diff --git a/SOURCES/pam-1.1.8-faillock-never.patch b/SOURCES/pam-1.1.8-faillock-never.patch
new file mode 100644
index 0000000..be84329
--- /dev/null
+++ b/SOURCES/pam-1.1.8-faillock-never.patch
@@ -0,0 +1,91 @@
+diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.never Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c
+--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.never 2016-03-03 10:01:15.000000000 +0100
++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c 2016-04-22 14:31:34.239752334 +0200
+@@ -125,17 +125,26 @@ args_parse(pam_handle_t *pamh, int argc,
+ }
+ else if (strncmp(argv[i], "unlock_time=", 12) == 0) {
+ unsigned int temp;
+- if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
++
++ if (strcmp(argv[i]+12, "never") == 0) {
++ opts->unlock_time = 0;
++ }
++ else if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
+ temp > MAX_TIME_INTERVAL) {
+ pam_syslog(pamh, LOG_ERR,
+ "Bad number supplied for unlock_time argument");
+- } else {
++ }
++ else {
+ opts->unlock_time = temp;
+ }
+ }
+ else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) {
+ unsigned int temp;
+- if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
++
++ if (strcmp(argv[i]+17, "never") == 0) {
++ opts->root_unlock_time = 0;
++ }
++ else if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
+ temp > MAX_TIME_INTERVAL) {
+ pam_syslog(pamh, LOG_ERR,
+ "Bad number supplied for root_unlock_time argument");
+@@ -258,8 +267,8 @@ check_tally(pam_handle_t *pamh, struct o
+ }
+
+ if (opts->deny && failures >= opts->deny) {
+- if ((opts->uid && latest_time + opts->unlock_time < opts->now) ||
+- (!opts->uid && latest_time + opts->root_unlock_time < opts->now)) {
++ if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
++ (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
+ #ifdef HAVE_LIBAUDIT
+ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
+ char buf[64];
+@@ -420,11 +429,17 @@ faillock_message(pam_handle_t *pamh, str
+ left = opts->latest_time + opts->root_unlock_time - opts->now;
+ }
+
+- left /= 60; /* minutes */
++ if (left > 0) {
++ left = (left + 59)/60; /* minutes */
+
+- pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
+- opts->failures);
+- pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
++ pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
++ opts->failures);
++ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
++ }
++ else {
++ pam_info(pamh, _("Account locked due to %d failed logins"),
++ opts->failures);
++ }
+ }
+ }
+
+diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.never Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml
+--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.never 2016-04-22 15:25:57.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml 2016-04-28 16:43:14.109794294 +0200
+@@ -201,6 +201,21 @@
+ <replaceable>n</replaceable> seconds after the lock out.
+ The default is 600 (10 minutes).
+ </para>
++ <para>
++ If the <replaceable>n</replaceable> is set to never or 0
++ the access will not be reenabled at all until administrator
++ explicitly reenables it with the <command>faillock</command> command.
++ Note though that the default directory that <emphasis>pam_faillock</emphasis>
++ uses is usually cleared on system boot so the access will be also reenabled
++ after system reboot. If that is undesirable a different tally directory
++ must be set with the <option>dir</option> option.
++ </para>
++ <para>
++ Also note that it is usually undesirable to permanently lock
++ out the users as they can become easily a target of denial of service
++ attack unless the usernames are random and kept secret to potential
++ attackers.
++ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
diff --git a/SOURCES/pam-1.1.8-lastlog-localtime.patch b/SOURCES/pam-1.1.8-lastlog-localtime.patch
new file mode 100644
index 0000000..8108ff2
--- /dev/null
+++ b/SOURCES/pam-1.1.8-lastlog-localtime.patch
@@ -0,0 +1,22 @@
+diff -up Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.localtime Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c
+--- Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.localtime 2016-03-03 10:01:15.000000000 +0100
++++ Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c 2016-04-22 15:24:10.085018141 +0200
+@@ -276,12 +276,12 @@ last_login_read(pam_handle_t *pamh, int
+ time_t ll_time;
+
+ ll_time = last_login.ll_time;
+- tm = localtime_r (&ll_time, &tm_buf);
+- strftime (the_time, sizeof (the_time),
+- /* TRANSLATORS: "strftime options for date of last login" */
+- _(" %a %b %e %H:%M:%S %Z %Y"), tm);
+-
+- date = the_time;
++ if ((tm = localtime_r (&ll_time, &tm_buf)) != NULL) {
++ strftime (the_time, sizeof (the_time),
++ /* TRANSLATORS: "strftime options for date of last login" */
++ _(" %a %b %e %H:%M:%S %Z %Y"), tm);
++ date = the_time;
++ }
+ }
+
+ /* we want & have the host? */
diff --git a/SOURCES/pam-1.1.8-loginuid-log-auditd.patch b/SOURCES/pam-1.1.8-loginuid-log-auditd.patch
new file mode 100644
index 0000000..6ccadc7
--- /dev/null
+++ b/SOURCES/pam-1.1.8-loginuid-log-auditd.patch
@@ -0,0 +1,19 @@
+diff -up Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.log-auditd Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c
+--- Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.log-auditd 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c 2016-04-22 14:21:35.868204427 +0200
+@@ -195,9 +195,12 @@ _pam_loginuid(pam_handle_t *pamh, int fl
+ argv++;
+ }
+
+- if (require_auditd)
+- return check_auditd();
+- else
++ if (require_auditd) {
++ int rc = check_auditd();
++ if (rc != PAM_SUCCESS)
++ pam_syslog(pamh, LOG_ERR, "required running auditd not detected");
++ return rc;
++ } else
+ #endif
+ return PAM_SUCCESS;
+ }
diff --git a/SOURCES/pam-1.1.8-man-delay.patch b/SOURCES/pam-1.1.8-man-delay.patch
new file mode 100644
index 0000000..5a4833a
--- /dev/null
+++ b/SOURCES/pam-1.1.8-man-delay.patch
@@ -0,0 +1,30 @@
+diff -up Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml.delay Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml
+--- Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml.delay 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml 2016-05-30 12:08:40.708053159 +0200
+@@ -39,7 +39,7 @@
+ <citerefentry>
+ <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry> fail, the failing return to the application is
+- delayed by an amount of time randomly distributed (by up to 25%)
++ delayed by an amount of time randomly distributed (by up to 50%)
+ about this longest value.
+ </para>
+ <para>
+@@ -135,7 +135,7 @@ void (*delay_fn)(int retval, unsigned us
+
+ <para>
+ if the modules do not request a delay, the failure delay will be
+- between 2.25 and 3.75 seconds.
++ between 1.5 and 4.5 seconds.
+ </para>
+
+ <para>
+@@ -150,7 +150,7 @@ module #2: pam_fail_delay (pamh, 4000
+
+ <para>
+ in this case, it is the largest requested value that is used to
+- compute the actual failed delay: here between 3 and 5 seconds.
++ compute the actual failed delay: here between 2 and 6 seconds.
+ </para>
+ </refsect1>
+
diff --git a/SOURCES/pam-1.1.8-man-environment.patch b/SOURCES/pam-1.1.8-man-environment.patch
new file mode 100644
index 0000000..d869211
--- /dev/null
+++ b/SOURCES/pam-1.1.8-man-environment.patch
@@ -0,0 +1,78 @@
+diff -up Linux-PAM-1.1.8/modules/pam_env/Makefile.am.environment Linux-PAM-1.1.8/modules/pam_env/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_env/Makefile.am.environment 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_env/Makefile.am 2016-04-22 14:10:49.921649262 +0200
+@@ -7,7 +7,7 @@ MAINTAINERCLEANFILES = $(MANS) README
+
+ EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment
+
+-man_MANS = pam_env.conf.5 pam_env.8
++man_MANS = pam_env.conf.5 pam_env.8 environment.5
+
+ XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml
+
+@@ -30,6 +30,7 @@ sysconf_DATA = environment
+ if ENABLE_REGENERATE_MAN
+ noinst_DATA = README
+ README: pam_env.8.xml pam_env.conf.5.xml
++environment.5: pam_env.conf.5.xml
+ -include $(top_srcdir)/Make.xml.rules
+ endif
+
+diff -up Linux-PAM-1.1.8/modules/pam_env/Makefile.in.environment Linux-PAM-1.1.8/modules/pam_env/Makefile.in
+--- Linux-PAM-1.1.8/modules/pam_env/Makefile.in.environment 2016-04-22 14:14:41.475866891 +0200
++++ Linux-PAM-1.1.8/modules/pam_env/Makefile.in 2016-04-22 14:13:58.239892651 +0200
+@@ -285,7 +285,7 @@ top_srcdir = @top_srcdir@
+ CLEANFILES = *~
+ MAINTAINERCLEANFILES = $(MANS) README
+ EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment
+-man_MANS = pam_env.conf.5 pam_env.8
++man_MANS = pam_env.conf.5 pam_env.8 environment.5
+ XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml
+ securelibdir = $(SECUREDIR)
+ secureconfdir = $(SCONFIGDIR)
+@@ -836,6 +836,7 @@ uninstall-man: uninstall-man5 uninstall-
+ uninstall-sysconfDATA
+
+ @ENABLE_REGENERATE_MAN_TRUE@README: pam_env.8.xml pam_env.conf.5.xml
++@ENABLE_REGENERATE_MAN_TRUE@environment.5: pam_env.conf.5.xml
+ @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules
+
+ # Tell versions [3.59,3.63) of GNU make to not export all variables.
+diff -up Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml.environment Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml
+--- Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml.environment 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml 2016-04-22 14:12:49.150335851 +0200
+@@ -12,7 +12,8 @@
+
+ <refnamediv>
+ <refname>pam_env.conf</refname>
+- <refpurpose>the environment variables config file</refpurpose>
++ <refname>environment</refname>
++ <refpurpose>the environment variables config files</refpurpose>
+ </refnamediv>
+
+
+@@ -58,6 +59,14 @@
+ at front) can be used to mark this line as a comment line.
+ </para>
+
++ <para>
++ The <filename>/etc/environment</filename> file specifies
++ the environment variables to be set. The file must consist of simple
++ <emphasis>NAME=VALUE</emphasis> pairs on separate lines.
++ The <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ module will read the file after the <filename>pam_env.conf</filename>
++ file.
++ </para>
+ </refsect1>
+
+ <refsect1 id="pam_env.conf-examples">
+@@ -110,7 +119,8 @@
+ <para>
+ <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++ <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
diff --git a/SOURCES/pam-1.1.8-relax-audit.patch b/SOURCES/pam-1.1.8-relax-audit.patch
new file mode 100644
index 0000000..8355fa4
--- /dev/null
+++ b/SOURCES/pam-1.1.8-relax-audit.patch
@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.1.8/libpam/pam_audit.c.relax-audit Linux-PAM-1.1.8/libpam/pam_audit.c
+--- Linux-PAM-1.1.8/libpam/pam_audit.c.relax-audit 2016-03-03 10:01:15.000000000 +0100
++++ Linux-PAM-1.1.8/libpam/pam_audit.c 2016-04-22 15:18:55.692925308 +0200
+@@ -53,7 +53,7 @@ _pam_audit_writelog(pam_handle_t *pamh,
+ pamh->audit_state |= PAMAUDIT_LOGGED;
+
+ if (rc < 0) {
+- if (rc == -EPERM && getuid() != 0)
++ if (rc == -EPERM)
+ return 0;
+ if (errno != old_errno) {
+ old_errno = errno;
diff --git a/SOURCES/pam-1.1.8-succeed-if-large-uid.patch b/SOURCES/pam-1.1.8-succeed-if-large-uid.patch
new file mode 100644
index 0000000..74ec3f3
--- /dev/null
+++ b/SOURCES/pam-1.1.8-succeed-if-large-uid.patch
@@ -0,0 +1,85 @@
+diff -up Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c.large-uid Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c
+--- Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c.large-uid 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c 2016-07-19 15:00:57.366549150 +0200
+@@ -68,20 +68,20 @@
+ * PAM_SERVICE_ERR if the arguments can't be parsed as numbers. */
+ static int
+ evaluate_num(const pam_handle_t *pamh, const char *left,
+- const char *right, int (*cmp)(int, int))
++ const char *right, int (*cmp)(long long, long long))
+ {
+- long l, r;
++ long long l, r;
+ char *p;
+ int ret = PAM_SUCCESS;
+
+ errno = 0;
+- l = strtol(left, &p, 0);
++ l = strtoll(left, &p, 0);
+ if ((p == NULL) || (*p != '\0') || errno) {
+ pam_syslog(pamh, LOG_INFO, "\"%s\" is not a number", left);
+ ret = PAM_SERVICE_ERR;
+ }
+
+- r = strtol(right, &p, 0);
++ r = strtoll(right, &p, 0);
+ if ((p == NULL) || (*p != '\0') || errno) {
+ pam_syslog(pamh, LOG_INFO, "\"%s\" is not a number", right);
+ ret = PAM_SERVICE_ERR;
+@@ -96,32 +96,32 @@ evaluate_num(const pam_handle_t *pamh, c
+
+ /* Simple numeric comparison callbacks. */
+ static int
+-eq(int i, int j)
++eq(long long i, long long j)
+ {
+ return i == j;
+ }
+ static int
+-ne(int i, int j)
++ne(long long i, long long j)
+ {
+ return i != j;
+ }
+ static int
+-lt(int i, int j)
++lt(long long i, long long j)
+ {
+ return i < j;
+ }
+ static int
+-le(int i, int j)
++le(long long i, long long j)
+ {
+ return lt(i, j) || eq(i, j);
+ }
+ static int
+-gt(int i, int j)
++gt(long long i, long long j)
+ {
+ return i > j;
+ }
+ static int
+-ge(int i, int j)
++ge(long long i, long long j)
+ {
+ return gt(i, j) || eq(i, j);
+ }
+@@ -298,7 +298,7 @@ evaluate(pam_handle_t *pamh, int debug,
+ }
+ if (strcasecmp(left, "rhost") == 0) {
+ const void *rhost;
+- if (pam_get_item(pamh, PAM_SERVICE, &rhost) != PAM_SUCCESS ||
++ if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS ||
+ rhost == NULL)
+ rhost = "";
+ snprintf(buf, sizeof(buf), "%s", (const char *)rhost);
+@@ -306,7 +306,7 @@ evaluate(pam_handle_t *pamh, int debug,
+ }
+ if (strcasecmp(left, "tty") == 0) {
+ const void *tty;
+- if (pam_get_item(pamh, PAM_SERVICE, &tty) != PAM_SUCCESS ||
++ if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS ||
+ tty == NULL)
+ tty = "";
+ snprintf(buf, sizeof(buf), "%s", (const char *)tty);
diff --git a/SOURCES/pam-1.1.8-unix-expiry.patch b/SOURCES/pam-1.1.8-unix-expiry.patch
new file mode 100644
index 0000000..7e0e9f0
--- /dev/null
+++ b/SOURCES/pam-1.1.8-unix-expiry.patch
@@ -0,0 +1,134 @@
+diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c
+--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c.expiry 2016-03-03 09:58:52.677684261 +0100
++++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c 2016-03-03 09:58:52.712685101 +0100
+@@ -244,6 +244,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
+ } else
+ retval = check_shadow_expiry(pamh, spent, &daysleft);
+
++ if (on(UNIX_NO_PASS_EXPIRY, ctrl)) {
++ const void *pretval = NULL;
++ int authrv = PAM_AUTHINFO_UNAVAIL; /* authentication not called */
++
++ if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
++ && pretval)
++ authrv = *(const int *)pretval;
++
++ if (authrv != PAM_SUCCESS
++ && (retval == PAM_NEW_AUTHTOK_REQD || retval == PAM_AUTHTOK_EXPIRED))
++ retval = PAM_SUCCESS;
++ }
++
+ switch (retval) {
+ case PAM_ACCT_EXPIRED:
+ pam_syslog(pamh, LOG_NOTICE,
+diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c
+--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c.expiry 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c 2016-03-03 09:58:52.712685101 +0100
+@@ -82,14 +82,13 @@
+
+ #define AUTH_RETURN \
+ do { \
+- if (on(UNIX_LIKE_AUTH, ctrl) && ret_data) { \
++ if (ret_data) { \
+ D(("recording return code for next time [%d]", \
+ retval)); \
+ *ret_data = retval; \
+ pam_set_data(pamh, "unix_setcred_return", \
+ (void *) ret_data, setcred_free); \
+- } else if (ret_data) \
+- free (ret_data); \
++ } \
+ D(("done. [%s]", pam_strerror(pamh, retval))); \
+ return retval; \
+ } while (0)
+@@ -115,9 +114,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
+ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
+
+ /* Get a few bytes so we can pass our return value to
+- pam_sm_setcred(). */
+- if (on(UNIX_LIKE_AUTH, ctrl))
+- ret_data = malloc(sizeof(int));
++ pam_sm_setcred() and pam_sm_acct_mgmt(). */
++ ret_data = malloc(sizeof(int));
+
+ /* get the user'name' */
+
+@@ -194,20 +192,24 @@ pam_sm_authenticate(pam_handle_t *pamh,
+ */
+
+ int
+-pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED,
+- int argc UNUSED, const char **argv UNUSED)
++pam_sm_setcred (pam_handle_t *pamh, int flags,
++ int argc, const char **argv)
+ {
+ int retval;
+ const void *pretval = NULL;
++ unsigned int ctrl;
+
+ D(("called."));
+
++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
++
+ retval = PAM_SUCCESS;
+
+ D(("recovering return code from auth call"));
+ /* We will only find something here if UNIX_LIKE_AUTH is set --
+ don't worry about an explicit check of argv. */
+- if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
++ if (on(UNIX_LIKE_AUTH, ctrl)
++ && pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
+ && pretval) {
+ retval = *(const int *)pretval;
+ pam_set_data(pamh, "unix_setcred_return", NULL, NULL);
+diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml
+--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml.expiry 2016-03-03 09:58:52.710685053 +0100
++++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml 2016-03-03 09:58:52.712685101 +0100
+@@ -346,6 +346,25 @@
+ </para>
+ </listitem>
+ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>no_pass_expiry</option>
++ </term>
++ <listitem>
++ <para>
++ When set ignore password expiration as defined by the
++ <emphasis>shadow</emphasis> entry of the user. The option has an
++ effect only in case <emphasis>pam_unix</emphasis> was not used
++ for the authentication or it returned authentication failure
++ meaning that other authentication source or method succeeded.
++ The example can be public key authentication in
++ <emphasis>sshd</emphasis>. The module will return
++ <emphasis remap='B'>PAM_SUCCESS</emphasis> instead of eventual
++ <emphasis remap='B'>PAM_NEW_AUTHTOK_REQD</emphasis> or
++ <emphasis remap='B'>PAM_AUTHTOK_EXPIRED</emphasis>.
++ </para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ <para>
+ Invalid arguments are logged with <citerefentry>
+diff -up Linux-PAM-1.1.8/modules/pam_unix/support.h.expiry Linux-PAM-1.1.8/modules/pam_unix/support.h
+--- Linux-PAM-1.1.8/modules/pam_unix/support.h.expiry 2016-03-03 09:58:52.712685101 +0100
++++ Linux-PAM-1.1.8/modules/pam_unix/support.h 2016-03-03 10:00:31.642061166 +0100
+@@ -97,8 +97,9 @@ typedef struct {
+ password hash algorithms */
+ #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
+ #define UNIX_MIN_PASS_LEN 27 /* min length for password */
++#define UNIX_NO_PASS_EXPIRY 28 /* Don't check for password expiration if not used for authentication */
+ /* -------------- */
+-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
+
+ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+
+@@ -135,6 +136,7 @@ static const UNIX_Ctrls unix_args[UNIX_C
+ /* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
+ /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
+ /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
++/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
+ };
+
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
diff --git a/SPECS/pam.spec b/SPECS/pam.spec
index f6f1c57..0cbf153 100644
--- a/SPECS/pam.spec
+++ b/SPECS/pam.spec
@@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.1.8
-Release: 12%{?dist}.1
+Release: 18%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -56,6 +56,14 @@ Patch41: pam-1.1.8-limits-check-process.patch
Patch42: pam-1.1.8-limits-docfix.patch
Patch43: pam-1.1.8-audit-user-mgmt.patch
Patch44: pam-1.1.8-cve-2015-3238.patch
+Patch45: pam-1.1.8-unix-expiry.patch
+Patch46: pam-1.1.8-man-environment.patch
+Patch47: pam-1.1.8-loginuid-log-auditd.patch
+Patch48: pam-1.1.8-faillock-never.patch
+Patch49: pam-1.1.8-relax-audit.patch
+Patch50: pam-1.1.8-lastlog-localtime.patch
+Patch51: pam-1.1.8-man-delay.patch
+Patch52: pam-1.1.8-succeed-if-large-uid.patch
%define _pamlibdir %{_libdir}
%define _moduledir %{_libdir}/security
@@ -145,6 +153,14 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch42 -p1 -b .docfix
%patch43 -p1 -b .audit-user-mgmt
%patch44 -p1 -b .password-limit
+%patch45 -p1 -b .expiry
+%patch46 -p1 -b .man-environment
+%patch47 -p1 -b .log-auditd
+%patch48 -p1 -b .never
+%patch49 -p1 -b .relax-audit
+%patch50 -p1 -b .localtime
+%patch51 -p1 -b .delay
+%patch52 -p1 -b .large-uid
%build
autoreconf -i
@@ -393,7 +409,25 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
-* Tue Aug 4 2015 Tomáš Mráz <tmraz@redhat.com> 1.1.8-12.1
+* Tue Jul 19 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.8-18
+- pam_succeed_if: fix handling of large uids, tty, and rhost
+
+* Mon May 30 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.8-17
+- fix pam_fail_delay() manual page (#1130053)
+
+* Thu Apr 28 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.8-15
+- pam_faillock: support permanent locking of user with
+ unlock_time=never option
+
+* Fri Apr 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.8-14
+- pam_unix: add no_pass_expiry option for ignoring password
+ expiration in crond and sshd with public key authentication
+- add manual page for environment(5) (#1110257)
+- pam_loginuid: log if auditd not detected
+- always ignore audit error when -EPERM is returned (#1287800)
+- pam_lastlog: fix possible NULL dereference when localtime fails (#1313537)
+
+* Tue Aug 4 2015 Tomáš Mráz <tmraz@redhat.com> 1.1.8-13
- fix CVE-2015-3238 - DoS due to blocking pipe with very long password
* Fri Oct 17 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-12