Fri Feb 7 22:32:38 UTC 202020200207223238

a/kernel-firmware-20200206_5351afe-noarch-1.txz:  Upgraded.
ap/ghostscript-9.50-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
ap/gutenprint-5.3.3-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
ap/nano-4.8-x86_64-1.txz:  Upgraded.
ap/screen-4.8.0-x86_64-1.txz:  Upgraded.
ap/vim-8.2.0224-x86_64-1.txz:  Upgraded.
d/cvs-1.11.23-x86_64-4.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
d/strace-5.5-x86_64-1.txz:  Upgraded.
kde/kdelibs-4.14.38-x86_64-6.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
l/gtk+2-2.24.32-x86_64-3.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
l/gtk+3-3.24.13-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
l/libsoup-2.68.3-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
l/libssh-0.9.3-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
l/loudmouth-1.5.3-x86_64-4.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
l/neon-0.30.2-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
n/cifs-utils-6.10-x86_64-2.txz:  Rebuilt.
  Recompiled to build cifs.upcall.
n/curl-7.68.0-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
n/cyrus-sasl-2.1.27-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
xap/vim-gvim-8.2.0224-x86_64-1.txz:  Upgraded.

79 files changed, 1010 insertions, 95 deletions

diff --git a/source/a/libcgroup/libcgroup.SlackBuild b/source/a/libcgroup/libcgroup.SlackBuild
index 00fc2be8..e5ff9b4c 100755
--- a/source/a/libcgroup/libcgroup.SlackBuild
+++ b/source/a/libcgroup/libcgroup.SlackBuild
@@ -80,6 +80,15 @@ zcat $CWD/libcgroup.conf.diff.gz | patch -p1 --verbose || exit 1
 # Apply combined patches from git, including for an infinate loop bug:
 zcat $CWD/libcgroup.loop.diff.gz | patch -p1 --verbose || exit 1
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  PAM_OPTIONS="--enable-pam --enable-pam-module-dir=/lib/security"
+  unset SHADOW_OPTIONS
+else
+  unset PAM_OPTIONS
+  SHADOW_OPTIONS="--disable-pam"
+fi
+
 chown -R root:root .
 find . \
   \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
@@ -97,7 +106,8 @@ CFLAGS="$SLKCFLAGS" \
   --libdir=/usr/lib${LIBDIRSUFFIX} \
   --mandir=/usr/man \
   --infodir=/usr/info \
-  --disable-pam \
+  $PAM_OPTIONS \
+  $SHADOW_OPTIONS \
   --disable-static \
   --build=$ARCH-slackware-linux || exit 1
 
diff --git a/source/a/shadow/doinst.sh b/source/a/shadow/doinst.sh
index a7bf2ee4..ce3e8116 100644
--- a/source/a/shadow/doinst.sh
+++ b/source/a/shadow/doinst.sh
@@ -10,8 +10,29 @@ config() {
   # Otherwise, we leave the .new copy for the admin to consider...
 }
 
+# First, check for PAM:
+if [ -r etc/pam.d/login.new ]; then
+  # If there's an existing /etc/login.defs that contains an obsolete option
+  # intended for a non-pam system, rename it to back it up and allow the
+  # pam-enabled login.defs to be installed automatically:
+  if grep -q "^LASTLOG_ENAB" etc/login.defs 1> /dev/null 2> /dev/null ; then
+    mv etc/login.defs etc/login.defs.non-pam.backup
+  fi
+else # Same thing, but in reverse for a non-pam system:
+  if ! grep -q "^LASTLOG_ENAB" etc/login.defs 1> /dev/null 2> /dev/null ; then
+    mv etc/login.defs etc/login.defs.pam.backup
+  fi
+fi
+
 config etc/default/useradd.new
-config etc/login.access.new
 config etc/login.defs.new
 config var/log/faillog.new
 rm -f var/log/faillog.new
+if [ -r etc/login.access.new ]; then
+  config etc/login.access.new
+fi
+for configfile in chage.new chfn.new chgpasswd.new chpasswd.new chsh.new groupadd.new groupdel.new groupmems.new groupmod.new login.new newusers.new other.new passwd.new postlogin.new su-l.new su.new system-auth.new useradd.new userdel.new usermod.new ; do
+  if [ -r etc/pam.d/$configfile ]; then
+    config etc/pam.d/$configfile
+  fi
+done
diff --git a/source/a/shadow/login.defs.pam b/source/a/shadow/login.defs.pam
new file mode 100644
index 00000000..cc15db6a
--- /dev/null
+++ b/source/a/shadow/login.defs.pam
@@ -0,0 +1,287 @@
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+#	$Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+#
+FAIL_DELAY		3
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB		yes
+SYSLOG_SG_ENAB		yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names.  Root logins will be allowed only
+# upon these devices.
+#
+CONSOLE		/etc/securetty
+#CONSOLE	console:tty01:tty02:tty03:tty04
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE	/var/log/sulog
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, the command name to display when running "su -".  For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su".  If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME		su
+
+#
+# *REQUIRED*
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
+#
+MAIL_DIR	/var/spool/mail
+#MAIL_FILE	.mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH     PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ENV_PATH       PATH=/usr/local/bin:/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+TTYGROUP	tty
+TTYPERM		0620
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR	0177
+KILLCHAR	025
+
+#
+# Default initial "umask" value used by login(1) on non-PAM enabled systems.
+# Default "umask" value for pam_umask(8) on PAM enabled systems.
+# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+# home directories if HOME_MODE is not set.
+# 022 is the default value, but 027, or even 077, could be considered
+# for increased privacy. There is no One True Answer here: each sysadmin
+# must make up their mind.
+UMASK           022
+
+#
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+#HOME_MODE      0700
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_WARN_AGE	7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN			 1000
+UID_MAX			60000
+# System accounts
+SYS_UID_MIN		  101
+SYS_UID_MAX		  999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN			 1000
+GID_MAX			60000
+# System accounts
+SYS_GID_MIN		  101
+SYS_GID_MAX		  999
+
+#
+# Max number of login retries if password is bad
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT		60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# 
+CHFN_RESTRICT		frwh
+
+#
+# Only works if compiled with MD5_CRYPT defined:
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm.  Default is "no".
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB	no
+
+#
+# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+ENCRYPT_METHOD SHA256
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#SHA_CRYPT_MIN_ROUNDS 5000
+#SHA_CRYPT_MAX_ROUNDS 5000
+
+#
+# Only works if ENCRYPT_METHOD is set to BCRYPT.
+#
+# Define the number of BCRYPT rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, 13 rounds will be attempted.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#BCRYPT_MIN_ROUNDS 13
+#BCRYPT_MAX_ROUNDS 13
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting).  Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# Most of these groups are self-explanatory, but in the case of
+# "lp", it is because group lp is needed to use a scanner that
+# is part of a multifunction printer.
+#
+# Note that users are added to these default groups only when
+# logging into a shell with /bin/login, not when using a login
+# manager such as kdm.  In that case, users who should have
+# hardware access must be added to the appropriate groups
+# when the user is added with adduser or useradd, or by editing
+# /etc/group directly, preferably using "vigr"
+#
+CONSOLE_GROUPS         floppy:audio:cdrom:video:lp:scanner
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME	yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-nul number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permit to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP	0
+
+#
+# If useradd should create home directories for users by default (non
+# system users only)
+# This option is overridden with the -M or -m flags on the useradd command
+# line.
+#
+#CREATE_HOME     yes
+
diff --git a/source/a/shadow/login.defs b/source/a/shadow/login.defs.shadow
index 022dd36f..022dd36f 100644
--- a/source/a/shadow/login.defs
+++ b/source/a/shadow/login.defs.shadow
diff --git a/source/a/shadow/pam.d/chage b/source/a/shadow/pam.d/chage
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/chage
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/source/a/shadow/pam.d/chfn b/source/a/shadow/pam.d/chfn
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/chfn
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/source/a/shadow/pam.d/chgpasswd b/source/a/shadow/pam.d/chgpasswd
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/chgpasswd
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/source/a/shadow/pam.d/chpasswd b/source/a/shadow/pam.d/chpasswd
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/chpasswd
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/source/a/shadow/pam.d/chsh b/source/a/shadow/pam.d/chsh
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/chsh
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/source/a/shadow/pam.d/groupadd b/source/a/shadow/pam.d/groupadd
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/groupadd
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/source/a/shadow/pam.d/groupdel b/source/a/shadow/pam.d/groupdel
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/groupdel
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/source/a/shadow/pam.d/groupmems b/source/a/shadow/pam.d/groupmems
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/groupmems
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/source/a/shadow/pam.d/groupmod b/source/a/shadow/pam.d/groupmod
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/groupmod
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/source/a/shadow/pam.d/login b/source/a/shadow/pam.d/login
new file mode 100644
index 00000000..eb312199
--- /dev/null
+++ b/source/a/shadow/pam.d/login
@@ -0,0 +1,11 @@
+#%PAM-1.0
+auth		required	pam_securetty.so
+auth		include		system-auth
+auth		include		postlogin
+account		required	pam_nologin.so
+account		include		system-auth
+password	include		system-auth
+session		include		system-auth
+session		include		postlogin
+session		required	pam_loginuid.so
+session		optional	pam_ck_connector.so nox11
diff --git a/source/a/shadow/pam.d/newusers b/source/a/shadow/pam.d/newusers
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/newusers
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/source/a/shadow/pam.d/other b/source/a/shadow/pam.d/other
new file mode 100644
index 00000000..57282493
--- /dev/null
+++ b/source/a/shadow/pam.d/other
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth       include      system-auth
+account    include      system-auth
+password   include      system-auth
+session    include      system-auth
diff --git a/source/a/shadow/pam.d/passwd b/source/a/shadow/pam.d/passwd
new file mode 100644
index 00000000..67f8ff54
--- /dev/null
+++ b/source/a/shadow/pam.d/passwd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth
+session		include		system-auth
diff --git a/source/a/shadow/pam.d/postlogin b/source/a/shadow/pam.d/postlogin
new file mode 100644
index 00000000..9777b897
--- /dev/null
+++ b/source/a/shadow/pam.d/postlogin
@@ -0,0 +1,4 @@
+#%PAM-1.0
+session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session     [default=1]   pam_lastlog.so nowtmp showfailed
+session     optional      pam_lastlog.so silent noupdate showfailed
diff --git a/source/a/shadow/pam.d/su b/source/a/shadow/pam.d/su
new file mode 100644
index 00000000..c7c81487
--- /dev/null
+++ b/source/a/shadow/pam.d/su
@@ -0,0 +1,11 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth		sufficient	pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth		required	pam_wheel.so use_uid
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth
+session		include		system-auth
+session		optional	pam_xauth.so
diff --git a/source/a/shadow/pam.d/su-l b/source/a/shadow/pam.d/su-l
new file mode 100644
index 00000000..656a139a
--- /dev/null
+++ b/source/a/shadow/pam.d/su-l
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		include		su
+account		include		su
+password	include		su
+session		optional	pam_keyinit.so force revoke
+session		include		su
diff --git a/source/a/shadow/pam.d/system-auth b/source/a/shadow/pam.d/system-auth
new file mode 100644
index 00000000..5fa10c80
--- /dev/null
+++ b/source/a/shadow/pam.d/system-auth
@@ -0,0 +1,96 @@
+#%PAM-1.0
+#
+# Most of these PAM modules have man pages included, like 
+# PAM_UNIX(8) for example.
+#
+
+##################
+# Authentication #
+##################
+#
+# To set a limit on failed authentications, the tallying modules
+# can be enabled.
+#
+auth        required      pam_env.so
+auth        required      pam_tally2.so
+#
+auth        sufficient    pam_unix.so likeauth nullok
+auth        required      pam_deny.so
+auth        optional      pam_gnome_keyring.so
+
+##################
+# Account checks #
+##################
+#
+# Only root can login if file /etc/nologin exists.
+# This is equivalent to NOLOGINS_FILE on login.defs
+#
+account     required      pam_nologin.so
+#
+# Enable restrictions by time, specified in /etc/security/time.conf
+# This is equivalent to PORTTIME_CHECKS_ENAB on login.defs
+#
+account     required	  pam_time.so		
+account     required      pam_unix.so
+account     sufficient    pam_succeed_if.so uid < 100 quiet
+account     required      pam_permit.so
+
+#####################
+# Password handling #
+#####################
+#
+# If you have CrackLib installed and enabled
+#
+# Passwords will be checked against a huge dictionary and need to
+# have at least 6 characters (cracklib can't use 5). Some options
+# of cracklib modules are:
+#
+# difok		Number of characters that needs to be different 
+#		between old and new characters
+# minlen	Password minimal length
+# retry		How many times the user can try bad new passwords
+# dcredit,ocredit,ucredit,lcredit
+#		Digiti, Others, Uppercase, Lowercase characters
+#		Positive numbers marks the max number of credits given
+#		by one character class. With dcredit=5 and minlen=6, you
+#		can't use a full numeric password because more than 5
+#		digit characters doesn't count credits to achieve the
+#		minimal length
+#		Negative numbers determine that a password needs to have
+#		at least N characters
+#
+# You can see many other pam_cracklib options at pam_cracklib(8) manpage
+# 
+# Also, the "use_authtok" option for pam_unix is for working with pam_cracklib
+# in sharing the password stack. See pam_unix(8) for more details.
+#
+# If you need to use CrackLib to enforce your passwords, uncomment 
+# two statements:
+#password    requisite     pam_cracklib.so retry=3 minlen=6 \
+#			  difok=1 dcredit=5 ocredit=5 ucredit=5 lcredit=5
+#password    sufficient    pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
+#
+# --
+# A less intense option for cracklib, is:
+#password    requisite     pam_cracklib.so retry=3
+#password    sufficient    pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
+# --
+# The default is the "traditional" way without CrackLib.
+# Passwords need to have at least 8 characters. If you are using Cracklib,
+# please comment the next statement.
+password    sufficient    pam_unix.so nullok sha512 shadow minlen=8
+
+# ATTENTION: keep the line for pam_deny.so
+password    required      pam_deny.so
+
+#########################
+# Session Configuration #
+#########################
+#
+# This applies the limits specified in /etc/security/limits.conf
+#
+session     required      pam_limits.so
+session     required      pam_unix.so
+#session     required      pam_lastlog.so showfailed
+#session     optional      pam_mail.so standard
+session     optional      pam_gnome_keyring.so auto_start
diff --git a/source/a/shadow/pam.d/useradd b/source/a/shadow/pam.d/useradd
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/useradd
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/source/a/shadow/pam.d/userdel b/source/a/shadow/pam.d/userdel
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/userdel
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/source/a/shadow/pam.d/usermod b/source/a/shadow/pam.d/usermod
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/usermod
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/source/a/shadow/shadow.SlackBuild b/source/a/shadow/shadow.SlackBuild
index 4264a24d..360da370 100755
--- a/source/a/shadow/shadow.SlackBuild
+++ b/source/a/shadow/shadow.SlackBuild
@@ -51,12 +51,16 @@ PKG=$TMP/package-shadow
 
 if [ "$ARCH" = "i586" ]; then
   SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+  LIBDIRSUFFIX=""
 elif [ "$ARCH" = "s390" ]; then
   SLKCFLAGS="-O2"
+  LIBDIRSUFFIX=""
 elif [ "$ARCH" = "x86_64" ]; then
   SLKCFLAGS="-O2 -fPIC"
+  LIBDIRSUFFIX="64"
 else
   SLKCFLAGS="-O2"
+  LIBDIRSUFFIX=""
 fi
 
 rm -rf $PKG
@@ -66,6 +70,15 @@ rm -rf shadow-$VERSION
 tar xvf $CWD/shadow-$VERSION.tar.xz || exit 1
 cd shadow-$VERSION
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  PAM_OPTIONS="--with-libpam"
+  unset SHADOW_OPTIONS
+else
+  unset PAM_OPTIONS
+  SHADOW_OPTIONS="--enable-shadowgrp --without-libcrack"
+fi
+
 # Apply some patches taken from the svn trunk that
 # fix some of the more serious bugs in 4.1.4.3:
 for patch in $CWD/patches/*.diff.gz ; do
@@ -109,7 +122,8 @@ CFLAGS="$SLKCFLAGS" \
   --enable-man \
   --enable-subordinate-ids \
   --disable-shared \
-  --without-libcrack \
+  $SHADOW_OPTIONS \
+  $PAM_OPTIONS \
   --build=$ARCH-slackware-linux
 
 #  --enable-utmpx   # defaults to 'no'
@@ -134,16 +148,42 @@ mkdir -p $PKG/bin $PKG/sbin
 )
 mv $PKG/usr/sbin/nologin $PKG/sbin/nologin
 
+if [ ! -z "$PAM_OPTIONS" ]; then
+  # Don't ship the login utilities. We'll be using the ones from util-linux:
+  for file in /bin/login /bin/su /sbin/runuser /usr/bin/chfn /usr/bin/chsh \
+    /usr/man/man1/chfn.1.gz /usr/man/man1/chsh.1.gz /usr/man/man1/login.1.gz \
+    /usr/man/man1/runuser.1.gz /usr/man/man1/su.1.gz \
+    /usr/share/bash-completion/completions/chfn \
+    /usr/share/bash-completion/completions/chsh \
+    /usr/share/bash-completion/completions/su ; do
+    rm -f $PKG${file}
+  done
+  # Install config files in /etc/pam.d/. We'll use our own copies... I'm not
+  # sure that I trust upstream enough to let them handle this stuff.
+  rm -rf $PKG/etc/pam.d
+  mkdir -p $PKG/etc/pam.d
+  for file in $CWD/pam.d/* ; do
+    cp -a ${file} $PKG/etc/pam.d/
+  done
+  # Ensure correct perms/ownership on files in /etc/pam.d/:
+  chown root:root $PKG/etc/pam.d/*
+  chmod 644 $PKG/etc/pam.d/*
+  # Don't clobber existing config files:
+  find $PKG/etc/pam.d -type f -exec mv {} {}.new \;
+  # Install a login.defs with unsurprising defaults:
+  rm -f $PKG/etc/login.defs
+  zcat $CWD/login.defs.pam.gz > $PKG/etc/login.defs.new
+else # not using PAM
+  mv $PKG/etc/login.access $PKG/etc/login.access.new
+  # Install a login.defs with unsurprising defaults:
+  rm -f $PKG/etc/login.defs
+  zcat $CWD/login.defs.shadow.gz > $PKG/etc/login.defs.new
+fi
+
 # /bin/groups is provided by coreutils.
 rm -f $PKG/bin/groups
 find $PKG -name groups.1 -exec rm {} \+
 
-# Install a login.defs with unsurprising defaults:
-rm -f $PKG/etc/login.defs
-zcat $CWD/login.defs.gz > $PKG/etc/login.defs.new
-
-mv $PKG/etc/login.access $PKG/etc/login.access.new
-
 # I don't think this works well enough to recommend it.
 #mv $PKG/etc/limits $PKG/etc/limits.new
 rm -f $PKG/etc/limits
@@ -197,4 +237,3 @@ zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
 
 cd $PKG
 /sbin/makepkg -l y -c n $TMP/shadow-$VERSION-$ARCH-$BUILD.txz
-
diff --git a/source/a/shadow/shadow.login.display.short.hostname.diff b/source/a/shadow/shadow.login.display.short.hostname.diff
index ad5c3eba..53a22f8b 100644
--- a/source/a/shadow/shadow.login.display.short.hostname.diff
+++ b/source/a/shadow/shadow.login.display.short.hostname.diff
@@ -1,5 +1,6 @@
---- ./libmisc/loginprompt.c.orig	2014-03-01 12:59:51.000000000 -0600
-+++ ./libmisc/loginprompt.c	2017-11-21 18:17:27.492000123 -0600
+diff -u -r --new-file shadow-4.8.1.orig/libmisc/loginprompt.c shadow-4.8.1/libmisc/loginprompt.c
+--- shadow-4.8.1.orig/libmisc/loginprompt.c	2019-07-23 10:26:08.000000000 -0500
++++ shadow-4.8.1/libmisc/loginprompt.c	2020-02-06 17:29:43.386954096 -0600
 @@ -99,6 +99,15 @@
  			}
  		}
@@ -16,3 +17,22 @@
  		printf (prompt, buf);
  		(void) fflush (stdout);
  	}
+diff -u -r --new-file shadow-4.8.1.orig/src/login.c shadow-4.8.1/src/login.c
+--- shadow-4.8.1.orig/src/login.c	2020-01-12 07:58:49.000000000 -0600
++++ shadow-4.8.1/src/login.c	2020-02-06 17:29:33.191954722 -0600
+@@ -761,6 +761,15 @@
+ 
+ 		/* Make the login prompt look like we want it */
+ 		if (gethostname (hostn, sizeof (hostn)) == 0) {
++			/* Trim away everything after the first '.': */
++			int i = 0;
++			while (hostn[i] != '\0' && i < sizeof(hostn) - 1) {
++				if (hostn[i] == '.') {
++					hostn[i] = '\0';
++					break;
++				}
++				i++;
++			}
+ 			snprintf (loginprompt,
+ 			          sizeof (loginprompt),
+ 			          _("%s login: "), hostn);
diff --git a/source/a/shadow/slack-desc b/source/a/shadow/slack-desc
index 7263ee77..cb249741 100644
--- a/source/a/shadow/slack-desc
+++ b/source/a/shadow/slack-desc
@@ -8,12 +8,12 @@
       |-----handy-ruler------------------------------------------------------|
 shadow: shadow (shadow password suite)
 shadow:
-shadow: This set of login related programs utilizes an alternate, non-readable
-shadow: file to contain the actual encrypted passwords. This is presumed to 
-shadow: increase system security by increasing the difficulty with which 
-shadow: system crackers obtain encrypted passwords. It was written by 
-shadow: Julianne Frances Haugh and the Linux port is maintained by Tomasz
-shadow: Kloczko.
+shadow: This package includes the necessary programs for handling account
+shadow: information in the shadow password format, plus programs for managing
+shadow: user and group accounts. It was written by Julianne Frances Haugh and
+shadow: the Linux port is maintained by Tomasz Kloczko.
 shadow:
 shadow: Homepage: https://github.com/shadow-maint/shadow
 shadow:
+shadow:
+shadow:
diff --git a/source/a/util-linux/util-linux.SlackBuild b/source/a/util-linux/util-linux.SlackBuild
index 8d6ff21c..662eb75c 100755
--- a/source/a/util-linux/util-linux.SlackBuild
+++ b/source/a/util-linux/util-linux.SlackBuild
@@ -82,6 +82,13 @@ find . \
  \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
  -exec chmod 644 {} \+
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  LOGIN_OPTIONS=""
+else
+  LOGIN_OPTIONS="--disable-login"
+fi
+
 # Changing the fdisk -l output (this was done prior to util-linux-ng) broke
 # our installation scripts, so we have changed the name of partition type
 # 83 back to "Linux swap":
@@ -119,7 +126,7 @@ configure_with_python(){
   --enable-pg \
   --enable-raw \
   --enable-rename \
-  --disable-login \
+  $LOGIN_OPTIONS \
   --enable-schedutils \
   --enable-wall \
   --enable-write \
@@ -136,13 +143,13 @@ CFLAGS="$SLKCFLAGS" \
   configure_with_python 2 || exit 1
 
 make $NUMJOBS || make || exit 1
-make install DESTDIR=$PKG || exit 1
+make install $NUMJOBS DESTDIR=$PKG || exit 1
 
 # Build python3 bindings for libmount:
 make clean
 CFLAGS="$SLKCFLAGS" \
   configure_with_python 3 || exit 1
-make \
+make $NUMJOBS \
   install-pylibmountexecLTLIBRARIES \
   install-pylibmountexecPYTHON \
   DESTDIR=$PKG || exit 1
diff --git a/source/ap/cups/cups.SlackBuild b/source/ap/cups/cups.SlackBuild
index de09891b..60ff31fc 100755
--- a/source/ap/cups/cups.SlackBuild
+++ b/source/ap/cups/cups.SlackBuild
@@ -81,6 +81,15 @@ cd cups-$VERSION || exit 1
 
 sed -i.orig -e 's#$exec_prefix/lib/cups#$libdir/cups#g' configure
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  PAM_OPTIONS="--enable-pam"
+  unset SHADOW_OPTIONS
+else
+  unset PAM_OPTIONS
+  SHADOW_OPTIONS="--disable-pam"
+fi
+
 CFLAGS="$SLKCFLAGS" \
 CXXFLAGS="$SLKCFLAGS" \
 ./configure \
@@ -89,7 +98,8 @@ CXXFLAGS="$SLKCFLAGS" \
   --enable-gnutls=yes \
   --enable-cdsassl=no \
   --docdir=/usr/doc \
-  --disable-pam \
+  $PAM_OPTIONS \
+  $SHADOW_OPTIONS \
   --disable-avahi \
   --disable-dnssd \
   --build=$ARCH-slackware-linux || exit 1
@@ -97,6 +107,13 @@ CXXFLAGS="$SLKCFLAGS" \
 make $NUMJOBS || exit 1
 make BUILDROOT=$PKG install || exit 1
 
+if [ ! -z "$PAM_OPTIONS" ]; then
+  # Allow pam config files to be edited by root:
+  chmod 644 $PKG/etc/pam.d/*
+  # Make PAM file .new:
+  mv $PKG/etc/pam.d/cups $PKG/etc/pam.d/cups.new
+fi
+
 # Blacklist the usblp module just to make sure that it doesn't cause
 # any problems:
 mkdir -p $PKG/lib/modprobe.d
diff --git a/source/ap/cups/doinst.sh b/source/ap/cups/doinst.sh
index 6807cc3a..d0349bca 100644
--- a/source/ap/cups/doinst.sh
+++ b/source/ap/cups/doinst.sh
@@ -13,6 +13,9 @@ for file in etc/cups/*.new ; do
   config $file
 done
 config etc/dbus-1/system.d/cups.conf.new
+if [ -r etc/pam.d/cups.new ]; then
+  config etc/pam.d/cups.new
+fi
 
 # This file will just have to go.  It appeared for a while during a -current
 # devel period and has never been part of a stable release.
diff --git a/source/ap/ghostscript/ghostscript.SlackBuild b/source/ap/ghostscript/ghostscript.SlackBuild
index 614896e0..ae199f6b 100755
--- a/source/ap/ghostscript/ghostscript.SlackBuild
+++ b/source/ap/ghostscript/ghostscript.SlackBuild
@@ -27,7 +27,7 @@ if [ -r gnu-ghostscript-*.tar.?z ]; then
   SRCPREFIX="gnu-"
 fi
 VERSION=${VERSION:-$(echo $SRCPREFIX$PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
diff --git a/source/ap/gutenprint/gutenprint.SlackBuild b/source/ap/gutenprint/gutenprint.SlackBuild
index bd952390..75fb110e 100755
--- a/source/ap/gutenprint/gutenprint.SlackBuild
+++ b/source/ap/gutenprint/gutenprint.SlackBuild
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=gutenprint
 VERSION=${VERSION:-$(echo gutenprint-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
diff --git a/source/ap/hplip/hplip.SlackBuild b/source/ap/hplip/hplip.SlackBuild
index cf0d963f..a6882040 100755
--- a/source/ap/hplip/hplip.SlackBuild
+++ b/source/ap/hplip/hplip.SlackBuild
@@ -83,6 +83,13 @@ zcat $CWD/setup.py.lc_all.c.diff.gz | patch -p1 --verbose || exit 1
 # Fix a few .py files lacking #!/usr/bin/python3:
 zcat $CWD/hplip.python3.shebang.diff.gz | patch -p1 --verbose || exit 1
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  unset SHADOW_OPTIONS
+else
+  SHADOW_OPTIONS="--enable-shadow-build"
+fi
+
 chown -R root:root .
 find . \
  \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
@@ -133,7 +140,7 @@ PYTHON=/usr/bin/python3 \
   --with-hpppddir=/usr/share/ppd/HP \
   --with-drvdir=/usr/share/cups/drv/HP \
   --enable-hpijs-install \
-  --enable-shadow-build \
+  $SHADOW_OPTIONS \
   --enable-scan-build \
   --enable-gui-build \
   --enable-fax-build \
diff --git a/source/ap/lxc/lxc.SlackBuild b/source/ap/lxc/lxc.SlackBuild
index d44f5a88..589e3ca6 100755
--- a/source/ap/lxc/lxc.SlackBuild
+++ b/source/ap/lxc/lxc.SlackBuild
@@ -193,7 +193,7 @@ fi
 
 mkdir -p $PKG/install
 cat $CWD/slack-desc > $PKG/install/slack-desc
-cat $CWD/doinst.sh > $PKG/install/doinst.sh
+zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
 
 cd $PKG
 /sbin/makepkg -l y -c n $TMP/$PKGNAM-$(echo $VERSION | tr - _)-$ARCH-$BUILD.txz
diff --git a/source/ap/screen/doinst.sh b/source/ap/screen/doinst.sh
new file mode 100644
index 00000000..c71460ad
--- /dev/null
+++ b/source/ap/screen/doinst.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+config() {
+  NEW="$1"
+  OLD="$(dirname $NEW)/$(basename $NEW .new)"
+  # If there's no config file by that name, mv it over:
+  if [ ! -r $OLD ]; then
+    mv $NEW $OLD
+  elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy
+    rm $NEW
+  fi
+  # Otherwise, we leave the .new copy for the admin to consider...
+}
+config etc/screenrc.new
+config etc/skel/.screenrc.new
+if [ -r etc/pam.d/screen.new ]; then
+  config etc/pam.d/screen.new
+fi
+# This is probably safer than leaving the hidden .new file...  maybe?
+rm -f etc/skel/.screenrc.new
diff --git a/source/ap/screen/screen.SlackBuild b/source/ap/screen/screen.SlackBuild
index dc7f2ded..ee5b24ae 100755
--- a/source/ap/screen/screen.SlackBuild
+++ b/source/ap/screen/screen.SlackBuild
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2008, 2009, 2010, 2011, 2013, 2014, 2015, 2016, 2018, 2019  Patrick J. Volkerding, Sebeka, Minnesota, USA
+# Copyright 2008, 2009, 2010, 2011, 2013, 2014, 2015, 2016, 2018, 2019, 2020  Patrick J. Volkerding, Sebeka, Minnesota, USA
 # All rights reserved.
 #
 # Redistribution and use of this script, with or without modification, is
@@ -46,12 +46,16 @@ fi
 
 if [ "$ARCH" = "i586" ]; then
   SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+  LIBDIRSUFFIX=""
 elif [ "$ARCH" = "s390" ]; then
   SLKCFLAGS="-O2"
+  LIBDIRSUFFIX=""
 elif [ "$ARCH" = "x86_64" ]; then
   SLKCFLAGS="-O2 -fPIC"
+  LIBDIRSUFFIX="64"
 else
   SLKCFLAGS="-O2"
+  LIBDIRSUFFIX=""
 fi
 
 TMP=${TMP:-/tmp}
@@ -86,6 +90,15 @@ done
 # the console from being properly cleared when detaching from a screen session:
 zcat $CWD/60-revert-screenrc-change.diff.gz | patch -p1 --verbose || exit 1
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  PAM_OPTIONS="--enable-pam"
+  unset SHADOW_OPTIONS
+else
+  unset PAM_OPTIONS
+  SHADOW_OPTIONS="--disable-pam"
+fi
+
 # Configure:
 CFLAGS="$SLKCFLAGS" \
 ./configure \
@@ -97,7 +110,8 @@ CFLAGS="$SLKCFLAGS" \
   --with-sys-screenrc=/etc/screenrc \
   --with-pty-mode=0620 \
   --with-pty-group=5 \
-  --disable-pam \
+  $PAM_OPTIONS \
+  $SHADOW_OPTIONS \
   --enable-telnet \
   --disable-socket-dir \
   --enable-use-locale \
@@ -125,6 +139,12 @@ chmod 755 $PKG/usr/bin/screen-$VERSION
 mkdir -p $PKG/etc/skel
 cat etc/etcscreenrc > $PKG/etc/screenrc.new
 cat etc/screenrc > $PKG/etc/skel/.screenrc.new
+
+if [ ! -z "$PAM_OPTIONS" ]; then
+  mkdir -p $PKG/etc/pam.d
+  cat $CWD/screen.pam > $PKG/etc/pam.d/screen.new
+fi
+
 rm -f $PKG/usr/info/dir
 gzip -9 $PKG/usr/info/*
 gzip -9 $PKG/usr/man/man1/*
@@ -135,26 +155,8 @@ cp -a COPYING ChangeLog HACKING INSTALL NEWS README TODO \
   $PKG/usr/doc/screen-$VERSION
 mkdir -p $PKG/install
 cat $CWD/slack-desc > $PKG/install/slack-desc
-cat << EOF > $PKG/install/doinst.sh
-#!/bin/bash
-config() {
-  NEW="\$1"
-  OLD="\$(dirname \$NEW)/\$(basename \$NEW .new)"
-  # If there's no config file by that name, mv it over:
-  if [ ! -r \$OLD ]; then
-    mv \$NEW \$OLD
-  elif [ "\$(cat \$OLD | md5sum)" = "\$(cat \$NEW | md5sum)" ]; then # toss the redundant copy
-    rm \$NEW
-  fi
-  # Otherwise, we leave the .new copy for the admin to consider...
-}
-config etc/screenrc.new
-config etc/skel/.screenrc.new
-# This is probably safer than leaving the hidden .new file...  maybe?
-rm -f etc/skel/.screenrc.new
-EOF
+zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
 
 # Build package:
 cd $PKG
 makepkg -l y -c n $TMP/screen-$VERSION-$ARCH-$BUILD.txz
-
diff --git a/source/ap/screen/screen.pam b/source/ap/screen/screen.pam
new file mode 100644
index 00000000..d286fe2a
--- /dev/null
+++ b/source/ap/screen/screen.pam
@@ -0,0 +1,5 @@
+#%PAM-1.0
+
+auth		required	pam_securetty.so debug
+auth		include		system-auth
+
diff --git a/source/ap/sudo/sudo.SlackBuild b/source/ap/sudo/sudo.SlackBuild
index 9bdcb652..a47e63e6 100755
--- a/source/ap/sudo/sudo.SlackBuild
+++ b/source/ap/sudo/sudo.SlackBuild
@@ -74,6 +74,15 @@ find . \
   \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
   -exec chmod 644 {} \+
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  PAM_OPTIONS="--enable-pam-session --with-pam=yes"
+  unset SHADOW_OPTIONS
+else
+  unset PAM_OPTIONS
+  SHADOW_OPTIONS="--disable-pam-session --with-pam=no"
+fi
+
 CFLAGS="$SLKCFLAGS" \
 ./configure \
   --prefix=/usr \
@@ -81,8 +90,8 @@ CFLAGS="$SLKCFLAGS" \
   --mandir=/usr/man \
   --docdir=/usr/doc/sudo-$VERSION \
   --with-env-editor \
-  --disable-pam-session \
-  --with-pam=no \
+  $PAM_OPTIONS \
+  $SHADOW_OPTIONS \
   --with-rundir=/run/sudo \
   --with-vardir=/var/db/sudo \
   --with-insults \
diff --git a/source/d/cvs/cvs.SlackBuild b/source/d/cvs/cvs.SlackBuild
index 491ff48a..3a11f439 100755
--- a/source/d/cvs/cvs.SlackBuild
+++ b/source/d/cvs/cvs.SlackBuild
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=cvs
 VERSION=1.11.23
-BUILD=${BUILD:-3}
+BUILD=${BUILD:-4}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
diff --git a/source/kde/build/kdelibs b/source/kde/build/kdelibs
index 7ed6ff82..1e8b3149 100644
--- a/source/kde/build/kdelibs
+++ b/source/kde/build/kdelibs
@@ -1 +1 @@
-5
+6
diff --git a/source/kde/doinst.sh/kde-workspace b/source/kde/doinst.sh/kde-workspace
index 5834cc55..796b2956 100644
--- a/source/kde/doinst.sh/kde-workspace
+++ b/source/kde/doinst.sh/kde-workspace
@@ -13,6 +13,12 @@ config() {
   # Otherwise, we leave the .new copy for the admin to consider...
 }
 
+config etc/kde/kdm/backgroundrc.new
+config etc/kde/kdm/kdmrc.new
+if [ -r etc/pam.d/kde.new ]; then
+  config etc/pam.d/kde.new
+fi
+
 if [ -x usr/bin/update-desktop-database ]; then
   usr/bin/update-desktop-database usr/share/applications >/dev/null 2>&1
 fi
@@ -20,6 +26,3 @@ fi
 if [ -x usr/bin/update-mime-database ]; then
   usr/bin/update-mime-database usr/share/mime >/dev/null 2>&1
 fi
-
-config etc/kde/kdm/backgroundrc.new
-config etc/kde/kdm/kdmrc.new
diff --git a/source/kde/post-install/kde-workspace.post-install b/source/kde/post-install/kde-workspace.post-install
index f6e0c236..8dbc910d 100644
--- a/source/kde/post-install/kde-workspace.post-install
+++ b/source/kde/post-install/kde-workspace.post-install
@@ -45,7 +45,6 @@ if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
   cp -a $CWD/post-install/kde-workspace/config/kde.pamd $PKG/etc/pam.d/kde.new
   chown root:root $PKG/etc/pam.d/kde.new
   chmod 644 $PKG/etc/pam.d/kde.new
-  echo "config etc/pam.d/kde.new" >> $PKG/install/doinst.sh
 fi
 
 # Move the KDM files someplace FHS compliant:
diff --git a/source/l/ConsoleKit2/ConsoleKit2.SlackBuild b/source/l/ConsoleKit2/ConsoleKit2.SlackBuild
index 2a7df01c..ea604833 100755
--- a/source/l/ConsoleKit2/ConsoleKit2.SlackBuild
+++ b/source/l/ConsoleKit2/ConsoleKit2.SlackBuild
@@ -4,7 +4,7 @@
 
 # Copyright 2009, 2015  Robby Workman, Northport, Alabama, USA
 # Copyright 2010, 2015  Eric Hameleers, Eindhoven, NL
-# Copyright 2010, 2018  Patrick J. Volkerding, Sebeka, MN, USA
+# Copyright 2010, 2018, 2020  Patrick J. Volkerding, Sebeka, MN, USA
 # All rights reserved.
 #
 # Redistribution and use of this script, with or without modification, is
@@ -102,6 +102,15 @@ find . \
 
 autoreconf -vif
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  PAM_OPTIONS="--enable-pam-module=yes"
+  unset SHADOW_OPTIONS
+else
+  unset PAM_OPTIONS
+  SHADOW_OPTIONS="--enable-pam-module=no"
+fi
+
 CFLAGS="$SLKCFLAGS" \
 CXXFLAGS="$SLKCFLAGS" \
 ./configure \
@@ -114,7 +123,8 @@ CXXFLAGS="$SLKCFLAGS" \
   --with-rundir=/var/run \
   --with-pid-file=/var/run/ConsoleKit/pid \
   --enable-docbook-docs \
-  --enable-pam-module=no \
+  $PAM_OPTIONS \
+  $SHADOW_OPTIONS \
   --enable-udev-acl \
   --disable-static \
   --build=$TARGET || exit 1
diff --git a/source/l/glibc/glibc.SlackBuild b/source/l/glibc/glibc.SlackBuild
index f9366001..8074f3d8 100755
--- a/source/l/glibc/glibc.SlackBuild
+++ b/source/l/glibc/glibc.SlackBuild
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2006, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019  Patrick J. Volkerding, Sebeka, MN, USA
+# Copyright 2006, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020  Patrick J. Volkerding, Sebeka, MN, USA
 # All rights reserved.
 #
 # Redistribution and use of this script, with or without modification, is
@@ -242,11 +242,13 @@ CFLAGS="-g $OPTIMIZ" \
   --without-cvs \
   $TARGET-slackware-linux
 
-make $NUMJOBS || make || exit 1
-make install install_root=$PKG || exit 1
+make $NUMJOBS || exit 1
+make $NUMJOBS install install_root=$PKG || exit 1
 # Don't use this, as it makes the i18n package WAY bigger:
 #make localedata/install-locale-files DESTDIR=$PKG || exit 1
-make localedata/install-locales install_root=$PKG DESTDIR=$PKG || exit 1
+# This is ugly run in parallel, and seems to hang at the end. But it actually
+# completes much faster. :)
+make $NUMJOBS localedata/install-locales install_root=$PKG DESTDIR=$PKG || exit 1
 
 # We've always had an sln symlink in /bin, so let's make sure it
 # remains there so as not to break any scripts that might need it:
diff --git a/source/l/gnome-keyring/gnome-keyring.SlackBuild b/source/l/gnome-keyring/gnome-keyring.SlackBuild
index dcef5be1..ea20ec8b 100755
--- a/source/l/gnome-keyring/gnome-keyring.SlackBuild
+++ b/source/l/gnome-keyring/gnome-keyring.SlackBuild
@@ -103,6 +103,11 @@ for i in $( find $PKG/usr/man -type l ) ; do
   rm $i
 done
 
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  # Handle launching via pam_gnome_keyring.so instead:
+  rm $PKG/etc/xdg/autostart/gnome-keyring-*.desktop
+fi
+
 mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION
 cp -a \
   AUTHORS README* COPYING* HACKING INSTALL NEWS \
diff --git a/source/l/gtk+2/gtk+2.SlackBuild b/source/l/gtk+2/gtk+2.SlackBuild
index 7eff8c4c..c21fefc1 100755
--- a/source/l/gtk+2/gtk+2.SlackBuild
+++ b/source/l/gtk+2/gtk+2.SlackBuild
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=gtk+2
 VERSION=${VERSION:-$(echo gtk+-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-2}
+BUILD=${BUILD:-3}
 
 NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
 
diff --git a/source/l/gtk+3/gtk+3.SlackBuild b/source/l/gtk+3/gtk+3.SlackBuild
index d5985a8d..17ce4676 100755
--- a/source/l/gtk+3/gtk+3.SlackBuild
+++ b/source/l/gtk+3/gtk+3.SlackBuild
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=gtk+3
 VERSION=${VERSION:-$(echo gtk+-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
 
diff --git a/source/l/libsoup/libsoup.SlackBuild b/source/l/libsoup/libsoup.SlackBuild
index 63d04f5a..9881d8b9 100755
--- a/source/l/libsoup/libsoup.SlackBuild
+++ b/source/l/libsoup/libsoup.SlackBuild
@@ -26,7 +26,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=libsoup
 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 if [ -z "$ARCH" ]; then
   case "$( uname -m )" in
diff --git a/source/l/libssh/libssh.SlackBuild b/source/l/libssh/libssh.SlackBuild
index 12176d97..778f67f6 100755
--- a/source/l/libssh/libssh.SlackBuild
+++ b/source/l/libssh/libssh.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=libssh
 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
 
diff --git a/source/l/loudmouth/loudmouth.SlackBuild b/source/l/loudmouth/loudmouth.SlackBuild
index d51cdcc4..b12ab603 100755
--- a/source/l/loudmouth/loudmouth.SlackBuild
+++ b/source/l/loudmouth/loudmouth.SlackBuild
@@ -26,7 +26,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=loudmouth
 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-3}
+BUILD=${BUILD:-4}
 
 NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
 
diff --git a/source/l/neon/neon.SlackBuild b/source/l/neon/neon.SlackBuild
index 10d9b2e1..0d7becd3 100755
--- a/source/l/neon/neon.SlackBuild
+++ b/source/l/neon/neon.SlackBuild
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=neon
 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
diff --git a/source/l/polkit/doinst.sh b/source/l/polkit/doinst.sh
index 887bb792..ebcfef74 100644
--- a/source/l/polkit/doinst.sh
+++ b/source/l/polkit/doinst.sh
@@ -11,6 +11,9 @@ config() {
 }
 config etc/polkit-1/rules.d/20-plugdev-group-mount-override.rules.new
 config etc/polkit-1/rules.d/10-org.freedesktop.NetworkManager.rules.new
+if [ -r etc/pam.d/polkit-1.new ]; then
+  config etc/pam.d/polkit-1.new
+fi
 
 # Make sure the polkitd user and group exist:
 if ! grep -q "^polkitd:" etc/passwd ; then
diff --git a/source/l/polkit/polkit.SlackBuild b/source/l/polkit/polkit.SlackBuild
index 6de6b565..a9a21576 100755
--- a/source/l/polkit/polkit.SlackBuild
+++ b/source/l/polkit/polkit.SlackBuild
@@ -89,6 +89,15 @@ if ! grep -q "^polkitd:" /etc/passwd ; then
   useradd -c "PolicyKit daemon owner" -d /var/lib/polkit -u 87 -g polkitd -s /bin/false polkitd
 fi
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  PAM_OPTIONS="--with-authfw=pam --with-pam-module-dir=/lib/security"
+  unset SHADOW_OPTIONS
+else
+  unset PAM_OPTIONS
+  SHADOW_OPTIONS="--with-authfw=shadow"
+fi
+
 CFLAGS="$SLKCFLAGS" \
 CXXFLAGS="$SLKCFLAGS" \
 ./configure \
@@ -105,7 +114,8 @@ CXXFLAGS="$SLKCFLAGS" \
   --enable-introspection \
   --enable-libsystemd-login=no \
   --enable-libelogind=no \
-  --with-authfw=shadow \
+  $PAM_OPTIONS \
+  $SHADOW_OPTIONS \
   --enable-verbose-mode \
   --with-os-type=Slackware \
   --build=$ARCH-slackware-linux || exit 1
@@ -125,6 +135,11 @@ mkdir -p $PKG/var/lib/polkit
 cat $CWD/10-org.freedesktop.NetworkManager.rules > $PKG/etc/polkit-1/rules.d/10-org.freedesktop.NetworkManager.rules.new
 cat $CWD/20-plugdev-group-mount-override.rules > $PKG/etc/polkit-1/rules.d/20-plugdev-group-mount-override.rules.new
 
+if [ ! -z "$PAM_OPTIONS" ]; then
+  # Make the PAM file .new:
+  mv $PKG/etc/pam.d/polkit-1 $PKG/etc/pam.d/polkit-1.new
+fi
+
 # Strip binaries:
 find $PKG | xargs file | grep -e "executable" -e "shared object" \
   | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
diff --git a/source/l/system-config-printer/system-config-printer.SlackBuild b/source/l/system-config-printer/system-config-printer.SlackBuild
index 498f1d3b..795febb1 100755
--- a/source/l/system-config-printer/system-config-printer.SlackBuild
+++ b/source/l/system-config-printer/system-config-printer.SlackBuild
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # Copyright 2010, 2011, 2012  Eric Hameleers, Eindhoven, NL
-# Copyright 2010, 2011, 2012, 2013, 2018  Patrick J. Volkerding, Sebeka, MN, USA
+# Copyright 2010, 2011, 2012, 2013, 2018, 2020  Patrick J. Volkerding, Sebeka, MN, USA
 # All rights reserved.
 #
 #   Permission to use, copy, modify, and distribute this software for
@@ -122,9 +122,11 @@ python3 -O -m compileall "${PKG}/usr/share/system-config-printer"
 mkdir -p $PKG/lib
 mv $PKG/etc/udev $PKG/lib/
 
-# Slackware does not use PAM.  Instead, your user must be in group 'lp'.
-sed -i -e 's/at_console="true"/group="lp"/g' \
-  $PKG/etc/dbus-1/system.d/com.redhat.NewPrinterNotification.conf
+if [ ! -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  # Looks like PAM is not installed. Instead, your user must be in group 'lp'.
+  sed -i -e 's/at_console="true"/group="lp"/g' \
+    $PKG/etc/dbus-1/system.d/com.redhat.NewPrinterNotification.conf
+fi
 
 # Don't clobber the configuration file:
 mv $PKG/etc/dbus-1/system.d/com.redhat.NewPrinterNotification.conf{,.new}
diff --git a/source/n/cifs-utils/cifs-utils.SlackBuild b/source/n/cifs-utils/cifs-utils.SlackBuild
index a73c85fd..58a2c8a4 100755
--- a/source/n/cifs-utils/cifs-utils.SlackBuild
+++ b/source/n/cifs-utils/cifs-utils.SlackBuild
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=cifs-utils
 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
diff --git a/source/n/curl/curl.SlackBuild b/source/n/curl/curl.SlackBuild
index bb4f4c6d..a286ac6d 100755
--- a/source/n/curl/curl.SlackBuild
+++ b/source/n/curl/curl.SlackBuild
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2008, 2009, 2010, 2011, 2013, 2014, 2016, 2017, 2018  Patrick J. Volkerding, Sebeka, MN, USA
+# Copyright 2008, 2009, 2010, 2011, 2013, 2014, 2016, 2017, 2018, 2020  Patrick J. Volkerding, Sebeka, MN, USA
 # All rights reserved.
 #
 # Redistribution and use of this script, with or without modification, is
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=curl
 VERSION=${VERSION:-$(echo curl-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
@@ -87,6 +87,7 @@ CFLAGS="$SLKCFLAGS" \
   --mandir=/usr/man \
   --with-ca-bundle=/usr/share/curl/ca-bundle.crt \
   --with-libssh2 \
+  --with-gssapi \
   --enable-static=no \
   $SSLOPT || exit 1
 
diff --git a/source/n/cyrus-sasl/cyrus-sasl.SlackBuild b/source/n/cyrus-sasl/cyrus-sasl.SlackBuild
index d833a63b..fbdb54b4 100755
--- a/source/n/cyrus-sasl/cyrus-sasl.SlackBuild
+++ b/source/n/cyrus-sasl/cyrus-sasl.SlackBuild
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=cyrus-sasl
 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | cut -f 3- -d - | rev | cut -f 3- -d . | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
diff --git a/source/n/dovecot/dovecot.SlackBuild b/source/n/dovecot/dovecot.SlackBuild
index b3e65db8..ac457aa7 100755
--- a/source/n/dovecot/dovecot.SlackBuild
+++ b/source/n/dovecot/dovecot.SlackBuild
@@ -93,8 +93,10 @@ rm -rf $PKGNAM-ce-$VERSION
 tar xvf $CWD/$PKGNAM-$VERSION.tar.?z || exit 1
 cd $PKGNAM-$VERSION || exit 1
 
-# Ship config set up for authentication from /etc/passwd and /etc/shadow.
-zcat $CWD/dovecot.default.shadow.auth.diff.gz | patch -p1 --verbose || exit 1
+if [ ! -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then # no PAM
+  # Ship config set up for authentication from /etc/passwd and /etc/shadow.
+  zcat $CWD/dovecot.default.shadow.auth.diff.gz | patch -p1 --verbose || exit 1
+fi
 
 # Since this package installs working config files in /etc/dovecot, there isn't
 # any need to send people to /usr/doc. Also, make sure that TLS is recommended.
diff --git a/source/n/netatalk/doinst.sh b/source/n/netatalk/doinst.sh
index 939e530f..6cc08633 100644
--- a/source/n/netatalk/doinst.sh
+++ b/source/n/netatalk/doinst.sh
@@ -22,3 +22,7 @@ config etc/rc.d/rc.atalk.new
 config etc/netatalk/afp.conf.new
 config etc/netatalk/dbus-session.conf.new
 config etc/netatalk/extmap.conf.new
+
+if [ -r etc/pam.d/netatalk.new ]; then
+  config etc/pam.d/netatalk.new
+fi
diff --git a/source/n/netatalk/netatalk.SlackBuild b/source/n/netatalk/netatalk.SlackBuild
index 8e77c3ed..7295fdd2 100755
--- a/source/n/netatalk/netatalk.SlackBuild
+++ b/source/n/netatalk/netatalk.SlackBuild
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2008, 2009, 2012, 2015, 2018  Patrick J. Volkerding, Sebeka, MN, USA
+# Copyright 2008, 2009, 2012, 2015, 2018, 2019, 2020  Patrick J. Volkerding, Sebeka, MN, USA
 # All rights reserved.
 #
 # Redistribution and use of this script, with or without modification, is
@@ -28,8 +28,6 @@ PKGNAM=netatalk
 VERSION=${VERSION:-$(echo netatalk-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
 BUILD=${BUILD:-2}
 
-NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
-
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
   case "$( uname -m )" in
@@ -48,6 +46,8 @@ if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
   exit 0
 fi
 
+NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
+
 if [ "$ARCH" = "i586" ]; then
   SLKCFLAGS="-O2 -march=i586 -mtune=i686"
   LIBDIRSUFFIX=""
@@ -78,6 +78,15 @@ find . \
   \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
   -exec chmod 644 {} \+
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  PAM_OPTIONS="--with-pam-confdir=/etc/pam.d --with-pam --enable-ddp"
+  unset SHADOW_OPTIONS
+else
+  unset PAM_OPTIONS
+  SHADOW_OPTIONS="--with-shadow"
+fi
+
 # use the system libevent, because the internal one won't compile
 # with openssl 1.1.  Also skip pam and kerberos (for now).
 CFLAGS="$SLKCFLAGS" \
@@ -89,8 +98,8 @@ CFLAGS="$SLKCFLAGS" \
   --libexecdir=/usr/sbin \
   --localstatedir=/var \
   --disable-static \
-  --with-shadow \
-  --disable-static \
+  $PAM_OPTIONS \
+  $SHADOW_OPTIONS \
   --with-libevent=system \
   --with-dbus-sysconf-dir=/etc/dbus-1/system.d/ \
   --with-dbus-daemon=/usr/bin/dbus-daemon \
@@ -132,6 +141,10 @@ cat $CWD/slack-desc > $PKG/install/slack-desc
   done
 )
 
+if [ ! -z "$PAM_OPTIONS" ]; then
+  mv $PKG/etc/pam.d/netatalk $PKG/etc/pam.d/netatalk.new
+fi
+
 mkdir -p $PKG/usr/doc/netatalk-$VERSION
 cp -a \
   AUTHORS CONTRIBUTORS COPYING* COPYRIGHT NEWS VERSION \
diff --git a/source/n/openssh/doinst.sh b/source/n/openssh/doinst.sh
index 08536ff6..ba1d1cdd 100644
--- a/source/n/openssh/doinst.sh
+++ b/source/n/openssh/doinst.sh
@@ -21,6 +21,9 @@ preserve_perms() {
   config ${NEW}
 }
 
+if [ -r etc/pam.d/sshd.new ]; then
+  config etc/pam.d/sshd.new
+fi
 config etc/default/sshd.new
 config etc/ssh/ssh_config.new
 config etc/ssh/sshd_config.new
diff --git a/source/n/openssh/openssh.SlackBuild b/source/n/openssh/openssh.SlackBuild
index 6b634a23..3c614d87 100755
--- a/source/n/openssh/openssh.SlackBuild
+++ b/source/n/openssh/openssh.SlackBuild
@@ -2,7 +2,7 @@
 
 # Copyright 2000 BSDi, Inc. Concord, CA, USA
 # Copyright 2001, 2002, 2003, 2004  Slackware Linux, Inc. Concord, CA, USA
-# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2018  Patrick J. Volkerding, Sebeka, MN, USA
+# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2018, 2020  Patrick J. Volkerding, Sebeka, MN, USA
 # All rights reserved.
 #
 # Redistribution and use of this script, with or without modification, is
@@ -54,16 +54,22 @@ fi
 
 if [ "$ARCH" = "i586" ]; then
   SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+  LIBDIRSUFFIX=""
 elif [ "$ARCH" = "s390" ]; then
   SLKCFLAGS="-O2"
+  LIBDIRSUFFIX=""
 elif [ "$ARCH" = "x86_64" ]; then
   SLKCFLAGS="-O2 -fPIC"
+  LIBDIRSUFFIX="64"
 elif [ "$ARCH" = "arm" ]; then
   SLKCFLAGS="-O2 -march=armv4 -mtune=xscale"
+  LIBDIRSUFFIX=""
 elif [ "$ARCH" = "armel" ]; then
   SLKCFLAGS="-O2 -march=armv4t"
+  LIBDIRSUFFIX=""
 else
   SLKCFLAGS="-O2"
+  LIBDIRSUFFIX=""
 fi
 
 # Clean target location:
@@ -80,6 +86,17 @@ chown -R root:root .
 # Restore support for tcpwrappers:
 zcat $CWD/openssh.tcp_wrappers.diff.gz | patch -p1 --verbose || exit 1
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  PAM_OPTIONS="--with-pam --with-kerberos5"
+  unset SHADOW_OPTIONS
+  # Enable PAM in sshd_config:
+  zcat $CWD/sshd_config-pam.diff.gz | patch -p1 --verbose || exit 1
+else
+  unset PAM_OPTIONS
+  SHADOW_OPTIONS="--without-pam"
+fi
+
 autoreconf -vif
 
 # Compile package:
@@ -88,7 +105,8 @@ CFLAGS="$SLKCFLAGS" \
   --prefix=/usr \
   --mandir=/usr/man \
   --sysconfdir=/etc/ssh \
-  --without-pam \
+  $PAM_OPTIONS \
+  $SHADOW_OPTIONS \
   --with-md5-passwords \
   --with-libedit \
   --with-tcp-wrappers \
@@ -170,6 +188,12 @@ fi
   cat $CWD/rc.sshd > etc/rc.d/rc.sshd.new
   chmod 755 etc/rc.d/rc.sshd.new
 
+  if [ ! -z "$PAM_OPTIONS" ]; then
+    # Add the pam stuff:
+    mkdir -p etc/pam.d
+    cat $CWD/sshd.pam > etc/pam.d/sshd.new
+  fi
+
   # Copy runtime installation files:
   mkdir -p install
   zcat $CWD/doinst.sh.gz > install/doinst.sh
diff --git a/source/n/openssh/sshd.pam b/source/n/openssh/sshd.pam
new file mode 100644
index 00000000..0c465192
--- /dev/null
+++ b/source/n/openssh/sshd.pam
@@ -0,0 +1,14 @@
+#%PAM-1.0
+# pam_securetty.so is commented out since sshd already does a good job of
+# protecting itself. You may uncomment it if you like, but then you may
+# need to add additional consoles to /etc/securetty if you want to allow
+# root logins on them, such as: ssh, pts/0, :0, etc
+#auth		required	pam_securetty.so
+auth		include		system-auth
+auth		include		postlogin
+account		required	pam_nologin.so
+account		include		system-auth
+password	include		system-auth
+session		include		system-auth
+session		include		postlogin
+session		required	pam_loginuid.so
diff --git a/source/n/openssh/sshd_config-pam.diff b/source/n/openssh/sshd_config-pam.diff
new file mode 100644
index 00000000..d5198c2f
--- /dev/null
+++ b/source/n/openssh/sshd_config-pam.diff
@@ -0,0 +1,12 @@
+diff -Nur openssh-6.6p1.orig/sshd_config openssh-6.6p1/sshd_config
+--- openssh-6.6p1.orig/sshd_config	2014-01-12 02:20:47.000000000 -0600
++++ openssh-6.6p1/sshd_config	2014-07-26 17:28:35.993833123 -0500
+@@ -94,7 +94,7 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
+-#UsePAM no
++UsePAM yes
+ 
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
diff --git a/source/n/openvpn/openvpn.SlackBuild b/source/n/openvpn/openvpn.SlackBuild
index ca2eb028..21406b8b 100755
--- a/source/n/openvpn/openvpn.SlackBuild
+++ b/source/n/openvpn/openvpn.SlackBuild
@@ -81,6 +81,15 @@ find . \
   \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
   -exec chmod 644 {} \+
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  PAM_OPTIONS="--enable-plugin-auth-pam"
+  unset SHADOW_OPTIONS
+else
+  unset PAM_OPTIONS
+  SHADOW_OPTIONS="--disable-plugin-auth-pam"
+fi
+
 if [ ! -x configure ]; then
   autoreconf -vif
 fi
@@ -96,12 +105,22 @@ CXXFLAGS="$SLKCFLAGS" \
   --docdir=/usr/doc/openvpn-${VERSION} \
   --enable-lzo \
   --enable-iproute2 \
-  --disable-plugin-auth-pam \
+  $PAM_OPTIONS \
+  $SHADOW_OPTIONS \
   --build=$ARCH-slackware-linux || exit 1
 
 make $NUMJOBS || make || exit 1
 make install-strip DESTDIR=$PKG || exit 1
 
+if [ ! -z "$PAM_OPTIONS" ]; then
+  # Make openvpn-auth-pam.so:
+  make -C plugin/auth-pam
+  strip --strip-unneeded plugin/auth-pam/openvpn-auth-pam.so
+  mkdir -p $PKG/usr/lib${LIBDIRSUFFIX}
+  cp -a plugin/auth-pam/openvpn-auth-pam.so $PKG/usr/lib${LIBDIRSUFFIX}/
+  mv plugin/auth-pam/README plugin/auth-pam/README.pam
+fi
+
 # Create a decent config directory. openvpn doesn't have one by
 # default, nor does it have a single config file.
 mkdir -p $PKG/etc/openvpn/{certs,keys}
diff --git a/source/n/popa3d/popa3d.SlackBuild b/source/n/popa3d/popa3d.SlackBuild
index be51f237..511b8aa9 100755
--- a/source/n/popa3d/popa3d.SlackBuild
+++ b/source/n/popa3d/popa3d.SlackBuild
@@ -56,7 +56,12 @@ rm -rf popa3d-$VERSION
 tar xvf $CWD/popa3d-$VERSION.tar.?z || exit 1
 cd popa3d-$VERSION || exit 1
 
-zcat $CWD/popa3d.diff.gz | patch -p1 --verbose --backup --suffix=.orig || exit 1
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  zcat $CWD/popa3d.pam.diff.gz | patch -p1 --verbose --backup --suffix=.orig || exit 1
+else
+  zcat $CWD/popa3d.shadow.diff.gz | patch -p1 --verbose --backup --suffix=.orig || exit 1
+fi
 
 chown -R root:root .
 find . \
diff --git a/source/n/popa3d/popa3d.pam.diff b/source/n/popa3d/popa3d.pam.diff
new file mode 100644
index 00000000..c0b64384
--- /dev/null
+++ b/source/n/popa3d/popa3d.pam.diff
@@ -0,0 +1,66 @@
+diff -up ../popa3d-1.0.3.orig/Makefile ./Makefile
+--- ../popa3d-1.0.3.orig/Makefile	2006-03-05 05:36:54.000000000 -0500
++++ ./Makefile	2018-09-18 12:56:05.412312376 -0400
+@@ -5,26 +5,26 @@ MKDIR = mkdir -p
+ INSTALL = install -c
+ CFLAGS = -Wall -O2 -fomit-frame-pointer
+ # You may use OpenSSL's MD5 routines instead of the ones supplied here
+-#CFLAGS += -DHAVE_OPENSSL
++CFLAGS += -DHAVE_OPENSSL
+ LDFLAGS = -s
+ LIBS =
+ # Linux with glibc, FreeBSD, NetBSD
+-#LIBS += -lcrypt
++LIBS += -lcrypt
+ # HP-UX trusted system
+ #LIBS += -lsec
+ # Solaris (POP_STANDALONE, POP_VIRTUAL)
+ #LIBS += -lsocket -lnsl
+ # PAM
+-#LIBS += -lpam
++LIBS += -lpam
+ # TCP wrappers
+ #LIBS += -lwrap
+ # libwrap may also want this
+ #LIBS += -lnsl
+ # OpenSSL (-DHAVE_OPENSSL)
+-#LIBS += -lcrypto
++LIBS += -lcrypto
+ 
+ DESTDIR =
+-PREFIX = /usr/local
++PREFIX = /usr
+ SBINDIR = $(PREFIX)/sbin
+ MANDIR = $(PREFIX)/man
+ 
+Common subdirectories: ../popa3d-1.0.3.orig/md5 and ./md5
+diff -up ../popa3d-1.0.3.orig/params.h ./params.h
+--- ../popa3d-1.0.3.orig/params.h	2006-03-05 08:18:32.000000000 -0500
++++ ./params.h	2018-09-18 12:55:55.953210742 -0400
+@@ -13,7 +13,7 @@
+ /*
+  * Are we going to be a standalone server or start via an inetd clone?
+  */
+-#define POP_STANDALONE			0
++#define POP_STANDALONE			1
+ 
+ #if POP_STANDALONE
+ 
+@@ -103,7 +103,7 @@
+  * A pseudo-user to run as before authentication.  The user and its UID
+  * must not be used for any other purpose.
+  */
+-#define POP_USER			POP_SERVER
++#define POP_USER			"pop"
+ 
+ /*
+  * An empty directory to chroot to before authentication.  The directory
+@@ -191,7 +191,7 @@
+  *
+  * #undef this for qmail-style $HOME/Mailbox mailboxes.
+  */
+-#define MAIL_SPOOL_PATH			"/var/mail"
++#define MAIL_SPOOL_PATH			"/var/spool/mail"
+ 
+ #ifndef MAIL_SPOOL_PATH
+ /*
diff --git a/source/n/popa3d/popa3d.diff b/source/n/popa3d/popa3d.shadow.diff
index 773f9085..773f9085 100644
--- a/source/n/popa3d/popa3d.diff
+++ b/source/n/popa3d/popa3d.shadow.diff
diff --git a/source/n/ppp/doinst.sh b/source/n/ppp/doinst.sh
index 54facc41..3a74db67 100644
--- a/source/n/ppp/doinst.sh
+++ b/source/n/ppp/doinst.sh
@@ -10,6 +10,11 @@ config() {
   fi
   # Otherwise, we leave the .new copy for the admin to consider...
 }
+
+if [ -r etc/pam.d/ppp.new ]; then
+  config etc/pam.d/ppp.new
+fi
+
 config etc/ppp/chap-secrets.new
 config etc/ppp/options.new
 config etc/ppp/pap-secrets.new
diff --git a/source/n/ppp/ppp.SlackBuild b/source/n/ppp/ppp.SlackBuild
index 8c1a9dd9..13b21fb3 100755
--- a/source/n/ppp/ppp.SlackBuild
+++ b/source/n/ppp/ppp.SlackBuild
@@ -86,13 +86,25 @@ zcat $CWD/0028-pppoe-include-netinet-in.h-before-linux-in.h.patch.gz | patch -p1
 
 zcat $CWD/ppp.glibc228.diff.gz | patch -p1 --verbose || exit 1
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  PAM_OPTIONS="USE_PAM=y"
+else
+  unset PAM_OPTIONS
+fi
+
 ./configure \
   --prefix=/usr \
   --libdir=/usr/lib${LIBDIRSUFFIX} || exit 1
 
-make $NUMJOBS || make || exit 1
+make $PAM_OPTIONS $NUMJOBS || make || exit 1
 make install DESTDIR=$PKG/usr || exit 1
 
+if [ ! -z "$PAM_OPTIONS" ]; then
+  mkdir -p $PKG/etc/pam.d
+  cat pppd/ppp.pam > $PKG/etc/pam.d/ppp.new
+fi
+
 # Install PPP config files:
 mkdir -p $PKG/etc/ppp
 cp -a etc.ppp/* $PKG/etc/ppp
diff --git a/source/n/samba/samba.SlackBuild b/source/n/samba/samba.SlackBuild
index 76bc3c47..c7e364d4 100755
--- a/source/n/samba/samba.SlackBuild
+++ b/source/n/samba/samba.SlackBuild
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2008, 2009, 2010, 2012, 2013, 2015, 2016, 2017, 2018  Patrick J. Volkerding, Sebeka, Minnesota, USA
+# Copyright 2008, 2009, 2010, 2012, 2013, 2015, 2016, 2017, 2018, 2019, 2020  Patrick J. Volkerding, Sebeka, Minnesota, USA
 # All rights reserved.
 #
 # Redistribution and use of this script, with or without modification, is
@@ -100,6 +100,15 @@ find . \
   \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
   -exec chmod 644 {} \+
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  PAM_OPTIONS="--with-pam --with-pammodulesdir=/lib/security --with-system-mitkrb5 --with-experimental-mit-ad-dc"
+  unset SHADOW_OPTIONS
+else
+  unset PAM_OPTIONS
+  SHADOW_OPTIONS="--without-pam"
+fi
+
 # Some of these options could be auto-detected, but declaring them
 # here doesn't hurt and helps document what features we're trying to
 # build in.
@@ -133,7 +142,8 @@ CFLAGS="$SLKCFLAGS" \
   --with-winbind \
   --with-ldap \
   --with-ads \
-  --without-pam \
+  $PAM_OPTIONS \
+  $SHADOW_OPTIONS \
   --build=$TARGET || exit 1
   # Gives errors:
   #--builtin-libraries=replace,ccan \
diff --git a/source/n/vsftpd/doinst.sh b/source/n/vsftpd/doinst.sh
index f915774f..25161226 100644
--- a/source/n/vsftpd/doinst.sh
+++ b/source/n/vsftpd/doinst.sh
@@ -9,6 +9,9 @@ config() {
   fi
   # Otherwise, we leave the .new copy for the admin to consider...
 }
+if [ -r etc/pam.d/vsftpd.new ]; then
+  config etc/pam.d/vsftpd.new
+fi
 config etc/vsftpd.conf.new
 config etc/logrotate.d/vsftpd.new
 rm -f etc/logrotate.d/vsftpd.new
diff --git a/source/n/vsftpd/vsftpd.SlackBuild b/source/n/vsftpd/vsftpd.SlackBuild
index 870050f2..2f7f1209 100755
--- a/source/n/vsftpd/vsftpd.SlackBuild
+++ b/source/n/vsftpd/vsftpd.SlackBuild
@@ -26,8 +26,6 @@ PKGNAM=vsftpd
 VERSION=${VERSION:-$(echo ${PKGNAM}-*.tar.gz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
 BUILD=${BUILD:-5}
 
-NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
-
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
   case "$( uname -m )" in
@@ -46,6 +44,8 @@ if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
   exit 0
 fi
 
+NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
+
 if [ "$ARCH" = "x86_64" ]; then
   LIBDIRSUFFIX="64"
 else
@@ -92,6 +92,11 @@ cat vsftpd.8 | gzip -9c > $PKG/usr/man/man8/vsftpd.8.gz
 mkdir -p $PKG/etc
 cat vsftpd.conf > $PKG/etc/vsftpd.conf.new
 
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  mkdir -p $PKG/etc/pam.d
+  cat RedHat/vsftpd.pam > $PKG/etc/pam.d/vsftpd.new
+fi
+
 mkdir -p $PKG/etc/logrotate.d
 zcat $CWD/vsftpd.log.gz > $PKG/etc/logrotate.d/vsftpd.new
 
diff --git a/source/x/x11/configure/xdm b/source/x/x11/configure/xdm
new file mode 100644
index 00000000..1c7dc7cc
--- /dev/null
+++ b/source/x/x11/configure/xdm
@@ -0,0 +1,19 @@
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  XDM_PAM_OPTION="--with-pam"
+else
+  unset XDM_PAM_OPTION
+fi
+
+CFLAGS=$SLKCFLAGS \
+CXXFLAGS=$SLKCFLAGS \
+./configure \
+  --prefix=/usr \
+  --libdir=/usr/lib${LIBDIRSUFFIX} \
+  --sysconfdir=/etc \
+  --localstatedir=/var \
+  --infodir=/usr/info \
+  --mandir=/usr/man \
+  --docdir=/usr/doc/${PKGNAME}-${MODULAR_PACKAGE_VERSION} \
+  $XDM_PAM_OPTION \
+  --disable-static \
+  --build=$ARCH-slackware-linux
diff --git a/source/x/x11/doinst.sh/xdm b/source/x/x11/doinst.sh/xdm
index 871a3897..68c356c5 100644
--- a/source/x/x11/doinst.sh/xdm
+++ b/source/x/x11/doinst.sh/xdm
@@ -9,6 +9,11 @@ config() {
   fi
   # Otherwise, we leave the .new copy for the admin to consider...
 }
+
+if [ -r etc/pam.d/xdm.new ]; then
+  config etc/pam.d/xdm.new
+fi
+
 for conffile in \
   Xaccess Xreset Xresources Xservers Xsession Xsetup_0 Xstartup Xwilling \
   GiveConsole TakeConsole xdm-config ../app-defaults/Chooser ;
diff --git a/source/x/x11/post-install/xdm.post-install b/source/x/x11/post-install/xdm.post-install
index 8410a8fa..31b390d8 100644
--- a/source/x/x11/post-install/xdm.post-install
+++ b/source/x/x11/post-install/xdm.post-install
@@ -14,6 +14,11 @@ mv $PKG/etc/X11/xdm/Xsetup_0 $PKG/usr/doc/xdm-$MODULAR_PACKAGE_VERSION/Xsetup_0.
 cp -a $CWD/post-install/xdm/Xsession $PKG/etc/X11/xdm/Xsession
 cp -a $CWD/post-install/xdm/Xsetup_0 $PKG/etc/X11/xdm/Xsetup_0
 
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  mkdir -p $PKG/etc/pam.d
+  cat $CWD/post-install/xdm/xdm.pamd > $PKG/etc/pam.d/xdm.new
+fi
+
 chown root:root $PKG/etc/X11/xdm/Xsession $PKG/etc/X11/xdm/Xsetup_0
 chmod 0755 $PKG/etc/X11/xdm/Xsession $PKG/etc/X11/xdm/Xsetup_0
 
diff --git a/source/x/x11/post-install/xdm/xdm.pamd b/source/x/x11/post-install/xdm/xdm.pamd
new file mode 100644
index 00000000..a3b9decf
--- /dev/null
+++ b/source/x/x11/post-install/xdm/xdm.pamd
@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth		include		system-auth
+account		required	pam_nologin.so
+account		include		system-auth
+password	include		system-auth
+session		include		system-auth
+session		required	pam_loginuid.so
+session		optional	pam_ck_connector.so
+session		include		postlogin
diff --git a/source/xap/xlockmore/doinst.sh b/source/xap/xlockmore/doinst.sh
index 3c7968d9..0b372dbc 100644
--- a/source/xap/xlockmore/doinst.sh
+++ b/source/xap/xlockmore/doinst.sh
@@ -11,4 +11,6 @@ config() {
   # Otherwise, we leave the .new copy for the admin to consider...
 }
 
-config etc/pam.d/xlock.new
+if [ -r etc/pam.d/xlock.new ]; then
+  config etc/pam.d/xlock.new
+fi
diff --git a/source/xap/xscreensaver/doinst.sh b/source/xap/xscreensaver/doinst.sh
index f2744d09..8f79143c 100644
--- a/source/xap/xscreensaver/doinst.sh
+++ b/source/xap/xscreensaver/doinst.sh
@@ -11,5 +11,6 @@ config() {
   # Otherwise, we leave the .new copy for the admin to consider...
 }
 
-config etc/pam.d/xscreensaver.new
-
+if [ -r etc/pam.d/xscreensaver.new ]; then
+  config etc/pam.d/xscreensaver.new
+fi