shadow/shadow-login_defs-unused-by-pam.patch

Remove variables that are present in login.defs, but shadow with the
current configuration (e. g. with PAM) does not use them.

It also includes variables used by the current configuration, but deleted
in the spec file.

shadow-login_defs-unused-check.sh makes possible to verify that it is
still up to date.

Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -12,11 +12,6 @@
 FAIL_DELAY		3
 
 #
-# Enable logging and display of /var/log/faillog login(1) failure info.
-#
-FAILLOG_ENAB		yes
-
-#
 # Enable display of unknown usernames when login(1) failures are recorded.
 #
 LOG_UNKFAIL_ENAB	no
@@ -27,11 +22,6 @@ LOG_UNKFAIL_ENAB	no
 LOG_OK_LOGINS		no
 
 #
-# Enable logging and display of /var/log/lastlog login(1) time info.
-#
-LASTLOG_ENAB		yes
-
-#
 # Limit the highest user ID number for which the lastlog entries should
 # be updated.
 #
@@ -41,29 +31,6 @@ LASTLOG_ENAB		yes
 #LASTLOG_UID_MAX
 
 #
-# Enable checking and display of mailbox status upon login.
-#
-# Disable if the shell startup files already check for mail
-# ("mailx -e" or equivalent).
-#
-MAIL_CHECK_ENAB		yes
-
-#
-# Enable additional checks upon password changes.
-#
-OBSCURE_CHECKS_ENAB	yes
-
-#
-# Enable checking of time restrictions specified in /etc/porttime.
-#
-PORTTIME_CHECKS_ENAB	yes
-
-#
-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
-#
-QUOTAS_ENAB		yes
-
-#
 # Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
 # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
 #
@@ -91,46 +58,12 @@ MOTD_FILE	/etc/motd
 #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
 
 #
-# If defined, this file will be output before each login(1) prompt.
-#
-#ISSUE_FILE	/etc/issue
-
-#
 # If defined, file which maps tty line to TERM environment parameter.
 # Each line of the file is in a format similar to "vt100  tty01".
 #
 #TTYTYPE_FILE	/etc/ttytype
 
 #
-# If defined, login(1) failures will be logged here in a utmp format.
-# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
-#
-FTMP_FILE	/var/log/btmp
-
-#
-# If defined, name of file whose presence will inhibit non-root
-# logins.  The content of this file should be a message indicating
-# why logins are inhibited.
-#
-NOLOGINS_FILE	/etc/nologin
-
-#
-# If defined, the command name to display when running "su -".  For
-# example, if this is defined as "su" then ps(1) will display the
-# command as "-su".  If not defined, then ps(1) will display the
-# name of the shell actually being run, e.g. something like "-sh".
-#
-SU_NAME		su
-
-#
-# *REQUIRED*
-#   Directory where mailboxes reside, _or_ name of file, relative to the
-#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
-#
-MAIL_DIR	/var/spool/mail
-#MAIL_FILE	.mail
-
-#
 # If defined, file which inhibits all the usual chatter during the login
 # sequence.  If a full pathname, then hushed mode will be enabled if the
 # user's name or shell are found in the file.  If not a full pathname, then
@@ -140,21 +73,6 @@ HUSHLOGIN_FILE	.hushlogin
 #HUSHLOGIN_FILE	/etc/hushlogins
 
 #
-# If defined, either a TZ environment parameter spec or the
-# fully-rooted pathname of a file containing such a spec.
-#
-#ENV_TZ		TZ=CST6CDT
-#ENV_TZ		/etc/tzname
-
-#
-# If defined, an HZ environment parameter spec.
-#
-# for Linux/x86
-ENV_HZ		HZ=100
-# For Linux/Alpha...
-#ENV_HZ		HZ=1024
-
-#
 # *REQUIRED*  The default PATH settings, for superuser and normal users.
 #
 # (they are minimal, add the rest in the shell startup files)
@@ -180,17 +98,13 @@ TTYPERM		0600
 #
 #	ERASECHAR	Terminal ERASE character ('\010' = backspace).
 #	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
-#	ULIMIT		Default "ulimit" value.
 #
 # The ERASECHAR and KILLCHAR are used only on System V machines.
-# The ULIMIT is used only if the system supports it.
-# (now it works with setrlimit too; ulimit is in 512-byte units)
 #
 # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
 #
 ERASECHAR	0177
 KILLCHAR	025
-#ULIMIT		2097152
 
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
@@ -211,23 +125,13 @@ UMASK		022
 #
 #	PASS_MAX_DAYS	Maximum number of days a password may be used.
 #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
-#	PASS_MIN_LEN	Minimum acceptable password length.
 #	PASS_WARN_AGE	Number of days warning given before a password expires.
 #
 PASS_MAX_DAYS	99999
 PASS_MIN_DAYS	0
-PASS_MIN_LEN	5
 PASS_WARN_AGE	7
 
 #
-# If "yes", the user must be listed as a member of the first gid 0 group
-# in /etc/group (called "root" on most Linux systems) to be able to "su"
-# to uid 0 accounts.  If the group doesn't exist or is empty, no one
-# will be able to "su" to uid 0.
-#
-SU_WHEEL_ONLY	no
-
-#
 # Min/max values for automatic uid selection in useradd(8)
 #
 UID_MIN			 1000
@@ -264,28 +168,6 @@ LOGIN_RETRIES		5
 LOGIN_TIMEOUT		60
 
 #
-# Maximum number of attempts to change password if rejected (too easy)
-#
-PASS_CHANGE_TRIES	5
-
-#
-# Warn about weak passwords (but still allow them) if you are root.
-#
-PASS_ALWAYS_WARN	yes
-
-#
-# Number of significant characters in the password for crypt().
-# Default is 8, don't change unless your crypt() is better.
-# Ignored if MD5_CRYPT_ENAB set to "yes".
-#
-#PASS_MAX_LEN		8
-
-#
-# Require password before chfn(1)/chsh(1) can make any changes.
-#
-CHFN_AUTH		yes
-
-#
 # Which fields may be changed by regular users using chfn(1) - use
 # any combination of letters "frwh" (full name, room number, work
 # phone, home phone).  If not defined, no changes are allowed.
@@ -294,13 +176,6 @@ CHFN_AUTH		yes
 CHFN_RESTRICT		rwh
 
 #
-# Password prompt (%s will be replaced by user name).
-#
-# XXX - it doesn't work correctly yet, for now leave it commented out
-# to use the default which is just "Password: ".
-#LOGIN_STRING		"%s's Password: "
-
-#
 # Only works if compiled with MD5_CRYPT defined:
 # If set to "yes", new passwords will be encrypted using the MD5-based
 # algorithm compatible with the one used by recent releases of FreeBSD.
@@ -349,45 +224,6 @@ CHFN_RESTRICT		rwh
 #SHA_CRYPT_MAX_ROUNDS 5000
 
 #
-# Only works if ENCRYPT_METHOD is set to BCRYPT.
-#
-# Define the number of BCRYPT rounds.
-# With a lot of rounds, it is more difficult to brute-force the password.
-# However, more CPU resources will be needed to authenticate users if
-# this value is increased.
-#
-# If not specified, 13 rounds will be attempted.
-# If only one of the MIN or MAX values is set, then this value will be used.
-# If MIN > MAX, the highest value will be used.
-#
-#BCRYPT_MIN_ROUNDS 13
-#BCRYPT_MAX_ROUNDS 13
-
-#
-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
-#
-# Define the YESCRYPT cost factor.
-# With a higher cost factor, it is more difficult to brute-force the password.
-# However, more CPU time and more memory will be needed to authenticate users
-# if this value is increased.
-#
-# If not specified, a cost factor of 5 will be used.
-# The value must be within the 1-11 range.
-#
-#YESCRYPT_COST_FACTOR 5
-
-#
-# List of groups to add to the user's supplementary group set
-# when logging in from the console (as determined by the CONSOLE
-# setting).  Default is none.
-#
-# Use with caution - it is possible for users to gain permanent
-# access to these groups, even when not logged in from the console.
-# How to do it is left as an exercise for the reader...
-#
-#CONSOLE_GROUPS		floppy:audio:cdrom
-
-#
 # Should login be allowed if we can't cd to the home directory?
 # Default is no.
 #
@@ -402,12 +238,6 @@ DEFAULT_HOME	yes
 NONEXISTENT	/nonexistent
 
 #
-# If this file exists and is readable, login environment will be
-# read from it.  Every line should be in the form name=value.
-#
-ENVIRON_FILE	/etc/environment
-
-#
 # If defined, this command is run when removing a user.
 # It should remove any at/cron/print jobs etc. owned by
 # the user to be removed (passed as the first argument).