diff --git a/templates/shadow-enable-pam.diff b/templates/shadow-enable-pam.diff
new file mode 100644
index 00000000000..f8666984ee0
--- /dev/null
+++ b/templates/shadow-enable-pam.diff
@@ -0,0 +1,239 @@
+--- etc/login.defs.orig 2008-12-16 03:07:47.000000000 +0100
++++ etc/login.defs 2008-12-16 03:11:46.000000000 +0100
+@@ -12,7 +12,7 @@ FAIL_DELAY 3
+ #
+ # Enable logging and display of /var/log/faillog login failure info.
+ #
+-FAILLOG_ENAB yes
++#FAILLOG_ENAB yes
+
+ #
+ # Enable display of unknown usernames when login failures are recorded.
+@@ -27,7 +27,7 @@ LOG_OK_LOGINS no
+ #
+ # Enable logging and display of /var/log/lastlog login time info.
+ #
+-LASTLOG_ENAB yes
++#LASTLOG_ENAB yes
+
+ #
+ # Enable checking and display of mailbox status upon login.
+@@ -35,22 +35,22 @@ LASTLOG_ENAB yes
+ # Disable if the shell startup files already check for mail
+ # ("mailx -e" or equivalent).
+ #
+-MAIL_CHECK_ENAB yes
++#MAIL_CHECK_ENAB yes
+
+ #
+ # Enable additional checks upon password changes.
+ #
+-OBSCURE_CHECKS_ENAB yes
++#OBSCURE_CHECKS_ENAB yes
+
+ #
+ # Enable checking of time restrictions specified in /etc/porttime.
+ #
+-PORTTIME_CHECKS_ENAB yes
++#PORTTIME_CHECKS_ENAB yes
+
+ #
+ # Enable setting of ulimit, umask, and niceness from passwd gecos field.
+ #
+-QUOTAS_ENAB yes
++#QUOTAS_ENAB yes
+
+ #
+ # Enable "syslog" logging of su activity - in addition to sulog file logging.
+@@ -64,7 +64,7 @@ SYSLOG_SG_ENAB yes
+ # a ":" delimited list of device names. Root logins will be allowed only
+ # upon these devices.
+ #
+-CONSOLE /etc/securetty
++#CONSOLE /etc/securetty
+ #CONSOLE console:tty01:tty02:tty03:tty04
+
+ #
+@@ -76,7 +76,7 @@ CONSOLE /etc/securetty
+ # If defined, ":" delimited list of "message of the day" files to
+ # be displayed upon login.
+ #
+-MOTD_FILE /etc/motd
++#MOTD_FILE /etc/motd
+ #MOTD_FILE /etc/motd:/usr/lib/news/news-motd
+
+ #
+@@ -94,14 +94,14 @@ MOTD_FILE /etc/motd
+ # If defined, login failures will be logged here in a utmp format.
+ # last, when invoked as lastb, will read /var/log/btmp, so...
+ #
+-FTMP_FILE /var/log/btmp
++#FTMP_FILE /var/log/btmp
+
+ #
+ # If defined, name of file whose presence which will inhibit non-root
+ # logins. The contents of this file should be a message indicating
+ # why logins are inhibited.
+ #
+-NOLOGINS_FILE /etc/nologin
++#NOLOGINS_FILE /etc/nologin
+
+ #
+ # If defined, the command name to display when running "su -". For
+@@ -116,7 +116,7 @@ SU_NAME su
+ # Directory where mailboxes reside, _or_ name of file, relative to the
+ # home directory. If you _do_ define both, MAIL_DIR takes precedence.
+ #
+-MAIL_DIR /var/spool/mail
++#MAIL_DIR /var/spool/mail
+ #MAIL_FILE .mail
+
+ #
+@@ -139,7 +139,7 @@ HUSHLOGIN_FILE .hushlogin
+ # If defined, an HZ environment parameter spec.
+ #
+ # for Linux/x86
+-ENV_HZ HZ=100
++#ENV_HZ HZ=100
+ # For Linux/Alpha...
+ #ENV_HZ HZ=1024
+
+@@ -147,8 +147,8 @@ ENV_HZ HZ=100
+ # *REQUIRED* The default PATH settings, for superuser and normal users.
+ #
+ # (they are minimal, add the rest in the shell startup files)
+-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+-ENV_PATH PATH=/bin:/usr/bin
++#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
++#ENV_PATH PATH=/bin:/usr/bin
+
+ #
+ # Terminal permissions
+@@ -193,7 +193,7 @@ UMASK 022
+ #
+ PASS_MAX_DAYS 99999
+ PASS_MIN_DAYS 0
+-PASS_MIN_LEN 5
++#PASS_MIN_LEN 5
+ PASS_WARN_AGE 7
+
+ #
+@@ -202,12 +202,12 @@ PASS_WARN_AGE 7
+ # to uid 0 accounts. If the group doesn't exist or is empty, no one
+ # will be able to "su" to uid 0.
+ #
+-SU_WHEEL_ONLY no
++#SU_WHEEL_ONLY no
+
+ #
+ # If compiled with cracklib support, where are the dictionaries
+ #
+-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
++#CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
+
+ #
+ # Min/max values for automatic uid selection in useradd
+@@ -240,12 +240,12 @@ LOGIN_TIMEOUT 60
+ #
+ # Maximum number of attempts to change password if rejected (too easy)
+ #
+-PASS_CHANGE_TRIES 5
++#PASS_CHANGE_TRIES 5
+
+ #
+ # Warn about weak passwords (but still allow them) if you are root.
+ #
+-PASS_ALWAYS_WARN yes
++#PASS_ALWAYS_WARN yes
+
+ #
+ # Number of significant characters in the password for crypt().
+@@ -257,7 +257,7 @@ PASS_ALWAYS_WARN yes
+ #
+ # Require password before chfn/chsh can make any changes.
+ #
+-CHFN_AUTH yes
++#CHFN_AUTH yes
+
+ #
+ # Which fields may be changed by regular users using chfn - use
+@@ -339,7 +339,7 @@ DEFAULT_HOME yes
+ # If this file exists and is readable, login environment will be
+ # read from it. Every line should be in the form name=value.
+ #
+-ENVIRON_FILE /etc/environment
++#ENVIRON_FILE /etc/environment
+
+ #
+ # If defined, this command is run when removing a user.
+--- etc/pam.d/login.orig 2008-12-16 03:29:36.000000000 +0100
++++ etc/pam.d/login 2008-12-16 03:29:56.000000000 +0100
+@@ -1,11 +1,13 @@
+-#%PAM-1.0
++auth requisite pam_nologin.so
+ auth required pam_securetty.so
+-auth include system-auth
+-account required pam_nologin.so
+-account include system-auth
+-password include system-auth
+-session required pam_selinux.so close
+-session include system-auth
+-session required pam_loginuid.so
+-session optional pam_console.so
+-session required pam_selinux.so open
++auth required pam_unix.so
++account required pam_access.so
++account required pam_unix.so
++session required pam_env.so
++session required pam_motd.so
++session required pam_limits.so
++session optional pam_mail.so dir=/var/mail standard
++session optional pam_lastlog.so
++session required pam_unix.so
++password required pam_cracklib.so retry=3
++password required pam_unix.so md5 shadow use_authtok
+--- etc/pam.d/passwd.orig 2008-12-16 03:30:36.000000000 +0100
++++ etc/pam.d/passwd 2008-12-16 03:30:52.000000000 +0100
+@@ -1,4 +1,6 @@
+-#%PAM-1.0
+-auth include system-auth
+-account include system-auth
+-password include system-auth
++password required pam_cracklib.so type=Linux retry=1 \
++ difok=5 diffignore=23 minlen=9 \
++ dcredit=1 ucredit=1 lcredit=1 \
++ ocredit=1 \
++ dictpath=/lib/cracklib/pw_dict
++password required pam_unix.so md5 shadow use_authtok
+--- etc/pam.d/su.orig 2008-12-16 03:31:25.000000000 +0100
++++ etc/pam.d/su 2008-12-16 03:31:35.000000000 +0100
+@@ -1,13 +1,7 @@
+-#%PAM-1.0
+ auth sufficient pam_rootok.so
+-# Uncomment the following line to implicitly trust users in the "wheel" group.
+-#auth sufficient pam_wheel.so trust use_uid
+-# Uncomment the following line to require a user to be in the "wheel" group.
+-auth required pam_wheel.so use_uid
+-auth include system-auth
+-account include system-auth
+-password include system-auth
+-session required pam_selinux.so close
+-session include system-auth
+-session required pam_selinux.so open multiple
++auth required pam_unix.so
++account required pam_unix.so
++session optional pam_mail.so dir=/var/mail standard
+ session optional pam_xauth.so
++session required pam_env.so
++session required pam_unix.so
+--- etc/pam.d/chage.orig 2008-12-16 03:32:38.000000000 +0100
++++ etc/pam.d/chage 2008-12-16 03:32:56.000000000 +0100
+@@ -1,4 +1,5 @@
+-#%PAM-1.0
+ auth sufficient pam_rootok.so
+-account required pam_permit.so
+-password include system-auth
++auth required pam_unix.so
++account required pam_unix.so
++session required pam_unix.so
++password required pam_permit.so
diff --git a/templates/shadow.tmpl b/templates/shadow.tmpl
new file mode 100644
index 00000000000..3ffff0921da
--- /dev/null
+++ b/templates/shadow.tmpl
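Review bot: Both new password lines for `pam_unix.so`, in etc/pam.d/login and etc/pam.d/passwd, pass `md5`, so every password set through these stacks is stored as an MD5-crypt hash, which is cheap to attack offline if /etc/shadow is ever disclosed. If the packaged Linux-PAM and glibc support it, prefer `password required pam_unix.so sha512 shadow use_authtok` in both files. The etc/pam.d/su section also removes `auth required pam_wheel.so use_uid` without a replacement, so su is no longer limited to wheel members; if that is intended, a comment in the file should say so. The login stack's `pam_cracklib.so retry=3` carries none of the `minlen=9` and credit settings used in etc/pam.d/passwd, so a password change forced at login would be checked against the module defaults instead.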
@@ -0,0 +1,42 @@
+# Template file for 'shadow'
+pkgname=shadow
+version=4.1.2.2
+patch_files="$pkgname-enable-pam.diff"
+distfiles="ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/$pkgname-$version.tar.bz2"
+build_style=gnu_configure
+configure_args="--libdir=/lib --mandir=/usr/share/man --enable-shared
+ --disable-static --with-libpam --without-selinux"
+make_install_target="DESTDIR=$XBPS_DESTDIR/$pkgname-$version install"
+short_desc="Shadow password file utilities"
+maintainer="Juan RP "
+checksum=378fbfb0e8bb8c87be239fccd692818871f763206bb7d881744f4fa72dc6b491
+long_desc="
+ Shadow password file utilities for GNU/Linux."
+
+conf_files="/etc/pam.d/usermod /etc/pam.d/userdel /etc/pam.d/useradd
+ /etc/pam.d/su /etc/pam.d/passwd /etc/pam.d/newusers /etc/pam.d/login
+ /etc/pam.d/groupmod /etc/pam.d/groupmems /etc/pam.d/groupdel
+ /etc/pam.d/groupadd /etc/pam.d/chsh /etc/pam.d/chpasswd
+ /etc/pam.d/chgpasswd /etc/pam.d/chfn /etc/pam.d/chage /etc/defaults/useradd
+ /etc/login.defs"
+build_depends="linux-pam-1.0.2"
+run_depends="glibc-2.8 $build_depends"
+
+pre_build()
+{
+ # Don't install the groups cmd, we use the one from coreutils.
+ cd $wrksrc && \
+ sed -i 's/groups$(EXEEXT) //' src/Makefile && \
+ find man -name Makefile -exec sed -i 's/groups\.1 / /' {}
+}
+
+post_install()
+{
+ local destdir=$XBPS_DESTDIR/$pkgname-$version
+
+ # Use the same auth file for all these cmds.
+ for f in chpasswd chgpasswd groupadd groupdel groupmems \
+ groupmod newusers useradd userdel usermod; do
+ install -m644 $destdir/etc/pam.d/chage $destdir/etc/pam.d/${f}
+ done
+}
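Review bot: As the hunk shows it, the `find` in pre_build() ends at `{}` with no `-exec` terminator, so find would reject the command and the man-page Makefiles would keep their `groups.1` entry; the line should end `-exec sed -i 's/groups\.1 / /' {} +`. In post_install(), the loop copies the chage PAM file over ten other service files but leaves out chfn and chsh, which conf_files lists and the patch does not touch. If the upstream copies of those two still use `include system-auth`, they presumably reference a stack this package never installs, which is worth confirming. Quoting the paths, as in `install -m644 "$destdir/etc/pam.d/chage" "$destdir/etc/pam.d/$f"`, would also keep the copy correct if the destination directory ever contains whitespace.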