diff --git a/etc/Makefile b/etc/Makefile
index 9f38a4bd5052..3e09565bb76b 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -1,12 +1,13 @@
 #	from: @(#)Makefile	5.11 (Berkeley) 5/21/91
-#	$Id: Makefile,v 1.178 1998/10/06 19:24:14 phk Exp $
+#	$Id: Makefile,v 1.179 1998/10/08 06:12:04 markm Exp $
 
 SUBDIR=	sendmail
 
 BIN1=   aliases amd.map crontab csh.cshrc csh.login csh.logout dm.conf \
 	fbtab ftpusers gettytab group hosts host.conf hosts.equiv hosts.lpd \
 	inetd.conf auth.conf login.conf login.access motd modems networks \
-	newsyslog.conf phones pccard.conf.sample printcap profile protocols \
+	newsyslog.conf pam.conf phones pccard.conf.sample \
+	printcap profile protocols \
 	rc rc.atm rc.conf rc.devfs rc.firewall rc.local rc.network rc.pccard \
 	rc.serial rc.shutdown etc.${MACHINE_ARCH}/rc.${MACHINE_ARCH} \
 	remote security services shells syslog.conf \
diff --git a/etc/pam.conf b/etc/pam.conf
new file mode 100644
index 000000000000..3f66affcbcb5
--- /dev/null
+++ b/etc/pam.conf
@@ -0,0 +1,23 @@
+# Configuration file for Pluggable Authentication Modules (PAM).
+#
+# This file controls the authentication methods that login and other
+# utilities use.  See pam(8) for a description of its format.
+#
+# Note: the final entry must say "required" -- otherwise, things don't
+# work quite right.  If you delete the final entry, be sure to change
+# "sufficient" to "required" in the entry before it.
+#
+# $FreeBSD$
+
+# If the user can authenticate with S/Key, that's sufficient.
+login	auth	sufficient	pam_skey.so
+
+# Check skey.access to make sure it is OK to let the user type in
+# a cleartext password.  If not, then fail right here.
+login	auth	requisite	pam_cleartext_pass_ok.so
+
+# If you want KerberosIV authentication, uncomment the next line:
+#login	auth	sufficient	pam_kerberosIV.so		try_first_pass
+
+# Traditional getpwnam() authentication.
+login	auth	required	pam_unix.so			try_first_pass