- etc/pam.d/passwd.orig 2008-12-16 03:30:36.000000000 +0100 -+++ etc/pam.d/passwd 2008-12-16 03:30:52.000000000 +0100 -@@ -1,4 +1,6 @@ --#%PAM-1.0 --auth include system-auth --account include system-auth --password include system-auth -+password required pam_cracklib.so type=Linux retry=1 \ -+ difok=5 diffignore=23 minlen=9 \ -+ dcredit=1 ucredit=1 lcredit=1 \ -+ ocredit=1 \ -+ dictpath=/lib/cracklib/pw_dict -+password required pam_unix.so sha512 shadow use_authtok ---- etc/pam.d/su.orig 2008-12-16 03:31:25.000000000 +0100 -+++ etc/pam.d/su 2008-12-16 03:31:35.000000000 +0100 -@@ -1,13 +1,7 @@ --#%PAM-1.0 - auth sufficient pam_rootok.so --# Uncomment the following line to implicitly trust users in the "wheel" group. --#auth sufficient pam_wheel.so trust use_uid --# Uncomment the following line to require a user to be in the "wheel" group. 
--auth required pam_wheel.so use_uid --auth include system-auth --account include system-auth --password include system-auth --session required pam_selinux.so close --session include system-auth --session required pam_selinux.so open multiple -+auth required pam_unix.so -+account required pam_unix.so -+session optional pam_mail.so dir=/var/mail standard - session optional pam_xauth.so -+session required pam_env.so -+session required pam_unix.so ---- etc/pam.d/chage.orig 2008-12-16 03:32:38.000000000 +0100 -+++ etc/pam.d/chage 2008-12-16 03:32:56.000000000 +0100 -@@ -1,4 +1,5 @@ --#%PAM-1.0 - auth sufficient pam_rootok.so --account required pam_permit.so --password include system-auth -+auth required pam_unix.so -+account required pam_unix.so -+session required pam_unix.so -+password required pam_permit.so diff --git a/templates/shadow/template b/templates/shadow/template index 92d8a6b6180..ba76a4257be 100644 --- a/templates/shadow/template +++ b/templates/shadow/template @@ -1,8 +1,7 @@ # Template file for 'shadow' pkgname=shadow version=4.1.2.2 -revision=2 -patch_files="$pkgname-enable-pam.diff" +revision=3 distfiles="ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/$pkgname-$version.tar.bz2" build_style=gnu_configure configure_args="--libdir=/lib --enable-shared --disable-static 
@@ -29,16 +28,20 @@ pre_build() cd $wrksrc && \ sed -i 's/groups$(EXEEXT) //' src/Makefile && \ find man -name Makefile -exec sed -i 's/groups\.1 / /' {} - sed -i -e 's@/var/spool/mail@/var/mail@' etc/login.defs } post_install() { - # Use the same auth file for all these cmds. + # Install our pam files not the ones supplied with shadow. + rm -f ${DESTDIR}/etc/pam.d/* + for f in chage login passwd su other; do + install -m644 ${FILESDIR}/${f}.pam ${DESTDIR}/etc/pam.d/${f} + done for f in chpasswd chgpasswd groupadd groupdel groupmems \ - groupmod newusers useradd userdel usermod other; do + groupmod newusers useradd userdel usermod; do install -m644 $DESTDIR/etc/pam.d/chage $DESTDIR/etc/pam.d/${f} done + install -m644 ${FILESDIR}/login.defs ${DESTDIR}/etc # Disable creating mailbox files by default. sed -i -e 's/yes/no/' $DESTDIR/etc/default/useradd @@ -46,4 +49,9 @@ post_install() # Install the cron daily job. install -D -m744 ${FILESDIR}/shadow.cron-daily \ ${DESTDIR}/etc/cron.daily/shadow + + # Remove unused files due to PAM. + for f in login.access limits; do + [ -f ${DESTDIR}/etc/${f} ] && rm -f ${DESTDIR}/etc/${f} + done }
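Review bot: `rm -f ${DESTDIR}/etc/pam.d/*` discards every PAM file shadow's own install step produced, but only chage, login, passwd, su and other are put back and only the chpasswd…usermod list is cloned from chage; if this shadow release also installs pam.d files for chfn and chsh (its etc/pam.d directory usually has them), those two commands are left with no service file and fall through to other.pam, which is pam_deny, so they stop working for everyone. Either add `chfn chsh` to the clone loop or add a comment stating that they are intentionally left to the deny-all default. post_install continues past the end of this hunk.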
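Review bot: The guard `[ -f ${DESTDIR}/etc/${f} ] && rm -f ${DESTDIR}/etc/${f}` in the new cleanup loop is redundant with `rm -f`, and it makes the loop's exit status — and therefore post_install's, since `}` follows immediately — equal 1 whenever the last name (`limits`) is absent, which a build driver that checks the function's return value would treat as a failure. Replace the three-line loop with `rm -f ${DESTDIR}/etc/login.access ${DESTDIR}/etc/limits`. post_install begins before this hunk.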