diff --git a/trunk/FS66068.patch b/trunk/FS66068.patch
new file mode 100644
index 0000000..d3eb16c
--- /dev/null
+++ b/trunk/FS66068.patch
@@ -0,0 +1,19 @@
+diff --git a/etc/login.defs b/etc/login.defs
+index 00c0b9e..321778c 100644
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -88,12 +88,12 @@ TTYPERM		0600
+ # 022 is the default value, but 027, or even 077, could be considered
+ # for increased privacy. There is no One True Answer here: each sysadmin
+ # must make up their mind.
+-UMASK		077
++UMASK		022
+ 
+ # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+ # home directories.
+ # If HOME_MODE is not set, the value of UMASK is used to create the mode.
+-#HOME_MODE	0700
++HOME_MODE	0700
+ 
+ #
+ # Password aging controls:
diff --git a/trunk/FS71393.patch b/trunk/FS71393.patch
new file mode 100644
index 0000000..f1243e6
--- /dev/null
+++ b/trunk/FS71393.patch
@@ -0,0 +1,13 @@
+diff --git a/etc/login.defs b/etc/login.defs
+index 321778c..eca62d5 100644
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -164,7 +164,7 @@ CHFN_RESTRICT		rwh
+ # Note: If you use PAM, it is recommended to use a value consistent with
+ # the PAM modules configuration.
+ #
+-ENCRYPT_METHOD SHA512
++ENCRYPT_METHOD YESCRYPT
+ 
+ #
+ # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index f79e126..a96dc4b 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -18,6 +18,7 @@ depends=(
   'libxcrypt' 'libcrypt.so'
   'pam' 'libpam.so' 'libpam_misc.so'
 )
+makedepends=('itstool' 'libxslt')
 backup=(
   etc/default/useradd
   etc/login.defs
@@ -27,6 +28,11 @@ options=('!emptydirs')
 install=shadow.install
 source=(
   "https://github.com/shadow-maint/shadow/releases/download/v$pkgver/shadow-$pkgver.tar.xz"{,.asc}
+  shadow-4.8-ignore-login-prompt.patch # From Fedora
+  unsupported-options.patch
+  login.defs-arch.patch
+  FS66068.patch
+  FS71393.patch
   chgpasswd
   chpasswd
   defaults.pam
@@ -38,6 +44,11 @@ source=(
 )
 sha512sums=('12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f'
             'SKIP'
+            'd84846282a6e0c0b8236d1ab9cb0083cace5501ac111d56f70db36749f27a1a1ca652f72d9e2d28763636a4cd63f5ce8dac2f8ed212f34df0197d891c19bb08b'
+            'ab866a076666c421d7d5ec9326d7c2e8299564055e3b21af01f8d1b5204c4857da9114ce5134d9b815fc3ecabfa7e4d462934a2f7ac4662e0ba6d7f5ff6368ca'
+            'd4ea0d94c752831d444f24a27c4e53a8530713da05e404933a14f7d996ff5c939dac99688b5d39884a3ecee1cca4c4567d8208c57e08728d99a9fe90e6646839'
+            '056f518a077a06d730f59a97238e2b439f415dd2d31fbda0fc8540938872b07dabd32e5f4db41572303f92e8c9cba8dae9e7956f037e9b326c481c292ffc0d1c'
+            '86b16bf2489e43527fb2853a8d7d41caf0bbef1015fd2acbc48d1c117a6b533b37154e25421d6c0a8e2825599bb0bb6428c3b24a9f18d6da8bb2e6c1bc01665d'
             'aef316f283a0ba0387afd5bd049b20d748dcfe8aebc5f5ea1ce1308167d6a578ae7d0007a5ed4d9862de7d377851edd2c8771e1fb1076262468078c2c76e42fc'
             'dc75dfeafa901f9988176b82ef9db5d927dfe687a72ca36ca13ba3e7ac1b0c8055db1104373f2a7ac463e156f079cbc1f0a9f5e6e16b9f74153eb63dcb8f96df'
             '41c856d893c4157b158d79341fe2b1892be463e17f7a007f1c17397b5625c1d2d5671bc0b37879064ae715a918fb9b05c32d18d1aaa64284cddd8ecbda9b2434'
@@ -49,6 +60,11 @@ sha512sums=('12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def50
             'b681401895de553674cfc7f51809565db03cb4351f85b492460d09abfd703e73c41ba1dfd708964e0f6ea356dc9c929818c62e7d740d55fb795a2e9b7de271fc')
 b2sums=('d459a1e0ffb342b6b455caf65e6af60b32eee72d4a9b1ab126485fb4632503a42061d3f0b960554c8155af6dc0564c585335b27aecca6538b394a0d58d927588'
         'SKIP'
+        '9cfc5f6d478e9968bc0e918870bdb9255b7ccbd7893a3bcc5432225d82c626dbe043507b13fe97498abab90db816d103f664b9c1c4e57d1b9d1046336e1e5cb8'
+        '2d923622a6ee4a345160698596aaf01ef75345f39c180c7534008b781c748280d895618914e36e6aed39fe3d2c5dc4a4df6d20648e8717b8e57af6e6383c02cd'
+        '8e503b25c145f864016a83a72c376e464c26df5b6839e66f6cdf8f386795d9c54e0d6f04967fe3d7a6a6bd2df63f5d601d9a02f772f6cefbef8d6ca7de1970a5'
+        'd2616e1975360984dfff0dc696281241c43d781d6b38093d49dbec0cc171698aa68103e97c344b65c216ba546347743e2cd51ff612e2d584e2947c4deb4dacd6'
+        'd7e9b17ba251bfab5edd8474058b525c93a7865029ac02d9d2aff9329cf8c2093c92a76491c5e94301db9d8f44b93246637b828e66534767bec8a9c233094cad'
         '31e74eebedf8cb6e5ade36096b4399892d7091b9dce4645fde591f64802dc8befd73ae8019e78f8d326a605b224c7828694d21788bd6073db43c41cf5a9c2805'
         '1518839dbfe12f2f55190976de808515f93eb8c06f1570f02780a5ce8c237e0be43aa7cd0fbbe4c88af1f641586e4d3cf122896d97c7594ef72991e1801ee666'
         '5fde901d7d29995523cf261de973cc053265f37cf8fecc5511ccfff35a6ef4308f8cf36dc94e37c8b7604694ffa6ab87331c9b533b3538c6f7d7d911c9f94d19'
@@ -60,6 +76,56 @@ b2sums=('d459a1e0ffb342b6b455caf65e6af60b32eee72d4a9b1ab126485fb4632503a42061d3f
         '75738ba7705fe4f8c22d07bff738a5c2c3bc0fd44d9aaca170cb4e6e7bb3f1e05f729f6decfaa4dec8a037e09fdea83b3500aaa8d6693fd4ae20d7fb0ede420e')
 validpgpkeys=('66D0387DB85D320F8408166DB175CFA98F192AF2')  # Serge Hallyn <sergeh@kernel.org>
 
+#PAMDEFS are options silently ignored by shadow when built with pam enabled
+#MOTD_FILE is in PAMDEFS but is supported by login from util-linux
+_unsupported_options=(
+                      CHFN_AUTH                  #PAMDEFS
+                      CONSOLE_GROUPS             #Not with pam enabled
+                      CONSOLE                    #Not with pam enabled
+                      CRACKLIB_DICTPATH          #PAMDEFS
+                      ENV_HZ                     #PAMDEFS
+                      ENVIRON_FILE               #PAMDEFS
+                      ENV_TZ                     #PAMDEFS
+                      ERASECHAR                  #Not with login from util-linux
+                      FAILLOG_ENAB               #PAMDEFS
+                      FTMP_FILE                  #PAMDEFS
+                      ISSUE_FILE                 #PAMDEFS
+                      KILLCHAR                   #Not with login from util-linux
+                      LASTLOG_ENAB               #PAMDEFS
+                      LOGIN_STRING               #PAMDEFS
+                      LOG_OK_LOGINS              #Not with login from util-linux
+                      MAIL_CHECK_ENAB            #PAMDEFS
+                      MD5_CRYPT_ENAB             #Not with pam enabled
+                      NOLOGINS_FILE              #PAMDEFS
+                      OBSCURE_CHECKS_ENAB        #PAMDEFS
+                      PASS_ALWAYS_WARN           #PAMDEFS
+                      PASS_CHANGE_TRIES          #PAMDEFS
+                      PASS_MAX_LEN               #PAMDEFS
+                      PASS_MIN_LEN               #PAMDEFS
+                      PORTTIME_CHECKS_ENAB       #PAMDEFS
+                      PREVENT_NO_AUTH            #Not with login or su from util-linux
+                      QUOTAS_ENAB                #PAMDEFS
+                      SULOG_FILE                 #Not with su from util-linux
+                      SU_NAME                    #Not with su from util-linux
+                      SU_WHEEL_ONLY              #PAMDEFS
+                      SYSLOG_SU_ENAB             #PAMDEFS
+                      TTYTYPE_FILE               #Not with login from util-linux
+                      ULIMIT                     #PAMDEFS
+                      )
+
+prepare() {
+  cd "$pkgname-$pkgver"
+  patch -p1 -i ../shadow-4.8-ignore-login-prompt.patch # Do not complain about LOGIN_PLAIN_PROMPT option that is used by login from util-linux.
+  patch -p1 -i ../unsupported-options.patch # Remove uptions not supported due to use of pam or util-linux from login.defs.
+  patch -p1 -i ../login.defs-arch.patch # Set Arch defaults.
+  patch -p1 -i ../FS66068.patch # Changes to login.defs for FS#66068 should be merged into above patch if accepted.
+  patch -p1 -i ../FS71393.patch # Changes to login.defs for FS#71393 should be merged into above patch if accepted.
+  for _option in "${_unsupported_options[@]}"
+  do
+      sed -i -e "/${_option}.xml/d" -e "/\&${_option}\;/d" man/login.defs.5.xml
+  done
+}
+
 build() {
   cd "$pkgname-$pkgver"
 
@@ -78,7 +144,8 @@ build() {
     --with-bcrypt \
     --with-yescrypt \
     --without-selinux \
-    --without-su
+    --without-su \
+    --enable-man \
 
   # prevent excessive overlinking due to libtool
   sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
diff --git a/trunk/login.defs-arch.patch b/trunk/login.defs-arch.patch
new file mode 100644
index 0000000..c6996e9
--- /dev/null
+++ b/trunk/login.defs-arch.patch
@@ -0,0 +1,76 @@
+diff --git a/etc/login.defs b/etc/login.defs
+index 1676c45..00c0b9e 100644
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -1,8 +1,14 @@
+ #
+ # /etc/login.defs - Configuration control definitions for the shadow package.
+ #
+-#	$Id$
++# Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.
++# If unspecified, some arbitrary (and possibly incorrect) value will
++# be assumed.  All other items are optional - if not specified then
++# the described action or option will be inhibited.
+ #
++# Comment lines (lines beginning with "#") and blank lines are ignored.
++#
++# Modified for Linux.  --marekm
+ 
+ #
+ # Delay in seconds before being allowed another attempt after a login failure
+@@ -34,7 +40,7 @@ SYSLOG_SG_ENAB		yes
+ # If defined, ":" delimited list of "message of the day" files to
+ # be displayed upon login.
+ #
+-MOTD_FILE	/etc/motd
++MOTD_FILE
+ #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
+ 
+ #
+@@ -58,8 +64,8 @@ HUSHLOGIN_FILE	.hushlogin
+ # *REQUIRED*  The default PATH settings, for superuser and normal users.
+ #
+ # (they are minimal, add the rest in the shell startup files)
+-ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
+-ENV_PATH	PATH=/bin:/usr/bin
++ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
++ENV_PATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+ 
+ #
+ # Terminal permissions
+@@ -82,7 +88,7 @@ TTYPERM		0600
+ # 022 is the default value, but 027, or even 077, could be considered
+ # for increased privacy. There is no One True Answer here: each sysadmin
+ # must make up their mind.
+-UMASK		022
++UMASK		077
+ 
+ # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+ # home directories.
+@@ -106,7 +112,7 @@ PASS_WARN_AGE	7
+ UID_MIN			 1000
+ UID_MAX			60000
+ # System accounts
+-SYS_UID_MIN		  101
++SYS_UID_MIN		  500
+ SYS_UID_MAX		  999
+ # Extra per user uids
+ SUB_UID_MIN		   100000
+@@ -119,7 +125,7 @@ SUB_UID_COUNT		    65536
+ GID_MIN			 1000
+ GID_MAX			60000
+ # System accounts
+-SYS_GID_MIN		  101
++SYS_GID_MIN		  500
+ SYS_GID_MAX		  999
+ # Extra per user group ids
+ SUB_GID_MIN		   100000
+@@ -158,7 +164,7 @@ CHFN_RESTRICT		rwh
+ # Note: If you use PAM, it is recommended to use a value consistent with
+ # the PAM modules configuration.
+ #
+-#ENCRYPT_METHOD DES
++ENCRYPT_METHOD SHA512
+ 
+ #
+ # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
diff --git a/trunk/options.patch b/trunk/options.patch
new file mode 100644
index 0000000..d496dd8
--- /dev/null
+++ b/trunk/options.patch
@@ -0,0 +1,503 @@
+diff --git a/etc/login.defs b/etc/login.defs
+index a2f8cd50..eebf0d99 100644
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -11,26 +11,11 @@
+ #
+ FAIL_DELAY		3
+ 
+-#
+-# Enable logging and display of /var/log/faillog login(1) failure info.
+-#
+-FAILLOG_ENAB		yes
+-
+ #
+ # Enable display of unknown usernames when login(1) failures are recorded.
+ #
+ LOG_UNKFAIL_ENAB	no
+ 
+-#
+-# Enable logging of successful logins
+-#
+-LOG_OK_LOGINS		no
+-
+-#
+-# Enable logging and display of /var/log/lastlog login(1) time info.
+-#
+-LASTLOG_ENAB		yes
+-
+ #
+ # Limit the highest user ID number for which the lastlog entries should
+ # be updated.
+@@ -41,48 +26,10 @@ LASTLOG_ENAB		yes
+ #LASTLOG_UID_MAX
+ 
+ #
+-# Enable checking and display of mailbox status upon login.
+-#
+-# Disable if the shell startup files already check for mail
+-# ("mailx -e" or equivalent).
+-#
+-MAIL_CHECK_ENAB		yes
+-
+-#
+-# Enable additional checks upon password changes.
+-#
+-OBSCURE_CHECKS_ENAB	yes
+-
+-#
+-# Enable checking of time restrictions specified in /etc/porttime.
+-#
+-PORTTIME_CHECKS_ENAB	yes
+-
+-#
+-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
+-#
+-QUOTAS_ENAB		yes
+-
+-#
+-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
+-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
++# Enable "syslog" logging of newgrp(1) and sg(1) activity.
+ #
+-SYSLOG_SU_ENAB		yes
+ SYSLOG_SG_ENAB		yes
+ 
+-#
+-# If defined, either full pathname of a file containing device names or
+-# a ":" delimited list of device names.  Root logins will be allowed only
+-# from these devices.
+-#
+-CONSOLE		/etc/securetty
+-#CONSOLE	console:tty01:tty02:tty03:tty04
+-
+-#
+-# If defined, all su(1) activity is logged to this file.
+-#
+-#SULOG_FILE	/var/log/sulog
+-
+ #
+ # If defined, ":" delimited list of "message of the day" files to
+ # be displayed upon login.
+@@ -90,38 +37,6 @@ CONSOLE		/etc/securetty
+ MOTD_FILE	/etc/motd
+ #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
+ 
+-#
+-# If defined, this file will be output before each login(1) prompt.
+-#
+-#ISSUE_FILE	/etc/issue
+-
+-#
+-# If defined, file which maps tty line to TERM environment parameter.
+-# Each line of the file is in a format similar to "vt100  tty01".
+-#
+-#TTYTYPE_FILE	/etc/ttytype
+-
+-#
+-# If defined, login(1) failures will be logged here in a utmp format.
+-# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
+-#
+-FTMP_FILE	/var/log/btmp
+-
+-#
+-# If defined, name of file whose presence will inhibit non-root
+-# logins.  The content of this file should be a message indicating
+-# why logins are inhibited.
+-#
+-NOLOGINS_FILE	/etc/nologin
+-
+-#
+-# If defined, the command name to display when running "su -".  For
+-# example, if this is defined as "su" then ps(1) will display the
+-# command as "-su".  If not defined, then ps(1) will display the
+-# name of the shell actually being run, e.g. something like "-sh".
+-#
+-SU_NAME		su
+-
+ #
+ # *REQUIRED*
+ #   Directory where mailboxes reside, _or_ name of file, relative to the
+@@ -139,21 +54,6 @@ MAIL_DIR	/var/spool/mail
+ HUSHLOGIN_FILE	.hushlogin
+ #HUSHLOGIN_FILE	/etc/hushlogins
+ 
+-#
+-# If defined, either a TZ environment parameter spec or the
+-# fully-rooted pathname of a file containing such a spec.
+-#
+-#ENV_TZ		TZ=CST6CDT
+-#ENV_TZ		/etc/tzname
+-
+-#
+-# If defined, an HZ environment parameter spec.
+-#
+-# for Linux/x86
+-ENV_HZ		HZ=100
+-# For Linux/Alpha...
+-#ENV_HZ		HZ=1024
+-
+ #
+ # *REQUIRED*  The default PATH settings, for superuser and normal users.
+ #
+@@ -175,23 +75,6 @@ ENV_PATH	PATH=/bin:/usr/bin
+ TTYGROUP	tty
+ TTYPERM		0600
+ 
+-#
+-# Login configuration initializations:
+-#
+-#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+-#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+-#	ULIMIT		Default "ulimit" value.
+-#
+-# The ERASECHAR and KILLCHAR are used only on System V machines.
+-# The ULIMIT is used only if the system supports it.
+-# (now it works with setrlimit too; ulimit is in 512-byte units)
+-#
+-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+-#
+-ERASECHAR	0177
+-KILLCHAR	025
+-#ULIMIT		2097152
+-
+ # Default initial "umask" value used by login(1) on non-PAM enabled systems.
+ # Default "umask" value for pam_umask(8) on PAM enabled systems.
+ # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+@@ -211,27 +94,12 @@ UMASK		022
+ #
+ #	PASS_MAX_DAYS	Maximum number of days a password may be used.
+ #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+-#	PASS_MIN_LEN	Minimum acceptable password length.
+ #	PASS_WARN_AGE	Number of days warning given before a password expires.
+ #
+ PASS_MAX_DAYS	99999
+ PASS_MIN_DAYS	0
+-PASS_MIN_LEN	5
+ PASS_WARN_AGE	7
+ 
+-#
+-# If "yes", the user must be listed as a member of the first gid 0 group
+-# in /etc/group (called "root" on most Linux systems) to be able to "su"
+-# to uid 0 accounts.  If the group doesn't exist or is empty, no one
+-# will be able to "su" to uid 0.
+-#
+-SU_WHEEL_ONLY	no
+-
+-#
+-# If compiled with cracklib support, sets the path to the dictionaries
+-#
+-CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
+-
+ #
+ # Min/max values for automatic uid selection in useradd(8)
+ #
+@@ -268,28 +136,6 @@ LOGIN_RETRIES		5
+ #
+ LOGIN_TIMEOUT		60
+ 
+-#
+-# Maximum number of attempts to change password if rejected (too easy)
+-#
+-PASS_CHANGE_TRIES	5
+-
+-#
+-# Warn about weak passwords (but still allow them) if you are root.
+-#
+-PASS_ALWAYS_WARN	yes
+-
+-#
+-# Number of significant characters in the password for crypt().
+-# Default is 8, don't change unless your crypt() is better.
+-# Ignored if MD5_CRYPT_ENAB set to "yes".
+-#
+-#PASS_MAX_LEN		8
+-
+-#
+-# Require password before chfn(1)/chsh(1) can make any changes.
+-#
+-CHFN_AUTH		yes
+-
+ #
+ # Which fields may be changed by regular users using chfn(1) - use
+ # any combination of letters "frwh" (full name, room number, work
+@@ -298,13 +144,6 @@ CHFN_AUTH		yes
+ # 
+ CHFN_RESTRICT		rwh
+ 
+-#
+-# Password prompt (%s will be replaced by user name).
+-#
+-# XXX - it doesn't work correctly yet, for now leave it commented out
+-# to use the default which is just "Password: ".
+-#LOGIN_STRING		"%s's Password: "
+-
+ #
+ # Only works if compiled with MD5_CRYPT defined:
+ # If set to "yes", new passwords will be encrypted using the MD5-based
+@@ -365,29 +204,12 @@ CHFN_RESTRICT		rwh
+ #BCRYPT_MIN_ROUNDS 13
+ #BCRYPT_MAX_ROUNDS 13
+ 
+-#
+-# List of groups to add to the user's supplementary group set
+-# when logging in from the console (as determined by the CONSOLE
+-# setting).  Default is none.
+-#
+-# Use with caution - it is possible for users to gain permanent
+-# access to these groups, even when not logged in from the console.
+-# How to do it is left as an exercise for the reader...
+-#
+-#CONSOLE_GROUPS		floppy:audio:cdrom
+-
+ #
+ # Should login be allowed if we can't cd to the home directory?
+ # Default is no.
+ #
+ DEFAULT_HOME	yes
+ 
+-#
+-# If this file exists and is readable, login environment will be
+-# read from it.  Every line should be in the form name=value.
+-#
+-ENVIRON_FILE	/etc/environment
+-
+ #
+ # If defined, this command is run when removing a user.
+ # It should remove any at/cron/print jobs etc. owned by
+diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml
+index 9e95da20..36992c4b 100644
+--- a/man/login.defs.5.xml
++++ b/man/login.defs.5.xml
+@@ -31,67 +31,37 @@
+ -->
+ <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN" 
+   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+-<!ENTITY CHFN_AUTH             SYSTEM "login.defs.d/CHFN_AUTH.xml">
+ <!ENTITY CHFN_RESTRICT         SYSTEM "login.defs.d/CHFN_RESTRICT.xml">
+-<!ENTITY CHSH_AUTH             SYSTEM "login.defs.d/CHSH_AUTH.xml">
+-<!ENTITY CONSOLE               SYSTEM "login.defs.d/CONSOLE.xml">
+-<!ENTITY CONSOLE_GROUPS        SYSTEM "login.defs.d/CONSOLE_GROUPS.xml">
+ <!ENTITY CREATE_HOME           SYSTEM "login.defs.d/CREATE_HOME.xml">
+ <!ENTITY DEFAULT_HOME          SYSTEM "login.defs.d/DEFAULT_HOME.xml">
+ <!ENTITY ENCRYPT_METHOD        SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
+-<!ENTITY ENV_HZ                SYSTEM "login.defs.d/ENV_HZ.xml">
+ <!ENTITY ENV_PATH              SYSTEM "login.defs.d/ENV_PATH.xml">
+ <!ENTITY ENV_SUPATH            SYSTEM "login.defs.d/ENV_SUPATH.xml">
+-<!ENTITY ENV_TZ                SYSTEM "login.defs.d/ENV_TZ.xml">
+-<!ENTITY ENVIRON_FILE          SYSTEM "login.defs.d/ENVIRON_FILE.xml">
+-<!ENTITY ERASECHAR             SYSTEM "login.defs.d/ERASECHAR.xml">
+ <!ENTITY FAIL_DELAY            SYSTEM "login.defs.d/FAIL_DELAY.xml">
+-<!ENTITY FAILLOG_ENAB          SYSTEM "login.defs.d/FAILLOG_ENAB.xml">
+-<!ENTITY FAKE_SHELL            SYSTEM "login.defs.d/FAKE_SHELL.xml">
+-<!ENTITY FTMP_FILE             SYSTEM "login.defs.d/FTMP_FILE.xml">
+ <!ENTITY GID_MAX               SYSTEM "login.defs.d/GID_MAX.xml">
+ <!ENTITY HOME_MODE             SYSTEM "login.defs.d/HOME_MODE.xml">
+ <!ENTITY HUSHLOGIN_FILE        SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
+-<!ENTITY ISSUE_FILE            SYSTEM "login.defs.d/ISSUE_FILE.xml">
+-<!ENTITY KILLCHAR              SYSTEM "login.defs.d/KILLCHAR.xml">
+-<!ENTITY LASTLOG_ENAB          SYSTEM "login.defs.d/LASTLOG_ENAB.xml">
+ <!ENTITY LASTLOG_UID_MAX       SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
+-<!ENTITY LOG_OK_LOGINS         SYSTEM "login.defs.d/LOG_OK_LOGINS.xml">
+ <!ENTITY LOG_UNKFAIL_ENAB      SYSTEM "login.defs.d/LOG_UNKFAIL_ENAB.xml">
+ <!ENTITY LOGIN_RETRIES         SYSTEM "login.defs.d/LOGIN_RETRIES.xml">
+-<!ENTITY LOGIN_STRING          SYSTEM "login.defs.d/LOGIN_STRING.xml">
+ <!ENTITY LOGIN_TIMEOUT         SYSTEM "login.defs.d/LOGIN_TIMEOUT.xml">
+-<!ENTITY MAIL_CHECK_ENAB       SYSTEM "login.defs.d/MAIL_CHECK_ENAB.xml">
+ <!ENTITY MAIL_DIR              SYSTEM "login.defs.d/MAIL_DIR.xml">
+ <!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
+ <!ENTITY MD5_CRYPT_ENAB        SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
+ <!ENTITY MOTD_FILE             SYSTEM "login.defs.d/MOTD_FILE.xml">
+-<!ENTITY NOLOGINS_FILE         SYSTEM "login.defs.d/NOLOGINS_FILE.xml">
+-<!ENTITY OBSCURE_CHECKS_ENAB   SYSTEM "login.defs.d/OBSCURE_CHECKS_ENAB.xml">
+-<!ENTITY PASS_ALWAYS_WARN      SYSTEM "login.defs.d/PASS_ALWAYS_WARN.xml">
+-<!ENTITY PASS_CHANGE_TRIES     SYSTEM "login.defs.d/PASS_CHANGE_TRIES.xml">
+-<!ENTITY PASS_MAX_LEN          SYSTEM "login.defs.d/PASS_MAX_LEN.xml">
+ <!ENTITY PASS_MAX_DAYS         SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
+ <!ENTITY PASS_MIN_DAYS         SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
+ <!ENTITY PASS_WARN_AGE         SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
+-<!ENTITY PORTTIME_CHECKS_ENAB  SYSTEM "login.defs.d/PORTTIME_CHECKS_ENAB.xml">
+-<!ENTITY QUOTAS_ENAB           SYSTEM "login.defs.d/QUOTAS_ENAB.xml">
+ <!ENTITY SHA_CRYPT_MIN_ROUNDS  SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
+-<!ENTITY SULOG_FILE            SYSTEM "login.defs.d/SULOG_FILE.xml">
+-<!ENTITY SU_NAME               SYSTEM "login.defs.d/SU_NAME.xml">
+-<!ENTITY SU_WHEEL_ONLY         SYSTEM "login.defs.d/SU_WHEEL_ONLY.xml">
+ <!ENTITY SUB_GID_COUNT         SYSTEM "login.defs.d/SUB_GID_COUNT.xml">
+ <!ENTITY SUB_UID_COUNT         SYSTEM "login.defs.d/SUB_UID_COUNT.xml">
+ <!ENTITY SYS_GID_MAX           SYSTEM "login.defs.d/SYS_GID_MAX.xml">
+ <!ENTITY SYSLOG_SG_ENAB        SYSTEM "login.defs.d/SYSLOG_SG_ENAB.xml">
+-<!ENTITY SYSLOG_SU_ENAB        SYSTEM "login.defs.d/SYSLOG_SU_ENAB.xml">
+ <!ENTITY SYS_UID_MAX           SYSTEM "login.defs.d/SYS_UID_MAX.xml">
+ <!ENTITY TCB_AUTH_GROUP        SYSTEM "login.defs.d/TCB_AUTH_GROUP.xml">
+ <!ENTITY TCB_SYMLINKS          SYSTEM "login.defs.d/TCB_SYMLINKS.xml">
+ <!ENTITY TTYGROUP              SYSTEM "login.defs.d/TTYGROUP.xml">
+-<!ENTITY TTYTYPE_FILE          SYSTEM "login.defs.d/TTYTYPE_FILE.xml">
+ <!ENTITY UID_MAX               SYSTEM "login.defs.d/UID_MAX.xml">
+-<!ENTITY ULIMIT                SYSTEM "login.defs.d/ULIMIT.xml">
+ <!ENTITY UMASK                 SYSTEM "login.defs.d/UMASK.xml">
+ <!ENTITY USERDEL_CMD           SYSTEM "login.defs.d/USERDEL_CMD.xml">
+ <!ENTITY USERGROUPS_ENAB       SYSTEM "login.defs.d/USERGROUPS_ENAB.xml">
+@@ -167,45 +137,24 @@
+     <para>The following configuration items are provided:</para>
+ 
+     <variablelist remap='IP'>
+-      &CHFN_AUTH;
+       &CHFN_RESTRICT;
+-      &CHSH_AUTH;
+-      &CONSOLE;
+-      &CONSOLE_GROUPS;
+       &CREATE_HOME;
+       &DEFAULT_HOME;
+       &ENCRYPT_METHOD;
+-      &ENV_HZ;
+       &ENV_PATH;
+       &ENV_SUPATH;
+-      &ENV_TZ;
+-      &ENVIRON_FILE;
+-      &ERASECHAR;
+       &FAIL_DELAY;
+-      &FAILLOG_ENAB;
+-      &FAKE_SHELL;
+-      &FTMP_FILE;
+       &GID_MAX; <!-- documents also GID_MIN -->
+       &HOME_MODE;
+       &HUSHLOGIN_FILE;
+-      &ISSUE_FILE;
+-      &KILLCHAR;
+-      &LASTLOG_ENAB;
+       &LASTLOG_UID_MAX;
+-      &LOG_OK_LOGINS;
+       &LOG_UNKFAIL_ENAB;
+       &LOGIN_RETRIES;
+-      &LOGIN_STRING;
+       &LOGIN_TIMEOUT;
+-      &MAIL_CHECK_ENAB;
+       &MAIL_DIR;
+       &MAX_MEMBERS_PER_GROUP;
+       &MD5_CRYPT_ENAB;
+       &MOTD_FILE;
+-      &NOLOGINS_FILE;
+-      &OBSCURE_CHECKS_ENAB;
+-      &PASS_ALWAYS_WARN;
+-      &PASS_CHANGE_TRIES;
+       &PASS_MAX_DAYS;
+       &PASS_MIN_DAYS;
+       &PASS_WARN_AGE;
+@@ -215,25 +164,16 @@
+         time of account creation. Any changes to these settings won't affect
+         existing accounts.
+       </para>
+-      &PASS_MAX_LEN; <!-- documents also PASS_MIN_LEN -->
+-      &PORTTIME_CHECKS_ENAB;
+-      &QUOTAS_ENAB;
+       &SHA_CRYPT_MIN_ROUNDS; <!-- documents also SHA_CRYPT_MAX_ROUNDS -->
+-      &SULOG_FILE;
+-      &SU_NAME;
+-      &SU_WHEEL_ONLY;
+       &SUB_GID_COUNT; <!-- documents also SUB_GID_MIN SUB_GID_MAX -->
+       &SUB_UID_COUNT; <!-- documents also SUB_UID_MIN SUB_UID_MAX -->
+       &SYS_GID_MAX; <!-- documents also SYS_GID_MIN -->
+       &SYS_UID_MAX; <!-- documents also SYS_UID_MIN -->
+       &SYSLOG_SG_ENAB;
+-      &SYSLOG_SU_ENAB;
+       &TCB_AUTH_GROUP;
+       &TCB_SYMLINKS;
+       &TTYGROUP;
+-      &TTYTYPE_FILE;
+       &UID_MAX; <!-- documents also UID_MIN -->
+-      &ULIMIT;
+       &UMASK;
+       &USERDEL_CMD;
+       &USERGROUPS_ENAB;
+@@ -359,35 +299,6 @@
+ 	  <para>LASTLOG_UID_MAX</para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry>
+-	<term>login</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
+-	    ENV_TZ ENVIRON_FILE</phrase>
+-	    ERASECHAR FAIL_DELAY
+-	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
+-	    FAKE_SHELL
+-	    <phrase condition="no_pam">FTMP_FILE</phrase>
+-	    HUSHLOGIN_FILE
+-	    <phrase condition="no_pam">ISSUE_FILE</phrase>
+-	    KILLCHAR
+-	    <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
+-	    LOGIN_RETRIES
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
+-	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
+-	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
+-	    QUOTAS_ENAB</phrase>
+-	    TTYGROUP TTYPERM TTYTYPE_FILE
+-	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
+-	    USERGROUPS_ENAB
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <!-- logoutd: no variables -->
+       <varlistentry>
+ 	<term>newgrp / sg</term>
+ 	<listitem>
+@@ -452,32 +363,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry>
+-	<term>su</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
+-	    ENV_PATH ENV_SUPATH
+-	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
+-	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
+-	    SULOG_FILE SU_NAME
+-	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
+-	    SYSLOG_SU_ENAB
+-	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+-	<term>sulogin</term>
+-	<listitem>
+-	  <para>
+-	    ENV_HZ
+-	    <phrase condition="no_pam">ENV_TZ</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>useradd</term>
+ 	<listitem>
+@@ -507,22 +392,6 @@
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+-	<term>usermod</term>
+-	<listitem>
+-	  <para>
+-	    LASTLOG_UID_MAX
+-	    MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP
+-	    <phrase condition="tcb">TCB_SYMLINKS USE_TCB</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry condition="tcb">
+-	<term>vipw</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="tcb">USE_TCB</phrase>
+-	  </para>
+-	</listitem>
+       </varlistentry>
+     </variablelist>
+   </refsect1>
diff --git a/trunk/shadow-4.8-ignore-login-prompt.patch b/trunk/shadow-4.8-ignore-login-prompt.patch
new file mode 100644
index 0000000..c93aae7
--- /dev/null
+++ b/trunk/shadow-4.8-ignore-login-prompt.patch
@@ -0,0 +1,11 @@
+diff -up shadow-4.8/lib/getdef.c.login-prompt shadow-4.8/lib/getdef.c
+--- shadow-4.8/lib/getdef.c.login-prompt	2020-01-13 10:38:44.852796681 +0100
++++ shadow-4.8/lib/getdef.c	2020-01-13 10:39:54.472612511 +0100
+@@ -98,6 +98,7 @@ static struct itemdef def_table[] = {
+ 	{"LASTLOG_UID_MAX", NULL},
+ 	{"LOGIN_RETRIES", NULL},
+ 	{"LOGIN_TIMEOUT", NULL},
++	{"LOGIN_PLAIN_PROMPT", NULL},
+ 	{"LOG_OK_LOGINS", NULL},
+ 	{"LOG_UNKFAIL_ENAB", NULL},
+ 	{"MAIL_DIR", NULL},