diff -u pam-1.0.1/debian/changelog pam-1.0.1/debian/changelog
--- pam-1.0.1/debian/changelog
+++ pam-1.0.1/debian/changelog
@@ -1,3 +1,11 @@
+pam (1.0.1-9ubuntu1.1) jaunty-security; urgency=low
+
+ * When no profiles are chosen in pam-auth-update, throw an error message
+ and prompt again instead of letting the user end up with an insecure
+ system. This introduces a new debconf template. LP: #410171.
+
+ -- Steve Langasek Fri, 07 Aug 2009 09:32:50 +0100
+
 pam (1.0.1-9ubuntu1) jaunty; urgency=low
 
 * Merge from Debian unstable
diff -u pam-1.0.1/debian/libpam-runtime.postinst pam-1.0.1/debian/libpam-runtime.postinst
--- pam-1.0.1/debian/libpam-runtime.postinst
+++ pam-1.0.1/debian/libpam-runtime.postinst
@@ -1,8 +1,21 @@
 #!/bin/sh -e
 
+. /usr/share/debconf/confmodule
+
+# pam-auth-update is introduced in 1.0.1-2ubuntu1
+# Between 1.0.1-2ubuntu1 and 1.0.1-9ubuntu1.1 it is possible to get empty
+# profiles
+if [ "x$2" != "x" ] ;then
+if dpkg --compare-versions $2 lt 1.0.1-9ubuntu1.1 && dpkg --compare-versions $2 ge 1.0.1-2ubuntu1 ; then
+db_get libpam-runtime/profiles
+if [ "x$RET" = "x" ] ; then
+UHOH=1
+fi
+fi
+fi
+
 # If the user has removed the config file, respect this sign of dementia
 # -- only create on package install.
-
 force=
 if [ -z "$2" ] || dpkg --compare-versions "$2" lt 1.0.1-6
 then
@@ -30,2 +43,7 @@
 
+if [ -n "$UHOH" ]; then
+db_input critical libpam-runtime/you-had-no-auth || true
+db_go
+fi
+
 #DEBHELPER#
diff -u pam-1.0.1/debian/libpam-runtime.templates pam-1.0.1/debian/libpam-runtime.templates
--- pam-1.0.1/debian/libpam-runtime.templates
+++ pam-1.0.1/debian/libpam-runtime.templates
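Review bot: `$2` is expanded unquoted in the added `if dpkg --compare-versions $2 lt 1.0.1-9ubuntu1.1 && dpkg --compare-versions $2 ge 1.0.1-2ubuntu1 ; then`, while the pre-existing check a few lines below in the same hunk quotes it as `"$2"`; quote both occurrences for consistency, `if dpkg --compare-versions "$2" lt 1.0.1-9ubuntu1.1 && dpkg --compare-versions "$2" ge 1.0.1-2ubuntu1 ; then`. The `UHOH` flag is derived solely from the recorded debconf answer for libpam-runtime/profiles and not from what is actually in /etc/pam.d, so the warning raised later in this script is only as reliable as that stored value; the comment above the block should state this, e.g. `# Heuristic: only the recorded debconf answer is inspected here, not the files in /etc/pam.d`. Because the script runs under `#!/bin/sh -e`, a non-zero return from the bare `db_get libpam-runtime/profiles` statement would abort the upgrade; if that call can fail when the question is absent from the debconf database, it needs the same `|| true` treatment the second hunk gives `db_input`.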
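Review bot: The `|| true` on `db_input critical libpam-runtime/you-had-no-auth` means that when the frontend does not display the question (for example a noninteractive frontend skipping it), the only notice that this system ran without authentication depends on the frontend's handling of skipped questions and may never reach the operator or the upgrade log. Emit the warning on stderr unconditionally before the debconf call, e.g. `echo "libpam-runtime: a previous version allowed login without authentication; see debconf template libpam-runtime/you-had-no-auth" >&2`, so the finding survives regardless of debconf configuration. `db_go` is not guarded the way `db_input` is; under the `sh -e` shebang a non-zero return would abort the postinst, so `db_go || true` keeps the two lines consistent.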
@@ -37,0 +38,25 @@
+Template: libpam-runtime/no_profiles_chosen
+Type: error
+_Description: No PAM profiles have been selected.
+ No PAM profiles have been selected for use on this system. This would grant
+ all users access without authenticating, and is not allowed. Please select
+ at least one PAM profile from the available list.
+
+Template: libpam-runtime/you-had-no-auth
+Type: error
+_Description: Your system allowed access without a password!
+ A bug in a previous version of libpam-runtime resulted in no PAM profiles
+ being selected for use on this system. As a result, access was allowed for
+ a time to all accounts on your system, with or without a correct password.
+ Especially if this system can be accessed from the Internet, it is likely
+ that it has been compromised. Unless you are familiar with recovering from
+ security failures, viruses, and malicious software, you should re-install
+ this system from scratch or obtain the services of a skilled system
+ administrator. For more information, see:
+ .
+ http://www.debian.org/security/pam-auth
+ .
+ The bug that allowed this wrong configuration is fixed in the current
+ version of libpam-runtime, and your configuration has now been corrected.
+ We apologize that previous versions of libpam-runtime did not detect and
+ prevent this situation.
diff -u pam-1.0.1/debian/local/pam-auth-update pam-1.0.1/debian/local/pam-auth-update
--- pam-1.0.1/debian/local/pam-auth-update
+++ pam-1.0.1/debian/local/pam-auth-update
@@ -35,6 +35,7 @@
 my $template = 'libpam-runtime/profiles';
 my $errtemplate = 'libpam-runtime/conflicts';
 my $overridetemplate = 'libpam-runtime/override';
+my $blanktemplate = 'libpam-runtime/no_profiles_chosen';
 my $confdir = '/etc/pam.d';
 my $savedir = '/var/lib/pam';
 my (%profiles, @sorted, @enabled, @conflicts, %removals);
@@ -202,7 +203,10 @@
 }
 fset($template,'seen','false');
 set($template, join(', ', @enabled));
-} while (@conflicts);
+if (!@enabled) {
+input('high',$blanktemplate);
+}
+} while (@conflicts || !@enabled);
 
 # the decision has been made about what configs to use, so even if
 # something fails after this, we shouldn't go munging the default
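Review bot: `input('high',$blanktemplate);` shows a template declared `Type: error` in libpam-runtime.templates at priority high, whereas the postinst in the same patch shows its error template at `critical`; an error whose purpose is to stop the loop until the user fixes the selection should not be filtered out by a debconf priority threshold, so `input('critical',$blanktemplate);` is the safer choice. The new condition `} while (@conflicts || !@enabled);` also relies on the frontend eventually producing a non-empty selection; if the question is skipped (noninteractive frontend, or priority below threshold) and the body of the do-block — which starts outside this hunk — does not exit on that return code, `!@enabled` would keep the loop spinning, so the skipped-question case needs an explicit exit or fallback. A one-line comment above the new `if` would also help, e.g. `# An empty profile list grants access without authentication (see the no_profiles_chosen template); reject it and re-prompt.`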