diff --git a/SOURCES/pam-1.1.8-faillock-never.patch b/SOURCES/pam-1.1.8-faillock-never.patch
new file mode 100644
index 0000000..be84329
--- /dev/null
+++ b/SOURCES/pam-1.1.8-faillock-never.patch
@@ -0,0 +1,91 @@
+diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.never Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c
+--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.never	2016-03-03 10:01:15.000000000 +0100
++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c	2016-04-22 14:31:34.239752334 +0200
+@@ -125,17 +125,26 @@ args_parse(pam_handle_t *pamh, int argc,
+ 		}
+ 		else if (strncmp(argv[i], "unlock_time=", 12) == 0) {
+ 			unsigned int temp;
+-			if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
++
++			if (strcmp(argv[i]+12, "never") == 0) {
++				opts->unlock_time = 0;
++			}
++			else if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
+ 				temp > MAX_TIME_INTERVAL) {
+ 				pam_syslog(pamh, LOG_ERR,
+ 					"Bad number supplied for unlock_time argument");
+-        		} else {
++			}
++			else {
+ 				opts->unlock_time = temp;
+ 			}
+ 		}
+ 		else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) {
+ 			unsigned int temp;
+-			if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
++
++			if (strcmp(argv[i]+17, "never") == 0) {
++				opts->root_unlock_time = 0;
++			}
++			else if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
+ 				temp > MAX_TIME_INTERVAL) {
+ 				pam_syslog(pamh, LOG_ERR,
+ 					"Bad number supplied for root_unlock_time argument");
+@@ -258,8 +267,8 @@ check_tally(pam_handle_t *pamh, struct o
+ 	}
+ 
+ 	if (opts->deny && failures >= opts->deny) {
+-		if ((opts->uid && latest_time + opts->unlock_time < opts->now) ||
+-			(!opts->uid && latest_time + opts->root_unlock_time < opts->now)) {
++		if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
++			(!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
+ #ifdef HAVE_LIBAUDIT
+ 			if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
+ 				char buf[64];
+@@ -420,11 +429,17 @@ faillock_message(pam_handle_t *pamh, str
+ 			left = opts->latest_time + opts->root_unlock_time - opts->now;
+ 		}
+ 
+-		left /= 60; /* minutes */
++		if (left > 0) {
++			left = (left + 59)/60; /* minutes */
+ 
+-		pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
+-			opts->failures);
+-		pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
++			pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
++				opts->failures);
++			pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
++		}
++		else {
++			pam_info(pamh, _("Account locked due to %d failed logins"),
++				opts->failures);
++		}
+ 	}
+ }
+ 
+diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.never Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml
+--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.never	2016-04-22 15:25:57.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml	2016-04-28 16:43:14.109794294 +0200
+@@ -201,6 +201,21 @@
+                   <replaceable>n</replaceable> seconds after the lock out.
+                   The default is 600 (10 minutes).
+                 </para>
++                <para>
++                  If the <replaceable>n</replaceable> is set to never or 0
++                  the access will not be reenabled at all until administrator
++                  explicitly reenables it with the <command>faillock</command> command.
++                  Note though that the default directory that <emphasis>pam_faillock</emphasis>
++                  uses is usually cleared on system boot so the access will be also reenabled
++                  after system reboot. If that is undesirable a different tally directory
++                  must be set with the <option>dir</option> option.
++                </para>
++                <para>
++                  Also note that it is usually undesirable to permanently lock
++                  out the users as they can become easily a target of denial of service
++                  attack unless the usernames are random and kept secret to potential
++                  attackers.
++                </para>
+               </listitem>
+             </varlistentry>
+             <varlistentry>
diff --git a/SOURCES/pam-1.1.8-lastlog-localtime.patch b/SOURCES/pam-1.1.8-lastlog-localtime.patch
new file mode 100644
index 0000000..8108ff2
--- /dev/null
+++ b/SOURCES/pam-1.1.8-lastlog-localtime.patch
@@ -0,0 +1,22 @@
+diff -up Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.localtime Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c
+--- Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.localtime	2016-03-03 10:01:15.000000000 +0100
++++ Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c	2016-04-22 15:24:10.085018141 +0200
+@@ -276,12 +276,12 @@ last_login_read(pam_handle_t *pamh, int
+ 		time_t ll_time;
+ 
+ 		ll_time = last_login.ll_time;
+-		tm = localtime_r (&ll_time, &tm_buf);
+-		strftime (the_time, sizeof (the_time),
+-	        /* TRANSLATORS: "strftime options for date of last login" */
+-			  _(" %a %b %e %H:%M:%S %Z %Y"), tm);
+-
+-		date = the_time;
++		if ((tm = localtime_r (&ll_time, &tm_buf)) != NULL) {
++			strftime (the_time, sizeof (the_time),
++		        /* TRANSLATORS: "strftime options for date of last login" */
++				  _(" %a %b %e %H:%M:%S %Z %Y"), tm);
++			date = the_time;
++	    	}
+ 	    }
+ 
+ 	    /* we want & have the host? */
diff --git a/SOURCES/pam-1.1.8-loginuid-log-auditd.patch b/SOURCES/pam-1.1.8-loginuid-log-auditd.patch
new file mode 100644
index 0000000..6ccadc7
--- /dev/null
+++ b/SOURCES/pam-1.1.8-loginuid-log-auditd.patch
@@ -0,0 +1,19 @@
+diff -up Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.log-auditd Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c
+--- Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.log-auditd	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c	2016-04-22 14:21:35.868204427 +0200
+@@ -195,9 +195,12 @@ _pam_loginuid(pam_handle_t *pamh, int fl
+ 		argv++;
+ 	}
+ 
+-	if (require_auditd)
+-		return check_auditd();
+-	else
++	if (require_auditd) {
++		int rc = check_auditd();
++		if (rc != PAM_SUCCESS)
++			pam_syslog(pamh, LOG_ERR, "required running auditd not detected");
++		return rc;
++	} else
+ #endif
+ 		return PAM_SUCCESS;
+ }
diff --git a/SOURCES/pam-1.1.8-man-delay.patch b/SOURCES/pam-1.1.8-man-delay.patch
new file mode 100644
index 0000000..5a4833a
--- /dev/null
+++ b/SOURCES/pam-1.1.8-man-delay.patch
@@ -0,0 +1,30 @@
+diff -up Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml.delay Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml
+--- Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml.delay	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml	2016-05-30 12:08:40.708053159 +0200
+@@ -39,7 +39,7 @@
+       <citerefentry>
+         <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
+       </citerefentry> fail, the failing return to the application is
+-      delayed by an amount of time randomly distributed (by up to 25%)
++      delayed by an amount of time randomly distributed (by up to 50%)
+       about this longest value.
+     </para>
+     <para>
+@@ -135,7 +135,7 @@ void (*delay_fn)(int retval, unsigned us
+ 
+     <para>
+       if the modules do not request a delay, the failure delay will be
+-      between 2.25 and 3.75 seconds.
++      between 1.5 and 4.5 seconds.
+     </para>
+ 
+     <para>
+@@ -150,7 +150,7 @@ module #2:    pam_fail_delay (pamh, 4000
+ 
+     <para>
+       in this case, it is the largest requested value that is used to
+-      compute the actual failed delay: here between 3 and 5 seconds.
++      compute the actual failed delay: here between 2 and 6 seconds.
+     </para>
+   </refsect1>
+ 
diff --git a/SOURCES/pam-1.1.8-man-environment.patch b/SOURCES/pam-1.1.8-man-environment.patch
new file mode 100644
index 0000000..d869211
--- /dev/null
+++ b/SOURCES/pam-1.1.8-man-environment.patch
@@ -0,0 +1,78 @@
+diff -up Linux-PAM-1.1.8/modules/pam_env/Makefile.am.environment Linux-PAM-1.1.8/modules/pam_env/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_env/Makefile.am.environment	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_env/Makefile.am	2016-04-22 14:10:49.921649262 +0200
+@@ -7,7 +7,7 @@ MAINTAINERCLEANFILES = $(MANS) README
+ 
+ EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment
+ 
+-man_MANS = pam_env.conf.5 pam_env.8
++man_MANS = pam_env.conf.5 pam_env.8 environment.5
+ 
+ XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml
+ 
+@@ -30,6 +30,7 @@ sysconf_DATA = environment
+ if ENABLE_REGENERATE_MAN
+ noinst_DATA = README
+ README: pam_env.8.xml pam_env.conf.5.xml
++environment.5: pam_env.conf.5.xml
+ -include $(top_srcdir)/Make.xml.rules
+ endif
+ 
+diff -up Linux-PAM-1.1.8/modules/pam_env/Makefile.in.environment Linux-PAM-1.1.8/modules/pam_env/Makefile.in
+--- Linux-PAM-1.1.8/modules/pam_env/Makefile.in.environment	2016-04-22 14:14:41.475866891 +0200
++++ Linux-PAM-1.1.8/modules/pam_env/Makefile.in	2016-04-22 14:13:58.239892651 +0200
+@@ -285,7 +285,7 @@ top_srcdir = @top_srcdir@
+ CLEANFILES = *~
+ MAINTAINERCLEANFILES = $(MANS) README
+ EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment
+-man_MANS = pam_env.conf.5 pam_env.8
++man_MANS = pam_env.conf.5 pam_env.8 environment.5
+ XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml
+ securelibdir = $(SECUREDIR)
+ secureconfdir = $(SCONFIGDIR)
+@@ -836,6 +836,7 @@ uninstall-man: uninstall-man5 uninstall-
+ 	uninstall-sysconfDATA
+ 
+ @ENABLE_REGENERATE_MAN_TRUE@README: pam_env.8.xml pam_env.conf.5.xml
++@ENABLE_REGENERATE_MAN_TRUE@environment.5: pam_env.conf.5.xml
+ @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules
+ 
+ # Tell versions [3.59,3.63) of GNU make to not export all variables.
+diff -up Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml.environment Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml
+--- Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml.environment	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml	2016-04-22 14:12:49.150335851 +0200
+@@ -12,7 +12,8 @@
+ 
+   <refnamediv>
+     <refname>pam_env.conf</refname>
+-    <refpurpose>the environment variables config file</refpurpose>
++    <refname>environment</refname>
++    <refpurpose>the environment variables config files</refpurpose>
+   </refnamediv>
+ 
+ 
+@@ -58,6 +59,14 @@
+       at front) can be used to mark this line as a comment line.
+     </para>
+ 
++    <para>
++      The <filename>/etc/environment</filename> file specifies
++      the environment variables to be set. The file must consist of simple
++      <emphasis>NAME=VALUE</emphasis> pairs on separate lines.
++      The <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++      module will read the file after the <filename>pam_env.conf</filename>
++      file.
++    </para>
+   </refsect1>
+ 
+   <refsect1 id="pam_env.conf-examples">
+@@ -110,7 +119,8 @@
+     <para>
+       <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+       <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+-      <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++      <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++      <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+     </para>
+   </refsect1>
+ 
diff --git a/SOURCES/pam-1.1.8-relax-audit.patch b/SOURCES/pam-1.1.8-relax-audit.patch
new file mode 100644
index 0000000..8355fa4
--- /dev/null
+++ b/SOURCES/pam-1.1.8-relax-audit.patch
@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.1.8/libpam/pam_audit.c.relax-audit Linux-PAM-1.1.8/libpam/pam_audit.c
+--- Linux-PAM-1.1.8/libpam/pam_audit.c.relax-audit	2016-03-03 10:01:15.000000000 +0100
++++ Linux-PAM-1.1.8/libpam/pam_audit.c	2016-04-22 15:18:55.692925308 +0200
+@@ -53,7 +53,7 @@ _pam_audit_writelog(pam_handle_t *pamh,
+   pamh->audit_state |= PAMAUDIT_LOGGED;
+ 
+   if (rc < 0) {
+-      if (rc == -EPERM && getuid() != 0)
++      if (rc == -EPERM)
+           return 0;
+       if (errno != old_errno) {
+           old_errno = errno;
diff --git a/SOURCES/pam-1.1.8-succeed-if-large-uid.patch b/SOURCES/pam-1.1.8-succeed-if-large-uid.patch
new file mode 100644
index 0000000..74ec3f3
--- /dev/null
+++ b/SOURCES/pam-1.1.8-succeed-if-large-uid.patch
@@ -0,0 +1,85 @@
+diff -up Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c.large-uid Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c
+--- Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c.large-uid	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c	2016-07-19 15:00:57.366549150 +0200
+@@ -68,20 +68,20 @@
+  * PAM_SERVICE_ERR if the arguments can't be parsed as numbers. */
+ static int
+ evaluate_num(const pam_handle_t *pamh, const char *left,
+-	     const char *right, int (*cmp)(int, int))
++	     const char *right, int (*cmp)(long long, long long))
+ {
+-	long l, r;
++	long long l, r;
+ 	char *p;
+ 	int ret = PAM_SUCCESS;
+ 
+ 	errno = 0;
+-	l = strtol(left, &p, 0);
++	l = strtoll(left, &p, 0);
+ 	if ((p == NULL) || (*p != '\0') || errno) {
+ 		pam_syslog(pamh, LOG_INFO, "\"%s\" is not a number", left);
+ 		ret = PAM_SERVICE_ERR;
+ 	}
+ 
+-	r = strtol(right, &p, 0);
++	r = strtoll(right, &p, 0);
+ 	if ((p == NULL) || (*p != '\0') || errno) {
+ 		pam_syslog(pamh, LOG_INFO, "\"%s\" is not a number", right);
+ 		ret = PAM_SERVICE_ERR;
+@@ -96,32 +96,32 @@ evaluate_num(const pam_handle_t *pamh, c
+ 
+ /* Simple numeric comparison callbacks. */
+ static int
+-eq(int i, int j)
++eq(long long i, long long j)
+ {
+ 	return i == j;
+ }
+ static int
+-ne(int i, int j)
++ne(long long i, long long j)
+ {
+ 	return i != j;
+ }
+ static int
+-lt(int i, int j)
++lt(long long i, long long j)
+ {
+ 	return i < j;
+ }
+ static int
+-le(int i, int j)
++le(long long i, long long j)
+ {
+ 	return lt(i, j) || eq(i, j);
+ }
+ static int
+-gt(int i, int j)
++gt(long long i, long long j)
+ {
+ 	return i > j;
+ }
+ static int
+-ge(int i, int j)
++ge(long long i, long long j)
+ {
+ 	return gt(i, j) || eq(i, j);
+ }
+@@ -298,7 +298,7 @@ evaluate(pam_handle_t *pamh, int debug,
+ 	}
+ 	if (strcasecmp(left, "rhost") == 0) {
+ 		const void *rhost;
+-		if (pam_get_item(pamh, PAM_SERVICE, &rhost) != PAM_SUCCESS ||
++		if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS ||
+ 			rhost == NULL)
+ 			rhost = "";
+ 		snprintf(buf, sizeof(buf), "%s", (const char *)rhost);
+@@ -306,7 +306,7 @@ evaluate(pam_handle_t *pamh, int debug,
+ 	}
+ 	if (strcasecmp(left, "tty") == 0) {
+ 		const void *tty;
+-		if (pam_get_item(pamh, PAM_SERVICE, &tty) != PAM_SUCCESS ||
++		if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS ||
+ 			tty == NULL)
+ 			tty = "";
+ 		snprintf(buf, sizeof(buf), "%s", (const char *)tty);
diff --git a/SOURCES/pam-1.1.8-unix-expiry.patch b/SOURCES/pam-1.1.8-unix-expiry.patch
new file mode 100644
index 0000000..7e0e9f0
--- /dev/null
+++ b/SOURCES/pam-1.1.8-unix-expiry.patch
@@ -0,0 +1,134 @@
+diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c
+--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c.expiry	2016-03-03 09:58:52.677684261 +0100
++++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c	2016-03-03 09:58:52.712685101 +0100
+@@ -244,6 +244,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
+ 	} else
+ 		retval = check_shadow_expiry(pamh, spent, &daysleft);
+ 
++	if (on(UNIX_NO_PASS_EXPIRY, ctrl)) {
++		const void *pretval = NULL;
++		int authrv = PAM_AUTHINFO_UNAVAIL; /* authentication not called */
++
++		if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
++			&& pretval)
++			authrv = *(const int *)pretval;
++
++		if (authrv != PAM_SUCCESS
++			&& (retval == PAM_NEW_AUTHTOK_REQD || retval == PAM_AUTHTOK_EXPIRED))
++			retval = PAM_SUCCESS;
++	}
++
+ 	switch (retval) {
+ 	case PAM_ACCT_EXPIRED:
+ 		pam_syslog(pamh, LOG_NOTICE,
+diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c
+--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c.expiry	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c	2016-03-03 09:58:52.712685101 +0100
+@@ -82,14 +82,13 @@
+ 
+ #define AUTH_RETURN						\
+ do {								\
+-	if (on(UNIX_LIKE_AUTH, ctrl) && ret_data) {		\
++	if (ret_data) {						\
+ 		D(("recording return code for next time [%d]",	\
+ 					retval));		\
+ 		*ret_data = retval;				\
+ 		pam_set_data(pamh, "unix_setcred_return",	\
+ 		             (void *) ret_data, setcred_free);	\
+-	} else if (ret_data)					\
+-	  free (ret_data);                                      \
++	}							\
+ 	D(("done. [%s]", pam_strerror(pamh, retval)));		\
+ 	return retval;						\
+ } while (0)
+@@ -115,9 +114,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
+ 	ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
+ 
+ 	/* Get a few bytes so we can pass our return value to
+-	   pam_sm_setcred(). */
+-	if (on(UNIX_LIKE_AUTH, ctrl))
+-		ret_data = malloc(sizeof(int));
++	   pam_sm_setcred() and pam_sm_acct_mgmt(). */
++	ret_data = malloc(sizeof(int));
+ 
+ 	/* get the user'name' */
+ 
+@@ -194,20 +192,24 @@ pam_sm_authenticate(pam_handle_t *pamh,
+  */
+ 
+ int
+-pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED,
+-		int argc UNUSED, const char **argv UNUSED)
++pam_sm_setcred (pam_handle_t *pamh, int flags,
++		int argc, const char **argv)
+ {
+ 	int retval;
+ 	const void *pretval = NULL;
++	unsigned int ctrl;
+ 
+ 	D(("called."));
+ 
++	ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
++
+ 	retval = PAM_SUCCESS;
+ 
+ 	D(("recovering return code from auth call"));
+ 	/* We will only find something here if UNIX_LIKE_AUTH is set --
+ 	   don't worry about an explicit check of argv. */
+-	if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
++	if (on(UNIX_LIKE_AUTH, ctrl)
++	    && pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
+ 	    && pretval) {
+ 	        retval = *(const int *)pretval;
+ 		pam_set_data(pamh, "unix_setcred_return", NULL, NULL);
+diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml
+--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml.expiry	2016-03-03 09:58:52.710685053 +0100
++++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml	2016-03-03 09:58:52.712685101 +0100
+@@ -346,6 +346,25 @@
+           </para>
+         </listitem>
+       </varlistentry>
++      <varlistentry>
++        <term>
++          <option>no_pass_expiry</option>
++        </term>
++        <listitem>
++          <para>
++            When set ignore password expiration as defined by the
++            <emphasis>shadow</emphasis> entry of the user. The option has an
++            effect only in case <emphasis>pam_unix</emphasis> was not used
++            for the authentication or it returned authentication failure
++            meaning that other authentication source or method succeeded.
++            The example can be public key authentication in
++            <emphasis>sshd</emphasis>. The module will return
++            <emphasis remap='B'>PAM_SUCCESS</emphasis> instead of eventual
++            <emphasis remap='B'>PAM_NEW_AUTHTOK_REQD</emphasis> or
++            <emphasis remap='B'>PAM_AUTHTOK_EXPIRED</emphasis>.
++          </para>
++        </listitem>
++      </varlistentry>
+     </variablelist>
+     <para>
+       Invalid arguments are logged with  <citerefentry>
+diff -up Linux-PAM-1.1.8/modules/pam_unix/support.h.expiry Linux-PAM-1.1.8/modules/pam_unix/support.h
+--- Linux-PAM-1.1.8/modules/pam_unix/support.h.expiry	2016-03-03 09:58:52.712685101 +0100
++++ Linux-PAM-1.1.8/modules/pam_unix/support.h	2016-03-03 10:00:31.642061166 +0100
+@@ -97,8 +97,9 @@ typedef struct {
+ 					   password hash algorithms */
+ #define UNIX_BLOWFISH_PASS       26	/* new password hashes will use blowfish */
+ #define UNIX_MIN_PASS_LEN        27	/* min length for password */
++#define UNIX_NO_PASS_EXPIRY      28     /* Don't check for password expiration if not used for authentication */
+ /* -------------- */
+-#define UNIX_CTRLS_              28	/* number of ctrl arguments defined */
++#define UNIX_CTRLS_              29	/* number of ctrl arguments defined */
+ 
+ #define UNIX_DES_CRYPT(ctrl)	(off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+ 
+@@ -135,6 +136,7 @@ static const UNIX_Ctrls unix_args[UNIX_C
+ /* UNIX_ALGO_ROUNDS */     {"rounds=",         _ALL_ON_,          0100000000, 0},
+ /* UNIX_BLOWFISH_PASS */   {"blowfish",    _ALL_ON_^(0260420000), 0200000000, 1},
+ /* UNIX_MIN_PASS_LEN */    {"minlen=",		_ALL_ON_,         0400000000, 0},
++/* UNIX_NO_PASS_EXPIRY */  {"no_pass_expiry",  _ALL_ON_,         02000000000, 0},
+ };
+ 
+ #define UNIX_DEFAULTS  (unix_args[UNIX__NONULL].flag)
diff --git a/SPECS/pam.spec b/SPECS/pam.spec
index f6f1c57..0cbf153 100644
--- a/SPECS/pam.spec
+++ b/SPECS/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.1.8
-Release: 12%{?dist}.1
+Release: 18%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -56,6 +56,14 @@ Patch41: pam-1.1.8-limits-check-process.patch
 Patch42: pam-1.1.8-limits-docfix.patch
 Patch43: pam-1.1.8-audit-user-mgmt.patch
 Patch44: pam-1.1.8-cve-2015-3238.patch
+Patch45: pam-1.1.8-unix-expiry.patch
+Patch46: pam-1.1.8-man-environment.patch
+Patch47: pam-1.1.8-loginuid-log-auditd.patch
+Patch48: pam-1.1.8-faillock-never.patch
+Patch49: pam-1.1.8-relax-audit.patch
+Patch50: pam-1.1.8-lastlog-localtime.patch
+Patch51: pam-1.1.8-man-delay.patch
+Patch52: pam-1.1.8-succeed-if-large-uid.patch
 
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@@ -145,6 +153,14 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 %patch42 -p1 -b .docfix
 %patch43 -p1 -b .audit-user-mgmt
 %patch44 -p1 -b .password-limit
+%patch45 -p1 -b .expiry
+%patch46 -p1 -b .man-environment
+%patch47 -p1 -b .log-auditd
+%patch48 -p1 -b .never
+%patch49 -p1 -b .relax-audit
+%patch50 -p1 -b .localtime
+%patch51 -p1 -b .delay
+%patch52 -p1 -b .large-uid
 
 %build
 autoreconf -i
@@ -393,7 +409,25 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
-* Tue Aug  4 2015 Tomáš Mráz <tmraz@redhat.com> 1.1.8-12.1
+* Tue Jul 19 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.8-18
+- pam_succeed_if: fix handling of large uids, tty, and rhost
+
+* Mon May 30 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.8-17
+- fix pam_fail_delay() manual page (#1130053)
+
+* Thu Apr 28 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.8-15
+- pam_faillock: support permanent locking of user with
+  unlock_time=never option
+
+* Fri Apr 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.8-14
+- pam_unix: add no_pass_expiry option for ignoring password
+  expiration in crond and sshd with public key authentication
+- add manual page for environment(5) (#1110257)
+- pam_loginuid: log if auditd not detected
+- always ignore audit error when -EPERM is returned (#1287800)
+- pam_lastlog: fix possible NULL dereference when localtime fails (#1313537)
+
+* Tue Aug  4 2015 Tomáš Mráz <tmraz@redhat.com> 1.1.8-13
 - fix CVE-2015-3238 - DoS due to blocking pipe with very long password
 
 * Fri Oct 17 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-12