sys-auth/pambase: Sync with Gentoo

It's from Gentoo commit f32e281b3b124b273302ddffeb06c0e6f20852e9. Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2025-11-14 07:01:32 +01:00 · 2025-10-16 17:07:54 +02:00 · 2025-10-16 17:07:54 +02:00 · 14c8a7bc0c
commit 14c8a7bc0c
parent c9573f1f79
8 changed files with 619 additions and 26 deletions
--- a/sdk_container/src/third_party/portage-stable/sys-auth/pambase/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/Manifest
@ -0,0 +1,3 @@
+DIST pambase-20250826.tar.bz2 4925 BLAKE2B c6929aa506b94b9215bd2c686fd9965d6c3a77f36c7a2d114ca5b2c39a30e2209a84408ee855559837d54161e359723889b89bb9c048bb36b00c7156495968fc SHA512 c9bc07ac617891ddab6f2a8358b10899462d9b54fcc3642d222dd2402914f24225854103b6c581aa2041fb0feb0f94688e07aad10ab94c3a629b4cd2937bd785
+DIST pambase-20250906.tar.bz2 4972 BLAKE2B b65da13a265d5a3df1e84546a8f6e1447d7ea5a40fe4a44488691c4a182cf4b3d13d20ce85778f549d217ebf4b4511e71f5f285b34edf9e9e18bab50b0d22c82 SHA512 639d87169fafb0e44401104ade7dfaa7a5d6bd473d9e4e3c35a0fb87aaf73a383d406ee05944a3190750e55e59decd867ab3f773664f9fb787f40acc05826d1c
+DIST pambase-20251013.tar.bz2 4963 BLAKE2B c2eb355819c28a6b41e8aea843c176769fa53519cb357239712165f0bf507bc21132d732fd2600d9354e2031e55da30beb676f1da854ce4bda687b8de006641a SHA512 968d82e817b209d66ea1719493539ff363a844795efd8584690a4ca9b5f932f5f5a9e8352747b590ae6ffba332a9a7d8e2a224af26bc3a6bdf012736daca9e6c
--- a/sdk_container/src/third_party/portage-stable/sys-auth/pambase/README.md
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/README.md
@ -1,10 +0,0 @@
-This is a not-really-a-fork of gentoo's `sys-auth/pambase`
-package. The main reasons for having it in `coreos-overlay` are:
-
-1. The `sys-apps/baselayout` package replaced it, so this package
-   became a stub.
-
-2. The stub is needed for compatibility with gentoo packages that
-   depend on pambase. When updating some package that depends on a
-   greater version of pambase than this stub provides, simply bump the
-   version of the the stub, so the dependency can be satisfied.
--- a/sdk_container/src/third_party/portage-stable/sys-auth/pambase/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/metadata.xml
@ -1,7 +1,105 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
+	<maintainer type="project">
+		<email>base-system@gentoo.org</email>
+	</maintainer>
+	<maintainer type="person">
+		<email>sam@gentoo.org</email>
+		<name>Sam James</name>
+	</maintainer>
+	<use>
+		<flag name="elogind">
+			Use pam_elogind module to register user sessions with elogind.
+		</flag>
+		<flag name="systemd">
+			Use pam_systemd module to register user sessions in the systemd
+			control group hierarchy.
+		</flag>
+		<flag name="homed">
+			Use pam_systemd_home module to manage home directories with
+			the systemd-homed service
+		</flag>
+		<flag name="debug">
+			Enable debug information logging on syslog(3) for all the
+			modules supporting this in the system authentication and system
+			login stacks.
+		</flag>
+		<flag name="passwdqc">
+			Enable pam_passwdqc module on system auth stack for password
+			quality validation. This module produces warnings, rejecting 
+			or providing example passwords when changing your system password.
+			It is used by default by OpenWall GNU/*/Linux and by FreeBSD.
+		</flag>
+		<flag name="pwhistory">
+			Enable pam_pwhistory module on system auth stack to save
+			the last passwords for each user in order to force password
+			change history and keep the user from alternating between
+			the same password too frequently.
+		</flag>
+		<flag name="pwquality">
+			Enable pam_pwquality module on system auth stack for passwd
+			quality validation. It is used by default by Fedora GNU/*/Linux.
+		</flag>
+		<flag name="mktemp">
+			Enable pam_mktemp module on system auth stack for session
+			handling. This module creates a private temporary directory for
+			the user, and sets TMP and TMPDIR accordingly.
+		</flag>
+		<flag name="pam_ssh">
+			Enable pam_ssh module on system auth stack for authentication
+			and session handling. This module will accept as password the
+			passphrase of a private SSH key (one of ~/.ssh/id_rsa,
+			~/.ssh/id_dsa or ~/.ssh/identity), and will spawn an ssh-agent
+			instance to cache the open key.
+		</flag>
+		<flag name="sha512">
+			Switch Linux-PAM's pam_unix module to use sha512 for passwords
+			hashes rather than MD5. This option requires
+			<pkg>sys-libs/pam</pkg> version 1.0.1 built against
+			<pkg>sys-libs/glibc</pkg> version 2.7, if it's built against an
+			earlier version, it will silently be ignored, and MD5 hashes
+			will be used. All the passwords changed after this USE flag is
+			enabled will be saved to the shadow file hashed using SHA512
+			function. The password previously saved will be left
+			untouched. Please note that while SHA512-hashed passwords will
+			still be recognised if the USE flag is removed, the shadow file
+			will not be compatible with systems using an earlier glibc
+			version.
+		</flag>
+		<flag name="sssd">
+			Add System Security Services Daemon (<pkg>sys-auth/sssd</pkg>) support
+			via pam_sss.
+		</flag>
+		<flag name="yescrypt">
+			Switch Linux-PAM's pam_unix module to use yescrypt for passwords hashes rather than MD5
+		</flag>
+		<flag name="pam_krb5">
+			Enable pam_krb5 module on system auth stack, as an alternative
+			to pam_unix. If Kerberos authentication succeeds, only pam_unix
+			will be ignorde, and all the other modules will proceed as usual,
+			including Gnome Keyring and other session modules. It requires
+			<pkg>sys-libs/pam</pkg> as PAM implementation.
+		</flag>
+		<flag name="minimal">
+			Disables the standard PAM modules that provide extra information
+			to users on login; this includes pam_lastlog, pam_motd, pam_mail
+			and other similar modules. This might not be a good idea on 
+			a multi-user system but could reduce slightly the overhead on
+			single-user non-networked systems.
+		</flag>
+		<flag name="nullok">
+			Enable the nullok option with the pam_unix module. This allows
+			people to login with blank passwords.
+		</flag>
+		<flag name="securetty">
+			Enable pam_securetty module in the login stack. Not generally
+			relevant anymore as the login stack only refers to local logins
+			and local terminals imply secure access in the first place.
+		</flag>
+	</use>
 	<upstream>
-		<remote-id type="github">flatcar/baselayout</remote-id>
+		<remote-id type="gentoo">proj/pambase</remote-id>
+		<remote-id type="github">gentoo/pambase</remote-id>
 	</upstream>
 </pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20220214.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20220214.ebuild
@ -1,14 +0,0 @@
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DESCRIPTION="Compatibility ebuild stub for Flatcar"
-HOMEPAGE="https://github.com/flatcar/baselayout"
-
-LICENSE="metapackage"
-SLOT="0"
-KEYWORDS="amd64 arm arm64 x86"
-
-RDEPEND=">=sys-apps/baselayout-3.6
-	>=sys-libs/pam-1.4"
--- a/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20250826.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20250826.ebuild
@ -0,0 +1,129 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11..13} )
+
+inherit edo pam python-any-r1 readme.gentoo-r1
+
+DESCRIPTION="PAM base configuration files"
+HOMEPAGE="https://github.com/gentoo/pambase"
+
+if [[ ${PV} == *9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="
+		https://anongit.gentoo.org/git/proj/pambase.git
+		https://github.com/gentoo/pambase.git
+	"
+else
+	SRC_URI="https://gitweb.gentoo.org/proj/pambase.git/snapshot/${P}.tar.bz2"
+
+	KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86"
+fi
+
+LICENSE="MIT"
+SLOT="0"
+IUSE="caps debug elogind gnome-keyring homed minimal mktemp +nullok pam_krb5 pam_ssh +passwdqc pwhistory pwquality securetty selinux +sha512 sssd systemd yescrypt"
+
+RESTRICT="binchecks"
+
+REQUIRED_USE="
+	?? ( elogind systemd )
+	?? ( passwdqc pwquality )
+	?? ( sha512 yescrypt )
+	pwhistory? ( || ( passwdqc pwquality ) )
+	homed? ( !pam_krb5 )
+	pam_krb5? ( !homed )
+"
+
+MIN_PAM_REQ=1.4.0
+
+RDEPEND="
+	>=sys-libs/pam-${MIN_PAM_REQ}
+	elogind? ( sys-auth/elogind[pam] )
+	gnome-keyring? ( gnome-base/gnome-keyring[pam] )
+	mktemp? ( sys-auth/pam_mktemp )
+	pam_krb5? (
+		>=sys-libs/pam-${MIN_PAM_REQ}
+		sys-auth/pam_krb5
+	)
+	caps? ( sys-libs/libcap[pam] )
+	pam_ssh? ( sys-auth/pam_ssh )
+	passwdqc? ( >=sys-auth/passwdqc-1.4.0-r1 )
+	pwquality? ( dev-libs/libpwquality[pam] )
+	selinux? ( sys-libs/pam[selinux] )
+	sha512? ( >=sys-libs/pam-${MIN_PAM_REQ} )
+	homed? ( sys-apps/systemd[homed] )
+	systemd? ( sys-apps/systemd[pam] )
+	yescrypt? ( sys-libs/libxcrypt[system] )
+	sssd? ( sys-auth/sssd )
+"
+BDEPEND="
+	$(python_gen_any_dep '
+		dev-python/jinja2[${PYTHON_USEDEP}]
+	')
+"
+
+python_check_deps() {
+	python_has_version "dev-python/jinja2[${PYTHON_USEDEP}]"
+}
+
+src_configure() {
+	local crypt=md5
+	# TODO: sha256, blowfish, gost_yescrypt
+	use sha512 && crypt=sha512
+	use yescrypt && crypt=yescrypt
+
+	local pamargs=(
+		# Not all 'upstream' options are (currently) wired up
+		# in the ebuild.
+		#
+		# TODO: pam_shells
+		$(usev caps '--caps')
+		$(usev debug '--debug')
+		$(usev elogind '--elogind')
+		$(usev gnome-keyring '--gnome-keyring')
+		$(usev homed '--homed')
+		$(usev minimal '--minimal')
+		$(usev mktemp '--mktemp')
+		$(usev nullok '--nullok')
+		$(usev pam_krb5 '--krb5')
+		$(usev pam_ssh '--pam-ssh')
+		$(usev passwdqc '--passwdqc')
+		$(usev pwhistory '--pwhistory')
+		$(usev pwquality '--pwquality')
+		$(usev securetty '--securetty')
+		$(usev selinux '--selinux')
+		$(usex systemd '--systemd' '--openrc')
+		$(usev sssd '--sssd')
+
+		--encrypt=${crypt}
+	)
+
+	edo ${EPYTHON} ./${PN}.py "${pamargs[@]}"
+}
+
+src_test() { :; }
+
+src_install() {
+	local DOC_CONTENTS
+
+	if use passwdqc; then
+		DOC_CONTENTS="To amend the existing password policy please see the man 5 passwdqc.conf
+				page and then edit the /etc/security/passwdqc.conf file"
+	fi
+
+	if use pwquality; then
+		DOC_CONTENTS="To amend the existing password policy please see the man 5 pwquality.conf
+				page and then edit the /etc/security/pwquality.conf file"
+	fi
+
+	{ use passwdqc || use pwquality; } && readme.gentoo_create_doc
+
+	dopamd -r stack/.
+}
+
+pkg_postinst() {
+	{ use passwdqc || use pwquality; } && readme.gentoo_print_elog
+}
--- a/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20250906.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20250906.ebuild
@ -0,0 +1,129 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11..14} )
+
+inherit edo pam python-any-r1 readme.gentoo-r1
+
+DESCRIPTION="PAM base configuration files"
+HOMEPAGE="https://github.com/gentoo/pambase"
+
+if [[ ${PV} == *9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="
+		https://anongit.gentoo.org/git/proj/pambase.git
+		https://github.com/gentoo/pambase.git
+	"
+else
+	SRC_URI="https://gitweb.gentoo.org/proj/pambase.git/snapshot/${P}.tar.bz2"
+
+	KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86"
+fi
+
+LICENSE="MIT"
+SLOT="0"
+IUSE="caps debug elogind gnome-keyring homed minimal mktemp +nullok pam_krb5 pam_ssh +passwdqc pwhistory pwquality securetty selinux +sha512 sssd systemd yescrypt"
+
+RESTRICT="binchecks"
+
+REQUIRED_USE="
+	?? ( elogind systemd )
+	?? ( passwdqc pwquality )
+	?? ( sha512 yescrypt )
+	pwhistory? ( || ( passwdqc pwquality ) )
+	homed? ( !pam_krb5 )
+	pam_krb5? ( !homed )
+"
+
+MIN_PAM_REQ=1.4.0
+
+RDEPEND="
+	>=sys-libs/pam-${MIN_PAM_REQ}
+	elogind? ( sys-auth/elogind[pam] )
+	gnome-keyring? ( gnome-base/gnome-keyring[pam] )
+	mktemp? ( sys-auth/pam_mktemp )
+	pam_krb5? (
+		>=sys-libs/pam-${MIN_PAM_REQ}
+		sys-auth/pam_krb5
+	)
+	caps? ( sys-libs/libcap[pam] )
+	pam_ssh? ( sys-auth/pam_ssh )
+	passwdqc? ( >=sys-auth/passwdqc-1.4.0-r1 )
+	pwquality? ( dev-libs/libpwquality[pam] )
+	selinux? ( sys-libs/pam[selinux] )
+	sha512? ( >=sys-libs/pam-${MIN_PAM_REQ} )
+	homed? ( sys-apps/systemd[homed] )
+	systemd? ( sys-apps/systemd[pam] )
+	yescrypt? ( sys-libs/libxcrypt[system] )
+	sssd? ( sys-auth/sssd )
+"
+BDEPEND="
+	$(python_gen_any_dep '
+		dev-python/jinja2[${PYTHON_USEDEP}]
+	')
+"
+
+python_check_deps() {
+	python_has_version "dev-python/jinja2[${PYTHON_USEDEP}]"
+}
+
+src_configure() {
+	local crypt=md5
+	# TODO: sha256, blowfish, gost_yescrypt
+	use sha512 && crypt=sha512
+	use yescrypt && crypt=yescrypt
+
+	local pamargs=(
+		# Not all 'upstream' options are (currently) wired up
+		# in the ebuild.
+		#
+		# TODO: pam_shells
+		$(usev caps '--caps')
+		$(usev debug '--debug')
+		$(usev elogind '--elogind')
+		$(usev gnome-keyring '--gnome-keyring')
+		$(usev homed '--homed')
+		$(usev minimal '--minimal')
+		$(usev mktemp '--mktemp')
+		$(usev nullok '--nullok')
+		$(usev pam_krb5 '--krb5')
+		$(usev pam_ssh '--pam-ssh')
+		$(usev passwdqc '--passwdqc')
+		$(usev pwhistory '--pwhistory')
+		$(usev pwquality '--pwquality')
+		$(usev securetty '--securetty')
+		$(usev selinux '--selinux')
+		$(usex systemd '--systemd' '--openrc')
+		$(usev sssd '--sssd')
+
+		--encrypt=${crypt}
+	)
+
+	edo ${EPYTHON} ./${PN}.py "${pamargs[@]}"
+}
+
+src_test() { :; }
+
+src_install() {
+	local DOC_CONTENTS
+
+	if use passwdqc; then
+		DOC_CONTENTS="To amend the existing password policy please see the man 5 passwdqc.conf
+				page and then edit the /etc/security/passwdqc.conf file"
+	fi
+
+	if use pwquality; then
+		DOC_CONTENTS="To amend the existing password policy please see the man 5 pwquality.conf
+				page and then edit the /etc/security/pwquality.conf file"
+	fi
+
+	{ use passwdqc || use pwquality; } && readme.gentoo_create_doc
+
+	dopamd -r stack/.
+}
+
+pkg_postinst() {
+	{ use passwdqc || use pwquality; } && readme.gentoo_print_elog
+}
--- a/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20251013.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20251013.ebuild
@ -0,0 +1,129 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11..14} )
+
+inherit edo pam python-any-r1 readme.gentoo-r1
+
+DESCRIPTION="PAM base configuration files"
+HOMEPAGE="https://github.com/gentoo/pambase"
+
+if [[ ${PV} == *9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="
+		https://anongit.gentoo.org/git/proj/pambase.git
+		https://github.com/gentoo/pambase.git
+	"
+else
+	SRC_URI="https://gitweb.gentoo.org/proj/pambase.git/snapshot/${P}.tar.bz2"
+
+	KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86"
+fi
+
+LICENSE="MIT"
+SLOT="0"
+IUSE="caps debug elogind gnome-keyring homed minimal mktemp +nullok pam_krb5 pam_ssh +passwdqc pwhistory pwquality securetty selinux +sha512 sssd systemd yescrypt"
+
+RESTRICT="binchecks"
+
+REQUIRED_USE="
+	?? ( elogind systemd )
+	?? ( passwdqc pwquality )
+	?? ( sha512 yescrypt )
+	pwhistory? ( || ( passwdqc pwquality ) )
+	homed? ( !pam_krb5 )
+	pam_krb5? ( !homed )
+"
+
+MIN_PAM_REQ=1.4.0
+
+RDEPEND="
+	>=sys-libs/pam-${MIN_PAM_REQ}
+	elogind? ( sys-auth/elogind[pam] )
+	gnome-keyring? ( gnome-base/gnome-keyring[pam] )
+	mktemp? ( sys-auth/pam_mktemp )
+	pam_krb5? (
+		>=sys-libs/pam-${MIN_PAM_REQ}
+		sys-auth/pam_krb5
+	)
+	caps? ( sys-libs/libcap[pam] )
+	pam_ssh? ( sys-auth/pam_ssh )
+	passwdqc? ( >=sys-auth/passwdqc-1.4.0-r1 )
+	pwquality? ( dev-libs/libpwquality[pam] )
+	selinux? ( sys-libs/pam[selinux] )
+	sha512? ( >=sys-libs/pam-${MIN_PAM_REQ} )
+	homed? ( sys-apps/systemd[homed] )
+	systemd? ( sys-apps/systemd[pam] )
+	yescrypt? ( sys-libs/libxcrypt[system] )
+	sssd? ( sys-auth/sssd )
+"
+BDEPEND="
+	$(python_gen_any_dep '
+		dev-python/jinja2[${PYTHON_USEDEP}]
+	')
+"
+
+python_check_deps() {
+	python_has_version "dev-python/jinja2[${PYTHON_USEDEP}]"
+}
+
+src_configure() {
+	local crypt=md5
+	# TODO: sha256, blowfish, gost_yescrypt
+	use sha512 && crypt=sha512
+	use yescrypt && crypt=yescrypt
+
+	local pamargs=(
+		# Not all 'upstream' options are (currently) wired up
+		# in the ebuild.
+		#
+		# TODO: pam_shells
+		$(usev caps '--caps')
+		$(usev debug '--debug')
+		$(usev elogind '--elogind')
+		$(usev gnome-keyring '--gnome-keyring')
+		$(usev homed '--homed')
+		$(usev minimal '--minimal')
+		$(usev mktemp '--mktemp')
+		$(usev nullok '--nullok')
+		$(usev pam_krb5 '--krb5')
+		$(usev pam_ssh '--pam-ssh')
+		$(usev passwdqc '--passwdqc')
+		$(usev pwhistory '--pwhistory')
+		$(usev pwquality '--pwquality')
+		$(usev securetty '--securetty')
+		$(usev selinux '--selinux')
+		$(usex systemd '--systemd' '--openrc')
+		$(usev sssd '--sssd')
+
+		--encrypt=${crypt}
+	)
+
+	edo ${EPYTHON} ./${PN}.py "${pamargs[@]}"
+}
+
+src_test() { :; }
+
+src_install() {
+	local DOC_CONTENTS
+
+	if use passwdqc; then
+		DOC_CONTENTS="To amend the existing password policy please see the man 5 passwdqc.conf
+				page and then edit the /etc/security/passwdqc.conf file"
+	fi
+
+	if use pwquality; then
+		DOC_CONTENTS="To amend the existing password policy please see the man 5 pwquality.conf
+				page and then edit the /etc/security/pwquality.conf file"
+	fi
+
+	{ use passwdqc || use pwquality; } && readme.gentoo_create_doc
+
+	dopamd -r stack/.
+}
+
+pkg_postinst() {
+	{ use passwdqc || use pwquality; } && readme.gentoo_print_elog
+}
--- a/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-999999999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-999999999.ebuild
@ -0,0 +1,129 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11..14} )
+
+inherit edo pam python-any-r1 readme.gentoo-r1
+
+DESCRIPTION="PAM base configuration files"
+HOMEPAGE="https://github.com/gentoo/pambase"
+
+if [[ ${PV} == *9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="
+		https://anongit.gentoo.org/git/proj/pambase.git
+		https://github.com/gentoo/pambase.git
+	"
+else
+	SRC_URI="https://gitweb.gentoo.org/proj/pambase.git/snapshot/${P}.tar.bz2"
+
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+fi
+
+LICENSE="MIT"
+SLOT="0"
+IUSE="caps debug elogind gnome-keyring homed minimal mktemp +nullok pam_krb5 pam_ssh +passwdqc pwhistory pwquality securetty selinux +sha512 sssd systemd yescrypt"
+
+RESTRICT="binchecks"
+
+REQUIRED_USE="
+	?? ( elogind systemd )
+	?? ( passwdqc pwquality )
+	?? ( sha512 yescrypt )
+	pwhistory? ( || ( passwdqc pwquality ) )
+	homed? ( !pam_krb5 )
+	pam_krb5? ( !homed )
+"
+
+MIN_PAM_REQ=1.4.0
+
+RDEPEND="
+	>=sys-libs/pam-${MIN_PAM_REQ}
+	elogind? ( sys-auth/elogind[pam] )
+	gnome-keyring? ( gnome-base/gnome-keyring[pam] )
+	mktemp? ( sys-auth/pam_mktemp )
+	pam_krb5? (
+		>=sys-libs/pam-${MIN_PAM_REQ}
+		sys-auth/pam_krb5
+	)
+	caps? ( sys-libs/libcap[pam] )
+	pam_ssh? ( sys-auth/pam_ssh )
+	passwdqc? ( >=sys-auth/passwdqc-1.4.0-r1 )
+	pwquality? ( dev-libs/libpwquality[pam] )
+	selinux? ( sys-libs/pam[selinux] )
+	sha512? ( >=sys-libs/pam-${MIN_PAM_REQ} )
+	homed? ( sys-apps/systemd[homed] )
+	systemd? ( sys-apps/systemd[pam] )
+	yescrypt? ( sys-libs/libxcrypt[system] )
+	sssd? ( sys-auth/sssd )
+"
+BDEPEND="
+	$(python_gen_any_dep '
+		dev-python/jinja2[${PYTHON_USEDEP}]
+	')
+"
+
+python_check_deps() {
+	python_has_version "dev-python/jinja2[${PYTHON_USEDEP}]"
+}
+
+src_configure() {
+	local crypt=md5
+	# TODO: sha256, blowfish, gost_yescrypt
+	use sha512 && crypt=sha512
+	use yescrypt && crypt=yescrypt
+
+	local pamargs=(
+		# Not all 'upstream' options are (currently) wired up
+		# in the ebuild.
+		#
+		# TODO: pam_shells
+		$(usev caps '--caps')
+		$(usev debug '--debug')
+		$(usev elogind '--elogind')
+		$(usev gnome-keyring '--gnome-keyring')
+		$(usev homed '--homed')
+		$(usev minimal '--minimal')
+		$(usev mktemp '--mktemp')
+		$(usev nullok '--nullok')
+		$(usev pam_krb5 '--krb5')
+		$(usev pam_ssh '--pam-ssh')
+		$(usev passwdqc '--passwdqc')
+		$(usev pwhistory '--pwhistory')
+		$(usev pwquality '--pwquality')
+		$(usev securetty '--securetty')
+		$(usev selinux '--selinux')
+		$(usex systemd '--systemd' '--openrc')
+		$(usev sssd '--sssd')
+
+		--encrypt=${crypt}
+	)
+
+	edo ${EPYTHON} ./${PN}.py "${pamargs[@]}"
+}
+
+src_test() { :; }
+
+src_install() {
+	local DOC_CONTENTS
+
+	if use passwdqc; then
+		DOC_CONTENTS="To amend the existing password policy please see the man 5 passwdqc.conf
+				page and then edit the /etc/security/passwdqc.conf file"
+	fi
+
+	if use pwquality; then
+		DOC_CONTENTS="To amend the existing password policy please see the man 5 pwquality.conf
+				page and then edit the /etc/security/pwquality.conf file"
+	fi
+
+	{ use passwdqc || use pwquality; } && readme.gentoo_create_doc
+
+	dopamd -r stack/.
+}
+
+pkg_postinst() {
+	{ use passwdqc || use pwquality; } && readme.gentoo_print_elog
+}