diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix
index 29cfa64b22d..96debd66e5b 100644
--- a/pkgs/os-specific/linux/pam/default.nix
+++ b/pkgs/os-specific/linux/pam/default.nix
@@ -1,5 +1,16 @@
-{ stdenv, fetchurl, flex, cracklib }:
+{ stdenv, fetchurl, pkgconfig
 
+# Optional Depdencies
+, cracklib ? null, libaudit ? null, db ? null
+}:
+
+with stdenv;
+let
+  optCracklib = shouldUsePkg cracklib;
+  optLibaudit = shouldUsePkg libaudit;
+  optDb = shouldUsePkg db;
+in
+with stdenv.lib;
 stdenv.mkDerivation rec {
   name = "linux-pam-${version}";
   version = "1.2.0";
@@ -9,37 +20,45 @@ stdenv.mkDerivation rec {
     sha256 = "192y2fgf24a5qsg7rl1mzgw5axs5lg8kqamkfff2x50yjv2ym2yd";
   };
 
-  nativeBuildInputs = [ flex ];
+  nativeBuildInputs = [ pkgconfig ];
+  buildInputs = [ optCracklib optLibaudit optDb ];
 
-  buildInputs = [ cracklib ];
+  configureFlags = [
+    (mkOther                        "sysconfdir"      "/etc")
+    (mkOther                        "localstatedir"   "/var")
+    (mkOther                        "includedir"   "\${out}/include/security")
+    (mkEnable false                 "static-modules"  null)
+    (mkEnable true                  "pie"             null)
+    (mkEnable false                 "prelude"         null)
+    (mkEnable false                 "debug"           null)
+    (mkEnable false                 "pamlocking"      null)
+    (mkEnable true                  "read-both-confs" null)
+    (mkEnable true                  "lckpwdf"         null)
+    (mkWith   true                  "xauth"           "/run/current-system/sw/bin/xauth")
+    (mkEnable (optCracklib != null) "cracklib"        null)
+    (mkEnable (optLibaudit != null) "audit"           null)
+    (mkEnable (optDb != null)       "db"              "db")
+    (mkEnable true                  "nis"             null)  # TODO: Consider tirpc support here
+    (mkEnable false                 "selinux"         null)
+    (mkEnable false                 "regenerate-docu" null)
+  ];
 
-  crossAttrs = {
-    propagatedBuildInputs = [ flex.crossDrv cracklib.crossDrv ];
-    preConfigure = preConfigure + ''
-      ar x ${flex.crossDrv}/lib/libfl.a
-      mv libyywrap.o libyywrap-target.o
-      ar x ${flex}/lib/libfl.a
-      mv libyywrap.o libyywrap-host.o
-      export LDFLAGS="$LDFLAGS $PWD/libyywrap-target.o"
-      sed -e 's/@CC@/gcc/' -i doc/specs/Makefile.in
-    '';
-    postConfigure = ''
-      sed -e "s@ $PWD/libyywrap-target.o@ $PWD/libyywrap-host.o@" -i doc/specs/Makefile
-    '';
-  };
+  installFlags = [
+    "sysconfdir=\${out}/etc"
+    "SCONFIGDIR=\${out}/etc/security"
+  ];
 
   postInstall = ''
+    # Prepare unix_chkpwd for setuid wrapping
     mv -v $out/sbin/unix_chkpwd{,.orig}
     ln -sv /var/setuid-wrappers/unix_chkpwd $out/sbin/unix_chkpwd
   '';
 
-  preConfigure = ''
-    configureFlags="$configureFlags --includedir=$out/include/security"
-  '';
-
   meta = {
     homepage = http://ftp.kernel.org/pub/linux/libs/pam/;
     description = "Pluggable Authentication Modules, a flexible mechanism for authenticating user";
-    platforms = stdenv.lib.platforms.linux;
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ wkennington ];
   };
 }