diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest
index 68daeb0d38..df4f7606de 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest
@@ -1,30 +1 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA256
-
-AUX default/useradd 96 SHA256 31aa2cbe4a34a9f7d4d134c1fecd007c9bbf4d40e19d0dcddbcd396f1853b490 SHA512 87b01ac88c2065392fa988871489d8403ef93341b4cfbadb4504f39a2a3396ddef756efc6378868d00627a58a1feb9612eb52a8135558a211a09c6a9ccf3404f WHIRLPOOL 9022a371e34e96a4c3193f24752979da27cdcd60aec1c8db1d2b427ab880b16917578ddcb4d8af02fd1d0eedc6b346cf43d7ae892e8580321e32e50f5498980b
-AUX login_defs_pam.sed 479 SHA256 587239d5b1425c5766f10cea5352b325699fb35829d9375bda68bbfd74f1d839 SHA512 c4bda7776b5a0bdaa8e7e36c09fb005699cf8b1ef5b474021f7e95d98e62a39aebd354dcc8ad0c49316e8e5d0123429b893c3ff9e4024c18ac0e25b4ab4b45ed WHIRLPOOL a6c5ce16824dde56b4ae899cb9b8effc9b7d61133e88e262a22a5e0db080c85ead15d6d9a13c5583b6e55b368ffd890bf037a3957ce6071b370dd7fb50d63bf4
-AUX pam.d-include/passwd 144 SHA256 8c54d2e3aab50b2a8d3d36aa37f7d7bb32c15d9a3af9a10b7ec5b5ffcff9a5fb SHA512 31611a08d97cd2c129f18d451a555ff6c781f91603c77fc0c66ff406b5fa4a97db19ae4ce104816a6324529d10e131de0d5329646bdab2abc8dc3ee5b82b057f WHIRLPOOL 879370adfb6a78c0acdeebf2c10a503d94925c34dceadb8677693f6c34e4e973f2584b221a9a81fdf23f084c430bbafa23a03440c1a95c798b58faedf4d412bd
-AUX pam.d-include/shadow 152 SHA256 7fc1ccca85d2b1ac4dad9909792453c8d26e9aeab48c620d861a92b9355ac69f SHA512 d07611c350d0d6f3386db5080c80a84e4135cf33e44fd3a390cb1092e034f9bd2a69495fadd4bda6ede9962e9658e77f2c8e12d3189cdcda6c7b3c607336f0c3 WHIRLPOOL 2b5282f983b5bf52c0311c2153dba2d12f6c07ae803d1723010bf4bbf4962d120aea026d32b1f3b062778da5222e7cb16dc39660e53b72173fba723a57b616de
-AUX securetty 262 SHA256 9bc3c187d5535ebe83cf22129b7189a9d8e4c05520af187bff6cff4d8f083c67 SHA512 d841f00a4c83e9672ec3620cdff73f2cd02a1a9e883115b329720b5f6ffbf6faa0ff8ac975f1494f7ad07f0ffa91f6eb983a617e604af67dd46062069b09f7f2 WHIRLPOOL 4b7ee107532d1a2e528745c5e3dcb770fc54f7f2a7dcc0f706613e5623f9a5521ee808900a5ffeb68073d9787ebe08606e6eaf95cdb400c9490b0da3614deaa8
-AUX shadow-4.1.3-dots-in-usernames.patch 302 SHA256 2299ffaec204d20e00d791bf5b982571c9261a74c7a7b865a9f7cad1cdcb43ba SHA512 ad20fb3f4f0292f39b5da796e41df71e9e8b1b81dd11a99b2d988440c1b435b0061333a0a5a37a909598d5a840a75946e8c59c74426bae7452de88cf673a5f7d WHIRLPOOL f0258b24f7731ab7b15a1fca391593c8bbd6bdf2ddad57af1d7960d05af49bc5b706039caa576646cb3d817d2d4ad8e89526b12fe046301c63c1518d01dcf173
-DIST shadow-4.1.5.1.tar.bz2 2193325 SHA256 aa32333748d68b58ed3a83625f0165e0f6b9dc4639e6377c9300c6bf4fe978fb SHA512 c3bc605de1ca5b774b80d0d92cef5d4c0d5b4a206acadcf5a819f195453093bfe7990d7e32b98799180847ae4fadecfc7876c8ee7297f343acce2230d805d02c WHIRLPOOL 08751597b5b57057f0a3141be97204df49fada25adf0a9f43106a4099ce1b06fec6e90592e43ff1d789bf0a7e16a40b45f29830879ea5c71e9f5a1a81e7a7357
-EBUILD shadow-4.1.5.1-r1.ebuild 5207 SHA256 2739bd1b1e66b820457db309569403700d093e5c9827ba4049d38b9a5727de15 SHA512 1e9bc3b4ac4841f7063482a9075e9be4c1fe5169cbe8f4b5a9ec80447202519d86b5d3048d9fed1176c79c986fdbaff35b82e326f81bd5ece1dc2232bc5b2c8b WHIRLPOOL 7cf7b7e46f523be1bf27b03d3bdc86ae517443ca0207d1da7a19242d60663a1ec6238b746efcc3cbdee7b8cc5f871e992b44b353be5448c905317eb68cb7aa8d
-MISC ChangeLog 49968 SHA256 a4f337564abe7d82ada5602da29c2bacb3ca12b27e53be22a4e64bf3668d38e7 SHA512 acc13cdbcdf8fceb4188293e73d6846329d25ce35d48d64a5e77007b8b9ae6886d84b766fa8e9f0c649fbbbf3208bc8ab9bd31e4ebf06d7b4add31d94ed6ac2f WHIRLPOOL bf5a26c7cac759588de738da08af9e705ccaed386f4e406d72d8cc53ade2e01c64fc503a515b85864442a73e3a7e1b9adf5b7b8701197f75cf83cb9a2931a14c
-MISC metadata.xml 374 SHA256 1675a5791603e79e431df63215162737553fa8018360b026739ac3284bca54b2 SHA512 0bb65b45fa94ddea89f7e0a879fd996b3f363b3e58eb6cbd71251fd79416667f103af4bac0c87f3ba240e0ce3f323c77ce7be9f6ea92c13d619ff8cef8797add WHIRLPOOL e7f4f5d975440fe71dbb35dee4394aa808fce7b5e58ac64d162418a47ed99cb002c7622563be4f6800967d6b8530d29dbd895e431c78f75a5cdf490b8c1afc45
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.22 (GNU/Linux)
-
-iQIcBAEBCAAGBQJS2geZAAoJEPGu1DbS6WIAtZwP/1OPB3ldDGurvxfVY3OPdSaQ
-vMK8nwn2UUMTXmNOZByzs5hLrc59IALAJTm6Nan+fN9gpWRVbQhtKTPbyGsgITly
-tkNz4Hx/nJ5EILG1aKTCn0lL3Xtt/VGR72E/JEWjm4pC7Drt3rbJNCof4mXsGxFm
-pYYMOu+3wjNWyAi5gGHzKYRdPL5vkpTRb2BeW+KKuAGNBfiFHIHBZ+uw1TRCjl2D
-kI2aTcQFUY7DUA2eHquW4DXzxj5LA7thPSO8HTXN+XiIjdu1JaYf8qBAzjRU/Md1
-7I+jdI9dta07bu+y3hM1Cz8XJTL0JpXU70LFqDDRc2YtQScXUq6YiLiYnhIcnYa8
-4/pXzMa+vsNsUQn8tQW9oVfOCY4wZF7NruLaB9lVbNlDZWWUFagTrn2zHQwvryxb
-lS0ifiop9R6J3yReIQ+L3xh9TeUk9B7DBImlOvzepisweBC0vVfeqoXPtMeJWCHm
-9K8aDv07iiMZrgLvMORWNkbu8QZZK2eY8boEWfdpZwSdkhjyht4k5rYW7mnBx1vY
-/AdfN0Hphyl5dUsDWHsy6vcgl4naXGT/iFJOUlIIHdW+IQfycQpKUtPGe5TPeSoN
-Ki5tZetXrbs4qvthmmY18xHiXiY8p2wry5TYxNgKs5Ahvn4bKSKoFYR0U3u2+eA8
-OirqXzVPet88OQwCfPhI
-=rMXY
------END PGP SIGNATURE-----
+DIST shadow-4.4.tar.gz 3706812 SHA256 2398fe436e548786c17ec387b4c41f5339f72ec9ee2f3f7a6e0cc2cb240bb482 SHA512 c1e0f65a4fbd0f9d8de38e488b4a374cac5c476180e233269fc666988d9201c0dcc694605c5e54d54f81039c2e30c95b14c12f10adef749a45cc31f0b4b5d5a6 WHIRLPOOL a22fc0f90ec0623cbbcef253378a16ad605cf71345074880e3fd12fb5914058d3e721f378730c9684497cc597595b7defc7e710206268ae320a090c8c35fd41e
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.4-load_defaults.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.4-load_defaults.patch
new file mode 100644
index 0000000000..4c0b84f680
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.4-load_defaults.patch
@@ -0,0 +1,37 @@
+From 507f96cdeb54079fb636c7ce21e371f7a16a520e Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 25 Aug 2016 11:20:34 +0200
+Subject: [PATCH] Fix regression in useradd not loading defaults properly.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The get_defaults() has to be called before processing the flags.
+
+Signed-off-by: Tomáš Mráz <tmraz@fedoraproject.org>
+---
+ src/useradd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index fefa234..6c43e7e 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2027,6 +2027,8 @@ int main (int argc, char **argv)
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
+ 
++	get_defaults ();
++
+ 	process_flags (argc, argv);
+ 
+ #ifdef ENABLE_SUBIDS
+@@ -2036,8 +2038,6 @@ int main (int argc, char **argv)
+ 	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
+ #endif				/* ENABLE_SUBIDS */
+ 
+-	get_defaults ();
+-
+ #ifdef ACCT_TOOLS_SETUID
+ #ifdef USE_PAM
+ 	{
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.4-prototypes.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.4-prototypes.patch
new file mode 100644
index 0000000000..5209a2988f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.4-prototypes.patch
@@ -0,0 +1,42 @@
+https://github.com/shadow-maint/shadow/pull/53
+
+From 32c0b283ef5d68b63e4ec05fb22ed0db938fea67 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Mon, 5 Dec 2016 17:15:29 -0500
+Subject: [PATCH] include getdef.h for getdef_bool prototype
+
+Otherwise we get build warnings like:
+sgroupio.c:255:6: warning: implicit declaration of function 'getdef_bool' [-Wimplicit-function-declaration]
+shadowio.c:131:6: warning: implicit declaration of function 'getdef_bool' [-Wimplicit-function-declaration]
+---
+ lib/sgroupio.c | 1 +
+ lib/shadowio.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/lib/sgroupio.c b/lib/sgroupio.c
+index f2685779a12b..5423626a01da 100644
+--- a/lib/sgroupio.c
++++ b/lib/sgroupio.c
+@@ -40,6 +40,7 @@
+ #include "prototypes.h"
+ #include "defines.h"
+ #include "commonio.h"
++#include "getdef.h"
+ #include "sgroupio.h"
+ 
+ /*@null@*/ /*@only@*/struct sgrp *__sgr_dup (const struct sgrp *sgent)
+diff --git a/lib/shadowio.c b/lib/shadowio.c
+index 6e44ab24d69c..5fa3d312bbf9 100644
+--- a/lib/shadowio.c
++++ b/lib/shadowio.c
+@@ -40,6 +40,7 @@
+ #include <shadow.h>
+ #include <stdio.h>
+ #include "commonio.h"
++#include "getdef.h"
+ #include "shadowio.h"
+ #ifdef WITH_TCB
+ #include <tcb.h>
+-- 
+2.11.0.rc2
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.4-su-snprintf.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.4-su-snprintf.patch
new file mode 100644
index 0000000000..45667c8e4b
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.4-su-snprintf.patch
@@ -0,0 +1,29 @@
+fix from upstream
+
+From 67d2bb6e0a5ac124ce1f026dd5723217b1493194 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Sun, 18 Sep 2016 21:31:18 -0500
+Subject: [PATCH] su.c: fix missing length argument to snprintf
+
+---
+ src/su.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index 0c50a9456afd..93ffd2fbe2b4 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -373,8 +373,8 @@ static void prepare_pam_close_session (void)
+ 		              stderr);
+ 		(void) kill (-pid_child, caught);
+ 
+-		snprintf (kill_msg, _(" ...killed.\n"));
+-		snprintf (wait_msg, _(" ...waiting for child to terminate.\n"));
++		snprintf (kill_msg, 256, _(" ...killed.\n"));
++		snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n"));
+ 
+ 		(void) signal (SIGALRM, kill_child);
+ 		(void) alarm (2);
+-- 
+2.11.0.rc2
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.1.5.1-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.4.ebuild
similarity index 73%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.1.5.1-r5.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.4.ebuild
index 3fe3909301..76c4a8d942 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.1.5.1-r5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.4.ebuild
@@ -1,14 +1,14 @@
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/shadow-4.1.5.1-r1.ebuild,v 1.16 2014/01/18 04:48:18 vapier Exp $
+# $Id$
 
-EAPI=4
+EAPI="5"
 
-inherit eutils libtool toolchain-funcs pam multilib systemd
+inherit eutils libtool pam multilib systemd
 
 DESCRIPTION="Utilities to deal with user accounts"
-HOMEPAGE="http://shadow.pld.org.pl/ http://pkg-shadow.alioth.debian.org/"
-SRC_URI="http://pkg-shadow.alioth.debian.org/releases/${P}.tar.bz2"
+HOMEPAGE="https://github.com/shadow-maint/shadow http://pkg-shadow.alioth.debian.org/"
+SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.gz"
 
 LICENSE="BSD GPL-2"
 SLOT="0"
@@ -27,12 +27,20 @@ RDEPEND="acl? ( sys-apps/acl )
 	nls? ( virtual/libintl )
 	xattr? ( sys-apps/attr )"
 DEPEND="${RDEPEND}
+	app-arch/xz-utils
 	nls? ( sys-devel/gettext )"
 RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20120417 )"
+	pam? ( >=sys-auth/pambase-20150213 )"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-4.1.3-dots-in-usernames.patch
+	"${FILESDIR}"/${P}-su-snprintf.patch
+	"${FILESDIR}"/${P}-prototypes.patch
+	"${FILESDIR}"/${P}-load_defaults.patch
+)
 
 src_prepare() {
-	epatch "${FILESDIR}"/${PN}-4.1.3-dots-in-usernames.patch #22920
+	epatch "${PATCHES[@]}"
 	epatch_user
 	elibtoolize
 }
@@ -58,11 +66,17 @@ src_configure() {
 
 set_login_opt() {
 	local comment="" opt=$1 val=$2
-	[[ -z ${val} ]] && comment="#"
-	sed -i -r \
-		-e "/^#?${opt}/s:.*:${comment}${opt} ${val}:" \
-		"${D}"/usr/share/shadow/login.defs
-	local res=$(grep "^${comment}${opt}" "${D}"/usr/share/shadow/login.defs)
+	if [[ -z ${val} ]]; then
+		comment="#"
+		sed -i \
+			-e "/^${opt}\>/s:^:#:" \
+			"${ED}"/usr/share/shadow/login.defs || die
+	else
+		sed -i -r \
+			-e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
+			"${ED}"/usr/share/shadow/login.defs || die
+	fi
+	local res=$(grep "^${comment}${opt}\>" "${ED}"/usr/share/shadow/login.defs)
 	einfo ${res:-Unable to find ${opt} in /usr/share/shadow/login.defs}
 }
 
@@ -74,10 +88,10 @@ src_install() {
 	#   Currently, libshadow.a is for internal use only, so if you see
 	#   -lshadow in a Makefile of some other package, it is safe to
 	#   remove it.
-	rm -f "${D}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
+	rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
 
 	# Remove files from /etc, they will be symlinks to /usr instead.
-	rm -f "${D}"/etc/{limits,login.access,login.defs,securetty,default/useradd}
+	rm -f "${ED}"/etc/{limits,login.access,login.defs,securetty,default/useradd}
 
 	# CoreOS: break shadow.conf into two files so that we only have to apply
 	# etc-shadow.conf in the initrd.
@@ -105,7 +119,7 @@ src_install() {
 		amd64|x86)	devs="hvc0";;
 	esac
 	if [[ -n ${devs} ]]; then
-		printf '%s\n' ${devs} >> "${D}"/usr/share/shadow/securetty
+		printf '%s\n' ${devs} >> "${ED}"/usr/share/shadow/securetty
 	fi
 
 	# needed for 'useradd -D'
@@ -117,15 +131,14 @@ src_install() {
 	newins etc/login.defs login.defs
 	dosym ../usr/share/shadow/login.defs /etc/login.defs
 
+	set_login_opt CREATE_HOME yes
 	if ! use pam ; then
 		set_login_opt MAIL_CHECK_ENAB no
 		set_login_opt SU_WHEEL_ONLY yes
 		set_login_opt CRACKLIB_DICTPATH /usr/$(get_libdir)/cracklib_dict
 		set_login_opt LOGIN_RETRIES 3
 		set_login_opt ENCRYPT_METHOD SHA512
-
-		# CoreOS: increase the minimum password length to eight
-		set_login_opt PASS_MIN_LEN 8
+		set_login_opt CONSOLE
 	else
 		dopamd "${FILESDIR}"/pam.d-include/shadow
 
@@ -139,9 +152,10 @@ src_install() {
 		done
 
 		# comment out login.defs options that pam hates
-		local opt
+		local opt sed_args=()
 		for opt in \
 			CHFN_AUTH \
+			CONSOLE \
 			CRACKLIB_DICTPATH \
 			ENV_HZ \
 			ENVIRON_FILE \
@@ -160,25 +174,28 @@ src_install() {
 			SU_WHEEL_ONLY
 		do
 			set_login_opt ${opt}
+			sed_args+=( -e "/^#${opt}\>/b pamnote" )
 		done
-
-		sed -i -f "${FILESDIR}"/login_defs_pam.sed \
-			"${D}"/usr/share/shadow/login.defs
+		sed -i "${sed_args[@]}" \
+			-e 'b exit' \
+			-e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \
+			-e ': exit' \
+			"${ED}"/usr/share/shadow/login.defs || die
 
 		# remove manpages that pam will install for us
 		# and/or don't apply when using pam
-		find "${D}"/usr/share/man \
+		find "${ED}"/usr/share/man \
 			'(' -name 'limits.5*' -o -name 'suauth.5*' ')' \
-			-exec rm {} +
+			-delete
 
 		# Remove pam.d files provided by pambase.
-		rm "${D}"/etc/pam.d/{login,passwd,su} || die
+		rm "${ED}"/etc/pam.d/{login,passwd,su} || die
 	fi
 
 	# Remove manpages that are handled by other packages
-	find "${D}"/usr/share/man \
+	find "${ED}"/usr/share/man \
 		'(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \
-		-exec rm {} +
+		-delete
 
 	dodoc ChangeLog NEWS TODO
 	newdoc README README.download
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20120417-r99.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20150213.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20120417-r99.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20150213.ebuild