diff --git a/chkname-regex.patch b/chkname-regex.patch
index c27e7a5..9fc4c27 100644
--- a/chkname-regex.patch
+++ b/chkname-regex.patch
@@ -1,3 +1,19 @@
+Index: etc/login.defs
+===================================================================
+--- etc/login.defs.orig
++++ etc/login.defs
+@@ -274,3 +274,11 @@ USERGROUPS_ENAB yes
+ # missing.
+ #
+ #FORCE_SHADOW    yes
++
++#
++# User/group names must match the following regex expression.
++# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
++# but be aware that the result could depend on the locale settings.
++#
++#CHARACTER_CLASS                [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
++CHARACTER_CLASS         [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
 Index: lib/getdef.c
 ===================================================================
 --- lib/getdef.c.orig
diff --git a/encryption_method_nis.patch b/encryption_method_nis.patch
index 47f6ab3..8235523 100644
--- a/encryption_method_nis.patch
+++ b/encryption_method_nis.patch
@@ -1,10 +1,32 @@
---- lib/getdef.c
+Add support for ENCRYPT_METHOD_NIS used by pam: modules/pam_unix/pam_unix_passwd.c.
+
+Index: lib/getdef.c
+===================================================================
+--- lib/getdef.c.orig
 +++ lib/getdef.c
-@@ -58,6 +58,7 @@ static struct itemdef def_table[] = {
+@@ -85,6 +85,7 @@ static struct itemdef def_table[] = {
  	{"CREATE_HOME", NULL},
  	{"DEFAULT_HOME", NULL},
  	{"ENCRYPT_METHOD", NULL},
 +	{"ENCRYPT_METHOD_NIS", NULL},
  	{"ENV_PATH", NULL},
+ 	{"ENV_ROOTPATH", NULL},
  	{"ENV_SUPATH", NULL},
- 	{"ERASECHAR", NULL},
+Index: etc/login.defs
+===================================================================
+--- etc/login.defs.orig
++++ etc/login.defs
+@@ -187,10 +187,13 @@ CHFN_RESTRICT		rwh
+ # If set to DES, DES-based algorithm will be used for encrypting password (default)
+ # Overrides the MD5_CRYPT_ENAB option
+ #
++# ENCRYPT_METHOD_NIS is used by pam_unix_passwd.so.
++#
+ # Note: If you use PAM, it is recommended to use a value consistent with
+ # the PAM modules configuration.
+ #
+ #ENCRYPT_METHOD DES
++#ENCRYPT_METHOD_NIS DES
+ 
+ #
+ # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
diff --git a/getdef-new-defs.patch b/getdef-new-defs.patch
deleted file mode 100644
index 0c5dd41..0000000
--- a/getdef-new-defs.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Index: lib/getdef.c
-===================================================================
---- lib/getdef.c.orig
-+++ lib/getdef.c
-@@ -91,6 +91,7 @@ static struct itemdef def_table[] = {
- 	{"FAKE_SHELL", NULL},
- 	{"GID_MAX", NULL},
- 	{"GID_MIN", NULL},
-+	{"GROUPADD_CMD", NULL},
- 	{"HUSHLOGIN_FILE", NULL},
- 	{"KILLCHAR", NULL},
- 	{"LOGIN_RETRIES", NULL},
-@@ -126,7 +127,10 @@ static struct itemdef def_table[] = {
- 	{"UID_MAX", NULL},
- 	{"UID_MIN", NULL},
- 	{"UMASK", NULL},
-+	{"USERADD_CMD", NULL},
- 	{"USERDEL_CMD", NULL},
-+	{"USERDEL_PRECMD", NULL},
-+	{"USERDEL_POSTCMD", NULL},
- 	{"USERGROUPS_ENAB", NULL},
- #ifndef USE_PAM
- 	PAMDEFS
-@@ -149,6 +153,10 @@ static struct itemdef knowndef_table[] =
- #ifdef USE_PAM
- 	PAMDEFS
- #endif
-+	/* Used by /bin/login */
-+	{"MOTD_FILE", NULL},
-+	{"ENV_PATH", NULL},
-+	{"ENV_ROOTPATH", NULL},
- 	{NULL, NULL}
- };
- 
diff --git a/shadow-login_defs-check.sh b/shadow-login_defs-check.sh
new file mode 100644
index 0000000..2b4fa26
--- /dev/null
+++ b/shadow-login_defs-check.sh
@@ -0,0 +1,256 @@
+#!/bin/bash
+
+# login.defs and lib/getdef.c contain support for third party variables.
+# It also contains support for variables that are unusable in installations with PAM support enabled.
+# This script generates a list of used and unused variables in login.defs
+# with respect to the current configuration.
+# Arguments: arguments of osc build
+# If the shadow-login_defs-check-unused.lst is generated, you should
+# update login.defs.
+
+set -o errexit
+
+echo "Preparing..."
+
+# Check for required commands
+which quilt >/dev/null
+which osc >/dev/null
+
+# login.defs is shared with util-linux login, su and runuser.
+# Extract list of referenced variables.
+if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then
+	echo "Checking out util-linux..."
+	osc co openSUSE:Factory util-linux
+	cd openSUSE:Factory/util-linux
+	quilt setup -d BUILD util-linux.spec
+	cd BUILD/*
+	quilt push -a
+	cd ../../../..
+fi
+
+echo "Extracting variables from util-linux..."
+cd openSUSE:Factory/util-linux/BUILD/*
+(
+	grep -rh getlogindefs . |
+		sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p'
+	grep -rh logindefs_setenv . |
+		sed -n 's/^.*logindefs_setenv*("[A-Z0-9_]*", "\([A-Z0-9_]*\)".*$/\1/p'
+) |
+	LC_ALL=C sort -u >../../../../shadow-login_defs-check-util-linux.lst
+cd ../../../..
+
+# login.defs is shared pam_unix*.so, pam_faildelay.so and pam_umask.so.
+# Extract list of referenced variables.
+if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then
+	echo "Checking out pam..."
+	osc co openSUSE:Factory pam
+	cd openSUSE:Factory/pam
+	quilt setup -d BUILD pam.spec
+	cd BUILD/*
+	quilt push -a
+	cd ../../../..
+fi
+
+echo "Extracting variables from pam..."
+cd openSUSE:Factory/pam/BUILD/*
+grep -rh LOGIN_DEFS . |
+	sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' |
+	LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst
+cd ../../../..
+
+if ! test -f shadow-login_defs-check-build/stamp ; then
+	echo "Performing preprocessing of shadow by osc..."
+	if ! test -f shadow.spec.shadow-login_defs-check-save ; then
+		cp -a shadow.spec shadow.spec.shadow-login_defs-check-save
+
+# In case of shadow, variables extraction is more complicated. The list
+# depends on configure options, so we have to perform a fake build and
+# extract variables from prepreocessed sources.
+		patch <<EOF
+--- shadow.spec
++++ shadow.spec
+@@ -131,1 +131,1 @@
+-make
++make V=1 -k CPPFLAGS="-E"
+EOF
+	fi
+
+	osc build "$@" || :
+	echo "This build command was expected to fail."
+	echo ""
+	mv shadow.spec.shadow-login_defs-check-save shadow.spec
+
+	BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p')
+	BUILD_DIR=$(osc lbl | sed -n 's/^.* cd //p' | head -n1)
+	rm -rf shadow-login_defs-check-build
+	mkdir shadow-login_defs-check-build
+	cp -a "$BUILD_ROOT/$BUILD_DIR"/shadow-* shadow-login_defs-check-build/
+	touch shadow-login_defs-check-build/stamp
+fi
+
+echo "Extracting list of deleted binaries..."
+sed -n 's~rm %{buildroot}/%{_\(s\|\)bindir}/\(.*\)$~\2~p' <shadow.spec >shadow-login_defs-check-deleted.lst
+
+# The build above is optional only for case of failure or edits in the
+# code below. If any other build was performed, don't expect correct
+# results.
+
+cd shadow-login_defs-check-build/shadow-*
+
+echo "Extracting variables from etc/login.defs..."
+# Extract variables referenced in login.defs, both active and commented out.
+sed -n "s/^#//;s/\([A-Z0-9_]*\)[[:space:]].*$/\1/p" <etc/login.defs | sed '/^$/d' | uniq | sed '/^$/d' >../../shadow-login_defs-check-login_defs.lst
+LC_ALL=C sort -u ../../shadow-login_defs-check-login_defs.lst >../../shadow-login_defs-check-login_defs-sorted.lst
+
+echo "Extracting variables from lib/getdef.c..."
+# Extract variables referenced in lib/getdef.c using current defines.
+sed -n 's/^\(},\|\) {"\([A-Z0-9_]*\)", /\2/p' <lib/getdef.o >../../shadow-login_defs-check-getdef.lst
+LC_ALL=C sort -u ../../shadow-login_defs-check-getdef.lst >../../shadow-login_defs-check-getdef-sorted.lst
+
+echo "Extracting variables from shadow..."
+# Extract variables referenced in preprocessed files.
+grep -r '\(getdef[a-z_]*\|call_script\|is_listed\) *( *"[A-Za-z0-9_]*"' |
+	grep '[^ ]*\.o:' >../../shadow-login_defs-check-shadow.log
+
+cd ../..
+
+export RC=0
+echo ""
+echo ""
+echo "Performing checks..."
+
+sed '
+	s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/
+'  <shadow-login_defs-check-shadow.log | LC_ALL=C sort -u >../../shadow-login_defs-check-shadow-all.lst
+
+sed 's%^\(.*\)%/^.*\\\/\1\.o:/d%' <shadow-login_defs-check-deleted.lst >shadow-login_defs-check-deleted.sed
+sed -f shadow-login_defs-check-deleted.sed <shadow-login_defs-check-shadow.log |
+	sed '
+	s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/
+' | LC_ALL=C sort -u  >shadow-login_defs-check-shadow-used.lst
+
+if ! test -s shadow-login_defs-check-deleted.sed ; then
+	echo "  BUG: Empty shadow-login_defs-check-deleted.sed Results will be unreliable!"
+	if test $RC -le 4 ; then export RC=4 ; fi
+fi
+
+echo ""
+echo "Checking that variables in login.defs are referred only once..."
+if test $(wc -l shadow-login_defs-check-login_defs.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-login_defs-sorted.lst | sed 's/ .*//') ; then
+	echo "  ERROR: Some variable referred at more places of login.defs!"
+	LC_ALL=C sort shadow-login_defs-check-login_defs.lst >shadow-login_defs-check-login_defs-sorted-nu.lst
+	diff shadow-login_defs-check-login_defs-sorted-nu.lst shadow-login_defs-check-login_defs-sorted.lst
+	if test $RC -le 3 ; then export RC=3 ; fi
+fi
+
+echo ""
+echo "Checking that variables in lib/getdef.c are referred only once..."
+if test $(wc -l shadow-login_defs-check-getdef.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-getdef-sorted.lst | sed 's/ .*//') ; then
+	echo "  ERROR: Some variable referred at more places of lib/getdef.c!"
+	LC_ALL=C sort shadow-login_defs-check-getdef.lst >shadow-login_defs-check-getdef-sorted-nu.lst
+	diff shadow-login_defs-check-getdef-sorted-nu.lst shadow-login_defs-check-getdef-sorted.lst
+	if test $RC -le 3 ; then export RC=3 ; fi
+fi
+
+cat shadow-login_defs-check-shadow-used.lst shadow-login_defs-check-util-linux.lst shadow-login_defs-check-pam.lst | LC_ALL=C sort -u >shadow-login_defs-check-all-used.lst
+# RC inside pipe cannot be read directly. Use 3 for a real stdout inside the pipe, and use stdout for RC.
+exec 3>&1
+function report_packages() {
+	echo -n " ("
+	grep -l $1 shadow-login_defs-check-{shadow-used,util-linux,pam}.lst |
+		sed 's/shadow-login_defs-check-//;s/\.lst//;s/-used//;s/$/, /;$s/, $//' |
+		tr -d '\n'
+	echo -n ")"
+}
+
+# Extracting variables from shadow is not capable to identify compiled-but-unused library code.
+# This function will identify known false matches.
+function falsematch() {
+	case "$1" in
+# MAIL_* used by library call mailcheck() used only by login.c that is deleted in the spec.
+	MAIL_* ) return 0 ;;
+# FTMP_FILE used by library call failtmp() used only by login.c that is deleted in the spec.
+	FTMP_FILE ) return 0 ;;
+# ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec.
+	ISSUE_FILE ) return 0 ;;
+	* ) return 1 ;;
+	esac
+}
+
+echo ""
+echo "Checking that all used variables are covered by login.defs..."
+RC=$(cat shadow-login_defs-check-all-used.lst | (
+	while read ; do
+		if falsematch "$REPLY" ; then
+			echo "  FALSE MATCH: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3
+			continue
+		fi
+		if ! grep -q -x "$REPLY" shadow-login_defs-check-login_defs-sorted.lst ; then
+			echo "  NOTICE: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3
+			if test $RC -le 2 ; then RC=2 ; fi
+		fi
+	done
+	echo $RC
+) )
+
+echo ""
+echo "Checking that all used variables are covered by lib/getdef.c..."
+RC=$(cat shadow-login_defs-check-all-used.lst | (
+	while read ; do
+		if falsematch "$REPLY" ; then continue ; fi
+		if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then
+			echo "  ERROR: Variable $REPLY is missing in the parser$(report_packages $REPLY)" >&3
+			if test $RC -le 3 ; then RC=3 ; fi
+		fi
+	done
+	echo $RC
+) )
+
+echo ""
+echo "Checking that all used variables referred in login.defs are valid..."
+RC=$(cat shadow-login_defs-check-login_defs.lst | (
+	while read ; do
+		if ! grep -q -x "$REPLY" shadow-login_defs-check-all-used.lst ; then
+			echo "  ERROR: Failed to find reference for $REPLY" >&3
+			if test $RC -le 3 ; then RC=3 ; fi
+		fi
+		if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then
+			echo "  BUG: Parser does not contain reference for $REPLY" >&3
+			if test $RC -le 4 ; then RC=4 ; fi
+		fi
+	done
+	echo $RC
+) )
+
+
+echo ""
+echo ""
+echo "All checks finished."
+echo -n "Result: "
+case $RC in
+0) echo "OK." ;;
+1) echo "Notices only. Action is optional." ;;
+2) echo "Warnings only. Evaluation is needed." ;;
+3) echo "Errors found. Fix is recommended." ;;
+4) echo "Fatal error. Fix has to be done." ;;
+esac
+
+if test $RC -ge 1 ; then
+	exit 1
+fi
+
+echo "
+If you ported shadow-util-linux.patch to the new util-linux version,
+please submit these updates:
+Change in util-linux.spec:"
+sed -n 's/^Version:[[:space:]]*/Requires:       login_defs-support-for-util-linux >= /p' <openSUSE\:Factory/util-linux/util-linux.spec
+echo "Change in shadow.spec:"
+sed -n 's/^Version:[[:space:]]*/Provides:       login_defs-support-for-util-linux = /p' <openSUSE\:Factory/util-linux/util-linux.spec
+
+echo "
+If you ported encryption_method_nis.patch to the new pam version,
+please submit these updates:
+Change in pam.spec:"
+sed -n 's/^Version:[[:space:]]*/Requires:       login_defs-support-for-pam >= /p' <openSUSE\:Factory/pam/pam.spec
+echo "Change in shadow.spec:"
+sed -n 's/^Version:[[:space:]]*/Provides:       login_defs-support-for-pam = /p' <openSUSE\:Factory/pam/pam.spec
diff --git a/shadow-login_defs-comments.patch b/shadow-login_defs-comments.patch
new file mode 100644
index 0000000..87ffead
--- /dev/null
+++ b/shadow-login_defs-comments.patch
@@ -0,0 +1,87 @@
+Improve comments in login.defs.
+
+Index: etc/login.defs
+===================================================================
+--- etc/login.defs.orig
++++ etc/login.defs
+@@ -3,8 +3,6 @@
+ # Some variables are used by login(1), su(1) and runuser(1) from util-linux
+ # package as well pam pam_unix(8) from pam package.
+ #
+-#	$Id$
+-#
+ 
+ #
+ # Delay in seconds before being allowed another attempt after a login failure
+@@ -79,11 +77,14 @@ ENV_PATH	/bin:/usr/bin
+ ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/bin
+ #ENV_SUPATH	/sbin:/bin:/usr/sbin:/usr/bin
+ 
+-# If this variable is set to "yes", su will always set path. every su
+-# call will overwrite the PATH variable.
++# If this variable is set to "yes" (default is "no"), su will always set
++# path. every su call will overwrite the PATH variable.
+ #
+ # Per default, only "su -" will set a new PATH.
+ #
++# The recommended value is "yes". The default "no" behavior could have
++# a security implication in applications that use commands without path.
++#
+ ALWAYS_SET_PATH	no
+ 
+ #
+@@ -123,6 +124,11 @@ PASS_WARN_AGE	7
+ #
+ # Min/max values for automatic uid selection in useradd(8)
+ #
++# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
++# UIDs for dynamically allocated administrative and system accounts.
++# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
++# allocated user accounts.
++#
+ UID_MIN			 1000
+ UID_MAX			60000
+ # System accounts
+@@ -136,6 +142,11 @@ SUB_UID_COUNT		    65536
+ #
+ # Min/max values for automatic gid selection in groupadd(8)
+ #
++# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
++# GIDs for dynamically allocated administrative and system groups.
++# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
++# allocated groups.
++#
+ GID_MIN			 1000
+ GID_MAX			60000
+ # System accounts
+@@ -165,7 +176,6 @@ LOGIN_TIMEOUT		60
+ CHFN_RESTRICT		rwh
+ 
+ #
+-# Only works if compiled with MD5_CRYPT defined:
+ # If set to "yes", new passwords will be encrypted using the MD5-based
+ # algorithm compatible with the one used by recent releases of FreeBSD.
+ # It supports passwords of unlimited length and longer salt strings.
+@@ -180,7 +190,6 @@ CHFN_RESTRICT		rwh
+ #MD5_CRYPT_ENAB	no
+ 
+ #
+-# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+ # If set to MD5, MD5-based algorithm will be used for encrypting password
+ # If set to SHA256, SHA256-based algorithm will be used for encrypting password
+ # If set to SHA512, SHA512-based algorithm will be used for encrypting password
+@@ -196,6 +205,14 @@ CHFN_RESTRICT		rwh
+ #ENCRYPT_METHOD_NIS DES
+ 
+ #
++# Number of rounds for salt.
++# Default values:
++# Minimum number of rounds.
++#SHA_CRYPT_MIN_ROUNDS 1000
++# Maximum number of rounds.
++#SHA_CRYPT_MAX_ROUNDS 999999999
++
++#
+ # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+ #
+ # Define the number of SHA rounds.
diff --git a/shadow-login_defs-suse.patch b/shadow-login_defs-suse.patch
new file mode 100644
index 0000000..cb090cb
--- /dev/null
+++ b/shadow-login_defs-suse.patch
@@ -0,0 +1,137 @@
+Set login.defs defaults for SUSE Linux.
+
+Index: etc/login.defs
+===================================================================
+--- etc/login.defs.orig
++++ etc/login.defs
+@@ -3,6 +3,9 @@
+ # Some variables are used by login(1), su(1) and runuser(1) from util-linux
+ # package as well pam pam_unix(8) from pam package.
+ #
++# For more, see login.defs(5). Please note that SUSE supports only variables
++# listed here! Not listed variables from login.defs(5) have no effect.
++#
+ 
+ #
+ # Delay in seconds before being allowed another attempt after a login failure
+@@ -53,8 +56,8 @@ MOTD_FILE	/etc/motd
+ # user's name or shell are found in the file.  If not a full pathname, then
+ # hushed mode will be enabled if the file exists in the user's home directory.
+ #
+-HUSHLOGIN_FILE	.hushlogin
+-#HUSHLOGIN_FILE	/etc/hushlogins
++#HUSHLOGIN_FILE	.hushlogin
++HUSHLOGIN_FILE	/etc/hushlogins
+ 
+ # If this variable is set to "yes", hostname will be suppressed in the
+ # login: prompt.
+@@ -73,9 +76,9 @@ HUSHLOGIN_FILE	.hushlogin
+ # ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
+ # (and falback for login).
+ #
+-ENV_PATH	/bin:/usr/bin
+-ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/bin
+-#ENV_SUPATH	/sbin:/bin:/usr/sbin:/usr/bin
++ENV_PATH	/usr/local/bin:/bin:/usr/bin
++ENV_ROOTPATH	/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
++#ENV_SUPATH	/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+ 
+ # If this variable is set to "yes" (default is "no"), su will always set
+ # path. every su call will overwrite the PATH variable.
+@@ -99,7 +102,7 @@ ALWAYS_SET_PATH	no
+ # set TTYPERM to either 622 or 600.
+ #
+ TTYGROUP	tty
+-TTYPERM		0600
++TTYPERM		0620
+ 
+ # Default initial "umask" value used by login(1) on non-PAM enabled systems.
+ # Default "umask" value for pam_umask(8) on PAM enabled systems.
+@@ -132,8 +135,8 @@ PASS_WARN_AGE	7
+ UID_MIN			 1000
+ UID_MAX			60000
+ # System accounts
+-SYS_UID_MIN		  101
+-SYS_UID_MAX		  999
++SYS_UID_MIN		  100
++SYS_UID_MAX		  499
+ # Extra per user uids
+ SUB_UID_MIN		   100000
+ SUB_UID_MAX		600100000
+@@ -150,8 +153,8 @@ SUB_UID_COUNT		    65536
+ GID_MIN			 1000
+ GID_MAX			60000
+ # System accounts
+-SYS_GID_MIN		  101
+-SYS_GID_MAX		  999
++SYS_GID_MIN		  100
++SYS_GID_MAX		  499
+ # Extra per user group ids
+ SUB_GID_MIN		   100000
+ SUB_GID_MAX		600100000
+@@ -160,7 +163,7 @@ SUB_GID_COUNT		    65536
+ #
+ # Max number of login(1) retries if password is bad
+ #
+-LOGIN_RETRIES		5
++LOGIN_RETRIES		3
+ 
+ #
+ # Max time in seconds for login(1)
+@@ -176,18 +179,9 @@ LOGIN_TIMEOUT		60
+ CHFN_RESTRICT		rwh
+ 
+ #
+-# If set to "yes", new passwords will be encrypted using the MD5-based
+-# algorithm compatible with the one used by recent releases of FreeBSD.
+-# It supports passwords of unlimited length and longer salt strings.
+-# Set to "no" if you need to copy encrypted passwords to other systems
+-# which don't understand the new algorithm.  Default is "no".
+-#
+-# Note: If you use PAM, it is recommended to use a value consistent with
+-# the PAM modules configuration.
+-#
+-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
++# This variable is deprecated. Use ENCRYPT_METHOD instead!
+ #
+-#MD5_CRYPT_ENAB	no
++#MD5_CRYPT_ENAB	DO_NOT_USE
+ 
+ #
+ # If set to MD5, MD5-based algorithm will be used for encrypting password
+@@ -201,8 +195,8 @@ CHFN_RESTRICT		rwh
+ # Note: If you use PAM, it is recommended to use a value consistent with
+ # the PAM modules configuration.
+ #
+-#ENCRYPT_METHOD DES
+-#ENCRYPT_METHOD_NIS DES
++ENCRYPT_METHOD SHA512
++ENCRYPT_METHOD_NIS DES
+ 
+ #
+ # Number of rounds for salt.
+@@ -271,7 +265,7 @@ USERDEL_POSTCMD         /usr/sbin/userde
+ #
+ # This also enables userdel(8) to remove user groups if no members exist.
+ #
+-USERGROUPS_ENAB yes
++USERGROUPS_ENAB no
+ 
+ #
+ # If set to a non-zero number, the shadow utilities will make sure that
+@@ -290,13 +284,13 @@ USERGROUPS_ENAB yes
+ # This option is overridden with the -M or -m flags on the useradd(8)
+ # command-line.
+ #
+-#CREATE_HOME     yes
++CREATE_HOME     no
+ 
+ #
+ # Force use shadow, even if shadow passwd & shadow group files are
+ # missing.
+ #
+-#FORCE_SHADOW    yes
++FORCE_SHADOW    no
+ 
+ #
+ # User/group names must match the following regex expression.
diff --git a/shadow-login_defs.patch b/shadow-login_defs-unused-by-pam.patch
similarity index 52%
rename from shadow-login_defs.patch
rename to shadow-login_defs-unused-by-pam.patch
index f70c903..4fbae3f 100644
--- a/shadow-login_defs.patch
+++ b/shadow-login_defs-unused-by-pam.patch
@@ -1,17 +1,14 @@
+Remove variables that are present in login.defs, but shadow with the
+current configuration (e. g. with PAM) does not use them.
+
+shadow-login_defs-unused-check.sh makes possible to verify that it is
+still up to date.
+
 Index: etc/login.defs
 ===================================================================
 --- etc/login.defs.orig
 +++ etc/login.defs
-@@ -1,8 +1,5 @@
- #
- # /etc/login.defs - Configuration control definitions for the shadow package.
--#
--#	$Id$
--#
- 
- #
- # Delay in seconds before being allowed another attempt after a login failure
-@@ -12,11 +9,6 @@
+@@ -12,11 +12,6 @@
  FAIL_DELAY		3
  
  #
@@ -23,7 +20,7 @@ Index: etc/login.defs
  # Enable display of unknown usernames when login(1) failures are recorded.
  #
  LOG_UNKFAIL_ENAB	no
-@@ -27,34 +19,6 @@ LOG_UNKFAIL_ENAB	no
+@@ -27,34 +22,6 @@ LOG_UNKFAIL_ENAB	no
  LOG_OK_LOGINS		no
  
  #
@@ -58,7 +55,7 @@ Index: etc/login.defs
  # Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
  # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
  #
-@@ -82,75 +46,31 @@ MOTD_FILE	/etc/motd
+@@ -82,46 +49,12 @@ MOTD_FILE	/etc/motd
  #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
  
  #
@@ -105,12 +102,10 @@ Index: etc/login.defs
  # If defined, file which inhibits all the usual chatter during the login
  # sequence.  If a full pathname, then hushed mode will be enabled if the
  # user's name or shell are found in the file.  If not a full pathname, then
- # hushed mode will be enabled if the file exists in the user's home directory.
+@@ -131,21 +64,6 @@ HUSHLOGIN_FILE	.hushlogin
+ #HUSHLOGIN_FILE	/etc/hushlogins
+ 
  #
--HUSHLOGIN_FILE	.hushlogin
--#HUSHLOGIN_FILE	/etc/hushlogins
--
--#
 -# If defined, either a TZ environment parameter spec or the
 -# fully-rooted pathname of a file containing such a spec.
 -#
@@ -124,33 +119,12 @@ Index: etc/login.defs
 -ENV_HZ		HZ=100
 -# For Linux/Alpha...
 -#ENV_HZ		HZ=1024
-+# HUSHLOGIN_FILE	.hushlogin
-+HUSHLOGIN_FILE	/etc/hushlogins
- 
- #
+-
+-#
  # *REQUIRED*  The default PATH settings, for superuser and normal users.
  #
  # (they are minimal, add the rest in the shell startup files)
- ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
--ENV_PATH	PATH=/bin:/usr/bin
-+ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin
-+
-+#
-+# The default PATH settings for root (used by login):
-+#
-+ENV_ROOTPATH            /sbin:/bin:/usr/sbin:/usr/bin
- 
- #
- # Terminal permissions
-@@ -164,24 +84,20 @@ ENV_PATH	PATH=/bin:/usr/bin
- # set TTYPERM to either 622 or 600.
- #
- TTYGROUP	tty
--TTYPERM		0600
-+TTYPERM		0620
- 
- #
- # Login configuration initializations:
+@@ -171,17 +89,13 @@ TTYPERM		0600
  #
  #	ERASECHAR	Terminal ERASE character ('\010' = backspace).
  #	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
@@ -168,7 +142,7 @@ Index: etc/login.defs
  
  # Default initial "umask" value used by login(1) on non-PAM enabled systems.
  # Default "umask" value for pam_umask(8) on PAM enabled systems.
-@@ -197,35 +113,25 @@ UMASK		022
+@@ -197,28 +111,13 @@ UMASK		022
  #
  #	PASS_MAX_DAYS	Maximum number of days a password may be used.
  #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
@@ -196,50 +170,8 @@ Index: etc/login.defs
 -#
  # Min/max values for automatic uid selection in useradd(8)
  #
-+# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
-+# UIDs for dynamically allocated administrative and system accounts.
-+# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
-+# allocated user accounts.
-+#
  UID_MIN			 1000
- UID_MAX			60000
- # System accounts
--SYS_UID_MIN		  101
--SYS_UID_MAX		  999
-+SYS_UID_MIN		  100
-+SYS_UID_MAX		  499
- # Extra per user uids
- SUB_UID_MIN		   100000
- SUB_UID_MAX		600100000
-@@ -234,11 +140,16 @@ SUB_UID_COUNT		    65536
- #
- # Min/max values for automatic gid selection in groupadd(8)
- #
-+# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
-+# GIDs for dynamically allocated administrative and system groups.
-+# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
-+# allocated groups.
-+#
- GID_MIN			 1000
- GID_MAX			60000
- # System accounts
--SYS_GID_MIN		  101
--SYS_GID_MAX		  999
-+SYS_GID_MIN		  100
-+SYS_GID_MAX		  499
- # Extra per user group ids
- SUB_GID_MIN		   100000
- SUB_GID_MAX		600100000
-@@ -247,7 +158,7 @@ SUB_GID_COUNT		    65536
- #
- # Max number of login(1) retries if password is bad
- #
--LOGIN_RETRIES		5
-+LOGIN_RETRIES		3
- 
- #
- # Max time in seconds for login(1)
-@@ -255,28 +166,6 @@ LOGIN_RETRIES		5
+@@ -255,28 +154,6 @@ LOGIN_RETRIES		5
  LOGIN_TIMEOUT		60
  
  #
@@ -268,7 +200,7 @@ Index: etc/login.defs
  # Which fields may be changed by regular users using chfn(1) - use
  # any combination of letters "frwh" (full name, room number, work
  # phone, home phone).  If not defined, no changes are allowed.
-@@ -285,28 +174,6 @@ CHFN_AUTH		yes
+@@ -285,13 +162,6 @@ CHFN_AUTH		yes
  CHFN_RESTRICT		rwh
  
  #
@@ -279,35 +211,27 @@ Index: etc/login.defs
 -#LOGIN_STRING		"%s's Password: "
 -
 -#
--# Only works if compiled with MD5_CRYPT defined:
--# If set to "yes", new passwords will be encrypted using the MD5-based
--# algorithm compatible with the one used by recent releases of FreeBSD.
--# It supports passwords of unlimited length and longer salt strings.
--# Set to "no" if you need to copy encrypted passwords to other systems
--# which don't understand the new algorithm.  Default is "no".
--#
--# Note: If you use PAM, it is recommended to use a value consistent with
--# the PAM modules configuration.
--#
--# This variable is deprecated. You should use ENCRYPT_METHOD instead.
--#
--#MD5_CRYPT_ENAB	no
--
--#
- # Only works if compiled with ENCRYPTMETHOD_SELECT defined:
- # If set to MD5, MD5-based algorithm will be used for encrypting password
- # If set to SHA256, SHA256-based algorithm will be used for encrypting password
-@@ -317,7 +184,8 @@ CHFN_RESTRICT		rwh
- # Note: If you use PAM, it is recommended to use a value consistent with
- # the PAM modules configuration.
- #
--#ENCRYPT_METHOD DES
-+ENCRYPT_METHOD SHA512
-+ENCRYPT_METHOD_NIS DES
+ # Only works if compiled with MD5_CRYPT defined:
+ # If set to "yes", new passwords will be encrypted using the MD5-based
+ # algorithm compatible with the one used by recent releases of FreeBSD.
+@@ -336,29 +206,12 @@ CHFN_RESTRICT		rwh
+ # SHA_CRYPT_MAX_ROUNDS 5000
  
  #
- # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
-@@ -353,16 +221,12 @@ CHFN_RESTRICT		rwh
+-# List of groups to add to the user's supplementary group set
+-# when logging in from the console (as determined by the CONSOLE
+-# setting).  Default is none.
+-#
+-# Use with caution - it is possible for users to gain permanent
+-# access to these groups, even when not logged in from the console.
+-# How to do it is left as an exercise for the reader...
+-#
+-#CONSOLE_GROUPS		floppy:audio:cdrom
+-
+-#
+ # Should login be allowed if we can't cd to the home directory?
+ # Default is no.
+ #
  DEFAULT_HOME	yes
  
  #
@@ -320,68 +244,3 @@ Index: etc/login.defs
  # If defined, this command is run when removing a user.
  # It should remove any at/cron/print jobs etc. owned by
  # the user to be removed (passed as the first argument).
- #
-+# See USERDEL_PRECMD/POSTCMD below.
-+#
- #USERDEL_CMD	/usr/sbin/userdel_local
- 
- #
-@@ -372,7 +236,7 @@ ENVIRON_FILE	/etc/environment
- #
- # This also enables userdel(8) to remove user groups if no members exist.
- #
--USERGROUPS_ENAB yes
-+USERGROUPS_ENAB no
- 
- #
- # If set to a non-zero number, the shadow utilities will make sure that
-@@ -391,10 +255,47 @@ USERGROUPS_ENAB yes
- # This option is overridden with the -M or -m flags on the useradd(8)
- # command-line.
- #
--#CREATE_HOME     yes
-+CREATE_HOME     no
- 
- #
- # Force use shadow, even if shadow passwd & shadow group files are
- # missing.
- #
--#FORCE_SHADOW    yes
-+FORCE_SHADOW    no
-+
-+#
-+# User/group names must match the following regex expression.
-+# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
-+# but be aware that the result could depend on the locale settings.
-+#
-+#CHARACTER_CLASS                [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
-+CHARACTER_CLASS         [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
-+
-+#
-+# If defined, this command is run when adding a group.
-+# It should rebuild any NIS database etc. to add the
-+# new created group.
-+#
-+GROUPADD_CMD             /usr/sbin/groupadd.local
-+
-+#
-+# If defined, this command is run when adding a user.
-+# It should rebuild any NIS database etc. to add the
-+# new created account.
-+#
-+USERADD_CMD             /usr/sbin/useradd.local
-+
-+#
-+# If defined, this command is run before removing a user.
-+# It should remove any at/cron/print jobs etc. owned by
-+# the user to be removed.
-+#
-+USERDEL_PRECMD          /usr/sbin/userdel-pre.local
-+
-+#
-+# If defined, this command is run after removing a user.
-+# It should rebuild any NIS database etc. to remove the
-+# account from it.
-+#
-+USERDEL_POSTCMD         /usr/sbin/userdel-post.local
-+
diff --git a/shadow-util-linux.patch b/shadow-util-linux.patch
new file mode 100644
index 0000000..1c5e558
--- /dev/null
+++ b/shadow-util-linux.patch
@@ -0,0 +1,119 @@
+Add variables referred by util-linux login, runuser and su, but not by
+shadow.
+
+Delete variables used by shadow implementation of login, su and runuser
+that has no use in util-linux implementation.
+
+Index: etc/login.defs
+===================================================================
+--- etc/login.defs.orig
++++ etc/login.defs
+@@ -1,5 +1,7 @@
+ #
+ # /etc/login.defs - Configuration control definitions for the shadow package.
++# Some variables are used by login(1), su(1) and runuser(1) from util-linux
++# package as well pam pam_unix(8) from pam package.
+ #
+ #	$Id$
+ #
+@@ -17,15 +19,8 @@ FAIL_DELAY		3
+ LOG_UNKFAIL_ENAB	no
+ 
+ #
+-# Enable logging of successful logins
++# Enable "syslog" logging of  newgrp(1) and sg(1) activity.
+ #
+-LOG_OK_LOGINS		no
+-
+-#
+-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
+-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
+-#
+-SYSLOG_SU_ENAB		yes
+ SYSLOG_SG_ENAB		yes
+ 
+ #
+@@ -63,12 +58,33 @@ MOTD_FILE	/etc/motd
+ HUSHLOGIN_FILE	.hushlogin
+ #HUSHLOGIN_FILE	/etc/hushlogins
+ 
++# If this variable is set to "yes", hostname will be suppressed in the
++# login: prompt.
++#LOGIN_PLAIN_PROMPT	no
++
+ #
+ # *REQUIRED*  The default PATH settings, for superuser and normal users.
+ #
+ # (they are minimal, add the rest in the shell startup files)
+-ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
+-ENV_PATH	PATH=/bin:/usr/bin
++#
++# ENV_PATH: The default PATH settings for non-root.
++#
++# ENV_ROOTPATH: The default PATH settings for root
++# (used by login, su and runuser).
++#
++# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
++# (and falback for login).
++#
++ENV_PATH	/bin:/usr/bin
++ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/bin
++#ENV_SUPATH	/sbin:/bin:/usr/sbin:/usr/bin
++
++# If this variable is set to "yes", su will always set path. every su
++# call will overwrite the PATH variable.
++#
++# Per default, only "su -" will set a new PATH.
++#
++ALWAYS_SET_PATH	no
+ 
+ #
+ # Terminal permissions
+@@ -84,19 +100,6 @@ ENV_PATH	PATH=/bin:/usr/bin
+ TTYGROUP	tty
+ TTYPERM		0600
+ 
+-#
+-# Login configuration initializations:
+-#
+-#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+-#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+-#
+-# The ERASECHAR and KILLCHAR are used only on System V machines.
+-#
+-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+-#
+-ERASECHAR	0177
+-KILLCHAR	025
+-
+ # Default initial "umask" value used by login(1) on non-PAM enabled systems.
+ # Default "umask" value for pam_umask(8) on PAM enabled systems.
+ # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+Index: lib/getdef.c
+===================================================================
+--- lib/getdef.c.orig
++++ lib/getdef.c
+@@ -77,6 +77,7 @@ struct itemdef {
+ 
+ #define NUMDEFS	(sizeof(def_table)/sizeof(def_table[0]))
+ static struct itemdef def_table[] = {
++	{"ALWAYS_SET_PATH", NULL},
+ 	{"CHARACTER_CLASS", NULL},
+ 	{"CHFN_RESTRICT", NULL},
+ 	{"CONSOLE_GROUPS", NULL},
+@@ -85,6 +86,7 @@ static struct itemdef def_table[] = {
+ 	{"DEFAULT_HOME", NULL},
+ 	{"ENCRYPT_METHOD", NULL},
+ 	{"ENV_PATH", NULL},
++	{"ENV_ROOTPATH", NULL},
+ 	{"ENV_SUPATH", NULL},
+ 	{"ERASECHAR", NULL},
+ 	{"FAIL_DELAY", NULL},
+@@ -93,6 +95,7 @@ static struct itemdef def_table[] = {
+ 	{"GID_MIN", NULL},
+ 	{"HUSHLOGIN_FILE", NULL},
+ 	{"KILLCHAR", NULL},
++	{"LOGIN_PLAIN_PROMPT", NULL},
+ 	{"LOGIN_RETRIES", NULL},
+ 	{"LOGIN_TIMEOUT", NULL},
+ 	{"LOG_OK_LOGINS", NULL},
diff --git a/shadow.changes b/shadow.changes
index 2e95800..f6d2567 100644
--- a/shadow.changes
+++ b/shadow.changes
@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Tue Apr 30 22:27:14 CEST 2019 - sbrabec@suse.com
+
+- Split shadow-login_defs.patch hunks to its logical components
+  (bsc#1121197):
+  * shadow-login_defs-unused-by-pam.patch
+  * shadow-login_defs-comments.patch
+  * shadow-login_defs-util-linux.patch
+  * shadow-login_defs-suse.patch
+  * Move appropriate hunks to chkname-regex.patch and
+    encryption_method_nis.patch
+  * Remove GROUPADD_CMD that is not supported (bsc#1121197#c14).
+- Split getdef-new-defs.patch hunks to its logical components
+  (bsc#1121197):
+  * encryption_method_nis.patch
+  * chkname-regex.patch
+  * shadow-util-linux.patch
+    Add support for login: ALWAYS_SET_PATH and LOGIN_PLAIN_PROMPT.
+  * useradd-script.patch, userdel-script.patch
+  * Remove duplicated definitions of MOTD_FILE and ENV_PATH.
+- Add shadow-login_defs-unused-check.sh to allow verification of
+  login.defs variable usage (bsc#1121197).
+- Add virtual symbols for login.defs compatibility (bsc#1121197).
+
 -------------------------------------------------------------------
 Wed Jan 23 09:35:01 UTC 2019 - adam.majer@suse.de
 
diff --git a/shadow.spec b/shadow.spec
index d7363bd..0c19d14 100644
--- a/shadow.spec
+++ b/shadow.spec
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -33,18 +33,37 @@ Source6:        shadow.service
 Source7:        shadow.timer
 Source42:       https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
 Source43:       %{name}.keyring
-Patch0:         shadow-login_defs.patch
+# SOURCE-FEATURE-SUSE shadow-login_defs-check.sh sbrabec@suse.com -- Supplementary script that verifies coverage of variables in shadow-login_defs-unused-by-pam.patch and other patches.
+Source44:       shadow-login_defs-check.sh
+# PATCH-FIX-SUSE shadow-login_defs-unused-by-pam.patch kukuk@suse.com -- Remove variables that have no use with PAM.
+Patch0:         shadow-login_defs-unused-by-pam.patch
+# PATCH-FEATURE-SUSE userdel-script.patch kukuk@suse.com -- Add support for USERDEL_PRECMD and USERDEL_POSTCMD.
 Patch1:         userdel-script.patch
+# PATCH-FEATURE-SUSE useradd-script.patch kukuk@suse.com -- Add support for USERADD_CMD.
 Patch2:         useradd-script.patch
+# PATCH-FEATURE-SUSE chkname-regex.patch kukuk@suse.com -- Username restriction by regex.
 Patch3:         chkname-regex.patch
+# PATCH-FEATURE-SUSE useradd-default.patch kukuk@suse.com -- Change useradd defaults group to 1000.
 Patch4:         useradd-default.patch
-Patch5:         getdef-new-defs.patch
+# PATCH-FEATURE-SUSE shadow-util-linux.patch sbrabec@suse.com -- Add support for util-linux specific variables, delete shadow login, su runuser specific.
+Patch5:         shadow-util-linux.patch
+# PATCH-FEATURE-FEDORA shadow-4.1.5.1-userdel-helpfix.patch christian.brauner@mailbox.org -- Give a hint about what happens when you force the removal of a user.
 Patch6:         shadow-4.1.5.1-userdel-helpfix.patch
+# PATCH-FIX-FEDORA shadow-4.1.5.1-userdel-helpfix.patch kukuk@suse.com -- Fix error message.
 Patch7:         shadow-4.1.5.1-logmsg.patch
+# PATCH-FEATURE-SUSE encryption_method_nis.patch kukuk@suse.com -- Add support for ENCRYPT_METHOD_NIS used by SUSE patch in pam (pam_unix).
 Patch10:        encryption_method_nis.patch
+# PATCH-FIX-SUSE useradd-mkdirs.patch bnc865563 tbehrens@suse.com -- Create all parts of the path.
 Patch11:        useradd-mkdirs.patch
+# PATCH-FIX-SUSE shadow-4.6.0-fix-usermod-prefix-crash.patch https://github.com/shadow-maint/shadow/issues/110 mvetter@suse.com -- Fixes crash in usermod when called with --prefix.
 Patch12:        shadow-4.6.0-fix-usermod-prefix-crash.patch
+# PATCH-FEATURE-SUSE shadow-login_defs-comments.patch kukuk@suse.com -- Adjust login.defs comments.
+Patch13:        shadow-login_defs-comments.patch
+# PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs.
+Patch14:        shadow-login_defs-suse.patch
+# PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
 Patch20:        disable_new_audit_function.patch
+# PATCH-FEATURE-SUSE btrfs-subvolumes.patch fate316134 adam.majer@suse.de -- Add support for btrfs subvolumes for user homes.
 Patch21:        btrfs-subvolumes.patch
 BuildRequires:  audit-devel > 2.3
 BuildRequires:  autoconf
@@ -62,6 +81,13 @@ Requires(pre):  user(root)
 PreReq:         permissions
 Provides:       pwdutils = 3.2.20
 Obsoletes:      pwdutils <= 3.2.19
+# Virtual provides for supported variables in login.defs.
+# It prevents references to unknown variables.
+# Upgrade them only if shadow-util-linux.patch or
+# encryption_method_nis.patch has to be ported!
+# Call shadow-login_defs-check.sh before!
+Provides:       login_defs-support-for-pam = 1.3.1
+Provides:       login_defs-support-for-util-linux = 2.33.1
 
 %description
 This package includes the necessary programs for converting plain
@@ -71,7 +97,7 @@ group accounts.
 %prep
 %setup -q -a 1
 %patch0
-%patch1 -p1
+%patch1
 %patch2
 %patch3
 %patch4
@@ -81,6 +107,8 @@ group accounts.
 %patch10
 %patch11 -p1
 %patch12 -p1
+%patch13
+%patch14
 %if 0%{?suse_version} < 1330
 %patch20 -p1
 %endif
diff --git a/useradd-script.patch b/useradd-script.patch
index 22f99e2..880c142 100644
--- a/useradd-script.patch
+++ b/useradd-script.patch
@@ -1,6 +1,38 @@
---- src/useradd.c
+Index: etc/login.defs
+===================================================================
+--- etc/login.defs.orig
++++ etc/login.defs
+@@ -212,6 +212,13 @@ CHFN_RESTRICT		rwh
+ DEFAULT_HOME	yes
+ 
+ #
++# If defined, this command is run when adding a user.
++# It should rebuild any NIS database etc. to add the
++# new created account.
++#
++USERADD_CMD             /usr/sbin/useradd.local
++
++#
+ # If defined, this command is run when removing a user.
+ # It should remove any at/cron/print jobs etc. owned by
+ # the user to be removed (passed as the first argument).
+Index: lib/getdef.c
+===================================================================
+--- lib/getdef.c.orig
++++ lib/getdef.c
+@@ -125,6 +125,7 @@ static struct itemdef def_table[] = {
+ 	{"UID_MAX", NULL},
+ 	{"UID_MIN", NULL},
+ 	{"UMASK", NULL},
++	{"USERADD_CMD", NULL},
+ 	{"USERDEL_CMD", NULL},
+ 	{"USERDEL_PRECMD", NULL},
+ 	{"USERDEL_POSTCMD", NULL},
+Index: src/useradd.c
+===================================================================
+--- src/useradd.c.orig
 +++ src/useradd.c
-@@ -1982,6 +1982,30 @@ static void create_mail (void)
+@@ -2115,6 +2115,30 @@ static void create_mail (void)
  }
  
  /*
@@ -31,7 +63,7 @@
   * main - useradd command
   */
  int main (int argc, char **argv)
-@@ -2242,6 +2266,7 @@ int main (int argc, char **argv)
+@@ -2390,6 +2414,7 @@ int main (int argc, char **argv)
  	nscd_flush_cache ("passwd");
  	nscd_flush_cache ("group");
  
diff --git a/userdel-script.patch b/userdel-script.patch
index 1aae489..e4b93a0 100644
--- a/userdel-script.patch
+++ b/userdel-script.patch
@@ -1,7 +1,51 @@
-diff -urEbwB shadow-4.6/src/userdel.c shadow-4.6.new/src/userdel.c
---- shadow-4.6/src/userdel.c	2018-04-29 18:42:37.000000000 +0200
-+++ shadow-4.6.new/src/userdel.c	2018-05-14 16:13:43.996280216 +0200
-@@ -125,7 +125,7 @@
+Index: lib/getdef.c
+===================================================================
+--- lib/getdef.c.orig
++++ lib/getdef.c
+@@ -126,6 +126,8 @@ static struct itemdef def_table[] = {
+ 	{"UID_MIN", NULL},
+ 	{"UMASK", NULL},
+ 	{"USERDEL_CMD", NULL},
++	{"USERDEL_PRECMD", NULL},
++	{"USERDEL_POSTCMD", NULL},
+ 	{"USERGROUPS_ENAB", NULL},
+ #ifndef USE_PAM
+ 	PAMDEFS
+Index: etc/login.defs
+===================================================================
+--- etc/login.defs.orig
++++ etc/login.defs
+@@ -216,9 +216,25 @@ DEFAULT_HOME	yes
+ # It should remove any at/cron/print jobs etc. owned by
+ # the user to be removed (passed as the first argument).
+ #
++# See also USERDEL_PRECMD and USERDEL_POSTCMD below.
++#
+ #USERDEL_CMD	/usr/sbin/userdel_local
+ 
+ #
++# If defined, this command is run before removing a user.
++# It should remove any at/cron/print jobs etc. owned by
++# the user to be removed.
++#
++USERDEL_PRECMD          /usr/sbin/userdel-pre.local
++
++#
++# If defined, this command is run after removing a user.
++# It should rebuild any NIS database etc. to remove the
++# account from it.
++#
++USERDEL_POSTCMD         /usr/sbin/userdel-post.local
++
++#
+ # Enable setting of the umask group bits to be the same as owner bits
+ # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+ # the same as gid, and username is the same as the primary group name.
+Index: src/userdel.c
+===================================================================
+--- src/userdel.c.orig
++++ src/userdel.c
+@@ -125,7 +125,7 @@ static void close_files (void);
  static void fail_exit (int);
  static void open_files (void);
  static void update_user (void);
@@ -10,7 +54,7 @@ diff -urEbwB shadow-4.6/src/userdel.c shadow-4.6.new/src/userdel.c
  
  #ifdef EXTRA_CHECK_HOME_DIR
  static bool path_prefix (const char *, const char *);
-@@ -767,13 +767,13 @@
+@@ -767,13 +767,13 @@ static void update_user (void)
   *	cron, at, or print jobs.
   */
  
@@ -26,7 +70,7 @@ diff -urEbwB shadow-4.6/src/userdel.c shadow-4.6.new/src/userdel.c
  	if (NULL == cmd) {
  		return;
  	}
-@@ -1213,9 +1213,10 @@
+@@ -1213,9 +1213,10 @@ int main (int argc, char **argv)
  	}
  
  	/*
@@ -35,20 +79,20 @@ diff -urEbwB shadow-4.6/src/userdel.c shadow-4.6.new/src/userdel.c
 +	 * Do the hard stuff - open the files, remove the user entries,
 +	 * remove the home directory, then close and update the files.
  	 */
-+	call_script ("USERDEL_PRECMD", user_name); 
++	call_script ("USERDEL_PRECMD", user_name);
  	open_files ();
  	update_user ();
  	update_groups ();
-@@ -1319,7 +1320,7 @@
+@@ -1319,7 +1320,7 @@ int main (int argc, char **argv)
  	 * the entry from /etc/passwd.
  	 */
  	if(prefix[0] == '\0')
 -		user_cancel (user_name);
-+		call_script ("USERDEL_CMD", user_name); 
++		call_script ("USERDEL_CMD", user_name);
  	close_files ();
  
  #ifdef WITH_TCB
-@@ -1329,6 +1330,9 @@
+@@ -1329,6 +1330,9 @@ int main (int argc, char **argv)
  	nscd_flush_cache ("passwd");
  	nscd_flush_cache ("group");