summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/NEWS85
-rw-r--r--debian/README.debian13
-rw-r--r--debian/README.source8
-rw-r--r--debian/TODO7
-rw-r--r--debian/changelog2539
-rw-r--r--debian/changelog.old13
-rw-r--r--debian/clean3
-rw-r--r--debian/compat1
-rw-r--r--debian/control104
-rw-r--r--debian/copyright67
-rw-r--r--debian/libpam-cracklib.install2
-rw-r--r--debian/libpam-cracklib.lintian-overrides5
-rw-r--r--debian/libpam-cracklib.manpages1
-rw-r--r--debian/libpam-cracklib.postinst9
-rw-r--r--debian/libpam-cracklib.prerm9
-rw-r--r--debian/libpam-doc.doc-base.admin-guide14
-rw-r--r--debian/libpam-doc.doc-base.applications-guide17
-rw-r--r--debian/libpam-doc.doc-base.modules-guide14
-rw-r--r--debian/libpam-doc.install3
-rw-r--r--debian/libpam-modules-bin.install6
-rw-r--r--debian/libpam-modules-bin.lintian-overrides6
-rw-r--r--debian/libpam-modules-bin.manpages3
-rw-r--r--debian/libpam-modules.examples2
-rw-r--r--debian/libpam-modules.install2
-rw-r--r--debian/libpam-modules.lintian-overrides13
-rw-r--r--debian/libpam-modules.manpages2
-rw-r--r--debian/libpam-modules.postinst28
-rw-r--r--debian/libpam-modules.preinst16
-rw-r--r--debian/libpam-modules.templates9
-rw-r--r--debian/libpam-runtime.dirs1
-rw-r--r--debian/libpam-runtime.install7
-rw-r--r--debian/libpam-runtime.links1
-rw-r--r--debian/libpam-runtime.lintian-overrides9
-rw-r--r--debian/libpam-runtime.manpages5
-rw-r--r--debian/libpam-runtime.postinst45
-rw-r--r--debian/libpam-runtime.postrm11
-rw-r--r--debian/libpam-runtime.prerm9
-rw-r--r--debian/libpam-runtime.templates47
-rw-r--r--debian/libpam0g-dev.examples5
-rw-r--r--debian/libpam0g-dev.install.in2
-rw-r--r--debian/libpam0g-dev.links.in3
-rw-r--r--debian/libpam0g-dev.manpages1
-rw-r--r--debian/libpam0g.docs2
-rw-r--r--debian/libpam0g.install1
-rw-r--r--debian/libpam0g.lintian-overrides8
-rw-r--r--debian/libpam0g.postinst200
-rw-r--r--debian/libpam0g.symbols12
-rw-r--r--debian/libpam0g.templates38
-rw-r--r--debian/local/Debian-PAM-MiniPolicy145
-rw-r--r--debian/local/common-account26
-rw-r--r--debian/local/common-account.md5sums2
-rw-r--r--debian/local/common-auth26
-rw-r--r--debian/local/common-auth.md5sums3
-rw-r--r--debian/local/common-password34
-rw-r--r--debian/local/common-password.md5sums6
-rw-r--r--debian/local/common-session25
-rw-r--r--debian/local/common-session-noninteractive25
-rw-r--r--debian/local/common-session-noninteractive.md5sums1
-rw-r--r--debian/local/common-session.md5sums3
-rw-r--r--debian/local/other16
-rw-r--r--debian/local/pam-auth-update700
-rw-r--r--debian/local/pam-auth-update.8101
-rw-r--r--debian/local/pam.conf15
-rw-r--r--debian/local/pam_getenv123
-rw-r--r--debian/pam-configs/cracklib9
-rw-r--r--debian/pam-configs/unix23
-rw-r--r--debian/patches-applied/007_modules_pam_unix462
-rw-r--r--debian/patches-applied/008_modules_pam_limits_chroot132
-rw-r--r--debian/patches-applied/021_nis_cleanup44
-rw-r--r--debian/patches-applied/022_pam_unix_group_time_miscfixes22
-rw-r--r--debian/patches-applied/026_pam_unix_passwd_unknown_user33
-rw-r--r--debian/patches-applied/027_pam_limits_better_init_allow_explicit_root253
-rw-r--r--debian/patches-applied/031_pam_include72
-rw-r--r--debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL22
-rw-r--r--debian/patches-applied/036_pam_wheel_getlogin_considered_harmful145
-rw-r--r--debian/patches-applied/040_pam_limits_log_failure36
-rw-r--r--debian/patches-applied/045_pam_dispatch_jump_is_ignore31
-rw-r--r--debian/patches-applied/054_pam_security_abstract_securetty_handling199
-rw-r--r--debian/patches-applied/055_pam_unix_nullok_secure224
-rw-r--r--debian/patches-applied/PAM-manpage-section1610
-rw-r--r--debian/patches-applied/cve-2011-4708.patch27
-rw-r--r--debian/patches-applied/do_not_check_nis_accidentally22
-rw-r--r--debian/patches-applied/fix-man-crud22144
-rw-r--r--debian/patches-applied/glibc-2_16-compilation-fix.patch30
-rw-r--r--debian/patches-applied/hurd_no_setfsuid77
-rw-r--r--debian/patches-applied/lib_security_multiarch_compat71
-rw-r--r--debian/patches-applied/no_PATH_MAX_on_hurd22
-rw-r--r--debian/patches-applied/pam-loginuid-in-containers136
-rw-r--r--debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch25
-rw-r--r--debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch25
-rw-r--r--debian/patches-applied/series26
-rw-r--r--debian/patches-applied/sys-types-include.patch21
-rw-r--r--debian/patches-applied/update-motd168
-rw-r--r--debian/po/POTFILES.in3
-rw-r--r--debian/po/bg.po226
-rw-r--r--debian/po/ca.po241
-rw-r--r--debian/po/cs.po226
-rw-r--r--debian/po/da.po229
-rw-r--r--debian/po/de.po235
-rw-r--r--debian/po/es.po270
-rw-r--r--debian/po/eu.po236
-rw-r--r--debian/po/fi.po231
-rw-r--r--debian/po/fr.po240
-rw-r--r--debian/po/gl.po225
-rw-r--r--debian/po/it.po229
-rw-r--r--debian/po/ja.po224
-rw-r--r--debian/po/nl.po235
-rw-r--r--debian/po/pl.po231
-rw-r--r--debian/po/pt.po235
-rw-r--r--debian/po/pt_BR.po226
-rw-r--r--debian/po/ro.po227
-rw-r--r--debian/po/ru.po230
-rw-r--r--debian/po/sk.po227
-rw-r--r--debian/po/sv.po269
-rw-r--r--debian/po/templates.pot191
-rw-r--r--debian/po/tr.po217
-rw-r--r--debian/po/vi.po262
-rw-r--r--debian/po/zh_CN.po211
-rwxr-xr-xdebian/rules66
-rw-r--r--debian/source.lintian-overrides3
-rw-r--r--debian/watch3
121 files changed, 36418 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 00000000..c6c4f7f0
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,85 @@
+pam (1.1.2-1) unstable; urgency=low
+
+ * Name of option for minimum Unix password length has changed
+
+ The Debian-specific 'min=n' option to pam_unix for specifying minimum
+ lengths for new passwords has been replaced by a new upstream option
+ called 'minlen=n'. If you are using 'min=n' in
+ /etc/pam.d/common-password, this will be migrated to the new option name
+ for you on upgrade. If you have configured pam_unix password changing
+ elsewhere on your system, such as in a PAM profile under
+ /usr/share/pam-configs or in other files in /etc/pam.d, you will need to
+ update them by hand for this change.
+
+ -- Steve Langasek <vorlon@debian.org> Tue, 31 Aug 2010 23:09:30 -0700
+
+pam (1.1.0-3) unstable; urgency=low
+
+ * pam_rhosts_auth module obsolete, symlink removed
+
+ The pam_rhosts_auth module was dropped upstream prior to the lenny
+ release and a compatibility symlink provided in the libpam-modules
+ package, pointing at the new (and not 100% compatible) pam_rhosts
+ module. This symlink has now been dropped. If you still have
+ references to pam_rhosts_auth in your /etc/pam.d/* config files, you
+ will need to fix these, since they no longer work.
+
+ For information on using pam_rhosts, see the pam_rhosts(8) manpage.
+
+ -- Steve Langasek <vorlon@debian.org> Wed, 02 Sep 2009 16:17:16 -0700
+
+pam (1.1.0-1) unstable; urgency=low
+
+ * pam_cracklib no longer checks for reuse of old passwords
+
+ The pam_cracklib module no longer checks /etc/security/opasswd to see
+ if the proposed password is one that was previously used. This
+ functionality has been split out into a new module, pam_pwhistory.
+
+ The pam_unix module still does its own check of /etc/security/opasswd,
+ so if you are using this module you should not need to change anything.
+
+ * Change in handling of /etc/shadow fields
+
+ The Debian PAM package included a patch to treat a value of 0 in certain
+ fields in /etc/shadow as the same as an empty field. This patch has
+ been dropped, since it caused the behavior of pam_unix to differ from
+ both that of PAM upstream and that of the shadow package.
+
+ The main consequences of this change are that:
+
+ - a "0" in the sp_expire field will be treated as a date of Jan 1, 1970
+ instead of a "never expires" value, so users with this set will be
+ unable to log in
+
+ - a "0" in the sp_inact field will indicate that the user should not be
+ allowed to change an expired password at all, instead of being allowed
+ to change an expired at any time after the expiry.
+
+ See Debian bug #308229 for more information about this change.
+
+ -- Steve Langasek <vorlon@debian.org> Tue, 25 Aug 2009 00:13:57 -0700
+
+pam (0.99.7.1-5) unstable; urgency=low
+
+ * Default Unix minimum password length has changed
+
+ Previous versions of pam_unix on Debian had a built-in minimum password
+ length of 1 character, and a minimum password length configured in
+ /etc/pam.d/common-password of 4 characters. This differed from the
+ upstream default of 6 characters. This has been changed, so the
+ default /etc/pam.d/common-password no longer overrides the compile-time
+ default and the compile-time default has been raised to 6 characters.
+ If you are using pam_unix but are not using the default
+ /etc/pam.d/common-password file, it is recommended that you drop any
+ min= options to pam_unix from your config unless you have stronger
+ local password requirements that the upstream default.
+
+ The password length 'max' option has also been deprecated in this
+ version because it was never written to work as suggested in the
+ documentation. If you are using pam_unix but are not using the default
+ /etc/pam.d/common-password file, you should remove any old max= options
+ to pam_unix from your config as this option will be considered an error
+ in future versions of pam.
+
+ -- Steve Langasek <vorlon@debian.org> Sat, 01 Sep 2007 21:27:11 -0700
diff --git a/debian/README.debian b/debian/README.debian
new file mode 100644
index 00000000..b5360492
--- /dev/null
+++ b/debian/README.debian
@@ -0,0 +1,13 @@
+PAM for Debian
+--------------
+
+PAM (Pluggable Authentication Modules) provides system administrators with a
+powerful method of controlling system access and methods of authentication.
+
+The documentation for PAM is packaged in the "libpam-doc" package. The
+"Linux-PAM System Administrator's Guide" covers configuring PAM, what
+modules are available etc. The documentation also includes "The Linux-PAM
+Application Developers' Guide" and "The Linux-PAM Module Writers' Guide".
+
+The Debian default configuration is to emulate the old UNIX authentication.
+
diff --git a/debian/README.source b/debian/README.source
new file mode 100644
index 00000000..de10a628
--- /dev/null
+++ b/debian/README.source
@@ -0,0 +1,8 @@
+This package uses quilt to manage all modifications to the upstream
+source. Changes are stored in the source package as diffs in
+debian/patches-applied and applied during the build. Please see:
+
+ /usr/share/doc/quilt/README.source
+
+for more information on how to apply the patches, modify patches, or
+remove a patch.
diff --git a/debian/TODO b/debian/TODO
new file mode 100644
index 00000000..056d95a9
--- /dev/null
+++ b/debian/TODO
@@ -0,0 +1,7 @@
+- make pam_unix.so modules have some means of allowing other than root
+ to auth users via unix_chkpwd (maybe unix_chkpwd needs a secure conf
+ file?)
+- Put in some of the Hurd related fixes
+- Build-Depend-Indep on fop and install PDF docs, and add them to
+ doc-base. This depends on fop being patched to build using Java in
+ main so it can move out of contrib.
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 00000000..7665f13d
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,2539 @@
+pam (1.1.5-1) UNRELEASED; urgency=medium
+
+ * New upstream release.
+ - 027_pam_limits_better_init_allow_explicit_root: support for reading
+ /proc/1/limits is upstream, this patch now only handles the policy
+ of resetting limits by default and not applying glob limits to root.
+ - debian/patches/fix-manpage-crud: fix all the xsltproc breakage in a
+ single place, to keep the other patches clean.
+ - debian/patches/pam_env-fix-overflow.patch, pam_env-fix-dos.patch:
+ drop, included upstream.
+
+ -- Steve Langasek <vorlon@debian.org> Mon, 13 Jan 2014 22:40:56 -0800
+
+pam (1.1.3-11) unstable; urgency=low
+
+ [ Wookey ]
+ * Disable libaudit for stage1 bootstrap.
+
+ [ Steve Langasek ]
+ * debian/patches-applied/pam-loginuid-in-containers: pam_loginuid:
+ Ignore failure in user namespaces.
+ * Use [linux-any] in build-deps, instead of hard-coding a list of
+ non-Linux archs. Closes: #634516.
+
+ -- Steve Langasek <vorlon@debian.org> Tue, 14 Jan 2014 03:33:31 +0000
+
+pam (1.1.3-10) unstable; urgency=low
+
+ * Fix pam-auth-update handling of trailing blank lines in the fields of
+ profiles. LP: #1160288.
+ * Reintroduce libaudit support now that libaudit has been multiarched.
+ Closes: #699159.
+
+ -- Steve Langasek <vorlon@debian.org> Sun, 20 Oct 2013 15:30:46 -0700
+
+pam (1.1.3-9) unstable; urgency=low
+
+ * Revert libaudit support for now, because libaudit isn't multiarched yet
+ in unstable so this regresses cross-installability. Reopens bug
+ #699159.
+ * Add an or'ed dependency on cdebconf, which also implements the
+ xloadtemplatefile extension that prevents us from depending on just
+ 'debconf-2.0'. Thanks to Régis Boudin <regis@boudin.name> for the info.
+ Closes: #677278.
+
+ -- Steve Langasek <vorlon@debian.org> Tue, 12 Feb 2013 23:06:30 +0000
+
+pam (1.1.3-8) unstable; urgency=low
+
+ * Confirm NMU for bug #611136; thanks to Michael Gilbert.
+ - As a side effect, there will no longer be errors from reading the
+ .pam_environment twice since we are now reading it 0 times.
+ LP: #955032.
+ * Adjust the pam_env documentation to match the module behavior resulting
+ from the previous security upload. Closes: #693995.
+ * debian/rules: never regenerate manpages at build time; this may cause
+ build skew that breaks the world in a multiarch context. LP: #1095887.
+ * debian/patches-applied/glibc-2_16-compilation-fix.patch: fix missing
+ include causing build failure with eglibc 2.16. Thanks to Daniel
+ Schepler <dschepler@gmail.com>. Closes: #693450.
+ * Ditch autoconf patch in favor of a build-dependency on dh-autoreconf,
+ which will let us keep up-to-date with newer autotools. In the present
+ instance, this gets us aarch64 support.
+ * Install pam_timestamp_check - and while we're at it, move the manpage
+ to the correct binary package. Closes: #648695.
+ * Update lintian overrides to suppress some noise about hardening and
+ manpages.
+ * Enable audit support, by popular demand. This should have no major
+ impact unless you're also running auditd; but I reserve the right to
+ disable this again in the event that this causes a performance hit or
+ breaks upgrades (since the dependency is pulled into libpam, not just
+ into pam_tty_audit). Closes: #699159, LP: #937005.
+
+ -- Steve Langasek <vorlon@debian.org> Tue, 12 Feb 2013 05:36:29 +0000
+
+pam (1.1.3-7.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix cve-2010-4708: user-configurable .pam_environment allows
+ administrator-level changes without root access (closes: #611136).
+
+ -- Michael Gilbert <mgilbert@debian.org> Sun, 29 Apr 2012 02:23:26 -0400
+
+pam (1.1.3-7) unstable; urgency=low
+
+ * Updated debconf translations:
+ - Danish, thanks to Joe Dalton <joedalton2@yahoo.dk> (closes: #648382)
+ - French, thanks to Jean-Baka Domelevo Entfellner <domelevo@gmail.com>
+ (closes: #649850)
+ - Dutch, thanks to Jeroen Schot <schot@A-Eskwadraat.nl>
+ (closes: #650755)
+ - Russian, thanks to Yuri Kozlov <yuray@komyakino.ru> (closes: #650867)
+ - Portuguese, thanks to Pedro Ribeiro <p.m42.ribeiro@gmail.com>
+ (closes: #652493)
+ - German, thanks to Sven Joachim <svenjoac@gmx.de> (closes: #653407)
+ - Spanish, thanks to Javier Fernandez-Sanguino Peña <jfs@debian.org>
+ (closes: #654043)
+ - Bulgarian, thanks to Damyan Ivanov <dmn@debian.org> (closes: #656518)
+ - Slovak, thanks to Ivan Masár <helix84@centrum.sk> (closes: #656521)
+ - Japanese, thanks to Kenshi Muto <kmuto@debian.org> (closes: #656834)
+ - Polish, thanks to Michał Kułach <michalkulach@gmail.com>
+ (closes: #657476)
+ - Catalan, thanks to Innocent De Marchi <tangram.peces@gmail.com>
+ (closes: #657489)
+ - Czech, thanks to Miroslav Kure <kurem@upcase.inf.upol.cz>
+ (closes: #657578)
+ - Swedish, thanks to Martin Bagge <brother@bsnet.se> (closes: #651349)
+
+ -- Steve Langasek <vorlon@debian.org> Sat, 28 Jan 2012 10:57:49 -0800
+
+pam (1.1.3-6) unstable; urgency=low
+
+ * debian/patches-applied/hurd_no_setfsuid: we don't want to check all
+ setre*id() calls; we know that there are situations where some of these
+ may fail but we don't care. As long as the last setre*id() call in each
+ set succeeds, that's the state we mean to be in.
+ * debian/libpam0g.postinst: according to Kubuntu developers, kdm no longer
+ keeps libpam loaded persistently at runtime, so it's not necessary to
+ force a kdm restart on ABI bump. Which is good, since restarting kdm
+ now seems to also log users out of running sessions, which we rather
+ want to avoid. Closes: #632673, LP: #744944.
+ * debian/patches-applied/update-motd: set a sane umask before calling
+ run-parts, and restore the old mask afterwards, so /run/motd gets
+ consistent permissions. LP: #871943.
+ * debian/patches-applied/update-motd: new module option for pam_motd,
+ 'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
+ LP: #805423.
+ * debian/libpam0g.templates, debian/libpam0g.postinst: add a new question,
+ libraries/restart-without-asking, that allows admins to accept the
+ service restarts once for all so that they don't have to repeatedly
+ say "ok". LP: #745004.
+ * debian/libpam-runtime.templates, debian/local/pam-auth-update: add a
+ new 'title' template, so pam-auth-update doesn't give a blank title
+ when called outside of a maintainer script. LP: #882794.
+
+ -- Steve Langasek <vorlon@debian.org> Sun, 06 Nov 2011 19:43:14 -0800
+
+pam (1.1.3-5) unstable; urgency=low
+
+ [ Kees Cook ]
+ * debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch: use
+ setresgid() to wipe out saved-gid just in case.
+ * debian/patches-applied/008_modules_pam_limits_chroot:
+ - fix off-by-one when parsing configuration file.
+ - when using chroot, chdir() to root to lose links to old tree.
+ * debian/patches-applied/022_pam_unix_group_time_miscfixes,
+ debian/patches-applied/026_pam_unix_passwd_unknown_user,
+ debian/patches-applied/054_pam_security_abstract_securetty_handling:
+ improve descriptions.
+ * debian/patches-applied/{007_modules_pam_unix,055_pam_unix_nullok_secure}:
+ drop unneeded no-op change to reduce delta from upstream.
+ * debian/patches-applied/hurd_no_setfsuid: check all set*id() calls.
+ * debian/patches-applied/update-motd: correctly clear environment when
+ building motd.
+ * debian/patches-applied/pam_env-fix-overflow.patch: fix stack overflow
+ in environment file parsing (CVE-2011-3148).
+ * debian/patches-applied/pam_env-fix-dos.patch: fix DoS in environment
+ file parsing (CVE-2011-3149).
+
+ -- Steve Langasek <vorlon@debian.org> Thu, 27 Oct 2011 21:33:57 -0700
+
+pam (1.1.3-4) unstable; urgency=low
+
+ * Make sure shared library links are also installed to the multiarch
+ directory, not just the .a files; otherwise the static libs get found
+ first by the linker. Thanks to Russ Allbery for catching this.
+ Closes: #642952.
+
+ -- Steve Langasek <vorlon@debian.org> Sun, 25 Sep 2011 22:33:55 +0000
+
+pam (1.1.3-3) unstable; urgency=low
+
+ * Look for /etc/init.d/postgresql, not /etc/init.d/postgresql-8.{2,3},
+ for service restarts; the latter are obsolete since squeeze.
+ Closes: #631511.
+ * Move debian/libpam0g-dev.install to debian/libpam0g-dev.install.in
+ and substitute the multiarch path at build time, so our .a files go to
+ the multiarch dir instead of to /usr/lib. Thanks to Riku Voipio for
+ pointing out the bug.
+ * debian/control: adjust the package descriptions, as the current ones
+ use some awkward language that's gone unnoticed for a long time. Thanks
+ to Martin Eberhard Schauer <Martin.E.Schauer@gmx.de> for pointing this
+ out. Closes: #633863.
+ * Build-depend on debhelper 8.9.4 and bump debian/compat to 9 for
+ dpkg-buildflags integration, and drop manual setting of -g -O options in
+ CFLAGS now that we can let dh do it for us
+ * Don't set --sbindir when calling configure; upstream takes care of this
+ for us
+
+ -- Steve Langasek <vorlon@debian.org> Sat, 24 Sep 2011 20:08:56 +0000
+
+pam (1.1.3-2) unstable; urgency=low
+
+ [ Kees Cook ]
+ * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
+ - only report about unknown kernel rlimits when "debug" is set
+ (Closes: 625226, LP: #794531).
+
+ [ Steve Langasek ]
+ * Build for multiarch. Closes: #463420.
+ * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
+ don't reset the process niceness for root; since it's root, they can
+ still renice to a lower nice level if they need to and changing the
+ nice level by default is unexpected behavior. Closes: #594377.
+
+ -- Steve Langasek <vorlon@debian.org> Tue, 21 Jun 2011 11:41:12 -0700
+
+pam (1.1.3-1) unstable; urgency=low
+
+ * New upstream release.
+ - Fixes CVE-2010-3853, executing namespace.init with an insecure
+ environment set by the caller. Closes: #608273.
+ - Fixes CVE-2010-3316 CVE-2010-3430 CVE-2010-3431 CVE-2010-3435.
+ Closes: #599832.
+ * Port hurd_no_setfsuid patch to new pam_modutil_{drop,restore}_priv
+ interface; now possibly upstreamable
+ * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
+ set a better default RLIMIT_MEMLOCK value for BSD kernels. Thanks to
+ Petr Salinger for the fix. Closes: #602902.
+ * bump the minimum version check in maintainer scripts for the restart
+ handling.
+
+ -- Steve Langasek <vorlon@debian.org> Sat, 04 Jun 2011 03:10:50 -0700
+
+pam (1.1.2-3) unstable; urgency=low
+
+ [ Kees Cook ]
+ * 027_pam_limits_better_init_allow_explicit_root: load rlimit defaults
+ from the kernel (via /proc/1/limits), instead of continuing to hardcode
+ the settings internally. Fall back to internal defaults when the kernel
+ rlimits are not found. Closes: #620302. (LP: #746655, #391761)
+
+ * Updated debconf translations:
+ - Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au>
+ (closes: #601197)
+ - Dutch, thanks to Eric Spreen <erispre@gmail.com> (closes: #605592)
+ - Danish, thanks to Joe Dalton <joedalton2@yahoo.dk> (closes: #606739)
+ - Catalan, thanks to Innocent De Marchi <tangram.peces@gmail.com>
+ (closes: #622786)
+
+ -- Steve Langasek <vorlon@debian.org> Sun, 01 May 2011 01:49:11 -0700
+
+pam (1.1.2-2) unstable; urgency=low
+
+ * debian/patches-applied/hurd_no_setfsuid: handle some new calls to
+ setfsuid in pam_xauth that I overlooked, so that the build works again
+ on non-Linux. Closes: #613630.
+
+ -- Steve Langasek <vorlon@debian.org> Wed, 16 Feb 2011 09:27:11 -0800
+
+pam (1.1.2-1) unstable; urgency=low
+
+ * New upstream release.
+ - Add support for NSS groups to pam_group. Closes: #589019,
+ LP: #297408.
+ - Support cross-building the package. Thanks to Neil Williams
+ <codehelp@debian.org> for the patch. Closes: #284854.
+ * debian/rules: pass getconf LFS_CFLAGS so that we get a 64-bit rlimit
+ interface. Closes: #579402.
+ * Drop patches conditional_module,_conditional_man and
+ mkhomedir_linking.patch, which are included upstream.
+ * debian/patches/hurd_no_setfsuid: pam_env and pam_mail now also use
+ setfsuid, so patch them to be likewise Hurd-safe.
+ * Update debian/source.lintian-overrides to clean up some spurious
+ warnings.
+ * debian/libpam-modules.postinst: if any 'min=n' options are found in
+ /etc/pam.d/common-password, convert them on upgrade to 'minlen=n' for
+ compatibility with upstream.
+ * debian/NEWS: document the disappearance of 'min=n', in case users have
+ encoded this option elsewhere outside of /etc/pam.d/common-password.
+ * debian/patches/007_modules_pam_unix: drop compatibility handling of
+ 'max=' no-op; use of this option will now log an error, as warned three
+ years ago.
+ * Bump Standards-Version to 3.9.1.
+ * Add lintian overrides for a few more spurious warnings.
+ * debian/patches-applied/no_PATH_MAX_on_hurd: define PATH_MAX for
+ compatibility when it's not already set. Closes: #552043.
+ * debian/local/pam-auth-update: Don't try to pass embedded newlines to
+ debconf; backslash-escape them instead and use CAPB escape.
+ * debian/local/pam-auth-update: sort additional module options before
+ writing them out, so that we don't wind up with a different config file
+ on every invocation. Thanks to Jim Paris <jim@jtan.com> for the patch.
+ Closes: #594123.
+ * debian/libpam-runtime.{postinst,templates}: since 1.1.2-1 is targeted
+ for post-squeeze, we don't need to support upgrades from 1.0.1-6 to
+ 1.0.1-10 anymore. Drop the debconf error note about having configured
+ your system with a lack of authentication, so that translators don't
+ spend any more time on it.
+ * Updated debconf translations:
+ - Swedish, thanks to Martin Bagge <brother@bsnet.se> (closes: #575875)
+
+ -- Steve Langasek <vorlon@debian.org> Tue, 15 Feb 2011 23:21:41 -0800
+
+pam (1.1.1-7) UNRELEASED; urgency=low
+
+ * Updated debconf translations:
+ - Italian, thanks to Nicole B. <damn3dg1rl@gmail.com> (closes: #602112)
+
+ -- Steve Langasek <vorlon@debian.org> Wed, 17 Nov 2010 16:53:46 -0800
+
+pam (1.1.1-6.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix pending l10n issues. Debconf translations:
+ - Czech (Miroslav Kure). Closes: #598329
+ - Slovak (Ivan Masár). Closes: #600164
+ - Japanese (Kenshi Muto). Closes: #600247
+ - Finnish (Esko Arajärvi). Closes: #600641
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 19 Oct 2010 07:30:49 +0200
+
+pam (1.1.1-6) unstable; urgency=low
+
+ * Updated debconf translations:
+ - Swedish, thanks to Martin Bagge <brother@bsnet.se> (closes: #575875)
+
+ -- Steve Langasek <vorlon@debian.org> Sun, 05 Sep 2010 23:36:35 -0700
+
+pam (1.1.1-5) unstable; urgency=low
+
+ * debian/rules: pass getconf LFS_CFLAGS so that we get a 64-bit rlimit
+ interface. Closes: #579402.
+ * Update debian/source.lintian-overrides to clean up some spurious
+ warnings.
+ * Bump Standards-Version to 3.9.1.
+ * Add lintian overrides for a few more spurious warnings.
+ * debian/patches-applied/no_PATH_MAX_on_hurd: define PATH_MAX for
+ compatibility when it's not already set. Closes: #552043.
+ * debian/local/pam-auth-update: Don't try to pass embedded newlines to
+ debconf; backslash-escape them instead and use CAPB escape.
+ * debian/local/pam-auth-update: sort additional module options before
+ writing them out, so that we don't wind up with a different config file
+ on every invocation. Thanks to Jim Paris <jim@jtan.com> for the patch.
+ Closes: #594123.
+
+ -- Steve Langasek <vorlon@debian.org> Sun, 05 Sep 2010 12:42:34 -0700
+
+pam (1.1.1-4) unstable; urgency=low
+
+ * debian/patches/conditional_module,_conditional_man: if we don't have the
+ libraries required for building pam_tty_audit, we shouldn't install the
+ manpage either. LP: #588547.
+ * Updated debconf translations:
+ - Portuguese, thanks to Eder L. Marques <eder@edermarques.net>
+ (closes: #581746)
+ - Spanish, thanks to Javier Fernandez-Sanguino Peña <jfs@debian.org>
+ (closes: #592172)
+ - Galician, thanks to Jorge Barreiro <yortx.barry@gmail.com>
+ (closes: #592808)
+ * Don't pass --version-script options when linking executables,
+ only when linking libraries. Thanks to Julien Cristau
+ <jcristau@debian.org> for the fix. Closes: #582362.
+
+ -- Steve Langasek <vorlon@debian.org> Sun, 15 Aug 2010 21:53:46 -0700
+
+pam (1.1.1-3) unstable; urgency=low
+
+ * pam-auth-update: fix a bug in our handling of module options when the
+ module name contains digits, caused by a buggy regexp. :/ Partially
+ addresses LP #369575.
+ * Install /sbin/pam_tally2 in the libpam-modules package; thanks to
+ Olivier BONHOMME <obonhomme@nerim.net> for reporting. Closes: #554010.
+
+ -- Steve Langasek <vorlon@debian.org> Sun, 25 Apr 2010 05:53:44 -0700
+
+pam (1.1.1-2) unstable; urgency=low
+
+ * Document the new symbols added in 1.1.1 in debian/libpam0g.symbols, and
+ raise the minimum version for the service restarting code.
+ Closes: #568480.
+
+ -- Steve Langasek <vorlon@debian.org> Wed, 17 Feb 2010 23:21:23 -0800
+
+pam (1.1.1-1) unstable; urgency=low
+
+ * New upstream version.
+ - restore proper netgroup handling in pam_access.
+ Closes: #567385, LP: #513955.
+ * Drop patches pam.d-manpage-section, namespace_with_awk_not_gawk, and
+ pam_securetty_tty_check_before_user_check, which are included upstream.
+ * debian/patches/026_pam_unix_passwd_unknown_user: don't return
+ PAM_USER_UNKNOWN on password change of a user that has no shadow entry,
+ upstream now implements auto-creating the shadow entry in this case.
+ * Updated debconf translations:
+ - French, thanks to Jean-Baka Domelevo Entfellner <domelevo@gmail.com>
+ (closes: #547039)
+ - Bulgarian, thanks to Damyan Ivanov <dmn@debian.org> (closes: #562835)
+ * debian/patches/sys-types-include.patch: fix pam_modutil.h so that it can
+ be included directly, without having to include sys/types.h first.
+ Closes: #556203.
+ * Add postgresql-8.3 to the list of services in need of restart on upgrade.
+ Closes: #563674.
+ * And drop postgresql-{7.4,8.1} from the list, neither of which is present
+ in stable.
+ * debian/patches/007_modules_pam_unix: recognize that *all* of the password
+ hashes other than traditional crypt handle passwords >8 chars in length.
+ LP: #356766.
+
+ -- Steve Langasek <vorlon@debian.org> Mon, 01 Feb 2010 02:04:33 -0800
+
+pam (1.1.0-4) unstable; urgency=low
+
+ * debian/patches/pam_securetty_tty_check_before_user_check: new patch,
+ to make pam_securetty always return success on a secure tty regardless
+ of what username was passed. Thanks to Nicolas François
+ <nicolas.francois@centraliens.net> for the patch. Closes: #537848
+ * debian/local/pam-auth-update: only reset the seen flag on the template
+ when there's new information; this avoids reprompting users for the same
+ information on upgrade, regardless of the debconf priority used.
+ Closes: #544805.
+ * libpam0g no longer depends on libpam-runtime; packages that use
+ /etc/pam.d/common-* must depend directly on libpam-runtime, and most do
+ (including the Essential: yes ones), so let's break this circular
+ dependency. Closes: #545086, LP: #424566.
+
+ -- Steve Langasek <vorlon@debian.org> Mon, 14 Sep 2009 18:47:25 -0700
+
+pam (1.1.0-3) unstable; urgency=low
+
+ * Bump debian/compat to 7, so we can use sane contents in debian/*.install
+ * Switch all packages over to dh_install
+ * Rename debian/*.lintian to debian/*.lintian-overrides and use dh_lintian
+ * Move installation logic out of debian/rules into individual .install
+ files
+ * Drop superfluous options to dh_installchangelogs, dh_shlibdeps
+ * Use debian/clean instead of rm -f'ing files in debian/rules clean target
+ * Drop ./configure options that are no-ops
+ * Drop the /lib/security/pam_unix_*.so symlinks, which have been deprecated
+ now for 10 years and are not used at all if pam-auth-update is in play.
+ * Drop the pam_rhosts_auth.so symlink as well, and document in NEWS.Debian
+ that this is now obsolete.
+ * Drop stale content from README.debian: some of this should have been in
+ NEWS.Debian instead (but is so old it's not worth putting it there now),
+ some of it is obsolete by the change in package VCS.
+ * Convert debian/rules to debhelper 7 and add versioned build-dependencies
+ on debhelper and quilt to suit.
+ * Drop CFLAGS that we don't need anymore (-fPIC, -D_REENTRANT,
+ -D_GNU_SOURCE).
+ * Explicitly add -O0 to CFLAGS when noopt is set.
+ * debian/patches/autoconf.patch: pull ltmain.sh in, to fix some spurious
+ library linkage in the modules.
+ * Move pam_cracklib manpage to the libpam-cracklib package, and add the
+ requisite Replaces
+ * Drop dh_makeshlibs -V; everything from lenny on should use the .symbols
+ file instead, making the shlibs redundant so we don't need to care what
+ version gets listed there.
+
+ -- Steve Langasek <vorlon@debian.org> Mon, 07 Sep 2009 18:47:45 -0700
+
+pam (1.1.0-2) unstable; urgency=low
+
+ [ Steve Langasek ]
+ * debian/patches/pam_unix_dont_trust_chkpwd_caller.patch: fix this patch
+ to call setregid() instead of always returning an error on username
+ mismatch in unix_chkpwd, needed in the SELinux case and in some corner
+ cases with the broken_shadow option. Thanks to Michael Spang for the
+ analysis. Closes: #543589.
+ * fix the PAM mini-policy to not tell app maintainers that they don't need
+ to depend on libpam-modules if they reference modules from there.
+ * make libpam-runtime depend on libpam-modules (>= 1.0.1-6) - nothing else
+ guarantees that we have pam_unix available for use by pam-auth-update.
+ * Use /bin/sh instead of /bin/bash for libpam0g.postinst, since we've
+ confirmed there are no longer any bashisms there. Closes: #519973.
+ * Clean up the libpam0g postinst a bit; invoke-rc.d has been a guaranteed
+ interface for two stable release cycles now
+ * debian/patches/namespace_with_awk_not_gawk: fix the sample
+ namespace.init script's dependency on non-POSIX features of gawk, since
+ we don't use gawk by default. Closes: #518908.
+ * Updated debconf translations:
+ - German, thanks to Sven Joachim <svenjoac@gmx.de> (closes: #544464)
+
+ [ Kees Cook ]
+ * debian/local/common-password, debian/pam-configs/unix: switch from "md5"
+ to "sha512" as password crypt default.
+
+ -- Steve Langasek <vorlon@debian.org> Mon, 31 Aug 2009 14:21:27 -0700
+
+pam (1.1.0-1) unstable; urgency=low
+
+ * New upstream version.
+ - pam_access no longer does DNS lookups when we know we're comparing
+ with a tty name or a service name. Closes: #376209.
+ - fixes for manpage spelling. Closes: #488690.
+ - fix evaluation of or'ed list of users in time.conf and group.conf.
+ Closes: #326407, #514423.
+ * Drop patches pam_unix_thread-safe_save_old_password.patch,
+ pam_env_ignore_garbage.patch, dont_freeze_password_chain,
+ pam_1.0.4_mindays, pam_mail-fix-quiet, pam_unix-chkpwd-wait, and
+ cve-2009-0887-libpam-pam_misc.patch, which are included upstream.
+ * Trim pam.d-manpage-section patch, which was mostly but not completely
+ applied upstream.
+ * Update debian/libpam0g.symbols for new extension.
+ * Bump the shlibs version as well, for our dpkg-shlibdeps fallback.
+ * And bump the version checks in the libpam-modules {pre,post}inst, so that
+ the necessary services get restarted for any modules that need the new
+ symbols.
+ * Add /sbin/mkhomedir_helper to libpam-modules.
+ * Document that pam_cracklib no longer checks /etc/security/opasswd.
+ Closes: #263767.
+ * debian/patches/007_modules_pam_unix: drop divergence from upstream
+ that treats "0" as a special value in various fields in /etc/shadow,
+ and document this in debian/NEWS. Thanks to Nicolas François
+ <nicolas.francois@centraliens.net> for the detailed analysis.
+ Closes: #308229.
+ * Updated debconf translations:
+ - French, thanks to Jean-Baka Domelevo Entfellner <domelevo@gmail.com>
+ (closes: #521266)
+ * Build with LDFLAGS=-Wl,-z,defs to guard against the possibility of
+ any undefined symbols (due to typos or otherwise) at build time.
+ Closes: #102311.
+ * On upgrade from versions before 1.1.0-1, if
+ /etc/pam.d/common-session-noninteractive has not been created (because
+ the user declined use of pam-auth-update), create it by copying
+ /etc/pam.d/common-session. Closes: #543401.
+ * debian/patches/fix-man-crud: new patch, fix "undefined macro" errors in
+ manpages caused by oddities of toolchain used when generating them
+ upstream.
+
+ -- Steve Langasek <vorlon@debian.org> Tue, 25 Aug 2009 20:35:26 -0700
+
+pam (1.0.1-11) unstable; urgency=low
+
+ * debian/libpam-runtime.postinst: bump the --force version check to
+ 1.0.1-11, to allow for a new common-session-noninteractive config file;
+ and include md5sum checking logic that will work the same with old
+ unmanaged and new managed /etc/pam.d/common-* files.
+ * debian/local/common-{auth,account,session,password}.md5sums: document
+ the known md5sums for the new managed files.
+ * debian/local/common-session-noninteractive{,.md5sums},
+ debian/local/pam-auth-update: split out a session-noninteractive include
+ file, so that we can at last distinguish between interactive and
+ non-interactive PAM sessions at a policy level. Closes: #169930,
+ LP: #287715.
+ * debian/local/pam-auth-update: prune md5sums for unsupported upgrade
+ paths (intrepid pre-release -> karmic/squeeze)
+ * Clean up the PAM mini-policy, which hasn't been touched in a number of
+ years and was looking a bit crufty
+ * debian/libpam-runtime.templates: correctly tag the URL as a
+ non-translatable string.
+ * Updated debconf translations:
+ - Swedish, thanks to Martin Bagge <brother@bsnet.se> (closes: #541399)
+ - Portuguese, thanks to Américo Monteiro <a_monteiro@netcabo.pt>
+ (closes: #541108)
+ - Russian, thanks to Yuri Kozlov <yuray@komyakino.ru> (closes: #541094)
+
+ -- Steve Langasek <vorlon@debian.org> Sun, 23 Aug 2009 18:07:11 -0700
+
+pam (1.0.1-10) unstable; urgency=high
+
+ [ Steve Langasek ]
+ * Updated debconf translations:
+ - Finnish, thanks to Esko Arajärvi <edu@iki.fi> (closes: #520785)
+ - Russian, thanks to Yuri Kozlov <yuray@komyakino.ru> (closes: #521874)
+ - German, thanks to Sven Joachim <svenjoac@gmx.de> (closes: #521530)
+ - Basque, thanks to Piarres Beobide <pi+debian@beobide.net>
+ (closes: #524285)
+ * When no profiles are chosen in pam-auth-update, throw an error message
+ and prompt again instead of letting the user end up with an insecure
+ system. This introduces a new debconf template. Closes: #519927,
+ LP: #410171.
+
+ [ Kees Cook ]
+ * Add debian/patches/pam_1.0.4_mindays: backport upstream 1.0.4 fixes
+ for MINDAYS-Field regression (closes: #514437).
+ * debian/control: add missing misc:Depends for packages that need it.
+
+ [ Sam Hartman ]
+ * Remove conflicts information for transitions prior to woody release
+ * Fix lintian overrides for libpam-runtime
+ * Overrides for lintian finding quilt patches
+ * pam_mail-fix-quiet: patch from Andreas Henriksson
+ applied upstream to fix quiet option of pam_mail, Closes: #439268
+
+ [ Dustin Kirkland ]
+ * debian/patches/update-motd: run the update-motd scripts in pam_motd;
+ render update-motd obsolete, LP: #399071
+
+ [ Sam Hartman ]
+ * cve-2009-0887-libpam-pam_misc.patch: avoid integer signedness problem
+ (CVE-2009-0887) (Closes: #520115)
+
+ -- Steve Langasek <vorlon@debian.org> Thu, 06 Aug 2009 17:54:32 +0100
+
+pam (1.0.1-9) unstable; urgency=low
+
+ * Move the pam module packages to section 'admin'.
+ * 027_pam_limits_better_init_allow_explicit_root: defaults need to be
+ declared as LIMITS_DEF_DEFAULT instead of LIMITS_DEF_ALL, otherwise
+ global limits will fail to be applied. LP: #314222.
+
+ -- Steve Langasek <vorlon@debian.org> Fri, 20 Mar 2009 19:48:47 -0700
+
+pam (1.0.1-8) unstable; urgency=low
+
+ * Updated debconf translations:
+ - Bulgarian, thanks to Damyan Ivanov <dmn@debian.org> (closes: #518121)
+ - Spanish, thanks to Javier Fernandez-Sanguino Peña <jfs@debian.org>
+ (closes: #518214)
+ - Swedish, thanks to Martin Bagge <brother@bsnet.se> (closes: #518324)
+ - Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au>
+ (closes: #518329)
+ - Japanese, thanks to Kenshi Muto <kmuto@debian.org> (closes: #518335)
+ - Slovak, thanks to Ivan Masár <helix84@centrum.sk> (closes: #518341)
+ - Czech, thanks to Miroslav Kure <kurem@debian.cz> (closes: #518992)
+ - Portuguese, thanks to Américo Monteiro <a_monteiro@netcabo.pt>
+ (closes: #519204)
+ - Galician, thanks to Marce Villarino <mvillarino@users.sourceforge.net>
+ (closes: #519447)
+ - Romanian, thanks to Eddy Petrișor <eddy.petrisor@gmail.com>
+ (closes: #520552)
+ * 027_pam_limits_better_init_allow_explicit_root: set the RLIMIT_MEMLOCK
+ limit correctly to match the kernel default, which is not RLIM_INFINITY.
+ Closes: #472629.
+
+ -- Steve Langasek <vorlon@debian.org> Fri, 20 Mar 2009 18:15:07 -0700
+
+pam (1.0.1-7) unstable; urgency=low
+
+ * 027_pam_limits_better_init_allow_explicit_root:
+ - fix the patch so that our limit resets are actually *applied*,
+ which has apparently been broken for who knows how long!
+ - shadow the finite kernel defaults for RLIMIT_SIGPENDING and
+ RLIMIT_MSGQUEUE as well, so that the preceding change doesn't
+ suddenly expose systems to DoS or other issues.
+ - include documentation in the patch, giving examples of how to set
+ limits for root. Thanks to Jonathan Marsden.
+ * pam-auth-update: swap out known md5sums from intrepid pre-release
+ versions with the md5sums from the released intrepid version
+ * pam-auth-update: set the umask, so we don't accidentally mark
+ /etc/pam.d/common-* unreadable. Thanks to Martin Krafft for catching.
+ Closes: #518042.
+
+ -- Steve Langasek <vorlon@debian.org> Tue, 03 Mar 2009 17:18:42 -0800
+
+pam (1.0.1-6) unstable; urgency=low
+
+ * Updated debconf translations:
+ - Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au>
+ * New patch dont_freeze_password_chain, cherry-picked from upstream:
+ don't always follow the same path through the password stack on
+ the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
+ pass; this Linux-PAM deviation from the original PAM spec causes a
+ number of problems, in particular causing wrong return values when
+ using the refactored pam-auth-update stack. LP: #303515, #305882.
+ * debian/local/pam-auth-update (et al): new interface for managing
+ /etc/pam.d/common-*, using drop-in config snippets provided by module
+ packages.
+
+ -- Steve Langasek <vorlon@debian.org> Sat, 28 Feb 2009 13:36:57 -0800
+
+pam (1.0.1-5) unstable; urgency=low
+
+ * Build-conflict with libxcrypt-dev, which otherwise pulls libxcrypt in as
+ a dependency of libpam-modules if it's installed during the build.
+ Thanks to Larry Doolittle for catching.
+ * Don't refer to gnome-screensaver in the debconf template; it isn't
+ actually affected by the libpam symbol issue because it forks a separate
+ process to display the screensaver dialog.
+ * Have libpam-modules Pre-Depend on ${misc:Depends}, so that we can
+ warn users about needing to disable xscreensaver and xlockmore
+ before libpam-modules is unpacked. Closes: #502140, LP: #256238.
+ * Updated debconf translations for the new template:
+ - Italian, thanks to David Paleino <d.paleino@gmail.com>
+ - Simplified Chinese, thanks to Deng Xiyue
+ <manphiz-guest@users.alioth.debian.org> (closes: #510371)
+ - Portuguese, thanks to Américo Monteiro <a_monteiro@netcabo.pt>
+ - Swedish, thanks to Martin Bagge <brother@bsnet.se> (closes: #510379)
+ - Japanese, thanks to Kenshi Muto <kmuto@debian.org> (closes: #510380)
+ - Finnish, thanks to Esko Arajärvi <edu@iki.fi> (closes: #510382)
+ - Spanish, thanks to Javier Fernandez-Sanguino Peña <jfs@debian.org>
+ (closes: #510389)
+ - Galician, thanks to Marce Villarino <mvillarino@gmail.com>
+ - Slovak, thanks to helix84 <helix84@centrum.sk> (closes: #510412)
+ - Bulgarian, thanks to Damyan Ivanov <dmn@debian.org>
+ - Czech, thanks to Miroslav Kure <<kurem@upcase.inf.upol.cz>
+ (closes: #510608)
+ - French, thanks to Steve Petruzzello <dlist@bluewin.ch>
+ - German, thanks to Sven Joachim <svenjoac@gmx.de> (closes: #510617)
+ - Basque, thanks to Piarres Beobide <pi+debian@beobide.net>
+ (closes: #510699)
+ - Russian, thanks to Yuri Kozlov <yuray@komyakino.ru> (closes: #510701)
+ - Turkish, thanks to Mert Dirik <mertdirik@gmail.com> (closes: #510707)
+
+ -- Steve Langasek <vorlon@debian.org> Tue, 06 Jan 2009 00:05:13 -0800
+
+pam (1.0.1-4) unstable; urgency=high
+
+ * High-urgency upload for RC bugfix.
+
+ [ Julien Cristau ]
+ * pam_unix-chkpwd-wait: don't assume that the unix_chkpwd process exits
+ normally; if it was killed by a signal, we don't want to accept the
+ password. Closes: #495879.
+
+ [ Steve Langasek ]
+ * 007_modules_pam_unix: update the manpage at the same time as the xml
+ source (grr, autogenerated files in source packages). Closes: #495804.
+ * 055_pam_unix_nullok_secure: also don't call the helper at all from
+ _unix_blankpasswd when we can detect that null passwords are disallowed,
+ to avoid causing spammy logs on successful authentications.
+ Closes: #496620.
+ * debian/rules: call chgrp *before* calling chmod, lest the sgid bit
+ on unix_chkpwd be cleared during the build when using -rsudo.
+ Closes: #496983.
+
+ -- Steve Langasek <vorlon@debian.org> Thu, 28 Aug 2008 22:59:23 -0700
+
+pam (1.0.1-3) unstable; urgency=high
+
+ * 055_pam_unix_nullok_secure: don't call _pammodutil_tty_secure with a NULL
+ tty argument, since this will cause our helper to segfault instead of
+ returning a useful value. Thanks to Troy Davis for the report.
+ Closes: #495806.
+
+ -- Steve Langasek <vorlon@debian.org> Wed, 20 Aug 2008 11:55:47 -0700
+
+pam (1.0.1-2) unstable; urgency=low
+
+ * 007_modules_pam_unix: update the documentation to correctly document
+ the default minimum password length is 6, not 1.
+ * Look for cups instead of cupsys as an init script name when restarting
+ services; thanks to Stephen Olander-Waters for pointing this out.
+ Closes: #492977.
+ * Update the Debian PAM mini-policy to remove references to the
+ long-obsolete pam_pwdb, and clarify the relationship between pam_stack
+ and @include.
+ * Drop various bits of unused cruft from the debian/ directory.
+ * Drop libpam-runtime.preinst, only used for upgrades from woody to sarge
+ to deal with modified conffiles.
+ * Build-Conflict with libdb4.2-dev, which satisfies the libdb-dev
+ build-dependency but causes pam_userdb to be silently omitted.
+ Closes: #493574.
+ * 054_pam_security_abstract_securetty_handling: move the warning log about
+ an insecure tty back to pam_securetty proper; we don't want to generate
+ log messages every time pam_unix is called as non-root.
+ Closes: #493283. As a side-effect, pam_unix no longer logs any warnings
+ about NULL password + insecure tty, but I don't think this is critical.
+
+ -- Steve Langasek <vorlon@debian.org> Fri, 08 Aug 2008 10:47:26 -0700
+
+pam (1.0.1-1) unstable; urgency=low
+
+ * New upstream version.
+ - pam_limits: bound RLIMIT_NICE from below. Closes: #403718.
+ - pam_mail: set the MAIL variable even when .hushlogin is set.
+ Closes: #421010.
+ - new minclass option introduced for pam_cracklib. Closes: #454237.
+ - fix a failure to check the string length when matching usernames in
+ pam_group. Closes: #444427.
+ - fix setting shell security context in pam_selinux. Closes: #451722.
+ - use --disable-audit, to avoid libaudit being linked in
+ accidentally
+ - pam_unix now supports SHA-256 and SHA-512 password hashes.
+ Closes: #484249, LP: #245786.
+ - pam_rhosts_auth is dropped upstream (closes: #382987); add a compat
+ symlink to pam_rhosts to support upgrades for a release, and give a
+ warning in NEWS.Debian.
+ - new symbol in libpam.so.0, pam_modutil_audit_write; shlibs bump, and
+ do another round of service restarts on upgrade.
+ - pam_unix helper is now called whenever an unprivileged process
+ tries and fails to query a user's account status. Closes: #367834.
+ * Drop patches 006_docs_cleanup, 015_hurd_portability,
+ 019_pam_listfile_quiet, 024_debian_cracklib_dict_path, 038_support_hurd,
+ 043_pam_unix_unknown_user_not_alert, 046_pam_group_example,
+ no_pthread_mutexes, limits_wrong_strncpy, misc_conv_allow_sigint.patch,
+ pam_tally_audit.patch, 057_pam_unix_passwd_OOM_check, and
+ 065_pam_unix_cracklib_disable which have been merged upstream.
+ * Patch 022_pam_unix_group_time_miscfixes: partially merged upstream;
+ now is really just "pam_group_miscfixes".
+ * Patch 007_modules_pam_unix partially superseded upstream; stripping
+ hpux-style expiry information off of password fields is now supported.
+ * New patch pam_unix_thread-safe_save_old_password.patch, to make sure all
+ our getpwnam() use in pam_unix is thread-safe (fixes an upstream
+ regression)
+ * New patch pam_unix_fix_sgid_shadow_auth.patch, fixing an upstream
+ regression which prevents sgid shadow apps from being able to authenticate
+ any more because the module forces use of the helper and the helper won't
+ allow authentication of arbitrary users. This change does mean we're
+ going to be noisier for the time being in an SELinux environment, which
+ should be addressed but is not a regression on Debian.
+ * New patch pam_unix_dont_trust_chkpwd_caller.patch, rolling back an
+ upstream change that causes unix_chkpwd to assume that setuid(getuid())
+ is sufficient to drop permissions and attempt any authentication on
+ behalf of the user.
+ * The password-changing helper functionality for SELinux systems has been
+ split out into a separate unix_update binary, so at long last we can
+ change unix_chkpwd to be sgid shadow instead of suid root.
+ Closes: #155583.
+ - Update the lintian override to match.
+ * Install the new unix_update helper into libpam-modules.
+ * Use a pristine upstream tarball instead of repacking; requires various
+ changes to debian/rules and debhelper files.
+ * Replace the Vcs-Svn field with a Vcs-Bzr field; jumping ship from svn,
+ and how!
+ * Debconf translations:
+ - Romanian, thanks to Igor Stirbu <igor.stirbu@gmail.com>
+ (closes: #491821)
+ * Add libpam0g.symbols, for finer-grained package dependencies with
+ dpkg-gensymbols.
+ * Fix debian/copyright to list the known copyright holders
+ * Fix up the doc-base sections for the libpam-doc documentation, "Apps"
+ should not be part of the section name
+ * Also fix up whitespace issues in the doc-base abstracts
+ * Fix a typo in the libpam0g-dev description.
+ * 027_pam_limits_better_init_allow_explicit_root: RLIM_INFINITY is also
+ invalid for RLIMIT_NOFILE, so when resetting the limits for a new session,
+ use the kernel default of 1024 instead. Closes: #404836.
+ * Create /etc/environment on initial install of libpam-modules (or on
+ upgrade from an old version), to quell warnings in the logs about it
+ being missing. Closes: #442049.
+ * 026_pam_unix_passwd_unknown_user: drop a redundant, and broken, check for
+ the NSS source of our user; this was preventing password changes for NIS
+ users, which otherwise should have worked. Closes: #203222, LP: #9224.
+ * New patch do_not_check_nis_accidentally: respect the 'nis' option
+ (set or unset) when looking up the user's password entry for password
+ changes. Thanks to Quentin Godfroy <godfroy@clipper.ens.fr> for the
+ patch. Closes: #469635.
+ * Drop patch 049_pam_unix_sane_locking, which upon review is not needed;
+ it reduces the length of time we hold the lock, but at the expense of
+ being able to enforce minimum times between password changes.
+ * debian/watch: upstream has hit 1.0, so we're no longer in a "pre"
+ directory. Fix up the regex for uscan.
+ * Fix the libpam0g-dev examples directory to not include a gratuitous
+ .cvsignore file.
+ * New patch, pam.d-manpage-section, to fix the manpage references to
+ point to section 5 instead of section 8.
+ * Update patch PAM-manpage-section to fix the references to pam(7) from
+ other manpages. Closes: #470137.
+ * Add debian/README.source documenting that this package uses quilt.
+ * Bump Standards-Version to 3.8.0.
+ * Fix a bug in the uid-restoring code in the hurd_no_setfsuid patch; thanks
+ to Tomas Mraz <tmraz@redhat.com> for indirectly bringing this to my
+ attention
+
+ -- Steve Langasek <vorlon@debian.org> Mon, 28 Jul 2008 13:56:26 -0700
+
+pam (0.99.7.1-7) unstable; urgency=medium
+
+ * Medium-urgency upload for RC bugfix
+ * Debconf translations:
+ - Italian, thanks to David Paleino <d.paleino@gmail.com> (closes: #483913)
+ - Slovak, thanks to Ivan Masár <helix84@centrum.sk> (closes: #488908)
+ - Turkish, thanks to Mert Dirik <mertdirik@gmail.com> (closes: #490880)
+ - Basque, thanks to Piarres Beobide <pi+debian@beobide.net>
+ (closes: #473975)
+ * Drop the 'XS' from Vcs-Svn/Vcs-Browser, since these are now officially
+ recognized fields.
+ * Add a Homepage field. Closes: #473338.
+ * Drop -DCRACKLIB_DICTS from CFLAGS, since the referenced define is no
+ longer provided by cracklib2-dev 2.8 and above. This requires a
+ build-dependency on the corresponding version of libcrack2-dev.
+ Closes: #490236.
+
+ -- Steve Langasek <vorlon@debian.org> Mon, 21 Jul 2008 11:49:59 -0700
+
+pam (0.99.7.1-6) unstable; urgency=low
+
+ * Debconf translations:
+ - Updated Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au>
+ (closes: #444437)
+ - Updated Spanish, thanks to Javier Fernández-Sanguino Peña
+ <jfs@debian.org> (closes: #444479)
+ - Updated German, thanks to Sven Joachim <svenjoac@gmx.de>
+ (closes: #444566)
+ - Galician, thanks to Jacobo Tarrio <jtarrio@trasno.net> (closes: #444758)
+ - Updated Czech, thanks to Miroslav Kure <kurem@upcase.inf.upol.cz>
+ (closes: #445022)
+ - French, thanks to Cyril Brulebois <cyril.brulebois@enst-bretagne.fr>
+ (closes: #445869)
+ - Japanese, thanks to Kenshi Muto <kmuto@debian.org> (closes: #446584)
+ - Dutch, thanks to Bart Cornelis <cobaco@skolelinux.no> (closes: #448930)
+ - Basque, thanks to Piarres Beobide <pi@beobide.net> (closes: #457042)
+ - Updated Finnish, thanks to Esko Arajärvi <edu@iki.fi> (closes: #458264)
+ - Swedish, thanks to Christer Andersson <klamm@comhem.se>
+ (closes: #457674)
+ * Make sure the "audit" option is specified in octal instead of in decimal,
+ so that it doesn't randomly set other options. Thanks to Corey Wright
+ <undefined@pobox.com> for the catch. Closes: #446327.
+
+ -- Steve Langasek <vorlon@debian.org> Sun, 16 Mar 2008 02:06:28 -0700
+
+pam (0.99.7.1-5) unstable; urgency=low
+
+ * More lintian overrides, related to debconf prompting in the postinst
+ * Debconf translations:
+ - Brazilian Portuguese, thanks to Eder L. Marques <frolic@debian-ce.org>
+ (closes: #440385)
+ - Russian, thanks to Yuri Kozlov <kozlov.y@gmail.com>
+ (closes: #440390, #440953, #444039)
+ - Bulgarian, thanks to Damyan Ivanov <dam@modsoftsys.com>
+ (closes: #441863)
+ - Finnish, thanks to Esko Arajärvi <edu@iki.fi> (closes: #443720)
+ - Simplified Chinese, thanks to Ming Hua
+ <minghua-guest@users.alioth.debian.org> (closes: #443924)
+ - Updated Portuguese, thanks to Américo Monteiro <a_monteiro@netcabo.pt>
+ - Updated Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au>
+ (closes: #440800)
+ - Updated German, thanks to Sven Joachim <svenjoac@gmx.de>
+ - Updated Spanish, thanks to Javier Fernández-Sanguino Peña
+ <jfs@debian.org>
+ - Updated Czech, thanks to Miroslav Kure <kurem@debian.cz>
+ (closes: #441325)
+ * Further cleanups of 007_modules_pam_unix -- don't use a global variable
+ for pass_min_len, don't gratuitously move the length checking into the
+ "obscure" checks, and internationalize the error strings.
+ * Stop overriding the built-in default minimum password length in
+ /etc/pam.d/common-password, and also drop the "max" option which has now
+ been obsoleted.
+ * Fix up the comments in /etc/pam.d/common-password to make it clear that
+ the options are specific to pam_unix. Closes: #414559.
+ * Patch 038: fix another thinko in the getline handling. Closes: #442276.
+ * If there are active X logins, don't restart kdm, wdm, and xdm by default;
+ instead, display a debconf error if they haven't been restarted.
+ Closes: #441843.
+ * Drop the local patch for Linux capabilities in pam_limits; Linux
+ capabilities are not generally useful in a PAM context, and the PAM
+ capabilities patch has been broken through much of its life.
+ Closes: #440130.
+ * -Wl,-z,defs was never enabled correctly, drop it since upstream is
+ already using -no-undefined
+ * Pass --build and --host args to ./configure as necessary, for
+ cross-building support.
+
+ -- Steve Langasek <vorlon@debian.org> Fri, 28 Sep 2007 00:17:00 -0700
+
+pam (0.99.7.1-4) unstable; urgency=low
+
+ * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted
+ to fix the library skew, only reloaded; special-case this daemon in the
+ postinst and remove the mention of it from the debconf template, also
+ tightening the language of the debconf template in the process.
+ Closes: #440074.
+ * Add courier-authdaemon to the list of services that need to be
+ restarted; thanks to Micah Anderson for reporting.
+ * New patch pam_env_ignore_garbage.patch: fix pam_env to really skip over
+ garbage lines in /etc/environment and log an error, instead of failing
+ with an obscure error; and ignore any PAM_BAD_ITEM values returned
+ by pam_putenv(), since this is the expected error return when trying
+ to delete a non-existent var. Closes: #439984.
+ * Yet another thinko in hurd_no_setfsuid and in
+ 029_pam_limits_capabilities; this code should really be Hurd-safe at
+ last...
+ * getline() returns -1 on EOF, not 0; check this appropriately, to fix
+ an infinite loop in pam_rhosts_auth. Thanks to Stephan Springl
+ <springl-rhosts@bfw-online.de> for the fix. Closes: #440019.
+ * Use ${misc:Depends} for libpam0g, so we get a proper dependency on
+ debconf.
+ * 019_pam_listfile_quiet: per discussion with upstream, don't suppress
+ errors about missing files or files with wrong permissions; these are
+ real errors that should not be buried.
+ * Drop the remainder of 061_pam_issue_double_free, not required for the
+ original bugfix.
+ * Drop patch 064_pam_unix_cracklib_dictpath, which is not needed now that
+ we define CRACKLIB_DICTS in debian/rules.
+ * Drop patch 063_paswd_segv, superseded by a different upstream fix
+ * Split 047_pam_limits_chroot_string_value up between
+ 008_modules_pam_limits_chroot and 029_pam_limits_capabilites
+ * Updates to patch 007_modules_pam_unix: restore the same built-in min
+ password len of 6 that upstream uses; fix a typo panlindrome ->
+ palindrome.
+ * The 'max=' option was never intended to be used to limit maximum password
+ length for users, only to declare what the number of significant
+ characters /is/ for a password. But we don't need a config option to
+ tell us that, we know the answer based on which crypt type we're using,
+ so drop this as a config file option. Closes: #389197.
+ * Debconf translations:
+ - Spanish, thanks to Javier Fernández-Sanguino Peña <jfs@debian.org>
+ - Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au>
+ - German, thanks to Sven Joachim <svenjoac@gmx.de> (closes: #440355)
+ - Czech, thanks to Miroslav Kure <kurem@upcase.inf.upol.cz>
+ (closes: #440362)
+ - Portuguese, thanks to Américo Monteiro <a_monteiro@netcabo.pt>
+ (closes: #440368)
+
+ -- Steve Langasek <vorlon@debian.org> Fri, 31 Aug 2007 17:11:05 -0700
+
+pam (0.99.7.1-3) unstable; urgency=low
+
+ * New patch limits_wrong_strncpy: fix unnecessary manipulations of string
+ buffers, including an illegal use of strncpy(). Thanks to Paul Hampson
+ for reporting. Closes: #331278.
+ * New patch misc_conv_allow_sigint.patch: allow SIGINT to be handled by the
+ application, instead of blocking it when misc_conv is in use and
+ preventing users from being able to ^C at any PAM prompt. Closes: #1708.
+ * 024_debian_cracklib_dict_path: default to NULL instead of a specific
+ dictionary path when none is defined for consistency with the new upstream
+ version of cracklib, and define our path in debian/rules.
+ * 055_pam_unix_nullok_secure: document the pam_unix "nullok_secure" option,
+ a prereq for forwarding this patch upstream. Closes: #325974.
+ * Create /etc/security/opasswd on new installs or on upgrades from
+ 0.99.7.1-2 or below, so that users that enable the remember=<n> option to
+ pam_unix aren't left unable to change passwords. Closes: #95324.
+ * Fix a couple of thinkos in hurd_no_setfsuid, that were preventing the code
+ from compiling on the Hurd still. Thanks to Michael Banck for the catch.
+ * Fix a memory leak in the pam_limits capabilities patch: always
+ cap_free() the cap_t before returning from pam_sm_open_session().
+ Closes: #153157.
+ * libpam0g.postinst, libpam0g.templates: on upgrades from versions
+ prior to 0.99.7.1-3, restart known PAM-using services so that they
+ get the new libpam symbols, since otherwise the newer PAM modules
+ will fail to load. Postinst taken from libssl0.9.8; thanks to
+ Christoph Martin for the fine example! Closes: #439835.
+ * Build-depend on po-debconf to support l10n of the debconf questions
+ from the above.
+
+ -- Steve Langasek <vorlon@debian.org> Tue, 28 Aug 2007 06:33:33 -0700
+
+pam (0.99.7.1-2) unstable; urgency=low
+
+ * New upstream release; thanks to Roger Leigh and Jan Christoph Nordholz
+ for their extensive work in helping to prepare for this update in Debian.
+ Closes: #360460.
+ - now uses autoconf for library detection, so SELinux should not be
+ unconditionally enabled on non-Linux archs. Closes: #333141.
+ - pam_mail notice handling has been completely reworked, so there should
+ no longer be missing spaces in the messages. Closes: #119689.
+ - with libtool and autoconf, now behaves "sensibly" on unknown
+ platforms. Closes: #165067.
+ - the source now builds without warnings. Closes: #212165.
+ - uses automake instead of hand-rolled makefiles with indentation
+ bugs. Closes: #241661, #328084.
+ - pam_mkhomedir now creates directories recursively as needed.
+ Closes: #178225.
+ - pam_listfile now supports being used as a session module too.
+ Closes: #416665.
+ - misspelled pam_userdb log message has been corrected. Closes: #305058.
+ - the current pam_strerror manpage no longer mentions "Unknown
+ Linux-PAM error". Closes: #220157.
+ - the text documentation no longer uses ANSI bold sequences.
+ Closes: #181451.
+ - pam_localuser now supports being used as a session module.
+ Closes: #412484.
+ - package no longer fails to build with dash as /bin/sh.
+ Closes: #331208.
+ - All modules should now be documented in the system administrator
+ guide. Closes: #350620.
+ - pam_userdb now logs an error instead of segfaulting when no db=
+ option is provided. Closes: #436005.
+ - pam_time now warns on a missing tty instead of erroring out,
+ making it possible to use the module with non-console services.
+ Closes: #127931.
+ - upstream changelog is now 'ChangeLog' instead of 'CHANGELOG'; install
+ accordingly
+ - bump the shlibs
+ - the 'test.c' example no longer exists
+ - add /usr/share/locale to libpam-runtime.
+ - CVE-2005-2977: only uid=0 is allowed to invoke unix_chkpwd with an
+ arbitrary username, and then only when SELinux is active.
+ Closes: #336344.
+ * Mark myself as primary maintainer as previously discussed with Sam, and
+ add Roger as an uploader.
+ * Refactor to use quilt.
+ * Update to Standards-Version 3.7.2.
+ * Drop unnecessary build-dependency on patch, which is
+ build-essential (and no longer invoked directly).
+ * Drop patches 002_debian_no_ldconfig_call, 010_pam_cplusplus,
+ 018_man_fixes, 030_makefile_link_against_libpam,
+ 037_pam_issue_ttyname_can_be_null, 044_configure_supports_bsd,
+ 050_configure_in_gnu and 052_pam_unix_no_openlog, which have been
+ superseded upstream.
+ * Drop patches 005_pam_limits_099_6,
+ 012_pam_group_less_restrictive_charset, 023_pam_env_limits_miscfixes,
+ 048_pam_group_colon_valid_char, 058_pam_env_enable, 059_pam_userdb_segv,
+ 060_pam_tally_segv and 062_c++_safe_headers, which have been integrated
+ upstream.
+ * Patch 057: SELinux support is merged upstream, leaving only an
+ unrelated OOM check for pam_unix_passwd. Rename as
+ 057_pam_unix_passwd_OOM_check.
+ * Patches 006, 008, 036: update for the switch from SGML to XML.
+ * Patch 007: update for the switch from SGML to XML; drop some log
+ messages that were already added upstream; update for the pam_modutil
+ changes; tighten the flag handling of the 'obscure' option; drop bogus
+ check in unix_chkpwd for null passwords. Also fix a grammar error
+ along the way. Closes: #362855.
+ * Patch 024: CRACKLIB_DICTPATH is no longer set in configure.in, so patch
+ pam_cracklib.c instead to use the default dictpath already available
+ from crack.h; and patch configure.in to use AC_CHECK_HEADERS instead
+ of AC_CHECK_HEADER, so crack.h is actually included. Also remove
+ unnecessary string copies, which break on the Hurd due to PATH_MAX.
+ * Patch 038: partially merged/superseded upstream; also add new Hurd
+ fix for pam_xauth.
+ * Patch 061: partially merged upstream
+ * Use ${binary:Version} instead of ${Source-Version} in
+ debian/control.
+ * Remove empty maintainer scripts debian/libpam0g-dev.{postinst,prerm},
+ debian/libpam0g.{postinst,prerm}, and
+ debian/libpam-modules.{postinst,prerm}; debhelper can autogenerate these
+ just fine without our help.
+ * Build-Depend on xsltproc, libxml2-utils, docbook-xml, docbook-xsl
+ and w3m instead of on linuxdoc-tools, linuxdoc-tools-latex, tetex-extra,
+ groff, and opensp.
+ * Also build-depend on flex for libfl.a.
+ * Updates for documentation handling:
+ - move debian/local/pam-*-guide to debian/libpam-doc.doc-base.foo-guide,
+ and invoke dh_installdocs instead of installing these by hand.
+ - drop libpam-doc.{postinst,prerm}, which are no longer needed.
+ - add an install target to debian/rules, and have binary-indep depend on
+ it instead of trying to install doc files individually from the source
+ tree
+ - consequently, drop libpam-doc.dirs as well which is no longer needed
+ and no longer accurate
+ - add debian/libpam-doc.install for moving the docs to the right place,
+ and also replace libpam-runtime.files with libpam-runtime.install;
+ for the moment this means we're using both dh_movefiles and
+ dh_install...
+ - libpam0g.docs: install the Debian-PAM-MiniPolicy from here, further
+ cleaning up debian/rules
+ * Drop debian/libpam0g.links, no longer needed because upstream now has a
+ working install target which creates the library symlinks
+ * Add libpam-modules.links: create pam_unix_{acct,auth,passwd,session}.so
+ symlinks by hand, no longer provided upstream.
+ * debian/patches-applied/PAM-manpage-section: "PAM" is not a daemon, manpage
+ belongs in section 7, not in section 8.
+ * Actually ship the pam, pam.conf, and pam.d manpages in libpam-runtime.
+ * debian/patches-applied/autoconf.patch: move all changes to autotools
+ generated files into a single patch at the end of the stack.
+ - don't touch configure in debian/rules, the quilt patch takes care
+ of this for us.
+ * New patch 064_pam_unix_cracklib_dictpath: correctly define
+ CRACKLIB_DICTS, since this is not defined by configure. Thanks to Jan
+ Christoph Nordholz.
+ * New patch 065_pam_unix_cracklib_disable: Debian-specific patch to disable
+ cracklib support in pam_unix. Thanks to Christoph Nordholz.
+ * debian/rules:
+ - Rename OS_CFLAGS to CFLAGS.
+ - kill off references to unused variables
+ - make binary-arch also depend on the install target, and streamline the
+ rules
+ - fix up the clean target to not ignore errors; thanks to Roger Leigh
+ - drop the local module_check target in favor of using -Wl,-z,defs
+ in LDFLAGS to enforce correct linkage of all objects at build time
+ * Drop debian/local/unix_chkpwd.8 in favor of the upstream manpage.
+ * libpam-modules.files: /usr/sbin/pam_tally has moved to /sbin/pam_tally
+ for consistency.
+ * Update to debhelper V5.
+ * Don't ship Makefiles as part of the libpam0g-dev examples.
+ * libpam-modules.manpages, libpam-runtime.manpages, libpam0g-dev.manpages:
+ put all the manpages in the correct packages. Closes: #411812,
+ #62193, #313486, #300773, #330545, #184270.
+ * Drop libpam{0g,0g-dev,-modules,-runtime}.dirs, not needed for anything
+ because we aren't trying to ship empty directories in the packages
+ * Build-Conflict with fop, to avoid unreproducible builds of pdf
+ documentation from a tool in contrib.
+ * libpam-cracklib should depend on a real wordlist package, per policy;
+ use wamerican as the default.
+ * Drop local/pam-undocumented.7 from the package, since we no longer have
+ a reason to ship it
+ * Add lintian overrides for known false-positives
+ * Conflicts/Replaces/Provides libpam-umask, now included upstream.
+ Closes: #436222.
+ * Upstream no longer marks unix_chkpwd suid-root for us, so set the perms
+ by hand in debian/rules. In the process, unix_chkpwd is now writable
+ by the owner, as expected by policy. Closes: #368100.
+ * Migrate from db4.3 to db4.6; once again, no administrator action should
+ be needed for upgrading on-disk database formats. Closes: #354309.
+ * Add XS-Vcs-Svn and XS-Vcs-Browser fields to debian/control; thanks to
+ Laurent Bigonville for the hint. Closes: #439038.
+ * Add a watch file for use with uscan; thanks to Laurent Bigonville for
+ this patch as well. Closes: #439040.
+ * Rewrite of 031_pam_include, fixing a memory leak and letting us drop
+ patch 056_no_label_at_end; thanks to Jan Christoph Nordholz
+ <hesso@pool.math.tu-berlin.de> for this much-improved version!
+ * New patch no_pthread_mutexes: don't use pthread mutexes in
+ pam_modutil functions, they're not needed because pam handles
+ themselves should not be used concurrently by multiple threads and
+ using pthreads causes problems for portable linking.
+ * New patch hurd_no_setfsuid: if we don't have sys/fsuid.h, work around
+ using setreuid instead.
+
+ -- Steve Langasek <vorlon@debian.org> Sun, 26 Aug 2007 19:15:09 -0700
+
+pam (0.79-4) unstable; urgency=medium
+
+ * Medium-urgency upload; at least one RC bugfix, but also a
+ significant number of changes, hence not urgency=high.
+ * Move libpam-modules and libpam0g to Section: libs and libpam-runtime
+ to section: admin, to match the overrides in the archive.
+ * Move old changelog entries (well, entry) that don't follow the current
+ format to debian/changelog.old, since there's no way to figure out a
+ timestamp for an 8-year-old upload, and this is the most effective
+ way to clear a glut of lintian warnings.
+ * Fix the formatting of the libpam-cracklib package description.
+ * Patch 010: remove parts of the patch that aren't necessary for C++
+ compatibility.
+ * Patch 060: fix a segfault in pam_tally caused by misuse of
+ pam_get_data(); already fixed upstream. Closes: #335273.
+ * Patch 061: fix a double free in pam_issue, caused by overuse (and misuse)
+ of strdup (similar to patch 059). Already fixed upstream.
+ Closes: #327272.
+ * Don't build-depend on libselinux1-dev and libcap-dev on kfreebsd archs.
+ Closes: #352329.
+ * Patch 005: sync pam_limits with upstream:
+ - support "-" (unlimited) for all limit types except process priority.
+ - support the additional aliases "-1", "unlimited", and "infinity" for
+ clearing the limits; closes: #122400, #149027.
+ - restrict the range of process priority, login count, and system login
+ count settings to (INT_MIN,INT_MAX) (heh).
+ - special-case RLIM_INFINITY when applying multipliers to values from
+ the config.
+ - document maxsyslogins in the default limits.conf; closes: #149883.
+ - use the current process priority as a default instead of resetting to
+ 0; closes: #241663.
+ - add support for (and document) new RLIMIT_NICE and RLIMIT_RTPRIO
+ settings in Linux 2.6.12 and above; closes: #313542, #313588.
+ - allow imposing limits on uid=0.
+ * Patch 027: only set RLIM_INFINITY as the default for the limits where
+ we know this is sensible, so that recompiling in an environment with new
+ limits doesn't create a security hole -- as happened with RLIMIT_NICE and
+ RLIMIT_RTPRIO! Thanks to Ville Hallik for the initial patch.
+ Closes: #388431.
+ * Patch 029, 047: Fix up the broken pam_limits capabilities patch so it
+ actually works -- which may well be a first... Closes: #318452.
+
+ -- Steve Langasek <vorlon@debian.org> Mon, 23 Oct 2006 05:36:08 -0700
+
+pam (0.79-3.2) unstable; urgency=low
+
+ * Non-maintainer upload to fix important bug, that makes passwd segfault
+ when CTRL-D is pressed at the password prompt. Applied the patch
+ provided by Dann Frazier. (Closes: #360657)
+
+ -- Margarita Manterola <marga@debian.org> Sat, 5 Aug 2006 02:11:22 -0300
+
+pam (0.79-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Linux-PAM/libpamc/include/security/pam_client.h,
+ Linux-PAM/libpamc/pamc_converse.c: Apply patch from
+ latest upstream version to remove redefinition of internal
+ glibc/libstdc++ types. Closes: #344447.
+
+ -- Roger Leigh <rleigh@debian.org> Sun, 5 Feb 2006 21:46:59 +0000
+
+pam (0.79-3) unstable; urgency=low
+
+ * Patch 059
+ - Fix a segfault in pam_userdb when the new "crypt=" option
+ is unset, as will be the case for all existing users; already fixed
+ upstream. Closes: #330829.
+ - Fix a memory leak in the same code due to gratuitous strdup()s.
+ * Further regression in pam_env: don't treat a missing /etc/environment
+ as a fatal error, either. Amend patch 058 accordingly. Closes: #330852.
+
+ -- Steve Langasek <vorlon@debian.org> Fri, 30 Sep 2005 01:17:53 -0700
+
+pam (0.79-2) unstable; urgency=low
+
+ The ".c.o: rm -rf $@" release
+ * Fix debian/rules so that make clean doesn't remove ./configure when the
+ timestamp on configure.in is newer (!).
+ * Switch pam_userdb from db3 to db4.3, which according to the libdb
+ maintainers should require no manual intervention for upgrading on-disk
+ database formats. Closes: #165068.
+ * Patch 058: yes, of course we want to read /etc/environment by
+ default. Grr! Revert upstream change which disables this for no
+ apparent reason (closes: #330458).
+ * Tweak selinux rootok code to use the version of the function call that
+ doesn't pollute namespace
+
+ -- Steve Langasek <vorlon@debian.org> Tue, 27 Sep 2005 02:44:36 -0700
+
+pam (0.79-1) unstable; urgency=low
+
+ * New upstream version (closes: #284954, #300775).
+ - includes some fixes for typos (closes: #319026).
+ - pam_unix should now be LSB 3.0-compliant (closes: #323982).
+ - fixes segfaults in libpam on config file syntax errors
+ (closes: #330097).
+ * Drop patches 000_bootstrap, 004_libpam_makefile_static_works,
+ 011_pam_access, 013_pam_filter_termio_to_termios, 017_misc_fixes,
+ 025_pam_group_conffile_name, 028_pam_mail_delete_only_when_set,
+ 033_use_gcc_not_ld, 034_pam_dispatch_ignore_PAM_IGNORE,
+ 035_pam_unix_security, 039_pam_mkhomedir_no_maxpathlen_required,
+ 041_call_bootstrap, 042_pam_mkhomedir_dest_not_source_for_errors,
+ 051_32_bit_pam_lastlog_ll_time, and
+ 053_pam_unix_user_known_returns_user_unknown which have been
+ integrated upstream.
+ * Merge one last bit of patch 053 into patch 043, where it should have
+ been in the first place
+ * Patch 057: SELinux support:
+ - add support to pam_unix for copying SELinux security contexts when
+ writing out new passwd/shadow files and creating lockfiles
+ - support calling unix_chkpwd if opening /etc/shadow fails due to
+ SELinux permissions
+ - allow unix_chkpwd to authenticate for any user when in an SELinux
+ context (hurray!); we depend on SELinux policies to prevent the
+ helper's use as a brute force tool
+ - also support querying user expiration info via unix_chkpwd
+ - misc cleanup: clean up file descriptors when invoking unix_chkpwd
+ (closes: #248310)
+ - make pam_rootok check the SELinux passwd class permissions, not just
+ the uid
+ - add new pam_selinux module (closes: #249499)
+ * Build-depend on libselinux1-dev.
+ * Fix pam_getenv, so that it can read the actual format of /etc/environment
+ instead of trying to read it using the syntax of
+ /etc/security/pam_env.conf; thanks to Colin Watson for the patch.
+ Closes: #327876.
+ * Set LC_COLLATE=C when using alphabetic range expressions in
+ debian/rules; bah, so *that's* what kept happening to my README file
+ when trying to build out of svn! Closes: #295296.
+ * Add a reference to the text of the GPL to debian/copyright.
+
+ -- Steve Langasek <vorlon@debian.org> Sun, 25 Sep 2005 22:08:20 -0700
+
+pam (0.76-23) unstable; urgency=low
+
+ * Fix Gcc 3.4 compilation, Closes: #259634
+ * Note that pam.conf is not read if /etc/pam.d exists, Closes: #248928
+ * Fix typo in pam_env.conf, Closes: #277633
+
+ -- Sam Hartman <hartmans@debian.org> Sun, 10 Jul 2005 16:42:25 -0400
+
+pam (0.76-22) unstable; urgency=medium
+
+ * Add uploaders
+ * Document location of repository
+ * Fix options containing arguments in pam_unix, Closes: #254904
+
+ -- Sam Hartman <hartmans@debian.org> Mon, 28 Jun 2004 14:28:08 -0400
+
+pam (0.76-21) unstable; urgency=medium
+
+ * Fix patch 055 again because -20 was broken and didn't actually fix the
+ problem.
+
+ -- Sam Hartman <hartmans@debian.org> Tue, 4 May 2004 21:37:38 -0400
+
+pam (0.76-20) unstable; urgency=medium
+
+ * Update to patch 55 to only check securetty when we are sure the
+ password is null, Closes: #243698
+ * Medium urgency because the version now in testing has confusing and
+ verbose log messages.
+ * Include pam_getenv script which hopefully will be used by some people
+ somewhere for some purpose
+
+ -- Sam Hartman <hartmans@debian.org> Wed, 28 Apr 2004 22:51:18 -0400
+
+pam (0.76-19) unstable; urgency=low
+
+ * Oops, too busy testing the upgrade from woody to make sure the upgrade
+ from -16 to -18 worked. Thanks to all those who reported,
+ Closes: #243413
+
+ -- Sam Hartman <hartmans@debian.org> Tue, 13 Apr 2004 16:08:54 -0400
+
+pam (0.76-18) unstable; urgency=low
+
+ * Manipulate conffiles to avoid unnecessary prompt in woody to sarge
+ upgrade, Closes: #218318
+
+ -- Sam Hartman <hartmans@debian.org> Sat, 10 Apr 2004 18:10:35 -0400
+
+pam (0.76-17) unstable; urgency=low
+
+ * common-password now includes length restrictions and cracklib
+ examples, Closes: #227681, #237537
+ * Patch 054: abstract out the logic from pam_securetty to determine if a
+ tty is in /etc/securetty into a library function
+ * Patch 55: Add nullok_secure option to pam_unix. If set, then null
+ passwords are accepted from terminals in /etc/securetty.
+ * common-auth now includes nullok_secure, Closes: #228114
+
+
+ -- Sam Hartman <hartmans@debian.org> Sun, 4 Apr 2004 23:10:11 -0400
+
+pam (0.76-16) unstable; urgency=low
+
+ * Patch 51 from the x86-64 folks to support 32-bit ll_time in
+ pam_lastlog even if time_t is 64-bits
+ * Don't call openlog in pam_unix (patch 52), Closes: #213566
+ * Return PAM_USER_UNKNOWN for unknown users in pam_unix (patch 53), Closes: #204506
+
+ -- Sam Hartman <hartmans@debian.org> Tue, 23 Mar 2004 22:26:04 -0500
+
+pam (0.76-15) unstable; urgency=low
+
+ * Fix description of libpam-runtime, Closes: #209755
+ * Fix description of libpam-cracklib, Closes: #210014
+ * Depend on libc6-dev|libc-dev not libc6-dev, Closes: #212354
+ * Clean up binaries, Thanks Russell, Closes: #212158
+ * Depend on sufficiently new cracklib2-dev, Closes: #214092
+ * Treate GNU/* as GNU for OS variable to make pam_limits compile,
+ (patch 050) Closes: #220980
+ * No longer build-depend on latex2html, Closes: #221318
+ * Allow : in tty specification for pam_group, (patch 048) Closes: #220439
+ * Pull in locking patch from Linux-PAM CVS; this ended up causing
+ 021_pam_nis_locking to be reworked and that patch now no longer
+ contains locking fixes, but just NIS cleanup in general. See
+ 049_pam_unix_sane_locking for the locking changes, Closes: #220158
+
+ -- Sam Hartman <hartmans@debian.org> Mon, 12 Jan 2004 02:23:59 -0500
+
+pam (0.76-14) unstable; urgency=low
+
+ * Pull in NMU diff from 13.1, Closes: #186011
+ * Split out common-password into its own file, Closes: #207497
+ * Make other a conffile again and update to @include stuff
+ * Add missing symlink, Closes: #196605
+ * Remove undocumented manpages
+ * Update PAM mini-policy
+
+ -- Sam Hartman <hartmans@debian.org> Mon, 1 Sep 2003 18:08:54 -0400
+
+pam (0.76-13.1) unstable; urgency=low
+
+ * NMU with maintainer's permission.
+ * Add three new config files (/etc/pam.d/common-{auth,account,session})
+ to libpam-runtime. Other packages which depend on libpam-runtime
+ can now @include these files from their own PAM configs.
+ * Convert /etc/pam.d/other from a conffile to a non-conffile config
+ file. Closes: #186011.
+ * Remove empty libpam-runtime.prerm script (debhelper will autocreate if needed)
+
+ -- Steve Langasek <vorlon@debian.org> Tue, 19 Aug 2003 19:41:03 -0500
+
+pam (0.76-13) unstable; urgency=low
+
+ * Nope, that dependency didn't work, so let's remove it. If we run into other module versioning issues, I now have an arm build environment to debug with. Closes: #198618
+
+ -- Sam Hartman <hartmans@debian.org> Mon, 7 Jul 2003 00:22:34 -0400
+
+pam (0.76-12) unstable; urgency=low
+
+ * Fix group.conf example, (patch 046) Closes: #197080
+ * Ignore module return value in jumps, (patch 045) Closes: #176693
+ * Accept string value for chroot limit, thanks Andrei Pelinescu-Onciul,
+ Patch (047), Closes: #196903
+ * Depend on libpam-modules instead of conflicting with older versions.
+ This creates a circular dependency between libpam0g and
+ libpam-modules. James says this works fine; we hope he's right.
+ Closes: #196949
+ -- Sam Hartman <hartmans@debian.org> Sat, 21 Jun 2003 17:19:29 -0400
+
+pam (0.76-11) unstable; urgency=low
+
+ * Don't allow db4 to satisfy build-depends because it doesn't actually
+ work, and sometimes building with it would be wrong.
+ * Don't depend on libpcap-dev on Debian BSD
+ * Conflict with old libpam-modules, Closes: #191906
+ * Incorrect username should not be logged at alert (patch 43),
+ Closes: #175900
+ * Patch to support FreeBSD (patch 44, thanks Robert), Closes: #191906
+
+ -- Sam Hartman <hartmans@debian.org> Sat, 31 May 2003 19:55:26 -0400
+
+pam (0.76-10) unstable; urgency=low
+
+ * Don't double list conffiles, Closes: #190954
+ * Only install example sources not executables, Closes: #185286
+ * Display correct directory in error message for pam_mkhomedir, patch
+ 042 thanks to Akira TAGOH, Closes: #165240
+ * Don't log EPERM when setting NOFILE limit as Linux doesn't let you
+ set that to -1, Closes: #180310
+ * Add newline to end of distributed time.conf, Closes: #172229
+ * Up our standards version and support noopt in DEB_BUILD_OPTIONS
+
+ -- Sam Hartman <hartmans@debian.org> Sat, 3 May 2003 22:28:37 -0400
+
+pam (0.76-9) unstable; urgency=low
+
+ * Fix pam_rhosts hurd patch so it actually works, Closes: #172914
+ * Fix patch 040 not to clobber errno when logging the error fails,
+ Closes: #172186
+ * Fix dependency for linuxdoc-tools, Closes: #173097
+
+ -- Sam Hartman <hartmans@debian.org> Sun, 15 Dec 2002 17:10:58 -0500
+
+pam (0.76-8) unstable; urgency=low
+
+ * Have makefile appropriately depend on bootstrap-libpam
+ * Install pam minipolicy, Closes: #167798
+ * Don't segfault if ttyname is null; this avoids the segfault but does
+ not actually make pam_issue useful for ssh. I believe the way
+ pam_issue works is fundamentally incompatible with what sshd expects
+ from PAM (patch 037), Closes: #153152
+ * We actually fixed passwords containing , in 0.76-6, but failed to
+ document it. They do work, Closes: #164713
+ * Note that /etc/pam.d/other is a fall back for each service
+ * Patches from Michal 'hramrach' Suchanek" <hramrach_l@centrum.cz> to
+ make HURD work, Closes: #165066 (patch 038 and 039)
+ * Don't depend on gs and other doc prep tools for build-depends, just
+ build-depends-indep, Closes: #165065
+ * Patch from Eric Anderson <anderse@hpl.hp.com> to log failures of
+ setrlimit (patch 040), Closes: #169836
+ * Build pam_limits on hurd, Closes: #165190
+
+ -- Sam Hartman <hartmans@debian.org> Sun, 24 Nov 2002 22:04:28 -0500
+
+pam (0.76-7) unstable; urgency=low
+
+ * Fix handling of pam_ignore in case where we're skipping modules;
+ update to patch 034
+
+ -- Sam Hartman <hartmans@debian.org> Sun, 20 Oct 2002 21:49:22 -0400
+
+pam (0.76-6) unstable; urgency=low
+
+ * The "No, I don't think I actually want any of what upstream is
+ smoking" release
+ * If this were already in testing, this would be an severity emergency
+ upload
+ * pam_unix currently treats * in shadow file as no password not
+ disabled; major security issue; fixed in upstream CVS, (patch 035) Closes: #164659
+ * OK, I think this actually fixes the rest of the manpage symlinks,
+ Closes: #163839, #164298
+ * You don't want to use getlogin for pam_wheel because utmp may be wrong or for xterm have no entry, pull forward patch from the 0.72 packages (patch 036), Closes: #163787
+
+ -- Sam Hartman <hartmans@debian.org> Tue, 15 Oct 2002 10:44:56 -0400
+
+pam (0.76-5) unstable; urgency=low
+
+ * Fix library links from 0.75 to 0.76
+ * Ignore PAM_IGNORE in _pam_dispatch_aux (patch 34), Closes: #163841
+ * Fix man page symlinks, Closes: #163839
+
+ -- Sam Hartman <hartmans@debian.org> Fri, 11 Oct 2002 01:08:06 -0400
+
+pam (0.76-4) unstable; urgency=low
+
+ * Upstream correctly states that one should use gcc not ld when
+ linking and then hapilly proceeds to actually use ld, fixed, Closes: #163711
+
+ * Remove experimental warning from readme, Closes: 163742
+
+ -- Sam Hartman <hartmans@debian.org> Mon, 7 Oct 2002 23:45:53 -0400
+
+pam (0.76-3) unstable; urgency=low
+
+ * Oops, let's try building -fpic. This currently builds everything
+ -fpic which is somewhat wrong, but doing more than that requires
+ significant build system hacking (touch every makefile for dynamic
+ objects), so it will wait, Closes: #163600
+
+ -- Sam Hartman <hartmans@debian.org> Sun, 6 Oct 2002 23:33:12 -0400
+
+pam (0.76-2) unstable; urgency=low
+
+ * Link against appropriate libraries so we find the symbols we need,
+ Closes: #162175
+ * The if everyone's going to complain when I upload broken software to
+ experimental release, I might as well upload to unstable and give them
+ something worth actually complaining about release.
+ * Also the remove the scourge of dbs release
+ * Include patch 034 from the 0.72 packages, meaning that we've included
+ all the patches we need before release
+ * Reject the patch to pam_wheel as I cannot find out what reasonable
+ thing it was trying to do and it seemed broken
+ * libpam-cracklib should depend on wordlist so it actually works;
+ thanks Olaf Meeuwissen,
+ Closes: #112965
+ * Merge build-depends and build-depends-indep because I'm a bad person
+ and was too lazy to make docs build in a separate pass. I'll deal in
+ a few versions.
+
+ -- Sam Hartman <hartmans@debian.org> Sun, 6 Oct 2002 18:52:13 -0400
+
+pam (0.76-1) experimental; urgency=low
+
+ * New upstream version
+ * Upstream includes fix to not break cron, Closes: 160566
+ * New Upstream correctly handles priority < 0 for pam_limits, Closes: #126251
+ * .cvsignores removed, Closes: #159961
+
+ -- Sam Hartman <hartmans@debian.org> Sun, 22 Sep 2002 16:11:35 -0400
+
+pam (0.75-3) experimental; urgency=low
+
+ * Apply patch 027 pam_limits so that we initialize to wide open not
+ current limits.
+ * In pam_mail, don't complain about deleting environment variable if
+ we never set it, Closes: #58429
+ * Don't set default max procs limit in pam_limits, Closes: #116874
+ * libpam-runtime now arch all since it has no arch-specific files,
+ Closes: #132545
+ * Update mini policy to reflect confusion on debian-devel
+
+ -- Sam Hartman <hartmans@debian.org> Tue, 16 Jul 2002 09:30:50 -0400
+
+pam (0.75-2) experimental; urgency=low
+
+ * Fix pam_userdb to build and to build against db3, fixes patch 020
+ * Fix upstream makefile so pam_group has valid configuration, closes: #148657
+ * time.conf reference to logoutd removed, closes: #143801
+ * The static library contains all the appropriate symbols in this
+ version. You may find the complete lack of PAM modules somewhat
+ frustrating; currently the static pam library is only useful if you
+ register your own modules. Fixing this would require annoying hacking
+ on the upstream build system, closes: #103495
+ * unix_chkpwd.8 typo fixes thanks to dancer@anthill.echidna.id.au,
+ Closes: #139949
+ * Since we're working on the new upstream version, we also have the new docs, closes: #147763
+ * Patch from Martin Schwenke <martin@meltin.net> to only change
+ passwords in pam_unix when they exist in the password file; hopefully
+ does not break NIS, closes: #135990
+ * Another patch from Martin to return PAM_USER_UNKNOWN if we ever
+ actually do get into the password changing routine only to find that
+ we have no password to change, closes: #135604
+ * .cvsignore no longer installed, closes: #120795
+ * We're using debhelper 3, just in time to be obselete, Closes: #93414
+
+ -- Sam Hartman <hartmans@debian.org> Sat, 8 Jun 2002 18:04:40 -0400
+
+pam (0.75-1) experimental; urgency=low
+
+ * Preliminary test packages
+ * New upstream version
+ * Hopefully works mostly the same as 0.72 except for upstream bug
+ fixes and for the fact that pam_limits is fairly broken right now.
+ * If it breaks you are lucky if you get to keep both pieces release.
+
+ -- Sam Hartman <hartmans@debian.org> Sat, 25 May 2002 22:57:57 -0400
+
+pam (0.72-35) unstable; urgency=medium
+
+ * Fix like_auth to make libpam-krb5 and libpam-heimdal actually useful,
+ patch from RISKO Gergely , closes: #126251
+
+ -- Sam Hartman <hartmans@debian.org> Mon, 21 Jan 2002 15:20:22 -0500
+
+pam (0.72-34) unstable; urgency=medium
+
+ * Note that HOME may not be useful in pam_environment, closes: #109281
+ * Don't smash case domains (groups/users) in pam_limits, closes: #119893
+ * Remove double the from description, closes: #107705
+ * Fix typo on mail message, closes: #119689
+ * Medium since these are small fixes that should go into woody
+
+ -- Sam Hartman <hartmans@debian.org> Fri, 23 Nov 2001 21:24:20 -0500
+
+pam (0.72-33) unstable; urgency=low
+
+ * Fix pam_mail to look in /var/mail not /var/spool/mail, thanks mjb.
+
+ -- Sam Hartman <hartmans@debian.org> Thu, 11 Oct 2001 15:44:32 -0400
+
+pam (0.72-32) unstable; urgency=medium
+
+ * This should probably get into testing before freeze; medium.
+ * Patch from Volker Stolz to fix bug in previous pam_group patch,
+ closes: #111854
+
+ -- Sam Hartman <hartmans@debian.org> Sat, 22 Sep 2001 06:32:29 -0400
+
+pam (0.72-31) unstable; urgency=low
+
+ * Add support for credential reinitialization in pam_group, closes: #108697
+
+ -- Sam Hartman <hartmans@debian.org> Fri, 31 Aug 2001 13:16:39 -0400
+
+pam (0.72-30) unstable; urgency=low
+
+ * Include patch from robbe@orcus.priv.at to build pam_limits on hurd,
+ closes: #103556
+ * Start installing limits.conf for hurd (may not work quite right)
+
+ -- Sam Hartman <hartmans@debian.org> Mon, 16 Jul 2001 09:35:51 -0400
+
+pam (0.72-29) unstable; urgency=low
+
+ * Correctly declare uint32 type for ia64, closes: #104584
+
+ -- Sam Hartman <hartmans@debian.org> Sat, 14 Jul 2001 01:30:39 -0400
+
+pam (0.72-28) unstable; urgency=low
+
+ * Fix scanf string so pam_limits chroot works, closes: #100812
+ * Only log unknown user at warning, not alert, closes: #95220
+ * By default do complete matches not substring matches for pam_time.
+ You can include explicit wildcard for substring, closes: #66152
+
+ -- Sam Hartman <hartmans@debian.org> Tue, 3 Jul 2001 17:31:45 -0400
+
+pam (0.72-27) unstable; urgency=low
+
+ * Fix typo in last patch
+
+ -- Sam Hartman <hartmans@debian.org> Mon, 25 Jun 2001 18:27:42 -0400
+
+pam (0.72-26) unstable; urgency=low
+
+ * Block SIGCHLD when calling unix password verification program, patch from mdz@debian.org, fixes pam part of #97977
+
+ -- Sam Hartman <hartmans@debian.org> Mon, 25 Jun 2001 08:47:12 -0400
+
+pam (0.72-25) unstable; urgency=medium
+
+ * Depend on opensp, working around #89063, closes: #100125
+ * This is urgency medium to get docs back into testing.
+
+ -- Sam Hartman <hartmans@debian.org> Fri, 8 Jun 2001 11:44:12 -0400
+
+pam (0.72-24) unstable; urgency=low
+
+ * New NIS double locking and root password patch from Philippe Troin
+ <phil@fifi.org>, fixes bug in unreleased patch submitted for
+ 0.72-23. Also improves changing root password so it does something;
+ ongoing discussion on whether this is right.
+
+ -- Sam Hartman <hartmans@debian.org> Mon, 21 May 2001 08:06:05 -0400
+
+pam (0.72-23) unstable; urgency=low
+
+ * Patch from Benoit Gaussen <ben@trez42.net> , Don't trim from , to end
+ of string in user input, only trim from salt
+ grabbed from passwd file, closes: #96779
+ * Fix NIS double locking, closes: #96736
+
+ -- Sam Hartman <hartmans@debian.org> Wed, 16 May 2001 15:46:34 -0400
+
+pam (0.72-22) unstable; urgency=low
+
+ * Fix pam.8 to be pam.7, closes: #92874
+
+ -- Sam Hartman <hartmans@debian.org> Tue, 17 Apr 2001 23:04:04 -0400
+
+pam (0.72-21) unstable; urgency=low
+
+ * Don't depend on libcap for hurd, closes: #91998
+ * Don't list scurity/limits.conf as a conffile for hurd
+
+ -- Sam Hartman <hartmans@debian.org> Mon, 9 Apr 2001 12:30:18 -0400
+
+pam (0.72-20) unstable; urgency=low
+
+ * Install pam-undocumented in -runtime not -dev, closes: #93063
+ * Mark pam-runtime as replacing files from -dev in case you installed
+ -19 and have pam-undocumented in the wrong place
+
+ -- Sam Hartman <hartmans@debian.org> Fri, 6 Apr 2001 06:38:15 -0400
+
+
+
+pam (0.72-19) unstable; urgency=low
+
+ * New maintainer, closes: #92353
+ * Install pam-undocumented; somehow it was not installed in -18
+
+ -- Sam Hartman <hartmans@debian.org> Wed, 4 Apr 2001 21:32:17 -0400
+
+pam (0.72-18) unstable; urgency=low
+
+ * pam_securetty: log failed tty checks. Normally this was only done if
+ the "debug" option was on...do it regardless now, closes: #89390
+ * Get rid of log message for when "root" is not applied to group checks.
+ closes: #88825
+ * Add quiet option to pam_listfile, closes: #84428
+ * pam(8) should be pam(7), pam.conf(8) should be pam.conf(5), closes:
+ #89322
+ * Added groff to Build-Depends-Indep, closes: #88794
+
+ -- Ben Collins <bcollins@debian.org> Sun, 25 Mar 2001 21:40:32 -0500
+
+pam (0.72-17) unstable; urgency=low
+
+ * Fixed login in pam_limits where the max logins could be ignored.
+
+ -- Ben Collins <bcollins@debian.org> Fri, 9 Mar 2001 09:14:48 -0500
+
+pam (0.72-16) unstable; urgency=low
+
+ * New pam limits cap patch from Topi Miettinen
+ <Topi.Miettinen@koti.tpo.fi>, closes: #88401, #88406, #88525, #88399,
+ #86197
+ * pwdb no longer used, closes: #59917
+ * fix patch 023 for gethostbyname build failure, closes: #86156
+ * Make sure unix_chkpwd gets installed as suid root, closes: #88519
+ * Fix whatis parse of manpages, closes: #86203
+ * pam_listfile, fix arg parsing when arg does not contain '=', closes:
+ #86070
+
+ -- Ben Collins <bcollins@debian.org> Sun, 4 Mar 2001 22:45:58 -0500
+
+pam (0.72-15) unstable; urgency=low
+
+ * Doh, added build-depends for libcap, closes: #85352
+ * Change section of libpam-cracklib from admin to libs to match
+ overrides.
+
+ -- Ben Collins <bcollins@debian.org> Fri, 9 Feb 2001 09:06:40 -0500
+
+pam (0.72-14) unstable; urgency=low
+
+ * Added fix to pam_access for gethostname decleration. closes: #82100
+ * Just name the lib/security directory instead of all the modules
+ seperately for dh_movefiles. closes: #76119
+ * Fix pam_env corruption, closes: #66849, #77229
+ * Add patch to allow recursive /etc/skel copy in pam_mkhomedir, closes:
+ #67211
+ * remove dh_suidregister call, added conflict for old suidregister
+ package
+ * Applied patch for Linux capabilities in pam_limits, closes: #74176
+ * pam_issue.so works for me, without segv, and even with escapes. This
+ is with login. Note, things like pam_issue do not work with ssh simply
+ because ssh is not able to work in that way (does not support
+ arbiitrary conversations). So if you want it to work there, file a bug
+ on ssh, not on libpam-modules. closes: #77228
+ * unix_chkpwd: check for NULL password, closes: #69960
+
+ -- Ben Collins <bcollins@debian.org> Thu, 8 Feb 2001 11:06:03 -0500
+
+pam (0.72-13) unstable; urgency=low
+
+ * Fix grammar in pam_source.sgml, closes: #78959
+ * pam_undocumented.7: Fix escaped 's, closes: #75987
+ * Fix build ordering, closes: #71442, #80397, #77017
+ * Applied Hurd patch, closes: #76119
+ * Use gcc for linking, not ld. closes: #71941
+ * Pretty sure this was fixed, closes: #67172
+ * Applied spealang fixes to Debian-mini-policy. closes: #80249
+ * Applied patch to allow devfs style terminal devices with pam_group,
+ closes: #77661
+ * Could not reproduce, even using md5 passwords. User, if you still have
+ * this problem, you need to tell me with what service (login, which I
+ tested, sshd, telnet, etc...) and also send me the entire pam.d file
+ for that service. closes: #76087
+ * Fixed awhile back, closes: #72858
+ * Closing this since I am not going to include any modules in this
+ package that aren't in upstream. If someone else wants to package
+ these modules seperately, they can do so. closes: #69550
+ * For correct usage, pam_wheel.so should be used with "sufficient" and
+ not "required". This is documented. If you use "required", then you
+ must also use the "trust" option, but that doesn't give you the
+ results you want. closes: #76236
+
+ -- Ben Collins <bcollins@debian.org> Sun, 31 Dec 2000 05:38:23 -0500
+
+pam (0.72-12) frozen unstable; urgency=low
+
+ * Recompile against db2 for glibc change
+ * Add db2 to build-deps
+
+ -- Ben Collins <bcollins@debian.org> Wed, 27 Sep 2000 12:08:11 -0400
+
+pam (0.72-11) frozen unstable; urgency=low
+
+ * Removed all traces of pwdb in packages. libpwdb has been removed from
+ the archive. This means that the pam_pwdb and pam_radius modules are
+ no longer available (from the libpam-pwdb package).
+ * doc/modules/pam_wheel.sgml: Really spell out that being a member of a
+ group meands the user is listed in /etc/group, closes: #69242
+ * doc/*: s/PAM_AUTHOK_RECOVERY_ERR/PAM_AUTHOK_RECOVER_ERR/g,
+ closes: #64473
+ * pam_wheel: PAM does not distinguish it, the libc calls make the
+ distinction. The users gid is returned in their passwd info, while
+ getgrent() returns only the members of the group listed in /etc/group.
+ This is ok, because if it's really that important, you can actually
+ have it in both places. The fact that it's documented should suffice
+ in making this clear, closes: #69236
+ * Sorry, but seperate modules generally need to be packaged seperately.
+ I don't want to overload this package with everyone's pet module, so I
+ have to put my foot down, closes: #61759
+ * Actually, I'm going to move in Woody to make packages depend more on
+ the defaults in /etc/pam.d/other, so that admins have less to
+ maintain. For one, all packages should not have a password service
+ listed, closes: #70000 (YAY! I got the 70k rollover bug number!)
+ * Sorry, I can't include this. "," is a legitimate char in a password
+ salt/hash. If you can code up something that is super intelligent
+ about lenghts of the field, I can go for it, maybe, closes: #59459
+ * modules/pam_limits: Added chroot feature patch, closes: #61090
+ * modules/pam_access: Allow last field to contain ':', closes: #67291
+ * modules/pam_limits: Allow explicit limits for root, closes: #62448
+ * modules/pam_unix: Do not zero old/new password fields, libpam does
+ this itself, and doing so in the module breaks stacking,
+ closes: #66270
+ * modules/pam_group: Allow alpha *and* numeric in tty field (duh),
+ closes: #63752
+ * modules/pam_access: Enable NIS, closes: #64854
+ * libpam0g-dbg: removed, useless anyway
+
+ -- Ben Collins <bcollins@debian.org> Wed, 30 Aug 2000 18:39:32 -0400
+
+pam (0.72-10) frozen unstable; urgency=low
+
+ * Update build depends
+ * Fixed logic for showing non-existent user names when auth failed in
+ pam_unix.so, closes: #67786 (thanks to Jim Breton for being patient in
+ helping track this down). It would sometimes show them, even if we
+ didn't want to.
+
+ -- Ben Collins <bcollins@debian.org> Thu, 27 Jul 2000 09:17:08 -0400
+
+pam (0.72-9) frozen unstable; urgency=low
+
+ * pam_unix: do not call obscure_msg() of pass_old is NULL,
+ closes: #65321
+ * pam_access: check for from[0] == '\0' so that tty logic is actually
+ used, closes: #65401
+
+ -- Ben Collins <bcollins@debian.org> Wed, 14 Jun 2000 11:38:35 -0400
+
+pam (0.72-8) frozen unstable; urgency=low
+
+ * Build depends added in previous version, closes: #60817, #61439
+ * Allow use of ":0" in group.conf, closes: #61966
+ * Added syslog entry to notify that a user succesfully changed their
+ password, closes: #61724
+ * Make pam_unix compatible with HP-UX style NIS+ password information,
+ patch from ldaffner@rsn.hp.com, closes: #61942
+ * If "audit" is not enabled, don't let pam_unix print the names of
+ unknown users for auth attempts, closes: #61942
+ * Fixed ttyname() parsing in pam_access to match that of the old shadow
+ access.conf s,/dev/,, closes: #61644
+ * Set some sane defaults for pam_limits.so instead of carrying over
+ potentially bad defaults, patch from Peter Paluch
+ <peterp@frcatel.fri.utc.sk> closes: #63230
+ * Allow explicit (e.g. specified specifically for) limits for root,
+ patch from Topi Miettinen <Topi.Miettinen@nic.fi>, closes: #62448
+ * Added information to time.conf about logoutd, which is now enabled via
+ this file.
+ * cracklib maintainer claims this isn't a bug, closes: #54180
+ * fixed control syntax handling which was causing segfaults, closes: #62237
+
+ -- Ben Collins <bcollins@debian.org> Sat, 29 Apr 2000 11:39:59 -0400
+
+pam (0.72-7) frozen unstable; urgency=low
+
+ * pam_limits: fix parsing of users which explicitly removes limits,
+ closes: #59911, #60287
+ * Added build-depends
+
+ -- Ben Collins <bcollins@debian.org> Mon, 20 Mar 2000 16:06:28 -0500
+
+pam (0.72-6) frozen unstable; urgency=low
+
+ * Remove conflict for libpam0g-util from libpam0g and put it in
+ libpam-runtime. This should fix a problem with upgrades that apt
+ experiences, closes: #58677
+
+ -- Ben Collins <bcollins@debian.org> Mon, 28 Feb 2000 14:05:28 -0500
+
+pam (0.72-5) frozen unstable; urgency=low
+
+ * Added obscure password checks to pam_unix. Required for shadow to be
+ able to emulate the pre-PAM setup (referenced in a bug on passwd).
+ * Applied patch from #57800 to fix NIS/NIS+ shadow accounting checks,
+ closes: #57800, #58164
+ * Fixed two typos in the PAM System Administrators Guide,
+ closes: #56578, #56587
+
+ -- Ben Collins <bcollins@debian.org> Mon, 28 Feb 2000 10:58:09 -0500
+
+pam (0.72-4) frozen unstable; urgency=low
+
+ * unix_chkpwd: check for NULL on stdin aswell as 0 reads, closes: #56375
+ * pam_unix/Makefile: removed bashism, closes: #56370
+ * fixed in shadow upload, closes: #49832
+
+ -- Ben Collins <bcollins@debian.org> Sat, 29 Jan 2000 00:27:28 -0500
+
+pam (0.72-3) unstable; urgency=low
+
+ * Added cpluplus wraps in all the headers, closes: #53653
+
+ -- Ben Collins <bcollins@debian.org> Sun, 2 Jan 2000 15:15:40 -0500
+
+pam (0.72-2) unstable; urgency=low
+
+ * Well, this is an odd one. A recompile fixes it. So it must have been a
+ problem from linking with 0.71 when this is version 0.72. All of this
+ build daemons seem to have compiled the latest 0.72, so this should be
+ resolved after this gets recompiled on all of them, closes: #51619, #49584
+ * This is from a very old version (0.56) of libpam0. It is not relevant
+ to the latest version, closes: #47162
+
+ -- Ben Collins <bcollins@debian.org> Sun, 26 Dec 1999 09:10:13 -0500
+
+pam (0.72-1) unstable; urgency=low
+
+ * New upstream source release, lots of patches merged upstream (thanks
+ Andrew).
+ * libpam-doc: now provides pam-doc, closes: #45631
+ * cleanups to the build system
+ * shlibs.local: bumped shlib deps
+
+ -- Ben Collins <bcollins@debian.org> Tue, 14 Dec 1999 11:17:36 -0500
+
+pam (0.71-3) unstable; urgency=low
+
+ * Debian-PAM-MiniPolicy: new document describing how PAM is implemented
+ in Debian
+
+ -- Ben Collins <bcollins@debian.org> Fri, 26 Nov 1999 17:26:40 -0500
+
+pam (0.71-2) unstable; urgency=low
+
+ * pam_listfile: lstat -> stat, closes: #49833
+ * pam_tally: install the pam_tally program, closes: #50314
+ * debian/control: libpam-modules, replaces libpam0g-util, closes: #50716
+
+ -- Ben Collins <bcollins@debian.org> Thu, 25 Nov 1999 21:02:23 -0500
+
+pam (0.71-1) unstable; urgency=low
+
+ * New upstream release, merges lots of patches from the Debian source,
+ also merges the pam_{motd,mkhomedir,issue} modules into the main
+ source. Lots of minor bugs fixed, and compiler warnings
+ * pam_mail: Reimplemented the authentication handlers, so now this works
+ as both (changes nothing in Debian, but was required to get the patch
+ accepted upstream)
+ * general: Lots of small edits to fix compiler warnings
+ * pam_userdb: fixed potential usage of an unitialized value as
+ PAM_AUTHTOK, doesn't look particularly exploitable, but better safe
+ than sorry
+
+ -- Ben Collins <bcollins@debian.org> Mon, 8 Nov 1999 19:21:52 -0500
+
+pam (0.70-4) unstable; urgency=low
+
+ * pam_wheel/pam_wheel.c: change to use getpwuid(getuid()) by default, so
+ avoid the problems associated with getlogin()
+
+ -- Ben Collins <bcollins@debian.org> Mon, 1 Nov 1999 13:33:10 -0500
+
+pam (0.70-3) unstable; urgency=low
+
+ * Applied patch from Herbert Xu to enable PAM_CONV_AGAIN support in
+ pam_ftp, closes: #47288
+
+ -- Ben Collins <bcollins@debian.org> Wed, 13 Oct 1999 13:25:21 -0400
+
+pam (0.70-2) unstable; urgency=low
+
+ * 100_pam_pwdb_security_fix: new patch fixes security problem with
+ regard to NIS accounts
+
+ -- Ben Collins <bcollins@debian.org> Wed, 13 Oct 1999 11:42:41 -0400
+
+pam (0.70-1) unstable; urgency=low
+
+ * New upstream release
+ * Seems there were a lot of fixes merged/matches upstream, looks good,
+ (maybe it's time I start sending my patches in, since the maintainer
+ is active again).
+ * libpamc: new library (libpam client library), this actually used to be
+ in the Debian packages for a few versions, but it was removed upstream.
+ Guess what, it's back :)
+
+ -- Ben Collins <bcollins@debian.org> Sun, 10 Oct 1999 01:07:43 -0400
+
+pam (0.69-11) unstable; urgency=low
+
+ * {pwdb,unix}_chkpwd.8: fixed format to get rid of "no whatis" warnings
+ from mandb, closes: #47004
+ * pam_unix.sgml: new file, documents the pam_unix.so module,
+ closes: #46511
+
+ -- Ben Collins <bcollins@debian.org> Sat, 9 Oct 1999 12:41:58 -0400
+
+pam (0.69-10) unstable; urgency=low
+
+ * libpam/pam_item.c: fixed debug message being in wrong place
+ * 013_pam_issue: new patch, provides issue file parsing for PAM
+ applications (helps to replace lost functionality in login).
+
+ -- Ben Collins <bcollins@debian.org> Wed, 6 Oct 1999 20:30:17 -0400
+
+pam (0.69-9) unstable; urgency=low
+
+ * Fix typo in pam_mail.so module's "no" return
+
+ -- Ben Collins <bcollins@debian.org> Sun, 3 Oct 1999 15:08:56 -0400
+
+pam (0.69-8) unstable; urgency=low
+
+ * docs/modules/pam_mkhomedir.sgml: Fixed module name
+ * changed build system structure
+ * libpam/Makefile: add -lcrypt to the linked libs, closes: #46104
+ * increase shlib deps to 0.69-7, closes: #45801
+ * pam_motd.c: close motd file after reading, closes: #46122
+ * pam_motd.c: fix setting \0 in the wrong place when motd file is
+ zero length, closes: #45686, #45632
+ * pam_unix_acct.c: allow '0' to denote disabled for some expiry fields
+ since chage(1) documents it this way, closes: #45446
+ * pam_mail.c|modules/pam_mail.sgml: added 2 options, one "standard" to
+ give the old style "You have ..." response and "quiet" which only
+ reports new mail for both formats, documented both options,
+ closes: #45670
+ * with the new pam_unix module, this bug is fixed, closes: #42230
+ * pam_limits.c: make sure that we not only ignore limits on root, we
+ also remove them just in case we are su'ing from a limited user to
+ the root account (since as root they can remove the limits anyway),
+ closes: #35302
+
+ -- Ben Collins <bcollins@debian.org> Sun, 3 Oct 1999 12:07:28 -0400
+
+pam (0.69-7) unstable; urgency=low
+
+ * debian/rules: fixed module_check
+ * pam_env/pam_env.c: fixed env parsing to include values wrapped in ''
+ and also allow continued lines with a trailing '\'.
+ * pam_motd,pam_mail: converted to session modules, so that they could
+ be ordered with the lastlog module
+ * updated default pam.d/login to reflect above change (now login looks
+ the same as the non-PAM version, lastlog, then motd, and then mail
+ check)
+ * pam_motd: removed extraneous \n from output
+ * modules/pam_limits/pam_limits.c: Fixed parsing of lines with only
+ "domain -", which was documented as being able to get rid of limits
+ for that user or group.
+ * debian/control: (libpam-cracklib) Added depends for cracklib-runtime,
+ closes: #45488
+ * modules/pam_env.c: Fixed /etc/environment parsing causing segfaults on
+ long lines, closes: #45408
+
+ -- Ben Collins <bcollins@debian.org> Sun, 19 Sep 1999 13:50:40 -0400
+
+pam (0.69-6) unstable; urgency=low
+
+ * Install unix_chkpwd suid root, it's needed for NIS to work without
+ modification to the binary.
+ * modules/pam_limits/pam_limits.c: hmm, some how I got a strange broken
+ patch left over from the source upgrade...removed all but the pwdb
+ purging, closes: #45088
+ * modules/pam_env/pam_env.c: Changed to a debug message, instead of a
+ syslog message when /etc/environment does not exist.
+
+ -- Ben Collins <bcollins@debian.org> Wed, 15 Sep 1999 04:25:21 -0400
+
+pam (0.69-5) unstable; urgency=low
+
+ * Removed libpam0g's preinst check for full paths in the pam.d files,
+ this should really be a lintian check at build (i think the old libpam
+ could not work like this, but hey...things change for the better some
+ times. This PAM works fine like that). closes: #45001
+ +NOTE: Debian packages should not reference modules by the full path
+ so they don't break if I ever decide to move the modules to a different
+ default directory. Only the admin should reference full paths and only
+ for locally installed modules. I have submitted a request to check for
+ this in lintian along with a few other devious things.
+ * debian/patches/008_pam_mkhomedir: Fix title of sgml doc
+ * modules/pam_userdb/Makefile: added patch for building against glibc 2.0
+ (request from Roman Hodek), closes: #45064
+
+ -- Ben Collins <bcollins@debian.org> Tue, 14 Sep 1999 06:12:34 -0400
+
+pam (0.69-4) unstable; urgency=low
+
+ * Link all dynamic modules with libpam. For some reason, alpha doesn't
+ like it when we don't
+
+ -- Ben Collins <bcollins@debian.org> Mon, 13 Sep 1999 06:01:40 -0400
+
+pam (0.69-3) unstable; urgency=low
+
+ * doc/modules/pam_cracklib.sgml: changed to correct path for
+ cracklib_dict reference.
+ * modules/pam_env/pam_env.c: now groks bash style env's from
+ /etc/environment to be compatible with other programs that use it.
+ * modules/pam_securetty/pam_securetty.c: don't just plain fail when
+ root isn't allowed to login, fake a password request just like any
+ good auth module would. Keeps us from letting them know that they
+ are doing something bad :)
+ * modules/pam_{motd,mkhomedir}: merged these two modules into this
+ source, also wrote corresponding sgml files for libpam-doc,
+ closes: #40754
+ * debian/control: Moved libpam0g, libpam-modules and libpam-runtime
+ to base with required priority since login depends on them and
+ policy will require this
+
+ -- Ben Collins <bcollins@debian.org> Sat, 11 Sep 1999 08:06:02 -0400
+
+pam (0.69-2) unstable; urgency=low
+
+ * Modified build so that it uses libs and headers in the build tree
+ rather than on the local system. This involved changint the build
+ order slightly and should make it easier to compile on new archs.
+ * Modified pam_limits so that it was invoked during pam_sm_setcred()
+ instead of during pam_sm_session_open() so that it will work with
+ shadow's su.
+ * Fixed missing symbols in libpam.so, they were caused by it thinking
+ it was supposed to have static modules built in.
+ * Fixed problem where libpam was getting built with -DDEBUG
+ * pam_unix_passwd.c: Changed the perms on shadow to be 0.42 and 0640
+ instead of 0.0 and 0600
+ * unix_chkpwd: fix it not being sgid shadow
+
+ -- Ben Collins <bcollins@debian.org> Thu, 9 Sep 1999 13:52:01 -0400
+
+pam (0.69-1) unstable; urgency=low
+
+ * New upstream source
+ - Now with a new and improved pam_unix module, closes: #38631
+ - Lot's of documentation cleanups
+ * Converted build system to dbs (doogie's build system, aka Adam Heath)
+ * Fixed libpam.so compilation so that it did not link with any of the
+ modules (this was causing lot's of problems, closes; #43913, #40739
+ * modules/pam_ftp/pam_ftp.c: Fixed sizeof, to use strlen,
+ closes: #44054, #41845, #44142, #39129, #39871, #44412
+ * Postscript pages are now generated correctly, closes: #41608
+ * Moved to FHS compliance (including use of debhelper 2.0.40),
+ this also raises the policy version to 3.0.1.1
+ * Don't check the paths in /etc/pam.d files anymore. This is old
+ and causes nothing but complaints, closes: #39747
+ * Build libpam0g-dbg with debuggable static and shared libraries, also
+ enabled the internal DEBUG_REL compile flag for these so that the
+ debugging messages will also be output
+
+ -- Ben Collins <bcollins@debian.org> Tue, 7 Sep 1999 17:45:20 -0400
+
+pam (0.66-10) unstable; urgency=low
+
+ * Added ability for pam_env to parse /etc/environment and updated
+ docs to reflect it
+ * Applied patch for pwdb_chkpwd man page, closes: #38976
+ * Merged pam_unix_*.so modules into one pam_unix.so with symlinks
+ for backward compatibility. This helps centralize this module the
+ same way the pam_pwdb.so is and the way pam_unix.so is on other
+ operating systems (commercial ones specifically).
+ * Closed by pam-apps upload, closes: #38632
+ * Fixed `sgml2latex' syntax, closes: #39119
+ * Added doc-base support, closes: #37627
+
+ -- Ben Collins <bcollins@debian.org> Wed, 16 Jun 1999 01:20:23 -0400
+
+pam (0.66-9.1) unstable; urgency=low
+
+ * SPARC NMU to fix chown symbols when compiling with glibc 2.1.1
+
+ -- Ben Collins <bcollins@debian.org> Tue, 11 May 1999 13:33:33 +0000
+
+pam (0.66-9) unstable; urgency=low
+
+ * Changed the debian/rules to not mess with the library symlinks (ie
+ running ldconfig in the lib dir) and all is well, closes: #36169
+
+ -- Ben Collins <bcollins@debian.org> Sun, 18 Apr 1999 09:09:51 -0400
+
+pam (0.66-8) unstable; urgency=low
+
+ * Compiled with libpam_client.so now (seperate lib in libpam0g)
+ * Made regex for libpam0g postinst a little more specific so it
+ didn't flag false problems. closes: #34626
+ * Applied patch to fix pam_ftp, closes: #35388
+ * Modified pam_mail and pam_lastlog to honor PAM_SILENT in order to
+ enable apps to use hushlogin/PAM_SILENT
+ * Fixed problem with libpam_client.so being static
+
+ -- Ben Collins <bcollins@debian.org> Mon, 15 Mar 1999 20:54:23 -0500
+
+pam (0.66-7) unstable; urgency=low
+
+ * Fixed XCASE in pam_filter.c (not really in glibc 2.1 by default)
+
+ -- Ben Collins <bcollins@debian.org> Sat, 6 Mar 1999 18:46:56 -0500
+
+pam (0.66-6) unstable; urgency=low
+
+ * Removed empty /lib/security/ from libpam0g (is created in
+ libpam-runtime)
+ * Added a depends for libpam-runtime to libpam0g (was supposed to be
+ there, must have deleted it)
+ * Removed empty /usr/bin from libpam-runtime (old directory where
+ upperLOWER was)
+
+ -- Ben Collins <bcollins@debian.org> Wed, 24 Feb 1999 13:14:25 -0500
+
+pam (0.66-5) unstable; urgency=low
+
+ * Removed harcoded libc6 dependency from libpam0g-dev and changed it to
+ libc6-dev. closes: #33615
+ * Added md5 flag for pam_unix_passwd.so
+ * Removed upperLOWER program since it is just an example. Moved it's
+ source to the examples directory in libpam-modules
+ * Fixed documentation of pam_strerror() and examples. closes #31142
+ * Made pam_unix_passwd.so leave /etc/shadow mode 640 and root.shadow
+ after changes
+ * Fixed problem in pam_unix_auth that didn't let you su from a normal
+ user to another normal user (ie. neither one was root)
+ * Closing misc fixed bugs. closes #32809, #32274 (have been fixed,
+ just need closing)
+ * Tested lockvc with pam support, works for normal users (pam_pwdb)
+ closes: #31150
+ * Changed /var/log/wtmp in pam_lastlog docs to reflect correct
+ /var/log/lastlog file. closes: #26544
+ * Added -ldl to libpam.so, so apps don't have to
+
+ -- Ben Collins <bcollins@debian.org> Fri, 19 Feb 1999 18:47:30 -0500
+
+pam (0.66-4) unstable; urgency=low
+
+ * Changed pwdb_chkpwd to sgid shadow instead of suid root since it only
+ needs read permissions to /etc/shadow and not write.
+ * Moved a lot of files arouns to get rid of libpam-runtime dependencies
+ * Put libpam-pwdb into it's own package
+ * Removed -lpwdb links for modules since libpwdb is somewhat buggy (or
+ alteast it's interaction with libpam is)
+ * Fixed bug in pam_unix_passwd.so that caused it to never authenticate
+ the correct passwd, making it so you couldn't change the passwd
+
+ -- Ben Collins <bcollins@debian.org> Tue, 16 Feb 1999 15:50:28 -0500
+
+pam (0.66-3) unstable; urgency=low
+
+ * Fixed defaults in /etc/pam.d/other to be pam_unix_*.so modules instead
+ of the accidental pam_pwdb.so module
+ * Fixed suid of pwdb_chkpwd (had to move dh_fixperms after
+ dh_suidregister)
+ * Added Replaces: libpam0g-util in order to help dpkg upgrade from
+ older packages
+ * Applied glibc 2.1 patch from Christian Meder. closes: #32809
+ * Moved libpam-doc to Section doc. closes: #32274
+
+ -- Ben Collins <bcollins@debian.org> Fri, 12 Feb 1999 02:01:43 -0500
+
+pam (0.66-2) unstable; urgency=low
+
+ * Removed all of the versioned module stuff. Modules are now in
+ /lib/security and stay there. Seems after discussion, that modules may
+ not change as often as thought
+ * Fixed suidregister for pwdb_chkpwd
+ * Fixed incomplete descriptions in control file
+ * This is a kludge to close some bugs since the last upload was yanked
+ before being installed in the archive, closes: #16882, #30862, #7725,
+ #10234, #10406, #12210, #14291, #15528, #15529, #20660, #25330,
+ #29868, #31088, #31128, #9131, #9919, #19383, #5132, #14533, #25915,
+ #28075, #31548, #31191
+
+ -- Ben Collins <bcollins@debian.org> Tue, 2 Feb 1999 12:47:25 -0500
+
+pam (0.66-1) unstable; urgency=low
+
+ * New maintainer
+ * New upstream release. closes: #16882, #30862, #7725
+ * Created a better split of the main lib and the runtime to kill the
+ circular dependencies and make it possible to have two .so version of
+ the library installed for upgrades. closes: #10234, #10406, #12210,
+ bug #14291, #15528, #15529, #20660, #25330, #29868, #31088, #31128,
+ bug #9131, #9919.
+ * Harcoded modules directory prefixed with the .so version, and
+ used alternatives to create the symlink to the 'default' modules
+ directory. libpam will use the full path when specified, but use the
+ versioned modules directory for relative names.
+ * Put libpam0g-cracklib modules back in (own package). This means that
+ cracklib support is _not_ in the static libpam.a, also cracklib
+ support is _not_ in pam_unix_passwd.o, but only in pam_cracklib.so
+ by itself.
+ * Fixed a few typos in the source causing compile errors
+ * Fixed source #include's so that pam _didn't_ have to be installed
+ in order to compile the source ( changed from <> to "" )
+ * Removed empty directories from built packages
+ * Opted not to build examples, only going to put *.c files in examples
+ directory for libpam0g-dev
+ * Moved *.sgml files for modules into their own directory (looks like
+ that is what the original maintainer wanted to do, but it didn't go)
+ * Moved doc build to arch-indep build in rules so that it doesn't get
+ built when specifying -B with debuild/dpkg-buildpackage.
+ * Moved `touch .quiet...' to build-stamp in order to have -B builds not
+ ask about pam.conf
+ * Split out non-standard modules to their own package, so as to make the
+ base install smaller (planning for base inclusion here)
+ * Created small manpage for pwdb_chkpwd. closes: #10941
+ * The Copright file in /usr/doc/*/ was already named copright and not
+ compressed. closes: #14533
+ * Package is now lintian clean. closes #19383, #5132
+ * There is a maintainer now and the patch for #25915 is still included
+ so.... closes: #25915
+ * Added check for editor backup files in /etc/pam.d (*~). closes: #28075
+ * Applied patch for md5.h in pam_pwdb module. closes: #31548
+ * Added support for dhelp in libpam-doc. closes: #31191
+
+ -- Ben Collins <bcollins@debian.org> Wed, 20 Jan 1999 07:09:15 -0500
+
+pam (0.65-0.8) frozen unstable; urgency=high
+
+ * Marked PAM as orphaned, given that there has been no maintainer upload
+ in almost two years.
+ * [defs/debian.defs] Removed superflous cracklib2 dependency.
+ (Urgent as cracklib still has release-critical bugs).
+ (Fixes #30862).
+
+ -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Wed, 20 Jan 1999 09:34:35 +0100
+
+pam (0.65-0.7) frozen unstable; urgency=high
+
+ * Fixed security vulnerability in the pam_unix and pam_tally modules
+ (reported by Michal Zalewski on bugtraq; patch
+ A000-SECURITY-PATCH-0.65-and-below.gz by Andrey V. Savochkin).
+
+ -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Tue, 29 Dec 1998 16:20:18 +0100
+
+pam (0.65-0.6) unstable; urgency=high
+
+ * Fixed distribution of files over the various packages, which was
+ severely messed up.
+ * Added appropriate Replaces: to ensure upgrading from both the hamm
+ version and previous slink versions.
+ * Fixed debug libraries, PAM module loading.
+ * Added examples.
+ * Added a "pam-undocumented" manpage pointing to libpam-doc, and
+ made links for functions without a manpage to that.
+
+ -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Sun, 11 Oct 1998 19:29:40 +0200
+
+pam (0.65-0.5) unstable; urgency=low
+
+ * Rewritten the preinst warning text (it still mentioned the search path).
+
+ -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Fri, 9 Oct 1998 14:23:18 +0200
+
+pam (0.65-0.4) unstable; urgency=high
+
+ * It looks like I misunderstood DEFAULT_MODULE_PATH: Linux-PAM does not
+ currently seem to be easily configured to look for modules in more than
+ one directory. With this version, it's configured to look only in
+ /lib/security .
+
+ -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Fri, 9 Oct 1998 11:43:34 +0200
+
+pam (0.65-0.3) unstable; urgency=medium
+
+ * Moving the PAM modules to /lib/security broke netatalk.
+ Added a preinst script to detect /etc/pam.d files with explicit paths to
+ PAM modules, give a warning about them, and offer to abort the install
+ (Fixes #27514).
+
+ -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Tue, 6 Oct 1998 20:10:43 +0200
+
+pam (0.65-0.2) unstable; urgency=low
+
+ * Argh. The tools didn't recognise -0.1 as a new upstream release, so
+ my previous upload was rejected due to a missing .orig.tar.gz .
+
+ -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Sun, 4 Oct 1998 17:15:09 +0200
+
+pam (0.65-0.1) experimental; urgency=low
+
+ * New upstream version.
+ * Non-maintainer upload.
+ * Major package overhaul; now uses debhelper.
+ * In experimental for now. *Please* provide feedback; if the feedback is
+ positive, we can put this in slink.
+ * Dropped libc5 support.
+ * [libpam/pam_static.c] Fixed compilation: "pamh" was undefined; use "NULL".
+ is this the correct fix?
+ * [defs/debian.defs] New.
+ * [Makefile]
+ * Exit when a make in a subdirectory fails.
+ * Compile statically too.
+ * New variables: LC, LP, LPLIBS, DEFAULT_MODULE_PATH .
+ * [libpam/Makefile]
+ * Use DEFAULT_MODULE_PATH if nonempty.
+ * Link libpam against LPLIBS.
+ * [modules/*/Makefile]
+ * Link the dynamic security objects against libpam and libc
+ (LP and LC).
+ * [modules/pam_pwdb/Makefile]
+ * Link dynamic security objects against libcrypt and libnsl.
+ * [conf/install_conf] Allow for non-interactive install (as the other
+ install_conf scripts already did).
+ * Automatically determine the list of /etc/security/* conffiles.
+ * Moved libpam to /lib, and PAM modules to /lib/security as they will
+ become part of the base system in the future.
+ * Built without cracklib support, to keep the base system smaller.
+ * /sbin/pwdb_chkpwd is undocumented, as is upperLOWER.
+
+ -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Fri, 2 Oct 1998 20:23:27 +0200
+
+pam (0.57b-0.4) unstable; urgency=high
+
+ * Non maintainer upload
+ My previous upload had removed the libc5 stuff from the controlfile
+ messing up things. Change 'Architecture: any' to 'i386 m68k' for those
+ .deb's instead.
+
+ -- Turbo Fredriksson <turbo@debian.org> Thu, 20 Aug 1998 20:06:50 -0400
+
+pam (0.57b-0.3) unstable; urgency=high
+
+ * Non maintainer upload
+ On a glibc2.1 system, XCASE is only defined in the <bits/termios.h>
+ _IF_ '__USE_MISC' or '__USE_UNIX98' is defined.
+
+ -- Turbo Fredriksson <turbo@debian.org> Sun, 16 Aug 1998 22:13:45 -0400
+
+pam (0.57b-0.2) unstable; urgency=high
+
+ * Yet another non-maintainer release.
+ * Zero changes; simply a re-upload due to a rm-trigger happy release
+ ``manager''.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Tue, 17 Mar 1998 19:55:16 +0100
+
+pam (0.57b-0.1) unstable; urgency=medium
+
+ * Non-maintainer release.
+ * debian/control (Standards-Version): Updated to 2.4.0.0.
+ * debian/control (libpam0g-dev): Also conflict with libpam-dbg.
+ * debian/postinst: use case statement instead of if.
+ * debian/rules (COMPAT_ARCHES): removed sparc.
+ * debian/rules (binary-libc6-dev, binary-libc5-altdev): strip static libraries with
+ --strip-debug, not --strip-unneeded.
+ * debian/rules: each package now has it's own doc directory under
+ /usr/doc/, containing at least the copyright file (Policy 5.6).
+ * debian/rules: install files with `install -m 644' not `cp -p' to avoid
+ read-only files.
+ * debian/rules (binary-libc6-util): strip /usr/lib/*/security/*.so with
+ --strip-unneeded.
+ * debian/rules (binary-libc5-util): ditto.
+ * debian/rules (binary-libc5): don't depend on binary-libc5.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Sat, 7 Mar 1998 18:04:19 +0100
+
+pam (0.57b-0) unstable; urgency=medium
+
+ * Non-maintainer release.
+ * New upstream version.
+ * Doesn't use pristine upstream source as the upstream tar ball is broken.
+ * Added libc6 libraries libpam0g, libpam0g-dev, libpam0g-dbg and
+ libpam0g-util. [#11697]
+ * libpam-dev becomes libpam0-altdev, libpam-util -> libpam0-altutil and
+ libpam-dbg is removed.
+ * libpam0 depends on libpam0g because libpam0g contains the pam conffile.
+ * libpam0-util depends on libpam0g-util because libpam0g contains the binary.
+ * Compiled with -D_REENTRANT and link with -lc.
+ * Fixed permissions on shared libraries.
+ * Corrected syntax of /etc/pam.d/other. [#10497, #10758, #12030]
+ * Fixed typos in postinst. [#10474, #11365]
+ * Made /etc/pam.conf a conffile.
+ * Updated URL in copyright file.
+ * Removed over-zelaously installed README* files from libpam-doc.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Sat, 22 Nov 1997 17:54:30 +0100
+
+pam (0.56-2) unstable; urgency=low
+
+ * Added /etc/pam.d/other with policy 'deny'.
+ * Add manual pages for PAM security modules.
+
+ -- Klee Dienes <klee@debian.org> Sat, 15 Mar 1997 22:33:22 -0500
+
+pam (0.56-1) unstable; urgency=low
+
+ * New upstream release.
+ * Converted to new packaging format.
+ * Reorganization of package structure (-dev, -dbg, etc).
+
+ -- Klee Dienes <klee@debian.org> Sat, 8 Mar 1997 01:21:17 -0500
diff --git a/debian/changelog.old b/debian/changelog.old
new file mode 100644
index 00000000..98135ced
--- /dev/null
+++ b/debian/changelog.old
@@ -0,0 +1,13 @@
+pam (0.50-1) unstable; urgency=low
+
+ * added Debian GNU/Linux package maintenance system files.
+ * changes to the installation procedure to fit the Debian packaging
+ system ($PREFIX handling, unconditionally install configuration files,
+ don't run ldconfig after installing the shared libraries).
+ * added documentation in the extradoc directory
+ * commented out all unused entries in etc/pam.conf, etc/secure/group.conf
+ and etc/secure/time.conf
+
+ -- Patrick Weemeeuw <patrick.weemeeuw@kulnet.kuleuven.ac.be>
+
+
diff --git a/debian/clean b/debian/clean
new file mode 100644
index 00000000..18af497a
--- /dev/null
+++ b/debian/clean
@@ -0,0 +1,3 @@
+debian/local/pam_getenv.8
+debian/libpam0g-dev.links
+debian/libpam0g-dev.install
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 00000000..ec635144
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 00000000..cbc6855e
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,104 @@
+Source: pam
+Section: libs
+Priority: optional
+Uploaders: Sam Hartman <hartmans@debian.org>, Roger Leigh <rleigh@debian.org>
+Maintainer: Steve Langasek <vorlon@debian.org>
+Standards-Version: 3.9.1
+Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper (>= 8.9.4), quilt (>= 0.48-1), flex, libdb-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev
+Build-Depends-Indep: xsltproc, libxml2-utils, docbook-xml, docbook-xsl, w3m
+Build-Conflicts-Indep: fop
+Build-Conflicts: libdb4.2-dev, libxcrypt-dev
+Vcs-Bzr: http://bzr.debian.org/bzr/pkg-pam/debian/sid/
+Homepage: http://pam.sourceforge.net/
+
+Package: libpam0g
+Priority: required
+Architecture: any
+Multi-Arch: same
+Replaces: libpam0g-util
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Pre-Depends: ${misc:Pre-Depends}
+Suggests: libpam-doc
+Description: Pluggable Authentication Modules library
+ Contains the shared library for Linux-PAM, a library that enables the
+ local system administrator to choose how applications authenticate users.
+ In other words, without rewriting or recompiling a PAM-aware application,
+ it is possible to switch between the authentication mechanism(s) it uses.
+ One may entirely upgrade the local authentication system without touching
+ the applications themselves.
+
+Package: libpam-modules
+Section: admin
+Priority: required
+Architecture: any
+Multi-Arch: same
+Pre-Depends: ${shlibs:Depends}, ${misc:Depends}, libpam0g (>= 1.1.3-2),
+ libpam-modules-bin (= ${binary:Version})
+Conflicts: libpam-motd, libpam-mkhomedir, libpam-umask
+Replaces: libpam0g-util, libpam-umask
+Provides: libpam-motd, libpam-mkhomedir, libpam-umask
+Description: Pluggable Authentication Modules for PAM
+ This package completes the set of modules for PAM. It includes the
+ pam_unix.so module as well as some specialty modules.
+
+Package: libpam-modules-bin
+Section: admin
+Priority: required
+Architecture: any
+Multi-Arch: foreign
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Replaces: libpam-modules (<< 1.1.3-8)
+Description: Pluggable Authentication Modules for PAM - helper binaries
+ This package contains helper binaries used by the standard set of PAM
+ modules in the libpam-modules package.
+
+Package: libpam-runtime
+Section: admin
+Priority: required
+Architecture: all
+Multi-Arch: foreign
+Depends: ${misc:Depends}, debconf (>= 1.5.19) | cdebconf, libpam-modules (>= 1.0.1-6)
+Replaces: libpam0g-util, libpam0g-dev
+Conflicts: libpam0g-util
+Description: Runtime support for the PAM library
+ Contains configuration files and directories required for
+ authentication to work on Debian systems. This package is required
+ on almost all installations.
+
+Package: libpam0g-dev
+Section: libdevel
+Priority: optional
+Architecture: any
+Multi-Arch: same
+Depends: ${misc:Depends}, libpam0g (= ${binary:Version}), libc6-dev|libc-dev
+Provides: libpam-dev
+Description: Development files for PAM
+ Contains C header files and development libraries for libpam, the Pluggable
+ Authentication Modules, a library that enables the local system
+ administrator to choose how applications authenticate users.
+ .
+ PAM decouples applications from the authentication mechanism, making it
+ possible to upgrade the authentication system without recompiling or
+ rewriting the applications.
+
+Package: libpam-cracklib
+Section: admin
+Priority: optional
+Architecture: any
+Multi-Arch: same
+Replaces: libpam0g-cracklib, libpam-modules (<< 1.1.0-3)
+Depends: ${misc:Depends}, ${shlibs:Depends}, libpam-runtime (>= 1.0.1-6), cracklib-runtime, wamerican | wordlist
+Description: PAM module to enable cracklib support
+ This package includes libpam_cracklib, a PAM module that tests
+ passwords to make sure they are not too weak during password change.
+
+Package: libpam-doc
+Provides: pam-doc
+Section: doc
+Priority: optional
+Architecture: all
+Depends: ${misc:Depends}
+Description: Documentation of PAM
+ Contains documentation (in HTML, ASCII, and PostScript format) for libpam,
+ the Pluggable Authentication Modules library, a library that enables the
+ local system administrator to choose how applications authenticate users.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 00000000..45201f1d
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,67 @@
+This package was debianized by J.H.M. Dassen (Ray) jdassen@debian.org on
+Wed, 23 Sep 1998 20:29:32 +0200.
+
+It was downloaded from ftp://ftp.kernel.org/pub/linux/libs/pam/pre/
+
+Copyright (C) 1994, 1995, 1996 Olaf Kirch, <okir@monad.swb.de>
+Copyright (C) 1995 Wietse Venema
+Copyright (C) 1995, 2001-2008 Red Hat, Inc.
+Copyright (C) 1996-1999, 2000-2003, 2005 Andrew G. Morgan <morgan@kernel.org>
+Copyright (C) 1996, 1997, 1999 Cristian Gafton <gafton@redhat.com>
+Copyright (C) 1996, 1999 Theodore Ts'o
+Copyright (C) 1996 Alexander O. Yuriev
+Copyright (C) 1996 Elliot Lee
+Copyright (C) 1997 Philip W. Dalrymple <pwd@mdtsoft.com>
+Copyright (C) 1999 Jan Rękorajski
+Copyright (C) 1999 Ben Collins <bcollins@debian.org>
+Copyright (C) 2000-2001, 2003, 2005, 2007 Steve Langasek
+Copyright (C) 2003, 2005 IBM Corporation
+Copyright (C) 2003, 2006 SuSE Linux AG.
+Copyright (C) 2003 Nalin Dahyabhai <nalin@redhat.com>
+Copyright (C) 2005-2008 Thorsten Kukuk <kukuk@thkukuk.de>
+Copyright (C) 2005 Darren Tucker
+
+
+Unless otherwise *explicitly* stated the following text describes the
+licensed conditions under which the contents of this Linux-PAM release
+may be distributed:
+
+-------------------------------------------------------------------------
+Redistribution and use in source and binary forms of Linux-PAM, with
+or without modification, are permitted provided that the following
+conditions are met:
+
+1. Redistributions of source code must retain any existing copyright
+ notice, and this entire permission notice in its entirety,
+ including the disclaimer of warranties.
+
+2. Redistributions in binary form must reproduce all prior and current
+ copyright notices, this list of conditions, and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+3. The name of any author may not be used to endorse or promote
+ products derived from this software without their specific prior
+ written permission.
+
+ALTERNATIVELY, this product may be distributed under the terms of the
+GNU General Public License, in which case the provisions of the GNU
+GPL are required INSTEAD OF the above restrictions. (This clause is
+necessary due to a potential conflict between the GNU GPL and the
+restrictions contained in a BSD-style copyright.)
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGE.
+-------------------------------------------------------------------------
+
+On Debian GNU/Linux systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
diff --git a/debian/libpam-cracklib.install b/debian/libpam-cracklib.install
new file mode 100644
index 00000000..55265e5e
--- /dev/null
+++ b/debian/libpam-cracklib.install
@@ -0,0 +1,2 @@
+lib/*/security/pam_cracklib.so
+debian/pam-configs/cracklib usr/share/pam-configs
diff --git a/debian/libpam-cracklib.lintian-overrides b/debian/libpam-cracklib.lintian-overrides
new file mode 100644
index 00000000..c3d6b240
--- /dev/null
+++ b/debian/libpam-cracklib.lintian-overrides
@@ -0,0 +1,5 @@
+# This is afalse positive because it doesn't use any functions that need
+# fortifying. Since we know we have hardening turned on globally, suppress
+# this. If we ever see this warning again for *other* modules, then we know
+# there's a real problem.
+libpam-cracklib: hardening-no-fortify-functions lib/*/security/pam_cracklib.so
diff --git a/debian/libpam-cracklib.manpages b/debian/libpam-cracklib.manpages
new file mode 100644
index 00000000..0660c415
--- /dev/null
+++ b/debian/libpam-cracklib.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man8/pam_cracklib.8
diff --git a/debian/libpam-cracklib.postinst b/debian/libpam-cracklib.postinst
new file mode 100644
index 00000000..cf52f262
--- /dev/null
+++ b/debian/libpam-cracklib.postinst
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+if dpkg --compare-versions "$2" lt 1.0.1-6; then
+ pam-auth-update --package
+fi
+
+#DEBHELPER#
diff --git a/debian/libpam-cracklib.prerm b/debian/libpam-cracklib.prerm
new file mode 100644
index 00000000..1b376409
--- /dev/null
+++ b/debian/libpam-cracklib.prerm
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = remove ]; then
+ pam-auth-update --package --remove cracklib
+fi
+
+#DEBHELPER#
diff --git a/debian/libpam-doc.doc-base.admin-guide b/debian/libpam-doc.doc-base.admin-guide
new file mode 100644
index 00000000..f06d1688
--- /dev/null
+++ b/debian/libpam-doc.doc-base.admin-guide
@@ -0,0 +1,14 @@
+Document: pam-admin-guide
+Title: The Linux-PAM System Administrators' Guide
+Author: Andrew G. Morgan <morgan@linux.kernel.org>
+Abstract: This manual documents what a system administrator needs to know
+ about the Linux-PAM library. It covers the correct syntax of the PAM
+ configuration file and discusses strategies for maintaining a secure system.
+Section: System/Administration
+
+Format: HTML
+Index: /usr/share/doc/libpam-doc/html/Linux-PAM_SAG.html
+Files: /usr/share/doc/libpam-doc/html/Linux-PAM_SAG.html /usr/share/doc/libpam-doc/html/sag-*.html
+
+Format: text
+Files: /usr/share/doc/libpam-doc/txt/Linux-PAM_SAG.txt.gz
diff --git a/debian/libpam-doc.doc-base.applications-guide b/debian/libpam-doc.doc-base.applications-guide
new file mode 100644
index 00000000..f38ef1e5
--- /dev/null
+++ b/debian/libpam-doc.doc-base.applications-guide
@@ -0,0 +1,17 @@
+Document: pam-applications-guide
+Title: The Linux-PAM Application Developers' Guide
+Author: Andrew G. Morgan <morgan@linux.kernel.org>
+Abstract: This manual documents what an application developer needs to know
+ about the Linux-PAM library. It describes how an application might use
+ the Linux-PAM library to authenticate users. In addition it contains a
+ description of the funtions to be found in libpam_misc library, that can
+ be used in general applications. Finally, it contains some comments on PAM
+ related security issues for the application developer.
+Section: Programming
+
+Format: HTML
+Index: /usr/share/doc/libpam-doc/html/Linux-PAM_ADG.html
+Files: /usr/share/doc/libpam-doc/html/Linux-PAM_ADG.html /usr/share/doc/libpam-doc/html/adg*.html
+
+Format: text
+Files: /usr/share/doc/libpam-doc/txt/Linux-PAM_ADG.txt.gz
diff --git a/debian/libpam-doc.doc-base.modules-guide b/debian/libpam-doc.doc-base.modules-guide
new file mode 100644
index 00000000..4708f381
--- /dev/null
+++ b/debian/libpam-doc.doc-base.modules-guide
@@ -0,0 +1,14 @@
+Document: pam-modules-guide
+Title: The Linux-PAM Module Writers' Guide
+Author: ndrew G. Morgan <morgan@linux.kernel.org>
+Abstract: This manual documents what a programmer needs to know in order to
+ write a module that conforms to the Linux-PAM standard. It also discusses
+ some security issues from the point of view of the module programmer.
+Section: Programming
+
+Format: HTML
+Index: /usr/share/doc/libpam-doc/html/Linux-PAM_MWG.html
+Files: /usr/share/doc/libpam-doc/html/Linux-PAM_MWG.html /usr/share/doc/libpam-doc/html/mwg*.html
+
+Format: text
+Files: /usr/share/doc/libpam-doc/txt/Linux-PAM_MWG.txt.gz
diff --git a/debian/libpam-doc.install b/debian/libpam-doc.install
new file mode 100644
index 00000000..3129ebf1
--- /dev/null
+++ b/debian/libpam-doc.install
@@ -0,0 +1,3 @@
+debian/tmp/usr/share/doc/Linux-PAM/*.html usr/share/doc/libpam-doc/html
+debian/tmp/usr/share/doc/Linux-PAM/*.txt usr/share/doc/libpam-doc/txt
+
diff --git a/debian/libpam-modules-bin.install b/debian/libpam-modules-bin.install
new file mode 100644
index 00000000..fee3bced
--- /dev/null
+++ b/debian/libpam-modules-bin.install
@@ -0,0 +1,6 @@
+sbin/unix_chkpwd sbin
+sbin/unix_update sbin
+sbin/pam_tally sbin
+sbin/pam_tally2 sbin
+sbin/mkhomedir_helper sbin
+sbin/pam_timestamp_check usr/sbin
diff --git a/debian/libpam-modules-bin.lintian-overrides b/debian/libpam-modules-bin.lintian-overrides
new file mode 100644
index 00000000..56345417
--- /dev/null
+++ b/debian/libpam-modules-bin.lintian-overrides
@@ -0,0 +1,6 @@
+# yes, we know it's sgid, that's the whole point...
+libpam-modules-bin: setgid-binary sbin/unix_chkpwd 2755 root/shadow
+# these manpages are in libpam-modules as they document both the module and
+# the helper binary
+libpam-modules-bin: binary-without-manpage sbin/pam_tally
+libpam-modules-bin: binary-without-manpage sbin/pam_tally2
diff --git a/debian/libpam-modules-bin.manpages b/debian/libpam-modules-bin.manpages
new file mode 100644
index 00000000..8ab40612
--- /dev/null
+++ b/debian/libpam-modules-bin.manpages
@@ -0,0 +1,3 @@
+debian/tmp/usr/share/man/man8/mkhomedir_helper.8
+debian/tmp/usr/share/man/man8/unix_*.8
+debian/tmp/usr/share/man/man8/pam_timestamp_check.8
diff --git a/debian/libpam-modules.examples b/debian/libpam-modules.examples
new file mode 100644
index 00000000..f9de4282
--- /dev/null
+++ b/debian/libpam-modules.examples
@@ -0,0 +1,2 @@
+modules/pam_filter/upperLOWER/*.c
+
diff --git a/debian/libpam-modules.install b/debian/libpam-modules.install
new file mode 100644
index 00000000..191a34ea
--- /dev/null
+++ b/debian/libpam-modules.install
@@ -0,0 +1,2 @@
+etc/security/* etc/security
+lib/*/security/*.so
diff --git a/debian/libpam-modules.lintian-overrides b/debian/libpam-modules.lintian-overrides
new file mode 100644
index 00000000..c6f25ec7
--- /dev/null
+++ b/debian/libpam-modules.lintian-overrides
@@ -0,0 +1,13 @@
+# These are false positives because they don't use any functions that need
+# fortifying. Since we know we have hardening turned on globally, suppress
+# them. If we ever see this warning again for *other* modules, then we know
+# there's a real problem.
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_echo.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_filter.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_group.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_limits.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_shells.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_tally.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_tally2.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_time.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_wheel.so
diff --git a/debian/libpam-modules.manpages b/debian/libpam-modules.manpages
new file mode 100644
index 00000000..a9f488d0
--- /dev/null
+++ b/debian/libpam-modules.manpages
@@ -0,0 +1,2 @@
+debian/tmp/usr/share/man/man8/pam_*.8
+debian/tmp/usr/share/man/man5/*conf.5
diff --git a/debian/libpam-modules.postinst b/debian/libpam-modules.postinst
new file mode 100644
index 00000000..ce03090b
--- /dev/null
+++ b/debian/libpam-modules.postinst
@@ -0,0 +1,28 @@
+#!/bin/sh -e
+
+# If the user has removed the config file, respect this sign of dementia
+# -- only create on package install.
+
+if [ -z "$2" ] || dpkg --compare-versions "$2" lt 0.99.7.1-3
+then
+ if ! [ -f /etc/security/opasswd ]; then
+ umask 066
+ touch /etc/security/opasswd
+ umask 022
+ fi
+fi
+
+if dpkg --compare-versions "$2" lt 0.99.9.0-1 && ! [ -f /etc/environment ]
+then
+ touch /etc/environment
+fi
+
+if dpkg --compare-versions "$2" lt-nl 1.1.2-1 \
+ && grep -q 'pam_unix.*\bmin=[0-9]\+' /etc/pam.d/common-password
+then
+ echo "'min=' option to pam_unix is obsolete."
+ echo "replacing with 'minlen=' in /etc/pam.d/common-password."
+ sed -i -e'/pam_unix/ s/\bmin=/minlen=/' /etc/pam.d/common-password
+fi
+
+#DEBHELPER#
diff --git a/debian/libpam-modules.preinst b/debian/libpam-modules.preinst
new file mode 100644
index 00000000..6ee3e91d
--- /dev/null
+++ b/debian/libpam-modules.preinst
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e
+
+. /usr/share/debconf/confmodule
+
+if dpkg --compare-versions "$2" lt-nl 1.1.3-2; then
+ db_version 2.0
+
+ if pidof xscreensaver xlockmore >/dev/null; then
+ db_input critical libpam-modules/disable-screensaver || true
+ db_go || true
+ fi
+fi
+
+#DEBHELPER#
diff --git a/debian/libpam-modules.templates b/debian/libpam-modules.templates
new file mode 100644
index 00000000..b928751e
--- /dev/null
+++ b/debian/libpam-modules.templates
@@ -0,0 +1,9 @@
+Template: libpam-modules/disable-screensaver
+Type: error
+_Description: xscreensaver and xlockmore must be restarted before upgrading
+ One or more running instances of xscreensaver or xlockmore have been
+ detected on this system. Because of incompatible library changes, the
+ upgrade of the libpam-modules package will leave you unable to
+ authenticate to these programs. You should arrange for these programs
+ to be restarted or stopped before continuing this upgrade, to avoid
+ locking your users out of their current sessions.
diff --git a/debian/libpam-runtime.dirs b/debian/libpam-runtime.dirs
new file mode 100644
index 00000000..fd23e8bf
--- /dev/null
+++ b/debian/libpam-runtime.dirs
@@ -0,0 +1 @@
+/var/lib/pam
diff --git a/debian/libpam-runtime.install b/debian/libpam-runtime.install
new file mode 100644
index 00000000..5619c83c
--- /dev/null
+++ b/debian/libpam-runtime.install
@@ -0,0 +1,7 @@
+debian/local/pam.conf etc
+debian/local/other etc/pam.d
+debian/local/common-* usr/share/pam
+debian/local/pam_getenv usr/sbin
+debian/tmp/usr/share/locale usr/share
+debian/local/pam-auth-update usr/sbin
+debian/pam-configs/unix usr/share/pam-configs/
diff --git a/debian/libpam-runtime.links b/debian/libpam-runtime.links
new file mode 100644
index 00000000..9afa90fd
--- /dev/null
+++ b/debian/libpam-runtime.links
@@ -0,0 +1 @@
+usr/share/man/man7/PAM.7.gz usr/share/man/man7/pam.7.gz
diff --git a/debian/libpam-runtime.lintian-overrides b/debian/libpam-runtime.lintian-overrides
new file mode 100644
index 00000000..ad868c24
--- /dev/null
+++ b/debian/libpam-runtime.lintian-overrides
@@ -0,0 +1,9 @@
+# deliberate.
+libpam-runtime: no-debconf-config
+# this warning is just plain crack, there's no reason that using debconf
+# outside of a maintainer script implies an error.
+libpam-runtime: debconf-is-not-a-registry usr/sbin/pam-auth-update
+# this warning is wrong for debconf error templates
+libpam-runtime: postinst-uses-db-input
+# meh.
+libpam-runtime: using-first-person-in-templates libpam-runtime/you-had-no-auth
diff --git a/debian/libpam-runtime.manpages b/debian/libpam-runtime.manpages
new file mode 100644
index 00000000..1e7d9aed
--- /dev/null
+++ b/debian/libpam-runtime.manpages
@@ -0,0 +1,5 @@
+debian/tmp/usr/share/man/man5/pam.conf.5
+debian/tmp/usr/share/man/man5/pam.d.5
+debian/tmp/usr/share/man/man8/PAM.8
+debian/local/pam_getenv.8
+debian/local/pam-auth-update.8
diff --git a/debian/libpam-runtime.postinst b/debian/libpam-runtime.postinst
new file mode 100644
index 00000000..518e8d24
--- /dev/null
+++ b/debian/libpam-runtime.postinst
@@ -0,0 +1,45 @@
+#!/bin/sh -e
+
+. /usr/share/debconf/confmodule
+
+calculate_md5sum()
+{
+ configfile="$1"
+ sed -n -e'1,/# here are the per-package modules (the "Primary" block)/p;
+ /# here.s the fallback if no module succeeds/,/# and here are more per-package modules (the "Additional" block)/p;
+ /# end of pam-auth-update config/,$p' \
+ /etc/pam.d/"$configfile" | md5sum | awk '{ print $1 }'
+}
+
+# If the user has removed the config file, respect this sign of dementia
+# -- only create on package install.
+force=
+if [ -z "$2" ] || dpkg --compare-versions "$2" lt 1.0.1-11
+then
+ force=--force
+ for configfile in common-auth common-account common-session \
+ common-password
+ do
+ if [ -f /etc/pam.d/$configfile ] && \
+ ! fgrep -q $(calculate_md5sum $configfile) \
+ /usr/share/pam/$configfile.md5sums 2>/dev/null
+ then
+ force=
+ fi
+ done
+fi
+
+pam-auth-update --package $force
+
+if [ -n "$force" ]; then
+ rm -f /etc/pam.d/common-auth.pam-old \
+ /etc/pam.d/common-account.pam-old \
+ /etc/pam.d/common-password.pam-old \
+ /etc/pam.d/common-session.pam-old
+elif dpkg --compare-versions "$2" lt-nl 1.1.0-1 \
+ && [ ! -e /etc/pam.d/common-session-noninteractive ]
+then
+ cp -a /etc/pam.d/common-session /etc/pam.d/common-session-noninteractive
+fi
+
+#DEBHELPER#
diff --git a/debian/libpam-runtime.postrm b/debian/libpam-runtime.postrm
new file mode 100644
index 00000000..9a11040d
--- /dev/null
+++ b/debian/libpam-runtime.postrm
@@ -0,0 +1,11 @@
+#!/bin/sh -e
+
+if [ "$1" = "purge" ]; then
+ rm -f /etc/pam.d/common-auth /etc/pam.d/common-account \
+ /etc/pam.d/common-session /etc/pam.d/common-password
+ rm -f /var/lib/pam/auth /var/lib/pam/account /var/lib/pam/session \
+ /var/lib/pam/password /var/lib/pam/seen
+ rmdir --ignore-fail-on-non-empty /var/lib/pam
+fi
+
+#DEBHELPER#
diff --git a/debian/libpam-runtime.prerm b/debian/libpam-runtime.prerm
new file mode 100644
index 00000000..ec239237
--- /dev/null
+++ b/debian/libpam-runtime.prerm
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = remove ]; then
+ pam-auth-update --package --remove unix
+fi
+
+#DEBHELPER#
diff --git a/debian/libpam-runtime.templates b/debian/libpam-runtime.templates
new file mode 100644
index 00000000..52cbed96
--- /dev/null
+++ b/debian/libpam-runtime.templates
@@ -0,0 +1,47 @@
+Template: libpam-runtime/title
+Type: title
+_Description: PAM configuration
+
+Template: libpam-runtime/profiles
+Type: multiselect
+Choices: ${profiles}
+Choices-C: ${profile_names}
+_Description: PAM profiles to enable:
+ Pluggable Authentication Modules (PAM) determine how authentication,
+ authorization, and password changing are handled on the system, as well
+ as allowing configuration of additional actions to take when starting
+ user sessions.
+ .
+ Some PAM module packages provide profiles that can be used to
+ automatically adjust the behavior of all PAM-using applications on the
+ system. Please indicate which of these behaviors you wish to enable.
+
+Template: libpam-runtime/conflicts
+Type: error
+#flag:translate!:3
+#flag:comment:2
+# This paragraph is followed by a (currently) non-translatable list of
+# PAM profile names.
+_Description: Incompatible PAM profiles selected.
+ The following PAM profiles cannot be used together:
+ .
+ ${conflicts}
+ .
+ Please select a different set of modules to enable.
+
+Template: libpam-runtime/override
+Type: boolean
+Default: false
+_Description: Override local changes to /etc/pam.d/common-*?
+ One or more of the files /etc/pam.d/common-{auth,account,password,session}
+ have been locally modified. Please indicate whether these local changes
+ should be overridden using the system-provided configuration. If you
+ decline this option, you will need to manage your system's
+ authentication configuration by hand.
+
+Template: libpam-runtime/no_profiles_chosen
+Type: error
+_Description: No PAM profiles have been selected.
+ No PAM profiles have been selected for use on this system. This would grant
+ all users access without authenticating, and is not allowed. Please select
+ at least one PAM profile from the available list.
diff --git a/debian/libpam0g-dev.examples b/debian/libpam0g-dev.examples
new file mode 100644
index 00000000..c1b7e77e
--- /dev/null
+++ b/debian/libpam0g-dev.examples
@@ -0,0 +1,5 @@
+examples/blank.c
+examples/check_user.c
+examples/vpass.c
+examples/xsh.c
+libpamc/test/{agents,modules,regress}
diff --git a/debian/libpam0g-dev.install.in b/debian/libpam0g-dev.install.in
new file mode 100644
index 00000000..827690aa
--- /dev/null
+++ b/debian/libpam0g-dev.install.in
@@ -0,0 +1,2 @@
+usr/include/security/*
+lib/@DEB_HOST_MULTIARCH@/*.a usr/lib/@DEB_HOST_MULTIARCH@
diff --git a/debian/libpam0g-dev.links.in b/debian/libpam0g-dev.links.in
new file mode 100644
index 00000000..ee062368
--- /dev/null
+++ b/debian/libpam0g-dev.links.in
@@ -0,0 +1,3 @@
+/lib/@DEB_HOST_MULTIARCH@/libpam.so.0 usr/lib/@DEB_HOST_MULTIARCH@/libpam.so
+/lib/@DEB_HOST_MULTIARCH@/libpamc.so.0 usr/lib/@DEB_HOST_MULTIARCH@/libpamc.so
+/lib/@DEB_HOST_MULTIARCH@/libpam_misc.so.0 usr/lib/@DEB_HOST_MULTIARCH@/libpam_misc.so
diff --git a/debian/libpam0g-dev.manpages b/debian/libpam0g-dev.manpages
new file mode 100644
index 00000000..7c726776
--- /dev/null
+++ b/debian/libpam0g-dev.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man3/*
diff --git a/debian/libpam0g.docs b/debian/libpam0g.docs
new file mode 100644
index 00000000..8ef4b45a
--- /dev/null
+++ b/debian/libpam0g.docs
@@ -0,0 +1,2 @@
+debian/local/Debian-PAM-MiniPolicy
+README
diff --git a/debian/libpam0g.install b/debian/libpam0g.install
new file mode 100644
index 00000000..622f9ef2
--- /dev/null
+++ b/debian/libpam0g.install
@@ -0,0 +1 @@
+lib/*/lib*.so.*
diff --git a/debian/libpam0g.lintian-overrides b/debian/libpam0g.lintian-overrides
new file mode 100644
index 00000000..f66356af
--- /dev/null
+++ b/debian/libpam0g.lintian-overrides
@@ -0,0 +1,8 @@
+# obvious multilib package false-positive; also the package name hasn't
+# changed since the glibc transition, go us!
+libpam0g: package-name-doesnt-match-sonames libpam0 libpam-misc0 libpamc0
+# yes, these are deliberately asked in the postinst because the checking
+# for daemons to be restarted needs to be done in the postinst and not
+# before
+libpam0g: no-debconf-config
+libpam0g: postinst-uses-db-input
diff --git a/debian/libpam0g.postinst b/debian/libpam0g.postinst
new file mode 100644
index 00000000..bc8a52f2
--- /dev/null
+++ b/debian/libpam0g.postinst
@@ -0,0 +1,200 @@
+#!/bin/sh
+
+# postinst based heavily on the postinst of libssl0.9.8, courtesy of
+# Christoph Martin.
+
+. /usr/share/debconf/confmodule
+
+set -e
+
+# element() is a helper function for file-rc:
+element() {
+ local element list IFS
+
+ element="$1"
+
+ [ "$2" = "in" ] && shift
+ list="$2"
+ [ "$list" = "-" ] && return 1
+ [ "$list" = "*" ] && return 0
+
+ IFS=","
+ set -- $list
+ case $element in
+ "$1"|"$2"|"$3"|"$4"|"$5"|"$6"|"$7"|"$8"|"$9")
+ return 0
+ esac
+ return 1
+}
+
+# filerc (runlevel, service) returns /etc/init.d/service, if service is
+# running in $runlevel:
+filerc() {
+ local runlevel basename
+ runlevel=$1
+ basename=$2
+ while read LINE
+ do
+ case $LINE in
+ \#*|"") continue
+ esac
+
+ set -- $LINE
+ SORT_NO="$1"; STOP="$2"; START="$3"; CMD="$4"
+ [ "$CMD" = "/etc/init.d/$basename" ] || continue
+
+ if element "$runlevel" in "$START" || element "S" in "$START"
+ then
+ echo "/etc/init.d/$basename"
+ return 0
+ fi
+ done < /etc/runlevel.conf
+ echo ""
+}
+
+installed_services() {
+ check="$@"
+
+ # Only get the ones that are installed, and configured
+ check=$(dpkg -s $check 2> /dev/null | egrep '^Package:|^Status:' | awk '{if ($1 ~ /^Package:/) { package=$2 } else if ($0 ~ /^Status: .* installed$/) { print package }}')
+
+ # some init scripts don't match the package names
+ check=$(echo $check | \
+ sed -e's/\bapache2-common\b/apache2/g' \
+ -e's/\bat\b/atd/g' \
+ -e's/\bdovecot-common\b/dovecot/g' \
+ -e's/\bdante-server\b/danted/g' \
+ -e's/\bexim4-base\b/exim4/g' \
+ -e's/\bheartbeat-2\b/heartbeat/g' \
+ -e's/\bhylafax-server\b/hylafax/g' \
+ -e's/\bpartimage-server\b/partimaged/g' \
+ -e's/\bpostgresql-common\b/postgresql/g' \
+ -e's/\bsasl2-bin\b/saslauthd/g' \
+ )
+
+ for service in $check; do
+ idl="/etc/init.d/${service}"
+ if [ -n "$idl" ] && [ -x $idl ]; then
+ services="$service $services"
+ else
+ echo "WARNING: init script for $service not found." >&2
+ fi
+ done
+ echo "$services"
+}
+
+if [ "$1" = "configure" ]
+then
+ if [ ! -z "$2" ]; then
+ if dpkg --compare-versions "$2" lt 1.1.3-2; then
+ db_version 2.0
+
+ echo -n "Checking for services that may need to be restarted..."
+
+ check="apache2-common at bayonne cherokee courier-authdaemon"
+ check="$check cron cups"
+ check="$check dante-server diald dovecot-common exim exim4-base"
+ check="$check fcron fireflier-server freeradius gdm heartbeat"
+ check="$check heartbeat-2 hylafax-server iiimf-server inn2"
+ check="$check kannel linesrv linesrv-mysql lsh-server"
+ check="$check muddleftpd netatalk nuauth partimage-server"
+ check="$check perdition pgpool popa3d"
+ check="$check postgresql-common proftpd pure-ftpd"
+ check="$check pure-ftpd-ldap pure-ftpd-mysql"
+ check="$check pure-ftpd-postgresql racoon samba sasl2-bin"
+ check="$check sfs-server solid-pop3d squid squid3 tac-plus"
+ check="$check vsftpd wu-ftpd wzdftpd xrdp yardradius yaws"
+
+ if ! who | awk '{print $2}'|grep -q ':[0-9]'; then
+ check="$check wdm xdm"
+ fi
+
+ echo "Checking init scripts..."
+ services=$(installed_services "$check")
+ if [ -n "$services" ]; then
+ db_input critical libraries/restart-without-asking || true
+ db_go || true
+ db_get libraries/restart-without-asking
+ if [ "$RET" != true ]; then
+ db_reset libpam0g/restart-services
+ db_set libpam0g/restart-services "$services"
+ db_input critical libpam0g/restart-services || true
+ db_go || true
+ db_get libpam0g/restart-services
+
+ if [ "x$RET" != "x" ]
+ then
+ services=$RET
+ else
+ services=""
+ fi
+ fi
+ echo
+ if [ "$services" != "" ]; then
+ echo "Restarting services possibly affected by the upgrade:"
+ failed=""
+ rl=$(runlevel | sed 's/.*\ //')
+ for service in $services; do
+ idl="invoke-rc.d ${service}"
+
+ case "$service" in
+ gdm)
+ echo -n " $service: reloading..."
+ if $idl reload > /dev/null 2>&1; then
+ echo "done."
+ else
+ echo "FAILED! ($?)"
+ failed="$service $failed"
+ fi
+ continue
+ ;;
+ esac
+ echo -n " $service: stopping..."
+ $idl stop > /dev/null 2>&1 || true
+ sleep 1
+ echo -n "starting..."
+ if $idl start > /dev/null 2>&1; then
+ echo "done."
+ else
+ echo "FAILED! ($?)"
+ failed="$service $failed"
+ fi
+ done
+ echo
+ if [ -n "$failed" ]; then
+ db_subst libpam0g/restart-failed services "$failed"
+ db_input critical libpam0g/restart-failed || true
+ db_go || true
+ else
+ echo "Services restarted successfully."
+ fi
+ echo
+ fi
+ else
+ echo "Nothing to restart."
+ fi
+
+ if who | awk '{print $2}' | grep -q ':[0-9]'; then
+ dms=""
+ for service in wdm xdm; do
+ case "$services" in
+ *$service*) ;;
+ *) dms="$dms $service"
+ esac
+ done
+ services=$(installed_services "$dms")
+ if [ -n "$services" ]; then
+ db_input critical libpam0g/xdm-needs-restart || true
+ db_go || true
+ fi
+ fi
+
+ # Shut down the frontend, to make sure none of the
+ # restarted services keep a connection open to it
+ db_stop
+ fi # end upgrading and $2 lt 1.1.3-2
+ fi # Upgrading
+fi
+
+#DEBHELPER#
+
diff --git a/debian/libpam0g.symbols b/debian/libpam0g.symbols
new file mode 100644
index 00000000..0ba30efa
--- /dev/null
+++ b/debian/libpam0g.symbols
@@ -0,0 +1,12 @@
+libpam.so.0 libpam0g #MINVER#
+ *@LIBPAM_1.0 0.99.7.1
+ *@LIBPAM_EXTENSION_1.0 0.99.7.1
+ *@LIBPAM_EXTENSION_1.1 1.1.0
+ *@LIBPAM_EXTENSION_1.1.1 1.1.1
+ *@LIBPAM_MODUTIL_1.0 0.99.7.1
+ *@LIBPAM_MODUTIL_1.1 0.99.10.0
+ *@LIBPAM_MODUTIL_1.1.3 1.1.3
+libpam_misc.so.0 libpam0g #MINVER#
+ *@LIBPAM_MISC_1.0 0.99.7.1
+libpamc.so.0 libpam0g #MINVER#
+ *@LIBPAMC_1.0 0.99.7.1
diff --git a/debian/libpam0g.templates b/debian/libpam0g.templates
new file mode 100644
index 00000000..64a616ac
--- /dev/null
+++ b/debian/libpam0g.templates
@@ -0,0 +1,38 @@
+Template: libpam0g/restart-services
+Type: string
+_Description: Services to restart for PAM library upgrade:
+ Most services that use PAM need to be restarted to use modules built for
+ this new version of libpam. Please review the following space-separated
+ list of init.d scripts for services to be restarted now, and correct it
+ if needed.
+
+Template: libpam0g/xdm-needs-restart
+Type: error
+_Description: Display manager must be restarted manually
+ The wdm and xdm display managers require a restart for the new version of
+ libpam, but there are X login sessions active on your system that would be
+ terminated by this restart. You will therefore need to restart these
+ services by hand before further X logins will be possible.
+
+Template: libpam0g/restart-failed
+Type: error
+#flag:translate!:3
+_Description: Failure restarting some services for PAM upgrade
+ The following services could not be restarted for the PAM library upgrade:
+ .
+ ${services}
+ .
+ You will need to start these manually by running
+ '/etc/init.d/<service> start'.
+
+Template: libraries/restart-without-asking
+Type: boolean
+Default: false
+_Description: Restart services during package upgrades without asking?
+ There are services installed on your system which need to be restarted
+ when certain libraries, such as libpam, libc, and libssl, are upgraded.
+ Since these restarts may cause interruptions of service for the system,
+ you will normally be prompted on each upgrade for the list of services
+ you wish to restart. You can choose this option to avoid being prompted;
+ instead, all necessary restarts will be done for you automatically so you
+ can avoid being asked questions on each library upgrade.
diff --git a/debian/local/Debian-PAM-MiniPolicy b/debian/local/Debian-PAM-MiniPolicy
new file mode 100644
index 00000000..e51a0246
--- /dev/null
+++ b/debian/local/Debian-PAM-MiniPolicy
@@ -0,0 +1,145 @@
+Author: Ben Collins <bcollins@debian.org>
+Modified by: Sam Hartman <hartmans@debian.org>,
+ Steve Langasek <vorlon@debian.org>
+
+Objective: To document a base set of policies regarding PAM (Pluggable
+Authentication Modules) usage in Debian packages.
+
+===========================================================================
+
+In order to have a consistent and stable implementation across packages
+that use PAM, these guidelines will help to avoid some common mistakes and
+be usable as a cross reference for FAQ's.
+
+This document will not go into the details of how to add PAM usage to
+existing code; please read the documentation in the libpam-doc package for
+info on that. However, it does specify behavior needed to make sure PAM
+modules in Debian will work with your application.
+
+==================
+ PAM Applications
+==================
+
+Each application that uses PAM also must contain a file in /etc/pam.d/.
+This file specifies which PAM modules will be used for the common PAM
+functions in that application. There are several notes concerning what
+modules to use in this file. Most commonly, this file should use the
+@include directive to include common-auth, common-account, and
+common-password, and one of either common-session or
+common-session-noninteractive.
+
+The selection of common-session or common-session-noninteractive is based
+on whether the service provides "shell-like" interactive capabilities to
+the user (e.g.: login, ssh, gdm) or is a non-interactive session or a
+session mediated by a structured protocol (e.g.: cron, cups, samba, ppp).
+This allows a service to avoid calling some modules, such as
+pam_ck_connector, that only make sense in an interactive context and should
+be avoided otherwise. It is expected that the modules used for
+noninteractive sessions will always be a subset of those used for
+interactive sessions.
+
+Under some circumstances (such as ftp auth, or auth based on tty) other
+service-specific modules will need to be listed in the service's /etc/pam.d
+file.
+
+Here is an example of a PAM configuration file that just includes the
+common module fragments:
+
+ #
+ # /etc/pam.d/other - specify the PAM fallback behaviour
+ #
+ # Note that this file is used for any unspecified service; for example
+ #if /etc/pam.d/cron specifies no session modules but cron calls
+ #pam_open_session, the session module out of /etc/pam.d/other is
+ #used. If you really want nothing to happen then use pam_permit.so or
+ #pam_deny.so as appropriate.
+
+ # We fall back to the system default in /etc/pam.d/common-*
+ #
+
+ @include common-auth
+ @include common-account
+ @include common-password
+ @include common-session
+
+The name of this file is determined by the call to pam_start() in the
+application source code. The first parameter will be a string containing
+the "service" name (eg. "login", "httpd", etc..). Please make sure that
+the filename coincides with the value of this parameter used in your
+application.
+
+The file should _not_ reference the full path of the modules. It only needs
+to reference the basename (eg. "pam_unix.so"). This will ensure that the
+program continues to work even if the module location changes, since
+libpam itself will resolve the location.
+
+
+Packages which configure their services by default to use modules other than
+those provided by /etc/pam.d/common-* must depend on the package providing
+those modules. E.g., /etc/pam.d/login includes the line:
+
+ session required pam_limits.so
+
+therefore it must depend on libpam-modules, which provides
+/lib/security/pam_limits.so.
+
+Applications need to depend on libpam-runtime (>= 0.76-14) to
+guarantee that /etc/pam.d/common-* exist.
+
+Applications that use common-session-noninteractive must depend
+on libpam-runtime (>= 1.0.1-11) for this file.
+
+
+The pam_unix.so module allows programs to authenticate the uid of the
+calling process without being setuid or setgid. NOTE: this means the user
+executing the program; you cannot authenticate other users without suid
+root (root makes sure the NIS and NIS+ works too) or at least sgid shadow
+(won't work in the above cases). Most notably this affects programs like
+apache being able to use PAM since it runs as www-data which has no
+privileges and cannot use pam_unix.so to authenticate other users. On the
+other hand it does allow programs like vlock to authenticate.
+
+The application needs to follow the following rules to make sure PAM
+modules work:
+
+1) Use the same PAM handle for all operations. This means it is not OK to
+call pam_start once for authentication and then later for session
+management. Modules need to be able to store pam_data between entry
+points.
+
+2) The pam_open_session and pam_setcred calls must be made in a parent
+process of the eventual session. They need to be able to influence the
+environment of the session.
+
+3) If you are started as root or have root privs for some other reason,
+pam_open_session and pam_setcred should be called while still root.
+
+4) Implied by 1, make sure that pam_close_session and pam_end are called in
+the same process or a process descended from the execution context as
+pam_open_session and pam_setcred. The pam_close_session call may need
+state stored in the handle by the open session entry point to clean up
+properly. The pam_end call may need to free data (thus influencing system
+state in some cases) allocated in the earlier calls.
+
+
+
+=============
+ PAM Modules
+=============
+
+Separately packaged PAM modules should adhere to a few basic setup rules:
+
+ 1) Packages should use the naming scheme of `libpam-<name>' (eg.
+ libpam-ldap).
+
+ 2) The modules should be located in the directory of the most recent
+ libpam-modules (currently /lib/security).
+
+ 3) The module should be named as pam_<name>.so. The module should not
+ contain a version suffix.
+
+ 4) The module should be linked to libpam (-lpam) when compiled so that
+ proper version dependencies will work.
+
+ 5) Any config files should be located in /etc/security. The filename
+ will be in the form of <name>.conf.
diff --git a/debian/local/common-account b/debian/local/common-account
new file mode 100644
index 00000000..84aa98d4
--- /dev/null
+++ b/debian/local/common-account
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+$account_primary
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+$account_additional
+# end of pam-auth-update config
diff --git a/debian/local/common-account.md5sums b/debian/local/common-account.md5sums
new file mode 100644
index 00000000..047c30ee
--- /dev/null
+++ b/debian/local/common-account.md5sums
@@ -0,0 +1,2 @@
+9f04221fe44762047894adeb96ffd069 debian/local/common-account
+3c0c362eaf3421848b679d63fd48c3fa # 1.0.1-6 -
diff --git a/debian/local/common-auth b/debian/local/common-auth
new file mode 100644
index 00000000..ac9d2dd3
--- /dev/null
+++ b/debian/local/common-auth
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+$auth_primary
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+$auth_additional
+# end of pam-auth-update config
diff --git a/debian/local/common-auth.md5sums b/debian/local/common-auth.md5sums
new file mode 100644
index 00000000..48bd3590
--- /dev/null
+++ b/debian/local/common-auth.md5sums
@@ -0,0 +1,3 @@
+933d757dcd5974b00619f68955743be7 /etc/pam.d/common-auth
+b58d8e0a6cadbf879df94869cca6be98 /etc/pam.d/common-auth
+8d4fe17e66ba25de16a117035d1396aa # 1.0.1-6 -
diff --git a/debian/local/common-password b/debian/local/common-password
new file mode 100644
index 00000000..963f1eb4
--- /dev/null
+++ b/debian/local/common-password
@@ -0,0 +1,34 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+$password_primary
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+$password_additional
+# end of pam-auth-update config
diff --git a/debian/local/common-password.md5sums b/debian/local/common-password.md5sums
new file mode 100644
index 00000000..3c33255d
--- /dev/null
+++ b/debian/local/common-password.md5sums
@@ -0,0 +1,6 @@
+601ecfbc99fd359877552cb5298087ad /etc/pam.d/common-password
+e5ae8ba8d00083c922d9d82a0432ef78 /etc/pam.d/common-password
+5d518818f1c6c369040b782f7852f53e /etc/pam.d/common-password
+9ba753d0824276b44bcadfee1f87b6bc # 1.0.1-4ubuntu5 - 1.0.1-4ubuntu5.5
+4bd7610f2e85f8ddaef79c7db7cb49eb # 1.0.1-6 - 1.1.0-1
+50fce2113dfda83ac8bdd5a6e706caec # 1.0.1-6ubuntu1 -
diff --git a/debian/local/common-session b/debian/local/common-session
new file mode 100644
index 00000000..2e94d6c7
--- /dev/null
+++ b/debian/local/common-session
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+$session_primary
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+$session_additional
+# end of pam-auth-update config
diff --git a/debian/local/common-session-noninteractive b/debian/local/common-session-noninteractive
new file mode 100644
index 00000000..1dd1a172
--- /dev/null
+++ b/debian/local/common-session-noninteractive
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+$session_nonint_primary
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+$session_nonint_additional
+# end of pam-auth-update config
diff --git a/debian/local/common-session-noninteractive.md5sums b/debian/local/common-session-noninteractive.md5sums
new file mode 100644
index 00000000..020c2e45
--- /dev/null
+++ b/debian/local/common-session-noninteractive.md5sums
@@ -0,0 +1 @@
+ad2b78ce1498dd637ef36469430b6ac6 # 1.0.1-11 -
diff --git a/debian/local/common-session.md5sums b/debian/local/common-session.md5sums
new file mode 100644
index 00000000..9f06fa1a
--- /dev/null
+++ b/debian/local/common-session.md5sums
@@ -0,0 +1,3 @@
+4845c1632b3561a9debe8d59be1b238e /etc/pam.d/common-session
+4a25673e8b36f1805219027d3be02cd2 # 1.0.1-4ubuntu5 - 1.0.1-4ubuntu5.5
+240fb92986c885b327cdb21dd641da8c # 1.0.1-6 -
diff --git a/debian/local/other b/debian/local/other
new file mode 100644
index 00000000..59d776c9
--- /dev/null
+++ b/debian/local/other
@@ -0,0 +1,16 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used. If you really want nothing to happen then use pam_permit.so or
+#pam_deny.so as appropriate.
+
+# We fall back to the system default in /etc/pam.d/common-*
+#
+
+@include common-auth
+@include common-account
+@include common-password
+@include common-session
diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update
new file mode 100644
index 00000000..17d3fc66
--- /dev/null
+++ b/debian/local/pam-auth-update
@@ -0,0 +1,700 @@
+#!/usr/bin/perl -w
+
+# pam-auth-update: update /etc/pam.d/common-* from /usr/share/pam-configs
+#
+# Update the /etc/pam.d/common-* files based on the per-package profiles
+# provided in /usr/share/pam-configs/ taking into consideration user's
+# preferences (as determined via debconf prompting).
+#
+# Written by Steve Langasek <steve.langasek@canonical.com>
+#
+# Copyright (C) 2008 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of version 3 of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# # This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+# USA.
+
+use strict;
+use Debconf::Client::ConfModule ':all';
+use IPC::Open2 'open2';
+
+version('2.0');
+my $capb=capb('backup escape');
+
+my $inputdir = '/usr/share/pam-configs';
+my $template = 'libpam-runtime/profiles';
+my $errtemplate = 'libpam-runtime/conflicts';
+my $overridetemplate = 'libpam-runtime/override';
+my $blanktemplate = 'libpam-runtime/no_profiles_chosen';
+my $titletemplate = 'libpam-runtime/title';
+my $confdir = '/etc/pam.d';
+my $savedir = '/var/lib/pam';
+my (%profiles, @sorted, @enabled, @conflicts, @new, %removals);
+my $force = 0;
+my $package = 0;
+my $priority = 'high';
+my %md5sums = (
+ 'auth' => ['8d4fe17e66ba25de16a117035d1396aa'],
+ 'account' => ['3c0c362eaf3421848b679d63fd48c3fa'],
+ 'password' => [
+ '50fce2113dfda83ac8bdd5a6e706caec',
+ '4bd7610f2e85f8ddaef79c7db7cb49eb',
+ '9ba753d0824276b44bcadfee1f87b6bc',
+ ],
+ 'session' => [
+ '240fb92986c885b327cdb21dd641da8c',
+ '4a25673e8b36f1805219027d3be02cd2',
+ ],
+ 'session-noninteractive' => [
+ 'ad2b78ce1498dd637ef36469430b6ac6',
+ ],
+);
+
+opendir(DIR, $inputdir) || die "could not open config directory: $!";
+while (my $profile = readdir(DIR)) {
+ next if ($profile eq '.' || $profile eq '..');
+ %{$profiles{$profile}} = parse_pam_profile($inputdir . '/' . $profile);
+}
+closedir DIR;
+
+# use a '--force' arg to specify that /etc/pam.d should be overwritten;
+# used only on upgrades where the postinst has already determined that the
+# checksums match. Module packages other than libpam-runtime itself must
+# NEVER use this option! Document with big skullses and crossboneses! It
+# needs to be exposed for libpam-runtime because that's the package that
+# decides whether we have a pristine config to be converted, and knows
+# whether the version being upgraded from is one for which the conversion
+# should be done.
+
+while ($#ARGV >= 0) {
+ my $opt = shift;
+ if ($opt eq '--force') {
+ $force = 1;
+ } elsif ($opt eq '--package') {
+ $package = 1;
+ } elsif ($opt eq '--remove') {
+ while ($#ARGV >= 0) {
+ last if ($ARGV[0] =~ /^--/);
+ $removals{shift @ARGV} = 1;
+ }
+ # --remove implies --package
+ $package = 1 if (keys(%removals));
+ }
+}
+
+$priority = 'medium' if ($package);
+
+x_loadtemplatefile('/var/lib/dpkg/info/libpam-runtime.templates','libpam-runtime');
+
+# always sort by priority, so we have consistency and don't have to
+# shuffle later
+@sorted = sort { $profiles{$b}->{'Priority'} <=> $profiles{$a}->{'Priority'}
+ || $b cmp $a }
+ keys(%profiles);
+# If we're being called for package removal, filter out those options here
+@sorted = grep { !$removals{$_} } @sorted;
+
+subst($template, 'profile_names', join(', ',@sorted));
+subst($template, 'profiles',
+ join(', ', map { $profiles{$_}->{'Name'} } @sorted));
+
+my $diff = diff_profiles($confdir,$savedir);
+
+if ($diff) {
+ @enabled = grep { !$removals{$_} } @{$diff->{'mods'}};
+} else {
+ @enabled = split(/, /,get($template));
+}
+
+# find out what we've seen, so we can ignore those defaults
+my %seen;
+if (-e $savedir . '/seen') {
+ open(SEEN,$savedir . '/seen');
+ while (<SEEN>) {
+ chomp;
+ $seen{$_} = 1;
+ }
+ close(SEEN);
+}
+
+# filter out any options that are no longer available for any reason
+@enabled = grep { $profiles{$_} } @enabled;
+
+# an empty module set is an error, so in that case grab all the defaults
+if (!@enabled) {
+ %seen = ();
+ $priority = 'high' unless ($force);
+}
+
+# add any previously-unseen configs
+push(@enabled,
+ grep { $profiles{$_}->{'Default'} eq 'yes' && !$seen{$_} } @sorted);
+@enabled = sort { $profiles{$b}->{'Priority'} <=> $profiles{$a}->{'Priority'}
+ || $b cmp $a }
+ @enabled;
+my $prev = '';
+@enabled = grep { $_ ne $prev && (($prev) = $_) } @enabled;
+
+# Do we have any new options to show? If not, we shouldn't reprompt the
+# user, at any priority level, unless explicitly called.
+@new = grep { !$seen{$_} } @sorted;
+
+settitle($titletemplate);
+
+# if diff_profiles() fails, and we weren't passed a 'force' argument
+# (because this isn't an upgrade from an old version, or the checksum
+# didn't match, or we're being called by some other module package), prompt
+# the user whether to override. If the user declines (the default), we
+# never again manage this config unless manually called with '--force'.
+if (!$diff && !$force) {
+ input('high',$overridetemplate);
+ go();
+ $force = 1 if (get($overridetemplate) eq 'true');
+}
+
+if (!$diff && !$force) {
+ print STDERR <<EOF;
+
+pam-auth-update: Local modifications to /etc/pam.d/common-*, not updating.
+pam-auth-update: Run pam-auth-update --force to override.
+
+EOF
+ exit;
+}
+
+umask(0022);
+
+do {
+ @conflicts = ();
+
+ if (@new || !$package) {
+ fset($template,'seen','false');
+ }
+ set($template,join(', ', @enabled));
+
+ input($priority,$template);
+ go();
+
+ @enabled = split(/, /, get($template));
+
+ # in case of conflicts, automatically unset the lower priority
+ # item of each pair
+ foreach my $elem (@enabled)
+ {
+ for (my $i=$#enabled; $i >= 0; $i--)
+ {
+ my $conflict = $enabled[$i];
+ if ($profiles{$elem}->{'Conflicts'}->{$conflict}) {
+ splice(@enabled,$i,1);
+ my $desc = $profiles{$elem}->{'Name'}
+ . ', ' . $profiles{$conflict}->{'Name'};
+ push(@conflicts,$desc);
+ }
+ }
+ }
+ if (@conflicts) {
+ subst($errtemplate, 'conflicts', join("\\n", @conflicts));
+ input('high',$errtemplate);
+ }
+ set($template, join(', ', @enabled));
+ if (!@enabled) {
+ input('high',$blanktemplate);
+ # we can only end up here by user error, but give them another
+ # shot at selecting a correct config anyway.
+ fset($template,'seen','false');
+ }
+} while (@conflicts || !@enabled);
+
+# the decision has been made about what configs to use, so even if
+# something fails after this, we shouldn't go munging the default
+# options again. Save the list of known configs to /var/lib/pam.
+open(SEEN,"> $savedir/seen");
+for my $i (@sorted) {
+ print SEEN "$i\n";
+}
+close(SEEN);
+
+# @enabled now contains our list of profiles to use for piecing together
+# a config
+# we have:
+# - templates into which we insert the specialness
+# - magic comments denoting the beginning and end of our managed block;
+# looking at only the functional config lines would potentially let us
+# handle more cases, at the expense of much greater complexity, so
+# pass on this at least for the first round
+# - a representation of the autogenerated config stored in /var/lib/pam,
+# that we can diff against in order to account for changed options or
+# manually dropped modules
+# - a hash describing the local modifications the user has made to the
+# config; these are always preserved unless manually overridden with
+# the --force option
+
+write_profiles(\%profiles, \@enabled, $confdir, $savedir, $diff, $force);
+
+
+# take a single line from a stock config, and merge it with the
+# information about local admin edits
+sub merge_one_line
+{
+ my ($line,$diff,$count) = @_;
+ my (@opts,$modline);
+
+ my ($adds,$removes);
+
+ $line =~ /^((\[[^]]+\]|\w+)\s+\S+)\s*(.*)/;
+
+ @opts = split(/\s+/,$3);
+ $modline = $1;
+ $modline =~ s/end/$count/g;
+ if ($diff) {
+ my $mod = $modline;
+ $mod =~ s/(\[[^0-9]*)[0-9]+(.*\])/$1$2/g;
+ $adds = \%{$diff->{'add'}{$mod}};
+ $removes = \%{$diff->{'remove'}{$mod}};
+ } else {
+ $adds = $removes = undef;
+ }
+
+ for (my $i = 0; $i <= $#opts; $i++) {
+ if ($adds->{$opts[$i]}) {
+ delete $adds->{$opts[$i]};
+ }
+ if ($removes->{$opts[$i]}) {
+ splice(@opts,$i,1);
+ $i--;
+ }
+ }
+ return $modline . " " . join(' ',@opts,sort keys(%{$adds})) . "\n";
+}
+
+# return the lines for a given config name, type, and position in the stack
+sub lines_for_module_and_type
+{
+ my ($profiles, $mod, $type, $modpos) = @_;
+ if ($modpos == 0 && $profiles->{$mod}{$type . '-Initial'}) {
+ return $profiles->{$mod}{$type . '-Initial'};
+ }
+ return $profiles->{$mod}{$type};
+}
+
+# create a single PAM config from the indicated template and selections,
+# writing to a new file
+sub create_from_template
+{
+ my($template,$dest,$profiles,$enabled,$diff,$type) = @_;
+ my $state = 0;
+ my $uctype = ucfirst($type);
+ $type =~ s/-noninteractive//;
+
+ open(INPUT,$template) || return 0;
+ open(OUTPUT,">$dest") || return 0;
+
+ while (<INPUT>) {
+ if ($state == 1) {
+ if (/^# here's the fallback if no module succeeds/) {
+ print OUTPUT;
+ $state++;
+ }
+ next;
+ }
+ if ($state == 3) {
+ if (/^# end of pam-auth-update config/) {
+ print OUTPUT;
+ $state++;
+ }
+ next;
+ }
+
+ print OUTPUT;
+
+ my ($pattern,$val);
+ if ($state == 0) {
+ $pattern = '^# here are the per-package modules \(the "Primary" block\)';
+ $val = 'Primary';
+ } elsif ($state == 2) {
+ $pattern = '^# and here are more per-package modules \(the "Additional" block\)';
+ $val = 'Additional';
+ } else {
+ next;
+ }
+
+ if (/$pattern/) {
+ my $i = 0;
+ my $count = 0;
+ # first we need to get a count of lines that we're
+ # going to output, so we can fix up the jumps correctly
+ for my $mod (@{$enabled}) {
+ my $output;
+ next if (!$profiles->{$mod}{$uctype . '-Type'});
+ next if $profiles->{$mod}{$uctype . '-Type'} ne $val;
+ $output = lines_for_module_and_type($profiles, $mod, $uctype, $i++);
+ # bypasses a perl warning about @_, sigh
+ my @tmparr = split("\n+",$output);
+ $count += @tmparr;
+ }
+
+ # in case anything tries to jump in the 'additional'
+ # block, let's try not to jump off the stack...
+ $count-- if ($val eq 'Additional');
+
+ # no primary block, so output a stock pam_permit line
+ # to keep the stack intact
+ if ($val eq 'Primary' && $count == 0)
+ {
+ print OUTPUT "$type\t[default=1]\t\t\tpam_permit.so\n";
+ }
+
+ $i = 0;
+ for my $mod (@{$enabled}) {
+ my $output;
+ my @output;
+ next if (!$profiles->{$mod}{$uctype . '-Type'});
+ next if $profiles->{$mod}{$uctype . '-Type'} ne $val;
+ $output = lines_for_module_and_type($profiles, $mod, $uctype, $i++);
+ for my $line (split("\n",$output)) {
+ $line = merge_one_line($line,$diff,
+ $count);
+ print OUTPUT "$type\t$line";
+ $count--;
+ }
+ }
+ $state++;
+ }
+ }
+ close(INPUT);
+ close(OUTPUT);
+
+ if ($state < 4) {
+ unlink($dest);
+ return 0;
+ }
+ return 1;
+}
+
+# take a template file, strip out everything between the markers, and
+# return the md5sum of the remaining contents. Used for testing for
+# local modifications of the boilerplate.
+sub get_template_md5sum
+{
+ my($template) = @_;
+ my $state = 0;
+
+ open(INPUT,$template) || return '';
+ my($md5sum_fd,$output_fd);
+ my $pid = open2($md5sum_fd, $output_fd, 'md5sum');
+ return '' if (!$pid);
+
+ while (<INPUT>) {
+ if ($state == 1) {
+ if (/^# here's the fallback if no module succeeds/) {
+ print $output_fd $_;
+ $state++;
+ }
+ next;
+ }
+ if ($state == 3) {
+ if (/^# end of pam-auth-update config/) {
+ print $output_fd $_;
+ $state++;
+ }
+ next;
+ }
+
+ print $output_fd $_;
+
+ my ($pattern,$val);
+ if ($state == 0) {
+ $pattern = '^# here are the per-package modules \(the "Primary" block\)';
+ } elsif ($state == 2) {
+ $pattern = '^# and here are more per-package modules \(the "Additional" block\)';
+ } else {
+ next;
+ }
+
+ if (/$pattern/) {
+ $state++;
+ }
+ }
+ close(INPUT);
+ close($output_fd);
+ my $md5sum = <$md5sum_fd>;
+ close($md5sum_fd);
+ waitpid $pid, 0;
+
+ $md5sum = (split(/\s+/,$md5sum))[0];
+ return $md5sum;
+}
+
+# merge a set of module declarations into a set of new config files,
+# using the information returned from diff_profiles().
+sub write_profiles
+{
+ my($profiles,$enabled,$confdir,$savedir,$diff,$force) = @_;
+
+ if (! -d $savedir) {
+ mkdir($savedir);
+ }
+
+ # because we can't atomically replace both /var/lib/pam/$foo and
+ # /etc/pam.d/common-$foo at the same time, take steps to make this
+ # somewhat robust
+ for my $type ('auth','account','password','session',
+ 'session-noninteractive')
+ {
+ my $target = $confdir . '/common-' . $type;
+ my $template = $target;
+ my $dest = $template . '.pam-new';
+
+ my $diff = $diff;
+ if ($diff) {
+ $diff = \%{$diff->{$type}};
+ }
+
+ # Detect if the template is unmodified, and if so, use
+ # the version from /usr/share. Depends on knowing the
+ # md5sums of the originals.
+ my $md5sum = get_template_md5sum($template);
+ for my $i (@{$md5sums{$type}}) {
+ if ($md5sum eq $i) {
+ $template = '/usr/share/pam/common-' . $type;
+ last;
+ }
+ }
+
+ # first, write out the new config
+ if (!create_from_template($template,$dest,$profiles,$enabled,
+ $diff,$type))
+ {
+ if (!$force) {
+ return 0;
+ }
+ $template = '/usr/share/pam/common-' . $type;
+ if (!create_from_template($template,$dest,$profiles,
+ $enabled,$diff,$type))
+ {
+ return 0;
+ }
+ }
+
+ # then write out the saved config
+ if (!open(OUTPUT, "> $savedir/$type.new")) {
+ unlink($dest);
+ return 0;
+ }
+ my $i = 0;
+ my $uctype = ucfirst($type);
+ for my $mod (@{$enabled}) {
+ my $output;
+ next if (!$profiles->{$mod}{$uctype . '-Type'});
+ next if ($profiles->{$mod}{$uctype . '-Type'} eq 'Additional');
+
+ $output = lines_for_module_and_type($profiles, $mod, $uctype, $i++);
+ if ($output) {
+ print OUTPUT "Module: $mod\n";
+ print OUTPUT $output . "\n";
+ }
+ }
+
+ # no primary block, so output a stock pam_permit line
+ if ($i == 0)
+ {
+ print OUTPUT "Module: null\n";
+ print OUTPUT "[default=1]\t\t\tpam_permit.so\n";
+ }
+
+ $i = 0;
+ for my $mod (@{$enabled}) {
+ my $output;
+ next if (!$profiles->{$mod}{$uctype . '-Type'});
+ next if ($profiles->{$mod}{$uctype . '-Type'} eq 'Primary');
+
+ $output = lines_for_module_and_type($profiles, $mod, $uctype, $i++);
+ if ($output) {
+ print OUTPUT "Module: $mod\n";
+ print OUTPUT $output . "\n";
+ }
+ }
+
+ close(OUTPUT);
+
+ # then do the renames, back-to-back
+ # we have to use system because File::Copy is in
+ # perl-modules, not perl-base
+ if (-e "$target" && $force) {
+ system('cp','-f',$target,$target . '.pam-old');
+ }
+ rename($dest,$target);
+ rename("$savedir/$type.new","$savedir/$type");
+ }
+
+ # at the end of a successful write, reset the 'seen' flag and the
+ # value of the debconf override question.
+ fset($overridetemplate,'seen','false');
+ set($overridetemplate,'false');
+}
+
+# reconcile the current config in /etc/pam.d with the saved ones in
+# /var/lib/pam; returns a hash of profile names and the corresponding
+# options that should be added/removed relative to the stock config.
+# returns false if any of the markers are missing that permit a merge,
+# or on any other failure.
+sub diff_profiles
+{
+ my ($sourcedir,$savedir) = @_;
+ my (%diff);
+
+ @{$diff{'mods'}} = ();
+ # Load the saved config from /var/lib/pam, then iterate through all
+ # lines in the current config that are in the managed block.
+ # If anything fails here, just return immediately since we then
+ # have nothing to merge; instead, the caller will decide later
+ # whether to force an overwrite.
+ for my $type ('auth','account','password','session',
+ 'session-noninteractive')
+ {
+ my (@saved,$modname);
+
+ open(SAVED,$savedir . '/' . $type) || return 0;
+ while (<SAVED>) {
+ if (/^Module: (.*)/) {
+ $modname = $1;
+ next;
+ }
+ chomp;
+ # trim out the destination of any jumps; this saves
+ # us from having to re-parse everything just to fix
+ # up the jump lengths, when changes to these will
+ # already show up as inconsistencies elsewhere
+ s/(\[[^0-9]*)[0-9]+(.*\])/$1$2/g;
+ s/(\[.*)end(.*\])/$1$2/g;
+ my (@temp) = ($modname,$_);
+ push(@saved,\@temp);
+ }
+ close(SAVED);
+
+ my $state = 0;
+ my (@prev_opts,$curmod);
+ my $realtype = $type;
+ $realtype =~ s/-noninteractive//;
+
+ open(CURRENT,$sourcedir . '/common-' . $type) || return 0;
+ while (<CURRENT>) {
+ if ($state == 0) {
+ $state = 1
+ if (/^# here are the per-package modules \(the "Primary" block\)/);
+ next;
+ }
+ if ($state == 1) {
+ s/^$realtype\s+//;
+ if (/^# here's the fallback if no module succeeds/) {
+ $state = 2;
+ next;
+ }
+ }
+ if ($state == 2) {
+ $state = 3
+ if (/^# and here are more per-package modules \(the "Additional" block\)/);
+ next;
+ }
+ if ($state == 3) {
+ last if (/^# end of pam-auth-update config/);
+ s/^$realtype\s+//;
+ }
+
+ my $found = 0;
+ my $curopts;
+ while (!$found && $#saved >= 0) {
+ my $line;
+ ($modname,$line) = @{$saved[0]};
+ shift(@saved);
+ $line =~ /^((\[[^]]+\]|\w+)\s+\S+)\s*(.*)/;
+ @prev_opts = split(/\s+/,$3);
+ $curmod = $1;
+ # FIXME: the key isn't derived from the config
+ # name, so collisions are possible if more
+ # than one config references the same module
+
+ $_ =~ s/(\[[^0-9]*)[0-9]+(.*\])/$1$2/g;
+ # check if this is a match for the current line
+ if ($_ =~ /^\Q$curmod\E\s*(.*)$/) {
+ $found = 1;
+ $curopts = $1;
+ push(@{$diff{'mods'}},$modname);
+ }
+ }
+
+ # there's a line in the live config that doesn't
+ # correspond to anything from the saved config.
+ # treat this as a failure; it's very error-prone
+ # to decide what to do with an added line that
+ # didn't come from a package.
+ return 0 if (!$found);
+
+ for my $opt (split(/\s+/,$curopts)) {
+ my $found = 0;
+ for (my $i = 0; $i <= $#prev_opts; $i++) {
+ if ($prev_opts[$i] eq $opt) {
+ $found = 1;
+ splice(@prev_opts,$i,1);
+ }
+ }
+ $diff{$type}{'add'}{$curmod}{$opt} = 1 if (!$found);
+ }
+ for my $opt (@prev_opts) {
+ $diff{$type}{'remove'}{$curmod}{$opt} = 1;
+ }
+ }
+ close(CURRENT);
+
+ # we couldn't parse the config, so the merge fails
+ return 0 if ($state < 3);
+ }
+ return \%diff;
+}
+
+# simple function to parse a provided config file, in pseudo-RFC822
+# format,
+sub parse_pam_profile
+{
+ my ($profile) = $_[0];
+ my $fieldname;
+ my %profile;
+ open(PROFILE, $profile) || die "could not read profile $profile: $!";
+ while (<PROFILE>) {
+ if (/^(\S+):\s+(.*)$/) {
+ $fieldname = $1;
+ # compatibility with the first implementation round;
+ # "Auth-Final" is now just called "Auth"
+ $fieldname =~ s/-Final$//;
+ if ($fieldname eq 'Conflicts') {
+ foreach my $elem (split(/, /, $2)) {
+ $profile{'Conflicts'}->{$elem} = 1;
+ }
+ } else {
+ $profile{$fieldname} = $2;
+ }
+ } else {
+ chomp;
+ s/^\s+//;
+ $profile{$fieldname} .= "\n$_" if ($_);
+ $profile{$fieldname} =~ s/^[\n\s]+//;
+ }
+ }
+ close(PROFILE);
+ if (!defined($profile{'Session-Interactive-Only'})) {
+ $profile{'Session-noninteractive-Type'} = $profile{'Session-Type'};
+ $profile{'Session-noninteractive'} = $profile{'Session'};
+ $profile{'Session-noninteractive-Initial'} = $profile{'Session-Initial'};
+ }
+ return %profile;
+}
diff --git a/debian/local/pam-auth-update.8 b/debian/local/pam-auth-update.8
new file mode 100644
index 00000000..fd5e2ad4
--- /dev/null
+++ b/debian/local/pam-auth-update.8
@@ -0,0 +1,101 @@
+.\" Copyright (C) 2008 Canonical Ltd.
+.\"
+.\" Author: Steve Langasek <steve.langasek@canonical.com>
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of version 3 of the GNU General Public License as
+.\" published by the Free Software Foundation.
+.\"
+.\" .\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+.\" USA.
+.TH "PAM\-AUTH\-UPDATE" "8" "08/23/2008" "Debian"
+.SH NAME
+pam\-auth\-update - manage PAM configuration using packaged profiles
+.SH SYNOPSIS
+.B pam\-auth\-update
+.RB [ \-\-package " [" \-\-remove
+.IR profile " [" profile\fR... "]]]"
+.RB [ \-\-force ]
+.SH DESCRIPTION
+.I pam\-auth\-update
+is a utility that permits configuring the central authentication policy
+for the system using pre-defined profiles as supplied by PAM module
+packages.
+Profiles shipped in the
+.I /usr/share/pam\-configs/
+directory specify the modules, with options, to enable; the preferred
+ordering with respect to other profiles; and whether a profile should be
+enabled by default.
+Packages providing PAM modules register their profiles at install time
+by calling
+.BR "pam\-auth\-update \-\-package" .
+Selection of profiles is done using the standard debconf interface.
+The profile selection question will be asked at `medium' priority when
+packages are added or removed, so no user interaction is required by
+default.
+Users may invoke
+.B pam\-auth\-update
+directly to change their authentication configuration.
+.PP
+The script makes every effort to respect local changes to
+.IR "/etc/pam.d/common-*".
+Local modifications to the list of module options will be preserved, and
+additions of modules within the managed portion of the stack will cause
+.B pam\-auth\-update
+to treat the config files as locally modified and not make further
+changes to the config files unless given the
+.B \-\-force
+option.
+.PP
+If the user specifies that
+.B pam\-auth\-update
+should override local configuration changes, the locally-modified files
+will be saved in
+.I /etc/pam.d/
+with a suffix of
+.IR "\.pam\-old" .
+.SH OPTIONS
+.TP
+.B \-\-package
+Indicate that the caller is a package maintainer script; lowers the
+priority of debconf questions to `medium' so that the user is not
+prompted by default.
+.TP
+.B \-\-remove \fIprofile \fR[\fIprofile\fR...]
+Remove the specified profiles from the system configuration.
+.B pam\-auth\-update \-\-remove
+should be used to remove profiles from the configuration before the
+modules they reference are removed from disk, to ensure that PAM is in a
+consistent and usable state at all times during package upgrades or
+removals.
+.TP
+.B \-\-force
+Overwrite the current PAM configuration, without prompting.
+This option
+.B must not
+be used by package maintainer scripts; it is intended for use by
+administrators only.
+.SH FILES
+.PP
+.I /etc/pam.d/common\-*
+.RS 4
+Global configuration of PAM, affecting all installed services.
+.RE
+.PP
+.I /usr/share/pam\-configs/
+.RS 4
+Package-supplied authentication profiles.
+.RE
+.SH AUTHOR
+Steve Langasek <steve.langasek@canonical.com>
+.SH COPYRIGHT
+Copyright (C) 2008 Canonical Ltd.
+.SH "SEE ALSO"
+PAM(7), pam.d(5), debconf(7)
diff --git a/debian/local/pam.conf b/debian/local/pam.conf
new file mode 100644
index 00000000..3eeb72d3
--- /dev/null
+++ b/debian/local/pam.conf
@@ -0,0 +1,15 @@
+# ---------------------------------------------------------------------------#
+# /etc/pam.conf #
+# ---------------------------------------------------------------------------#
+#
+# NOTE
+# ----
+#
+# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
+# PAM service modules. This file is used only if that directory does not exist.
+# ---------------------------------------------------------------------------#
+
+# Format:
+# serv. module ctrl module [path] ...[args..] #
+# name type flag #
+
diff --git a/debian/local/pam_getenv b/debian/local/pam_getenv
new file mode 100644
index 00000000..2abddcad
--- /dev/null
+++ b/debian/local/pam_getenv
@@ -0,0 +1,123 @@
+#!/usr/bin/perl -w
+
+=head1 NAME
+
+pam_getenv - get environment variables from /etc/environment
+
+=head1 SYNOPSIS
+
+pam_getenv B<[-l] [-s]> I<env_var>
+
+=head1 DESCRIPTION
+
+This tool will print out the value of I<env_var> from F</etc/environment>. It will attempt to expand environment variable references in the definition of I<env_var> but will fail if PAM items are expanded.
+
+The B<-l> option indicates the script should return an environment variable related to default locale information.
+
+The B<-s> option indicates that the script should return an
+system default environment variable.
+
+Currently neither the B<-l> or B<-s> options do anything. They are
+included because future versions of Debian may have a separate
+repository for the initial environment used by init scripts and for
+system locale information. These options will allow this script to be
+a stable interface even in that environment.
+
+=cut
+
+# Copyright 2004 by Sam Hartman
+# This script may be copied under the terms of the GNU GPL
+# version 2, or at your option any later version.
+
+use strict;
+use vars qw(*CONFIGFILE *ENVFILE);
+
+sub read_line($) {
+ my $fh = shift;
+ my $line;
+ local $_;
+ line: while (<$fh>) {
+ chomp;
+ s/^\s+//;
+s/\#.*$//;
+ next if $_ eq "";
+ if (s/\\\s*$//) {
+ $line .= $_;
+ next line;
+ }
+
+ $line .= $_;
+ last;
+ }
+ $line;
+
+}
+
+
+sub parse_line($) {
+ my $var;
+ my (%x, @x);
+ local $_ = shift;
+ return undef unless defined $_ and s/(\S+)\s//;
+ $var->{Name} = $1;
+ s/^\s*//;
+ @x = split(/=([^"\s]\S*|"[^"]*")\s*/, $_);
+ unless (scalar(@x)%2 == 0) {
+ push @x, undef;
+ }
+ %x = @x;
+ @{$var}{"Default", "Override"} =
+ @x{"DEFAULT", "OVERRIDE"};
+ $var;
+}
+
+sub expand_val($) {
+ my ($val) = @_;
+return undef unless $val;
+ die "Cannot handle PAM items\n" if /(?<!\\)\@/;
+ $val =~ s/(?<!\\)\${([^}]+)}/$ENV{$1}||""/eg;
+ return $val;
+}
+
+my $lookup;
+
+while ($_ = shift) {
+ next if $_ eq "-s";
+ next if $_ eq "-l";
+ $lookup = $_;
+ last;
+}
+unless (defined $lookup) {
+ die "Usage: pam_getenv [-l] [-s] env_var\n";
+}
+
+my %allvars;
+
+open (CONFIGFILE, "/etc/security/pam_env.conf")
+ or die "Cannot open environment file: $!\n";
+
+while (my $var = parse_line(read_line(\*CONFIGFILE))) {
+ my $val;
+ unless ($val = expand_val($var->{Override})) {
+ $val = expand_val($var->{Default});
+ }
+ $allvars{$var->{Name}} = $val;
+}
+
+if (open (ENVFILE, "/etc/environment")) {
+ while (my $line = read_line(\*ENVFILE)) {
+ $line =~ s/^export //;
+ $line =~ /(.*?)=(.+)/ or next;
+ my ($var, $val) = ($1, $2);
+ # This is bizarre logic (" and ' match each other, quotes are only
+ # significant at the start and end of the string, and the trailing quote
+ # may be omitted), but it's what pam_env does.
+ $val =~ s/^["'](.*?)["']?$/$1/;
+ $allvars{$var} = $val;
+ }
+}
+
+if (exists $allvars{$lookup}) {
+ print $allvars{$lookup}, "\n";
+ exit(0);
+}
diff --git a/debian/pam-configs/cracklib b/debian/pam-configs/cracklib
new file mode 100644
index 00000000..1c48274f
--- /dev/null
+++ b/debian/pam-configs/cracklib
@@ -0,0 +1,9 @@
+Name: Cracklib password strength checking
+Default: yes
+Priority: 1024
+Conflicts: unix-zany
+Password-Type: Primary
+Password:
+ requisite pam_cracklib.so retry=3 minlen=8 difok=3
+Password-Initial:
+ requisite pam_cracklib.so retry=3 minlen=8 difok=3
diff --git a/debian/pam-configs/unix b/debian/pam-configs/unix
new file mode 100644
index 00000000..23a04f14
--- /dev/null
+++ b/debian/pam-configs/unix
@@ -0,0 +1,23 @@
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so nullok_secure try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so nullok_secure
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure sha512
diff --git a/debian/patches-applied/007_modules_pam_unix b/debian/patches-applied/007_modules_pam_unix
new file mode 100644
index 00000000..95d2e354
--- /dev/null
+++ b/debian/patches-applied/007_modules_pam_unix
@@ -0,0 +1,462 @@
+Index: pam.debian/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam.debian/modules/pam_unix/pam_unix_passwd.c
+@@ -97,6 +97,9 @@
+ # endif /* GNU libc 2.1 */
+ #endif
+
++extern const char *obscure_msg(const char *, const char *, const struct passwd *,
++ unsigned int);
++
+ /*
+ How it works:
+ Gets in username (has to be done) from the calling program
+@@ -513,6 +516,11 @@
+ return retval;
+ }
+ }
++ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */
++ struct passwd *pwd;
++ pwd = pam_modutil_getpwnam(pamh, user);
++ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */
++ }
+ }
+ if (remark) {
+ _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
+@@ -529,7 +537,7 @@
+ int retval;
+ int remember = -1;
+ int rounds = -1;
+- int pass_min_len = 0;
++ int pass_min_len = 6;
+
+ /* <DO NOT free() THESE> */
+ const char *user;
+Index: pam.debian/modules/pam_unix/support.h
+===================================================================
+--- pam.debian.orig/modules/pam_unix/support.h
++++ pam.debian/modules/pam_unix/support.h
+@@ -90,8 +90,9 @@
+ password hash algorithms */
+ #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
+ #define UNIX_MIN_PASS_LEN 27 /* min length for password */
++#define UNIX_OBSCURE_CHECKS 28 /* enable obscure checks on passwords */
+ /* -------------- */
+-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
+
+ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+
+@@ -100,34 +101,35 @@
+ /* symbol token name ctrl mask ctrl *
+ * ----------------------- ------------------- --------------------- -------- */
+
+-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01},
+-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02},
+-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04},
+-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010},
+-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020},
+-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040},
+-/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100},
+-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200},
+-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400},
+-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000},
+-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000},
+-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000},
+-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000},
+-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000},
+-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0},
+-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000},
+-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000},
+-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000},
+-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000},
+-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000},
+-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000},
+-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000},
+-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000},
+-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000},
+-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000},
+-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000},
+-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000},
+-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000},
++/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1},
++/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2},
++/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4},
++/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8},
++/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30), 0x10},
++/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30), 0x20},
++/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40},
++/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80},
++/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100},
++/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200},
++/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400},
++/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800},
++/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000},
++/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x2C22000), 0x2000},
++/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200), 0},
++/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000},
++/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000},
++/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000},
++/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x2C22000), 0x20000},
++/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000},
++/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000},
++/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000},
++/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000},
++/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x2C22000), 0x400000},
++/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x2C22000), 0x800000},
++/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000},
++/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x2C22000),0x2000000},
++/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000},
++/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x8000000},
+ };
+
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
+Index: pam.debian/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix.8.xml
++++ pam.debian/modules/pam_unix/pam_unix.8.xml
+@@ -333,8 +333,81 @@
+ <listitem>
+ <para>
+ Set a minimum password length of <replaceable>n</replaceable>
+- characters. The max. for DES crypt based passwords are 8
+- characters.
++ characters. The default value is 6. The maximum for DES
++ crypt-based passwords is 8 characters.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>obscure</option>
++ </term>
++ <listitem>
++ <para>
++ Enable some extra checks on password strength. These checks
++ are based on the "obscure" checks in the original shadow
++ package. The behavior is similar to the pam_cracklib
++ module, but for non-dictionary-based checks. The following
++ checks are implemented:
++ <variablelist>
++ <varlistentry>
++ <term>
++ <option>Palindrome</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password is not a palindrome
++ of (i.e., the reverse of) the previous one.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Case Change Only</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password isn't the same as the
++ old one with a change of case.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Similar</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password isn't too much like
++ the previous one.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Simple</option>
++ </term>
++ <listitem>
++ <para>
++ Is the new password too simple? This is based on
++ the length of the password and the number of
++ different types of characters (alpha, numeric, etc.)
++ used.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Rotated</option>
++ </term>
++ <listitem>
++ <para>
++ Is the new password a rotated version of the old
++ password? (E.g., "billy" and "illyb")
++ </para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
+ </para>
+ </listitem>
+ </varlistentry>
+Index: pam.debian/modules/pam_unix/obscure.c
+===================================================================
+--- /dev/null
++++ pam.debian/modules/pam_unix/obscure.c
+@@ -0,0 +1,198 @@
++/*
++ * Copyright 1989 - 1994, Julianne Frances Haugh
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
++ * may be used to endorse or promote products derived from this software
++ * without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#include "config.h"
++
++#include <ctype.h>
++#include <stdio.h>
++#include <unistd.h>
++#include <string.h>
++#include <stdlib.h>
++#include <pwd.h>
++#include <security/pam_modules.h>
++#include <security/_pam_macros.h>
++
++
++#include "support.h"
++
++/* can't be a palindrome - like `R A D A R' or `M A D A M' */
++static int palindrome(const char *old, const char *new) {
++ int i, j;
++
++ i = strlen (new);
++
++ for (j = 0;j < i;j++)
++ if (new[i - j - 1] != new[j])
++ return 0;
++
++ return 1;
++}
++
++/* more than half of the characters are different ones. */
++static int similar(const char *old, const char *new) {
++ int i, j;
++
++ /*
++ * XXX - sometimes this fails when changing from a simple password
++ * to a really long one (MD5). For now, I just return success if
++ * the new password is long enough. Please feel free to suggest
++ * something better... --marekm
++ */
++ if (strlen(new) >= 8)
++ return 0;
++
++ for (i = j = 0; new[i] && old[i]; i++)
++ if (strchr(new, old[i]))
++ j++;
++
++ if (i >= j * 2)
++ return 0;
++
++ return 1;
++}
++
++/* a nice mix of characters. */
++static int simple(const char *old, const char *new) {
++ int digits = 0;
++ int uppers = 0;
++ int lowers = 0;
++ int others = 0;
++ int size;
++ int i;
++
++ for (i = 0;new[i];i++) {
++ if (isdigit (new[i]))
++ digits++;
++ else if (isupper (new[i]))
++ uppers++;
++ else if (islower (new[i]))
++ lowers++;
++ else
++ others++;
++ }
++
++ /*
++ * The scam is this - a password of only one character type
++ * must be 8 letters long. Two types, 7, and so on.
++ */
++
++ size = 9;
++ if (digits) size--;
++ if (uppers) size--;
++ if (lowers) size--;
++ if (others) size--;
++
++ if (size <= i)
++ return 0;
++
++ return 1;
++}
++
++static char *str_lower(char *string) {
++ char *cp;
++
++ for (cp = string; *cp; cp++)
++ *cp = tolower(*cp);
++ return string;
++}
++
++static const char * password_check(const char *old, const char *new,
++ const struct passwd *pwdp) {
++ const char *msg = NULL;
++ char *oldmono, *newmono, *wrapped;
++
++ if (strcmp(new, old) == 0)
++ return _("Bad: new password must be different than the old one");
++
++ newmono = str_lower(strdup(new));
++ oldmono = str_lower(strdup(old));
++ wrapped = (char *)malloc(strlen(oldmono) * 2 + 1);
++ strcpy (wrapped, oldmono);
++ strcat (wrapped, oldmono);
++
++ if (palindrome(oldmono, newmono)) {
++ msg = _("Bad: new password cannot be a palindrome");
++ } else if (strcmp(oldmono, newmono) == 0) {
++ msg = _("Bad: new and old password must differ by more than just case");
++ } else if (similar(oldmono, newmono)) {
++ msg = _("Bad: new and old password are too similar");
++ } else if (simple(old, new)) {
++ msg = _("Bad: new password is too simple");
++ } else if (strstr(wrapped, newmono)) {
++ msg = _("Bad: new password is just a wrapped version of the old one");
++ }
++
++ _pam_delete(newmono);
++ _pam_delete(oldmono);
++ _pam_delete(wrapped);
++
++ return msg;
++}
++
++const char *obscure_msg(const char *old, const char *new,
++ const struct passwd *pwdp, unsigned int ctrl) {
++ int oldlen, newlen;
++ char *new1, *old1;
++ const char *msg;
++
++ if (old == NULL)
++ return NULL; /* no check if old is NULL */
++
++ oldlen = strlen(old);
++ newlen = strlen(new);
++
++ /* Remaining checks are optional. */
++ if (off(UNIX_OBSCURE_CHECKS,ctrl))
++ return NULL;
++
++ if ((msg = password_check(old, new, pwdp)) != NULL)
++ return msg;
++
++ /* The traditional crypt() truncates passwords to 8 chars. It is
++ possible to circumvent the above checks by choosing an easy
++ 8-char password and adding some random characters to it...
++ Example: "password$%^&*123". So check it again, this time
++ truncated to the maximum length. Idea from npasswd. --marekm */
++
++ if (!UNIX_DES_CRYPT(ctrl))
++ return NULL; /* unlimited password length */
++
++ if (oldlen <= 8 && newlen <= 8)
++ return NULL;
++
++ new1 = strndup(new,8);
++ old1 = strndup(old,8);
++
++ msg = password_check(old1, new1, pwdp);
++
++ _pam_delete(new1);
++ _pam_delete(old1);
++
++ return msg;
++}
+Index: pam.debian/modules/pam_unix/Makefile.am
+===================================================================
+--- pam.debian.orig/modules/pam_unix/Makefile.am
++++ pam.debian/modules/pam_unix/Makefile.am
+@@ -42,7 +42,7 @@
+
+ pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \
+ pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
+- passverify.c yppasswd_xdr.c md5_good.c md5_broken.c
++ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c
+
+ bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
+ bigcrypt_CFLAGS = $(AM_CFLAGS)
+Index: pam.debian/modules/pam_unix/pam_unix.8
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix.8
++++ pam.debian/modules/pam_unix/pam_unix.8
+@@ -178,7 +178,38 @@
+ .RS 4
+ Set a minimum password length of
+ \fIn\fR
+-characters\&. The max\&. for DES crypt based passwords are 8 characters\&.
++characters\&. The default value is 6\&. The maximum for DES crypt\-based passwords is 8 characters\&.
++.RE
++.PP
++\fBobscure\fR
++.RS 4
++Enable some extra checks on password strength\&. These checks are based on the "obscure" checks in the original shadow package\&. The behavior is similar to the pam_cracklib module, but for non\-dictionary\-based checks\&. The following checks are implemented:
++.PP
++\fBPalindrome\fR
++.RS 4
++Verifies that the new password is not a palindrome of (i\&.e\&., the reverse of) the previous one\&.
++.RE
++.PP
++\fBCase Change Only\fR
++.RS 4
++Verifies that the new password isn\*(Aqt the same as the old one with a change of case\&.
++.RE
++.PP
++\fBSimilar\fR
++.RS 4
++Verifies that the new password isn\*(Aqt too much like the previous one\&.
++.RE
++.PP
++\fBSimple\fR
++.RS 4
++Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc\&.) used\&.
++.RE
++.PP
++\fBRotated\fR
++.RS 4
++Is the new password a rotated version of the old password? (E\&.g\&., "billy" and "illyb")
++.RE
++.sp
+ .RE
+ .PP
+ Invalid arguments are logged with
diff --git a/debian/patches-applied/008_modules_pam_limits_chroot b/debian/patches-applied/008_modules_pam_limits_chroot
new file mode 100644
index 00000000..fd4fc3a8
--- /dev/null
+++ b/debian/patches-applied/008_modules_pam_limits_chroot
@@ -0,0 +1,132 @@
+Index: pam.debian/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.debian.orig/modules/pam_limits/pam_limits.c
++++ pam.debian/modules/pam_limits/pam_limits.c
+@@ -87,6 +87,7 @@
+ int flag_numsyslogins; /* whether to limit logins only for a
+ specific user or to count all logins */
+ int priority; /* the priority to run user process with */
++ char chroot_dir[8092]; /* directory to chroot into */
+ struct user_limits_struct limits[RLIM_NLIMITS];
+ const char *conf_file;
+ int utmp_after_pam_call;
+@@ -97,6 +98,7 @@
+ #define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2
+
+ #define LIMIT_PRI RLIM_NLIMITS+3
++#define LIMIT_CHROOT RLIM_NLIMITS+4
+
+ #define LIMIT_SOFT 1
+ #define LIMIT_HARD 2
+@@ -472,6 +474,8 @@
+ pl->login_limit = -2;
+ pl->login_limit_def = LIMITS_DEF_NONE;
+
++ pl->chroot_dir[0] = '\0';
++
+ return retval;
+ }
+
+@@ -542,6 +546,8 @@
+ pl->flag_numsyslogins = 1;
+ } else if (strcmp(lim_item, "priority") == 0) {
+ limit_item = LIMIT_PRI;
++ } else if (strcmp(lim_item, "chroot") == 0) {
++ limit_item = LIMIT_CHROOT;
+ } else {
+ pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
+ return;
+@@ -579,9 +585,9 @@
+ pam_syslog(pamh, LOG_DEBUG,
+ "wrong limit value '%s' for limit type '%s'",
+ lim_value, lim_type);
+- return;
++ return;
+ }
+- } else {
++ } else if (limit_item != LIMIT_CHROOT) {
+ #ifdef __USE_FILE_OFFSET64
+ rlimit_value = strtoull (lim_value, &endptr, 10);
+ #else
+@@ -642,7 +648,11 @@
+ #endif
+ }
+
+- if ( (limit_item != LIMIT_LOGIN)
++ if (limit_item == LIMIT_CHROOT) {
++ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)-1);
++ pl->chroot_dir[sizeof(pl->chroot_dir)-1]='\0';
++ }
++ else if ( (limit_item != LIMIT_LOGIN)
+ && (limit_item != LIMIT_NUMSYSLOGINS)
+ && (limit_item != LIMIT_PRI) ) {
+ if (limit_type & LIMIT_SOFT) {
+@@ -986,6 +996,15 @@
+ retval |= LOGIN_ERR;
+ }
+
++ if (!retval && pl->chroot_dir[0]) {
++ i = chdir(pl->chroot_dir);
++ if (i == 0)
++ i = chroot(pl->chroot_dir);
++ if (i == 0)
++ i = chdir("/");
++ if (i != 0)
++ retval = LIMIT_ERR;
++ }
+ return retval;
+ }
+
+Index: pam.debian/modules/pam_limits/limits.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml
++++ pam.debian/modules/pam_limits/limits.conf.5.xml
+@@ -255,6 +255,12 @@
+ (Linux 2.6.12 and higher)</para>
+ </listitem>
+ </varlistentry>
++ <varlistentry>
++ <term><option>chroot</option></term>
++ <listitem>
++ <para>the directory to chroot the user to</para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ </listitem>
+ </varlistentry>
+Index: pam.debian/modules/pam_limits/limits.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf.5
++++ pam.debian/modules/pam_limits/limits.conf.5
+@@ -260,6 +260,11 @@
+ .RS 4
+ maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher)
+ .RE
++.PP
++\fBchroot\fR
++.RS 4
++the directory to chroot the user to
++.RE
+ .RE
+ .PP
+ All items support the values
+Index: pam.debian/modules/pam_limits/limits.conf
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf
++++ pam.debian/modules/pam_limits/limits.conf
+@@ -35,6 +35,7 @@
+ # - msgqueue - max memory used by POSIX message queues (bytes)
+ # - nice - max nice priority allowed to raise to values: [-20, 19]
+ # - rtprio - max realtime priority
++# - chroot - change root to directory (Debian-specific)
+ #
+ #<domain> <type> <item> <value>
+ #
+@@ -45,6 +46,7 @@
+ #@faculty soft nproc 20
+ #@faculty hard nproc 50
+ #ftp hard nproc 0
++#ftp - chroot /ftp
+ #@student - maxlogins 4
+
+ # End of file
diff --git a/debian/patches-applied/021_nis_cleanup b/debian/patches-applied/021_nis_cleanup
new file mode 100644
index 00000000..6b62bb7a
--- /dev/null
+++ b/debian/patches-applied/021_nis_cleanup
@@ -0,0 +1,44 @@
+Patch from Philippe Troin <phil@fifi.org>
+
+Originally this included a bunch of changes to locking, but the more
+recent code pulled from Linux_pam CVS seems to fix that issue.
+
+Index: pam.deb/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam.deb/modules/pam_unix/pam_unix_passwd.c
+@@ -577,7 +577,7 @@
+
+ if (_unix_blankpasswd(pamh, ctrl, user)) {
+ return PAM_SUCCESS;
+- } else if (off(UNIX__IAMROOT, ctrl)) {
++ } else if (off(UNIX__IAMROOT, ctrl) || on(UNIX_NIS, ctrl)) {
+ /* instruct user what is happening */
+ if (asprintf(&Announce, _("Changing password for %s."),
+ user) < 0) {
+@@ -590,7 +590,9 @@
+ set(UNIX__OLD_PASSWD, lctrl);
+ retval = _unix_read_password(pamh, lctrl
+ ,Announce
+- ,_("(current) UNIX password: ")
++ ,(on(UNIX__IAMROOT, ctrl)
++ ? _("NIS server root password: ")
++ : _("(current) UNIX password: "))
+ ,NULL
+ ,_UNIX_OLD_AUTHTOK
+ ,&pass_old);
+@@ -601,9 +603,12 @@
+ "password - (old) token not obtained");
+ return retval;
+ }
+- /* verify that this is the password for this user */
++ /* verify that this is the password for this user
++ * if we're not using NIS */
+
+- retval = _unix_verify_password(pamh, user, pass_old, ctrl);
++ if (off(UNIX_NIS, ctrl)) {
++ retval = _unix_verify_password(pamh, user, pass_old, ctrl);
++ }
+ } else {
+ D(("process run by root so do nothing this time around"));
+ pass_old = NULL;
diff --git a/debian/patches-applied/022_pam_unix_group_time_miscfixes b/debian/patches-applied/022_pam_unix_group_time_miscfixes
new file mode 100644
index 00000000..73cba7a2
--- /dev/null
+++ b/debian/patches-applied/022_pam_unix_group_time_miscfixes
@@ -0,0 +1,22 @@
+Description: handle the case of flags being empty or only PAM_SILENT, which is
+ documented in other PAM implementations as meaning PAM_ESTABLISH_CRED:
+ http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.basetechref%2Fdoc%2Fbasetrf1%2Fpam_setcred.htm
+
+Index: pam.deb/modules/pam_group/pam_group.c
+===================================================================
+--- pam.deb.orig/modules/pam_group/pam_group.c
++++ pam.deb/modules/pam_group/pam_group.c
+@@ -765,9 +765,12 @@
+ unsigned setting;
+
+ /* only interested in establishing credentials */
++ /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED.
++ Some people just pass PAM_SILENT, so cope with it, too. */
+
+ setting = flags;
+- if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) {
++ if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))
++ && (setting != 0) && (setting != PAM_SILENT)) {
+ D(("ignoring call - not for establishing credentials"));
+ return PAM_SUCCESS; /* don't fail because of this */
+ }
diff --git a/debian/patches-applied/026_pam_unix_passwd_unknown_user b/debian/patches-applied/026_pam_unix_passwd_unknown_user
new file mode 100644
index 00000000..1b1aade2
--- /dev/null
+++ b/debian/patches-applied/026_pam_unix_passwd_unknown_user
@@ -0,0 +1,33 @@
+Description: distinguish between password manipulation failure and missing user.
+Author: Martin Schwenke <martin@meltin.net>
+
+Index: pam.deb/modules/pam_unix/passverify.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/passverify.c
++++ pam.deb/modules/pam_unix/passverify.c
+@@ -719,7 +719,7 @@
+ struct passwd *tmpent = NULL;
+ struct stat st;
+ FILE *pwfile, *opwfile;
+- int err = 1;
++ int err = 1, found = 0;
+ int oldmask;
+ #ifdef WITH_SELINUX
+ security_context_t prev_context=NULL;
+@@ -790,6 +790,7 @@
+
+ tmpent->pw_passwd = assigned_passwd.charp;
+ err = 0;
++ found = 1;
+ }
+ if (putpwent(tmpent, pwfile)) {
+ D(("error writing entry to password file: %m"));
+@@ -832,7 +833,7 @@
+ return PAM_SUCCESS;
+ } else {
+ unlink(PW_TMPFILE);
+- return PAM_AUTHTOK_ERR;
++ return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN;
+ }
+ }
+
diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
new file mode 100644
index 00000000..717fdd5c
--- /dev/null
+++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
@@ -0,0 +1,253 @@
+Description: Allow explicit limits for root and reset limits on each session
+ When crossing session boundaries (such as when su'ing from one user to
+ another), if the target account has no limit specified in limits.conf we
+ want to use the default, not the current value configured for the
+ source account.
+ .
+ If /proc/1/limits is unavailable, fall back to a set of hard-coded values
+ that shadow the currently known defaults on Linux.
+ .
+ Also, don't apply wildcard limits to the root account; only apply limits to
+ root that reference root by name.
+Author: Peter Paluch <peterp@frcatel.fri.utc.sk>,
+ Ben Collins <bcollins@debian.org>,
+ Steve Langasek <vorlon@debian.org>,
+Bug-Debian: http://bugs.debian.org/63230
+Index: pam.debian/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.debian.orig/modules/pam_limits/pam_limits.c
++++ pam.debian/modules/pam_limits/pam_limits.c
+@@ -45,6 +45,14 @@
+ #include <libaudit.h>
+ #endif
+
++#ifndef MLOCK_LIMIT
++#ifdef __FreeBSD_kernel__
++#define MLOCK_LIMIT RLIM_INFINITY
++#else
++#define MLOCK_LIMIT (64*1024)
++#endif
++#endif
++
+ /* Module defines */
+ #define LINE_LENGTH 1024
+
+@@ -82,6 +90,7 @@
+
+ /* internal data */
+ struct pam_limit_s {
++ int root; /* running as root? */
+ int login_limit; /* the max logins limit */
+ int login_limit_def; /* which entry set the login limit */
+ int flag_numsyslogins; /* whether to limit logins only for a
+@@ -436,9 +445,18 @@
+ {
+ int i;
+ int retval = PAM_SUCCESS;
++ static int mlock_limit = 0;
+
+ D(("called."));
+
++ pl->root = 0;
++
++ if (mlock_limit == 0) {
++ mlock_limit = sysconf(_SC_PAGESIZE);
++ if (mlock_limit < MLOCK_LIMIT)
++ mlock_limit = MLOCK_LIMIT;
++ }
++
+ for(i = 0; i < RLIM_NLIMITS; i++) {
+ int r = getrlimit(i, &pl->limits[i].limit);
+ if (r == -1) {
+@@ -454,18 +472,68 @@
+ }
+
+ #ifdef __linux__
+- if (ctrl & PAM_SET_ALL) {
+- parse_kernel_limits(pamh, pl, ctrl);
++ parse_kernel_limits(pamh, pl, ctrl);
++#endif
+
+- for(i = 0; i < RLIM_NLIMITS; i++) {
++ for(i = 0; i < RLIM_NLIMITS; i++) {
+ if (pl->limits[i].supported &&
+ (pl->limits[i].src_soft == LIMITS_DEF_NONE ||
+ pl->limits[i].src_hard == LIMITS_DEF_NONE)) {
+- pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i));
++#ifdef __linux__
++ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i));
++#endif
++ pl->limits[i].src_soft = LIMITS_DEF_DEFAULT;
++ pl->limits[i].src_hard = LIMITS_DEF_DEFAULT;
++ switch(i) {
++ case RLIMIT_CPU:
++ case RLIMIT_FSIZE:
++ case RLIMIT_DATA:
++ case RLIMIT_RSS:
++ case RLIMIT_NPROC:
++#ifdef RLIMIT_AS
++ case RLIMIT_AS:
++#endif
++#ifdef RLIMIT_LOCKS
++ case RLIMIT_LOCKS:
++#endif
++ pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ case RLIMIT_MEMLOCK:
++ pl->limits[i].limit.rlim_cur = mlock_limit;
++ pl->limits[i].limit.rlim_max = mlock_limit;
++ break;
++#ifdef RLIMIT_SIGPENDING
++ case RLIMIT_SIGPENDING:
++ pl->limits[i].limit.rlim_cur = 16382;
++ pl->limits[i].limit.rlim_max = 16382;
++ break;
++#endif
++#ifdef RLIMIT_MSGQUEUE
++ case RLIMIT_MSGQUEUE:
++ pl->limits[i].limit.rlim_cur = 819200;
++ pl->limits[i].limit.rlim_max = 819200;
++ break;
++#endif
++ case RLIMIT_CORE:
++ pl->limits[i].limit.rlim_cur = 0;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ case RLIMIT_STACK:
++ pl->limits[i].limit.rlim_cur = 8192*1024;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ case RLIMIT_NOFILE:
++ pl->limits[i].limit.rlim_cur = 1024;
++ pl->limits[i].limit.rlim_max = 1024;
++ break;
++ default:
++ pl->limits[i].src_soft = LIMITS_DEF_NONE;
++ pl->limits[i].src_hard = LIMITS_DEF_NONE;
++ break;
++ }
+ }
+- }
+ }
+-#endif
+
+ errno = 0;
+ pl->priority = getpriority (PRIO_PROCESS, 0);
+@@ -804,7 +872,7 @@
+
+ if (strcmp(uname, domain) == 0) /* this user have a limit */
+ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
+- else if (domain[0]=='@') {
++ else if (domain[0]=='@' && !pl->root) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "checking if %s is in group %s",
+@@ -830,7 +898,7 @@
+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
+ pl);
+ }
+- } else if (domain[0]=='%') {
++ } else if (domain[0]=='%' && !pl->root) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "checking if %s is in group %s",
+@@ -864,7 +932,7 @@
+ } else {
+ switch(rngtype) {
+ case LIMIT_RANGE_NONE:
+- if (strcmp(domain, "*") == 0)
++ if (strcmp(domain, "*") == 0 && !pl->root)
+ process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
+ pl);
+ break;
+@@ -1050,6 +1118,8 @@
+ return PAM_ABORT;
+ }
+
++ if (pwd->pw_uid == 0)
++ pl->root = 1;
+ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl);
+ if (retval == PAM_IGNORE) {
+ D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE));
+Index: pam.debian/modules/pam_limits/limits.conf
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf
++++ pam.debian/modules/pam_limits/limits.conf
+@@ -11,6 +11,9 @@
+ # - the wildcard *, for default entry
+ # - the wildcard %, can be also used with %group syntax,
+ # for maxlogin limit
++# - NOTE: group and wildcard limits are not applied to root.
++# To apply a limit to the root user, <domain> must be
++# the literal username root.
+ #
+ #<type> can have the two values:
+ # - "soft" for enforcing the soft limits
+@@ -41,6 +44,7 @@
+ #
+
+ #* soft core 0
++#root hard core 100000
+ #* hard rss 10000
+ #@student hard nproc 20
+ #@faculty soft nproc 20
+Index: pam.debian/modules/pam_limits/limits.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml
++++ pam.debian/modules/pam_limits/limits.conf.5.xml
+@@ -88,6 +88,11 @@
+ </para>
+ </listitem>
+ </itemizedlist>
++ <para>
++ <emphasis remap='B'>NOTE:</emphasis> group and wildcard limits are not
++ applied to the root user. To set a limit for the root user, this field
++ must contain the literal username <emphasis remap='B'>root</emphasis>.
++ </para>
+ </listitem>
+ </varlistentry>
+
+@@ -309,6 +314,7 @@
+ </para>
+ <programlisting>
+ * soft core 0
++root hard core 100000
+ * hard nofile 512
+ @student hard nproc 20
+ @faculty soft nproc 20
+Index: pam.debian/modules/pam_limits/limits.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf.5
++++ pam.debian/modules/pam_limits/limits.conf.5
+@@ -132,6 +132,10 @@
+ \fB%:\fR\fI<gid>\fR
+ applicable to maxlogins limit only\&. It limits the total number of logins of all users that are member of the group with the specified gid\&.
+ .RE
++.sp
++\fBNOTE:\fR
++group and wildcard limits are not applied to the root user\&. To set a limit for the root user, this field must contain the literal username
++\fBroot\fR\&.
+ .RE
+ .PP
+ \fB<type>\fR
+@@ -304,6 +308,7 @@
+ .\}
+ .nf
+ * soft core 0
++root hard core 100000
+ * hard nofile 512
+ @student hard nproc 20
+ @faculty soft nproc 20
+Index: pam.debian/modules/pam_limits/README
+===================================================================
+--- pam.debian.orig/modules/pam_limits/README
++++ pam.debian/modules/pam_limits/README
+@@ -54,6 +54,7 @@
+ limits.conf.
+
+ * soft core 0
++root hard core 100000
+ * hard nofile 512
+ @student hard nproc 20
+ @faculty soft nproc 20
diff --git a/debian/patches-applied/031_pam_include b/debian/patches-applied/031_pam_include
new file mode 100644
index 00000000..23962ad1
--- /dev/null
+++ b/debian/patches-applied/031_pam_include
@@ -0,0 +1,72 @@
+Patch to implement an @include directive for use in pam.d config files.
+
+Authors: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
+
+Upstream status: not yet submitted
+
+Index: pam.deb/libpam/pam_handlers.c
+===================================================================
+--- pam.deb.orig/libpam/pam_handlers.c
++++ pam.deb/libpam/pam_handlers.c
+@@ -122,6 +122,10 @@
+ module_type = PAM_T_ACCT;
+ } else if (!strcasecmp("password", tok)) {
+ module_type = PAM_T_PASS;
++ } else if (!strcasecmp("@include", tok)) {
++ pam_include = 1;
++ module_type = requested_module_type;
++ goto parsing_done;
+ } else {
+ /* Illegal module type */
+ D(("_pam_init_handlers: bad module type: %s", tok));
+@@ -192,8 +196,10 @@
+ _pam_set_default_control(actions, _PAM_ACTION_BAD);
+ }
+
++parsing_done:
+ tok = _pam_StrTok(NULL, " \n\t", &nexttok);
+ if (pam_include) {
++ struct stat include_dir;
+ if (substack) {
+ res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other,
+ stack_level, module_type, actions, tok,
+@@ -204,13 +210,35 @@
+ return PAM_ABORT;
+ }
+ }
+- if (_pam_load_conf_file(pamh, tok, this_service, module_type,
+- stack_level + substack
++ if (tok[0] == '/') {
++ if (_pam_load_conf_file(pamh, tok, this_service,
++ module_type, stack_level + substack
++#ifdef PAM_READ_BOTH_CONFS
++ , !other
++#endif /* PAM_READ_BOTH_CONFS */
++ ) == PAM_SUCCESS)
++ continue;
++ }
++ else if (!stat(PAM_CONFIG_D, &include_dir)
++ && S_ISDIR(include_dir.st_mode))
++ {
++ char *include_file;
++ if (asprintf (&include_file, PAM_CONFIG_DF, tok) < 0) {
++ pam_syslog(pamh, LOG_CRIT, "asprintf failed");
++ return PAM_ABORT;
++ }
++ if (_pam_load_conf_file(pamh, include_file, this_service,
++ module_type, stack_level + substack
+ #ifdef PAM_READ_BOTH_CONFS
+ , !other
+ #endif /* PAM_READ_BOTH_CONFS */
+- ) == PAM_SUCCESS)
+- continue;
++ ) == PAM_SUCCESS)
++ {
++ free(include_file);
++ continue;
++ }
++ free(include_file);
++ }
+ _pam_set_default_control(actions, _PAM_ACTION_BAD);
+ mod_path = NULL;
+ handler_type = PAM_HT_MUST_FAIL;
diff --git a/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL b/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL
new file mode 100644
index 00000000..58fab0ee
--- /dev/null
+++ b/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL
@@ -0,0 +1,22 @@
+setrlimit will sometimes return EPERM for example if you try to increase the
+number of open files too much. This is not something we want to consider
+fatal. This also happens if you use non-root and try to decrease a limit.
+Running PAM as non-root is not so great.
+
+Authors: ?
+
+Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net>
+
+Index: pam.deb/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.deb.orig/modules/pam_limits/pam_limits.c
++++ pam.deb/modules/pam_limits/pam_limits.c
+@@ -735,6 +735,8 @@
+ if (res != 0)
+ pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
+ rlimit2str(i));
++ if (res == -1 && errno == EPERM)
++ continue;
+ status |= res;
+ }
+
diff --git a/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
new file mode 100644
index 00000000..146d3e0a
--- /dev/null
+++ b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
@@ -0,0 +1,145 @@
+Patch for Debian bug #163787 et al
+
+Always use the process uid, not getlogin(), to identify an applicant in
+pam_wheel; utmp may be wrong or may have no entry at all in the case of
+an xterm
+
+Authors: Ben Collins <bcollins@debian.org>
+
+Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
+
+Index: pam.debian/modules/pam_wheel/pam_wheel.c
+===================================================================
+--- pam.debian.orig/modules/pam_wheel/pam_wheel.c
++++ pam.debian/modules/pam_wheel/pam_wheel.c
+@@ -60,9 +60,8 @@
+ /* argument parsing */
+
+ #define PAM_DEBUG_ARG 0x0001
+-#define PAM_USE_UID_ARG 0x0002
+-#define PAM_TRUST_ARG 0x0004
+-#define PAM_DENY_ARG 0x0010
++#define PAM_TRUST_ARG 0x0002
++#define PAM_DENY_ARG 0x0004
+ #define PAM_ROOT_ONLY_ARG 0x0020
+
+ static int
+@@ -80,8 +79,7 @@
+
+ if (!strcmp(*argv,"debug"))
+ ctrl |= PAM_DEBUG_ARG;
+- else if (!strcmp(*argv,"use_uid"))
+- ctrl |= PAM_USE_UID_ARG;
++ else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */
+ else if (!strcmp(*argv,"trust"))
+ ctrl |= PAM_TRUST_ARG;
+ else if (!strcmp(*argv,"deny"))
+@@ -129,27 +127,14 @@
+ }
+ }
+
+- if (ctrl & PAM_USE_UID_ARG) {
+- tpwd = pam_modutil_getpwuid (pamh, getuid());
+- if (!tpwd) {
+- if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+- }
+- return PAM_SERVICE_ERR;
+- }
+- fromsu = tpwd->pw_name;
+- } else {
+- fromsu = pam_modutil_getlogin(pamh);
+- if (fromsu) {
+- tpwd = pam_modutil_getpwnam (pamh, fromsu);
+- }
+- if (!fromsu || !tpwd) {
+- if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+- }
+- return PAM_SERVICE_ERR;
++ tpwd = pam_modutil_getpwuid (pamh, getuid());
++ if (!tpwd) {
++ if (ctrl & PAM_DEBUG_ARG) {
++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+ }
++ return PAM_SERVICE_ERR;
+ }
++ fromsu = tpwd->pw_name;
+
+ /*
+ * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu
+Index: pam.debian/modules/pam_wheel/pam_wheel.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_wheel/pam_wheel.8.xml
++++ pam.debian/modules/pam_wheel/pam_wheel.8.xml
+@@ -33,9 +33,6 @@
+ <arg choice="opt">
+ trust
+ </arg>
+- <arg choice="opt">
+- use_uid
+- </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+@@ -115,18 +112,6 @@
+ </para>
+ </listitem>
+ </varlistentry>
+- <varlistentry>
+- <term>
+- <option>use_uid</option>
+- </term>
+- <listitem>
+- <para>
+- The check for wheel membership will be done against
+- the current uid instead of the original one (useful when
+- jumping with su from one account to another for example).
+- </para>
+- </listitem>
+- </varlistentry>
+ </variablelist>
+ </refsect1>
+
+Index: pam.debian/modules/pam_wheel/pam_wheel.8
+===================================================================
+--- pam.debian.orig/modules/pam_wheel/pam_wheel.8
++++ pam.debian/modules/pam_wheel/pam_wheel.8
+@@ -31,7 +31,7 @@
+ pam_wheel \- Only permit root access to members of group wheel
+ .SH "SYNOPSIS"
+ .HP \w'\fBpam_wheel\&.so\fR\ 'u
+-\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]
++\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust]
+ .SH "DESCRIPTION"
+ .PP
+ The pam_wheel PAM module is used to enforce the so\-called
+@@ -72,11 +72,6 @@
+ .RS 4
+ The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&.
+ .RE
+-.PP
+-\fBuse_uid\fR
+-.RS 4
+-The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\&.
+-.RE
+ .SH "MODULE TYPES PROVIDED"
+ .PP
+ The
+Index: pam.debian/modules/pam_wheel/README
+===================================================================
+--- pam.debian.orig/modules/pam_wheel/README
++++ pam.debian/modules/pam_wheel/README
+@@ -39,12 +39,6 @@
+ modules the wheel members may be able to su to root without being prompted
+ for a passwd).
+
+-use_uid
+-
+- The check for wheel membership will be done against the current uid instead
+- of the original one (useful when jumping with su from one account to
+- another for example).
+-
+ EXAMPLES
+
+ The root account gains access by default (rootok), only wheel members can
diff --git a/debian/patches-applied/040_pam_limits_log_failure b/debian/patches-applied/040_pam_limits_log_failure
new file mode 100644
index 00000000..f80273e7
--- /dev/null
+++ b/debian/patches-applied/040_pam_limits_log_failure
@@ -0,0 +1,36 @@
+Patch for Debian bug #180310
+
+Generate some (low-severity) log information whenever setrlimit() fails,
+for debugging purposes.
+
+Authors: Sam Hartman <hartmans@debian.org>
+
+Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net>
+
+Index: pam.deb/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.deb.orig/modules/pam_limits/pam_limits.c
++++ pam.deb/modules/pam_limits/pam_limits.c
+@@ -732,9 +732,19 @@
+ if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
+ pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
+ res = setrlimit(i, &pl->limits[i].limit);
+- if (res != 0)
+- pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
+- rlimit2str(i));
++ if (res != 0 && (i != RLIMIT_NOFILE
++ || pl->limits[i].limit.rlim_cur != RLIM_INFINITY))
++ {
++ int save_errno = errno;
++ pam_syslog(pamh, LOG_DEBUG,
++ "Could not set limit for '%s' to soft=%d, hard=%d:"
++ " %m; uid=%lu,euid=%lu", rlimit2str(i),
++ pl->limits[i].limit.rlim_cur,
++ pl->limits[i].limit.rlim_max,
++ (unsigned long) getuid(),
++ (unsigned long) geteuid());
++ errno = save_errno;
++ }
+ if (res == -1 && errno == EPERM)
+ continue;
+ status |= res;
diff --git a/debian/patches-applied/045_pam_dispatch_jump_is_ignore b/debian/patches-applied/045_pam_dispatch_jump_is_ignore
new file mode 100644
index 00000000..672ab44d
--- /dev/null
+++ b/debian/patches-applied/045_pam_dispatch_jump_is_ignore
@@ -0,0 +1,31 @@
+
+Previously jumps were treated as PAM_IGNORE in the freezing part of
+the chain and PAM_OK (aka required) in the frozen part of the chain.
+No one on pam-list was able to explain this behavior, so I changed it
+to be consistent.
+
+Index: pam.deb/libpam/pam_dispatch.c
+===================================================================
+--- pam.deb.orig/libpam/pam_dispatch.c
++++ pam.deb/libpam/pam_dispatch.c
+@@ -251,19 +251,7 @@
+ if ( _PAM_ACTION_IS_JUMP(action) ) {
+
+ /* If we are evaluating a cached chain, we treat this
+- module as required (aka _PAM_ACTION_OK) as well as
+- executing the jump. */
+-
+- if (use_cached_chain) {
+- if (impression == _PAM_UNDEF
+- || (impression == _PAM_POSITIVE
+- && status == PAM_SUCCESS) ) {
+- if ( retval != PAM_IGNORE || cached_retval == retval ) {
+- impression = _PAM_POSITIVE;
+- status = retval;
+- }
+- }
+- }
++ module as ignored as well as executing the jump. */
+
+ /* this means that we need to skip #action stacked modules */
+ while (h->next != NULL && h->next->stack_level >= stack_level && action > 0) {
diff --git a/debian/patches-applied/054_pam_security_abstract_securetty_handling b/debian/patches-applied/054_pam_security_abstract_securetty_handling
new file mode 100644
index 00000000..91d6809f
--- /dev/null
+++ b/debian/patches-applied/054_pam_security_abstract_securetty_handling
@@ -0,0 +1,199 @@
+Description: extract the securetty logic for use with the "nullok_secure" option
+ introduced in the "055_pam_unix_nullok_secure" patch.
+
+Index: pam.debian/modules/pam_securetty/pam_securetty.c
+===================================================================
+--- pam.debian.orig/modules/pam_securetty/pam_securetty.c
++++ pam.debian/modules/pam_securetty/pam_securetty.c
+@@ -1,7 +1,5 @@
+ /* pam_securetty module */
+
+-#define SECURETTY_FILE "/etc/securetty"
+-#define TTY_PREFIX "/dev/"
+ #define CMDLINE_FILE "/proc/cmdline"
+ #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
+
+@@ -40,6 +38,9 @@
+ #include <security/pam_modutil.h>
+ #include <security/pam_ext.h>
+
++extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
++ const char *uttyname);
++
+ #define PAM_DEBUG_ARG 0x0001
+ #define PAM_NOCONSOLE_ARG 0x0002
+
+@@ -73,11 +74,7 @@
+ const char *username;
+ const char *uttyname;
+ const void *void_uttyname;
+- char ttyfileline[256];
+- char ptname[256];
+- struct stat ttyfileinfo;
+ struct passwd *user_pwd;
+- FILE *ttyfile;
+
+ /* log a trail for debugging */
+ if (ctrl & PAM_DEBUG_ARG) {
+@@ -105,50 +102,7 @@
+ return PAM_SERVICE_ERR;
+ }
+
+- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
+- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) {
+- uttyname += sizeof(TTY_PREFIX)-1;
+- }
+-
+- if (stat(SECURETTY_FILE, &ttyfileinfo)) {
+- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
+- return PAM_SUCCESS; /* for compatibility with old securetty handling,
+- this needs to succeed. But we still log the
+- error. */
+- }
+-
+- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
+- /* If the file is world writable or is not a
+- normal file, return error */
+- pam_syslog(pamh, LOG_ERR,
+- "%s is either world writable or not a normal file",
+- SECURETTY_FILE);
+- return PAM_AUTH_ERR;
+- }
+-
+- ttyfile = fopen(SECURETTY_FILE,"r");
+- if (ttyfile == NULL) { /* Check that we opened it successfully */
+- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
+- return PAM_SERVICE_ERR;
+- }
+-
+- if (isdigit(uttyname[0])) {
+- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
+- } else {
+- ptname[0] = '\0';
+- }
+-
+- retval = 1;
+-
+- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL)
+- && retval) {
+- if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
+- ttyfileline[strlen(ttyfileline) - 1] = '\0';
+-
+- retval = ( strcmp(ttyfileline, uttyname)
+- && (!ptname[0] || strcmp(ptname, uttyname)) );
+- }
+- fclose(ttyfile);
++ retval = _pammodutil_tty_secure(pamh, uttyname);
+
+ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
+ FILE *cmdlinefile;
+Index: pam.debian/modules/pam_securetty/tty_secure.c
+===================================================================
+--- /dev/null
++++ pam.debian/modules/pam_securetty/tty_secure.c
+@@ -0,0 +1,90 @@
++/*
++ * A function to determine if a particular line is in /etc/securetty
++ */
++
++
++#define SECURETTY_FILE "/etc/securetty"
++#define TTY_PREFIX "/dev/"
++
++/* This function taken out of pam_securetty by Sam Hartman
++ * <hartmans@debian.org>*/
++/*
++ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
++ * July 25, 1996.
++ * Slight modifications AGM. 1996/12/3
++ */
++
++#include <unistd.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <security/pam_modules.h>
++#include <stdarg.h>
++#include <syslog.h>
++#include <sys/syslog.h>
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <ctype.h>
++#include <security/pam_modutil.h>
++#include <security/pam_ext.h>
++
++extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
++ const char *uttyname);
++
++int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname)
++{
++ int retval = PAM_AUTH_ERR;
++ char ttyfileline[256];
++ char ptname[256];
++ struct stat ttyfileinfo;
++ FILE *ttyfile;
++ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
++ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
++ uttyname += sizeof(TTY_PREFIX)-1;
++
++ if (stat(SECURETTY_FILE, &ttyfileinfo)) {
++ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m",
++ SECURETTY_FILE);
++ return PAM_SUCCESS; /* for compatibility with old securetty handling,
++ this needs to succeed. But we still log the
++ error. */
++ }
++
++ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
++ /* If the file is world writable or is not a
++ normal file, return error */
++ pam_syslog(pamh, LOG_ERR,
++ "%s is either world writable or not a normal file",
++ SECURETTY_FILE);
++ return PAM_AUTH_ERR;
++ }
++
++ ttyfile = fopen(SECURETTY_FILE,"r");
++ if(ttyfile == NULL) { /* Check that we opened it successfully */
++ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
++ return PAM_SERVICE_ERR;
++ }
++
++ if (isdigit(uttyname[0])) {
++ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
++ } else {
++ ptname[0] = '\0';
++ }
++
++ retval = 1;
++
++ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
++ && retval) {
++ if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
++ ttyfileline[strlen(ttyfileline) - 1] = '\0';
++ retval = ( strcmp(ttyfileline,uttyname)
++ && (!ptname[0] || strcmp(ptname, uttyname)) );
++ }
++ fclose(ttyfile);
++
++ if(retval) {
++ retval = PAM_AUTH_ERR;
++ }
++
++ return retval;
++}
+Index: pam.debian/modules/pam_securetty/Makefile.am
+===================================================================
+--- pam.debian.orig/modules/pam_securetty/Makefile.am
++++ pam.debian/modules/pam_securetty/Makefile.am
+@@ -24,6 +24,10 @@
+ securelib_LTLIBRARIES = pam_securetty.la
+ pam_securetty_la_LIBADD = -L$(top_builddir)/libpam -lpam
+
++pam_securetty_la_SOURCES = \
++ pam_securetty.c \
++ tty_secure.c
++
+ if ENABLE_REGENERATE_MAN
+ noinst_DATA = README
+ README: pam_securetty.8.xml
diff --git a/debian/patches-applied/055_pam_unix_nullok_secure b/debian/patches-applied/055_pam_unix_nullok_secure
new file mode 100644
index 00000000..f0b0a3d2
--- /dev/null
+++ b/debian/patches-applied/055_pam_unix_nullok_secure
@@ -0,0 +1,224 @@
+Debian patch to add a new 'nullok_secure' option to pam_unix, which
+accepts users with null passwords only when the applicant is connected
+from a tty listed in /etc/securetty.
+
+Authors: Sam Hartman <hartmans@debian.org>,
+ Steve Langasek <vorlon@debian.org>
+
+Upstream status: not yet submitted
+
+Index: pam.debian/modules/pam_unix/support.c
+===================================================================
+--- pam.debian.orig/modules/pam_unix/support.c
++++ pam.debian/modules/pam_unix/support.c
+@@ -84,14 +84,22 @@
+ /* now parse the arguments to this module */
+
+ for (; argc-- > 0; ++argv) {
+- int j;
++ int j, sl;
+
+ D(("pam_unix arg: %s", *argv));
+
+ for (j = 0; j < UNIX_CTRLS_; ++j) {
+- if (unix_args[j].token
+- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {
+- break;
++ if (unix_args[j].token) {
++ sl = strlen(unix_args[j].token);
++ if (unix_args[j].token[sl-1] == '=') {
++ /* exclude argument from comparison */
++ if (!strncmp(*argv, unix_args[j].token, sl))
++ break;
++ } else {
++ /* compare full strings */
++ if (!strcmp(*argv, unix_args[j].token))
++ break;
++ }
+ }
+ }
+
+@@ -461,6 +469,7 @@
+ child = fork();
+ if (child == 0) {
+ int i=0;
++ int nullok = off(UNIX__NONULL, ctrl);
+ struct rlimit rlim;
+ static char *envp[] = { NULL };
+ char *args[] = { NULL, NULL, NULL, NULL };
+@@ -488,7 +497,18 @@
+ /* exec binary helper */
+ args[0] = strdup(CHKPWD_HELPER);
+ args[1] = x_strdup(user);
+- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
++
++ if (on(UNIX_NULLOK_SECURE, ctrl)) {
++ const void *uttyname;
++ retval = pam_get_item(pamh, PAM_TTY, &uttyname);
++ if (retval != PAM_SUCCESS || uttyname == NULL
++ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
++ {
++ nullok = 0;
++ }
++ }
++
++ if (nullok) {
+ args[2]=strdup("nullok");
+ } else {
+ args[2]=strdup("nonull");
+@@ -567,6 +587,17 @@
+ if (on(UNIX__NONULL, ctrl))
+ return 0; /* will fail but don't let on yet */
+
++ if (on(UNIX_NULLOK_SECURE, ctrl)) {
++ int retval2;
++ const void *uttyname;
++ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname);
++ if (retval2 != PAM_SUCCESS || uttyname == NULL)
++ return 0;
++
++ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
++ return 0;
++ }
++
+ /* UNIX passwords area */
+
+ retval = get_pwd_hash(pamh, name, &pwd, &salt);
+@@ -653,7 +684,8 @@
+ }
+ }
+ } else {
+- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
++ retval = verify_pwd_hash(p, salt,
++ _unix_blankpasswd(pamh, ctrl, name));
+ }
+
+ if (retval == PAM_SUCCESS) {
+Index: pam.debian/modules/pam_unix/support.h
+===================================================================
+--- pam.debian.orig/modules/pam_unix/support.h
++++ pam.debian/modules/pam_unix/support.h
+@@ -91,8 +91,9 @@
+ #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
+ #define UNIX_MIN_PASS_LEN 27 /* min length for password */
+ #define UNIX_OBSCURE_CHECKS 28 /* enable obscure checks on passwords */
++#define UNIX_NULLOK_SECURE 29 /* NULL passwords allowed only on secure ttys */
+ /* -------------- */
+-#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */
+
+ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+
+@@ -110,7 +111,7 @@
+ /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40},
+ /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80},
+ /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100},
+-/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200},
++/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0x200},
+ /* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400},
+ /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800},
+ /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000},
+@@ -130,6 +131,7 @@
+ /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x2C22000),0x2000000},
+ /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000},
+ /* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x8000000},
++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000},
+ };
+
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
+@@ -165,6 +167,9 @@
+ ,const char *data_name
+ ,const void **pass);
+
++extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
++ const char *uttyname);
++
+ extern int _unix_run_verify_binary(pam_handle_t *pamh,
+ unsigned int ctrl, const char *user, int *daysleft);
+ #endif /* _PAM_UNIX_SUPPORT_H */
+Index: pam.debian/modules/pam_unix/Makefile.am
+===================================================================
+--- pam.debian.orig/modules/pam_unix/Makefile.am
++++ pam.debian/modules/pam_unix/Makefile.am
+@@ -30,7 +30,8 @@
+ pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+ pam_unix_la_LIBADD = -L$(top_builddir)/libpam -lpam \
+- @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS)
++ @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \
++ ../pam_securetty/tty_secure.lo
+
+ securelib_LTLIBRARIES = pam_unix.la
+
+Index: pam.debian/modules/pam_unix/README
+===================================================================
+--- pam.debian.orig/modules/pam_unix/README
++++ pam.debian/modules/pam_unix/README
+@@ -57,7 +57,16 @@
+
+ The default action of this module is to not permit the user access to a
+ service if their official password is blank. The nullok argument overrides
+- this default.
++ this default and allows any user with a blank password to access the
++ service.
++
++nullok_secure
++
++ The default action of this module is to not permit the user access to a
++ service if their official password is blank. The nullok_secure argument
++ overrides this default and allows any user with a blank password to access
++ the service as long as the value of PAM_TTY is set to one of the values
++ found in /etc/securetty.
+
+ try_first_pass
+
+Index: pam.debian/modules/pam_unix/pam_unix.8
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix.8
++++ pam.debian/modules/pam_unix/pam_unix.8
+@@ -79,7 +79,14 @@
+ .RS 4
+ The default action of this module is to not permit the user access to a service if their official password is blank\&. The
+ \fBnullok\fR
+-argument overrides this default\&.
++argument overrides this default and allows any user with a blank password to access the service\&.
++.RE
++.PP
++\fBnullok_secure\fR
++.RS 4
++The default action of this module is to not permit the user access to a service if their official password is blank\&. The
++\fBnullok_secure\fR
++argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&.
+ .RE
+ .PP
+ \fBtry_first_pass\fR
+Index: pam.debian/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix.8.xml
++++ pam.debian/modules/pam_unix/pam_unix.8.xml
+@@ -135,7 +135,24 @@
+ <para>
+ The default action of this module is to not permit the
+ user access to a service if their official password is blank.
+- The <option>nullok</option> argument overrides this default.
++ The <option>nullok</option> argument overrides this default
++ and allows any user with a blank password to access the
++ service.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>nullok_secure</option>
++ </term>
++ <listitem>
++ <para>
++ The default action of this module is to not permit the
++ user access to a service if their official password is blank.
++ The <option>nullok_secure</option> argument overrides this
++ default and allows any user with a blank password to access
++ the service as long as the value of PAM_TTY is set to one of
++ the values found in /etc/securetty.
+ </para>
+ </listitem>
+ </varlistentry>
diff --git a/debian/patches-applied/PAM-manpage-section b/debian/patches-applied/PAM-manpage-section
new file mode 100644
index 00000000..a6dbf7ca
--- /dev/null
+++ b/debian/patches-applied/PAM-manpage-section
@@ -0,0 +1,1610 @@
+Patch to put the PAM manpage in section 7 (general topics) instead of 8
+(system administration commands)
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: maybe provide a backwards-compatibility link first?
+
+Index: pam.debian/doc/man/PAM.8
+===================================================================
+--- pam.debian.orig/doc/man/PAM.8
++++ pam.debian/doc/man/PAM.8
+@@ -118,4 +118,4 @@
+ \fBpam_authenticate\fR(3),
+ \fBpam_sm_setcred\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBPAM\fR(8)
++\fBPAM\fR(7)
+Index: pam.debian/doc/man/pam.8.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam.8.xml
++++ pam.debian/doc/man/pam.8.xml
+@@ -6,7 +6,7 @@
+
+ <refmeta>
+ <refentrytitle>pam</refentrytitle>
+- <manvolnum>8</manvolnum>
++ <manvolnum>7</manvolnum>
+ <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+@@ -179,7 +179,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>PAM</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_access/access.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_access/access.conf.5
++++ pam.debian/modules/pam_access/access.conf.5
+@@ -181,7 +181,7 @@
+ .PP
+ \fBpam_access\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHORS"
+ .PP
+ Original
+Index: pam.debian/modules/pam_access/access.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_access/access.conf.5.xml
++++ pam.debian/modules/pam_access/access.conf.5.xml
+@@ -191,7 +191,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_access</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam.debian/modules/pam_env/pam_env.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.conf.5
++++ pam.debian/modules/pam_env/pam_env.conf.5
+@@ -112,7 +112,7 @@
+ .PP
+ \fBpam_env\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_env was written by Dave Kinchlea <kinch@kinch\&.ark\&.com>\&.
+Index: pam.debian/modules/pam_env/pam_env.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.conf.5.xml
++++ pam.debian/modules/pam_env/pam_env.conf.5.xml
+@@ -110,7 +110,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam.debian/modules/pam_group/group.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_group/group.conf.5
++++ pam.debian/modules/pam_group/group.conf.5
+@@ -113,7 +113,7 @@
+ .PP
+ \fBpam_group\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_group/group.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_group/group.conf.5.xml
++++ pam.debian/modules/pam_group/group.conf.5.xml
+@@ -128,7 +128,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_group</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam.debian/modules/pam_limits/limits.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf.5
++++ pam.debian/modules/pam_limits/limits.conf.5
+@@ -327,7 +327,7 @@
+ .PP
+ \fBpam_limits\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBgetrlimit\fR(2)\fBgetrlimit\fR(3p)
+ .SH "AUTHOR"
+ .PP
+Index: pam.debian/modules/pam_limits/limits.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml
++++ pam.debian/modules/pam_limits/limits.conf.5.xml
+@@ -332,7 +332,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_limits</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>3p</manvolnum></citerefentry>
+ </para>
+Index: pam.debian/modules/pam_namespace/namespace.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_namespace/namespace.conf.5
++++ pam.debian/modules/pam_namespace/namespace.conf.5
+@@ -150,7 +150,7 @@
+ .PP
+ \fBpam_namespace\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHORS"
+ .PP
+ The namespace\&.conf manual page was written by Janak Desai <janak@us\&.ibm\&.com>\&. More features added by Tomas Mraz <tmraz@redhat\&.com>\&.
+Index: pam.debian/modules/pam_namespace/namespace.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_namespace/namespace.conf.5.xml
++++ pam.debian/modules/pam_namespace/namespace.conf.5.xml
+@@ -196,7 +196,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam.debian/modules/pam_time/time.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_time/time.conf.5
++++ pam.debian/modules/pam_time/time.conf.5
+@@ -108,7 +108,7 @@
+ .PP
+ \fBpam_time\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_time was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_time/time.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_time/time.conf.5.xml
++++ pam.debian/modules/pam_time/time.conf.5.xml
+@@ -130,7 +130,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_time</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam.debian/modules/pam_access/pam_access.8
+===================================================================
+--- pam.debian.orig/modules/pam_access/pam_access.8
++++ pam.debian/modules/pam_access/pam_access.8
+@@ -125,7 +125,7 @@
+ .PP
+ \fBaccess.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ The logdaemon style login access control scheme was designed and implemented by Wietse Venema\&. The pam_access PAM module was developed by Alexei Nogin <alexei@nogin\&.dnttm\&.ru>\&. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher <mike\&.becher@lrz\-muenchen\&.de>\&.
+Index: pam.debian/modules/pam_access/pam_access.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_access/pam_access.8.xml
++++ pam.debian/modules/pam_access/pam_access.8.xml
+@@ -237,7 +237,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_cracklib/pam_cracklib.8
+===================================================================
+--- pam.debian.orig/modules/pam_cracklib/pam_cracklib.8
++++ pam.debian/modules/pam_cracklib/pam_cracklib.8
+@@ -345,7 +345,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_cracklib was written by Cristian Gafton <gafton@redhat\&.com>
+Index: pam.debian/modules/pam_cracklib/pam_cracklib.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_cracklib/pam_cracklib.8.xml
++++ pam.debian/modules/pam_cracklib/pam_cracklib.8.xml
+@@ -532,7 +532,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_debug/pam_debug.8
+===================================================================
+--- pam.debian.orig/modules/pam_debug/pam_debug.8
++++ pam.debian/modules/pam_debug/pam_debug.8
+@@ -138,7 +138,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_debug was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_debug/pam_debug.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_debug/pam_debug.8.xml
++++ pam.debian/modules/pam_debug/pam_debug.8.xml
+@@ -216,7 +216,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_deny/pam_deny.8
+===================================================================
+--- pam.debian.orig/modules/pam_deny/pam_deny.8
++++ pam.debian/modules/pam_deny/pam_deny.8
+@@ -96,7 +96,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_deny was written by Andrew G\&. Morgan <morgan@kernel\&.org>
+Index: pam.debian/modules/pam_deny/pam_deny.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_deny/pam_deny.8.xml
++++ pam.debian/modules/pam_deny/pam_deny.8.xml
+@@ -120,7 +120,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_echo/pam_echo.8
+===================================================================
+--- pam.debian.orig/modules/pam_echo/pam_echo.8
++++ pam.debian/modules/pam_echo/pam_echo.8
+@@ -126,7 +126,7 @@
+ .PP
+ \fBpam.conf\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ Thorsten Kukuk <kukuk@thkukuk\&.de>
+Index: pam.debian/modules/pam_echo/pam_echo.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_echo/pam_echo.8.xml
++++ pam.debian/modules/pam_echo/pam_echo.8.xml
+@@ -159,7 +159,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry></para>
+ </refsect1>
+
+Index: pam.debian/modules/pam_env/pam_env.8
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.8
++++ pam.debian/modules/pam_env/pam_env.8
+@@ -88,7 +88,7 @@
+ .PP
+ \fBuser_readenv=\fR\fB\fI0|1\fR\fR
+ .RS 4
+-Turns on or off the reading of the user specific environment file\&. 0 is off, 1 is on\&. By default this option is on\&.
++Turns on or off the reading of the user specific environment file\&. 0 is off, 1 is on\&. By default this option is off\&.
+ .RE
+ .SH "MODULE TYPES PROVIDED"
+ .PP
+@@ -138,7 +138,7 @@
+ .PP
+ \fBpam_env.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHOR"
+ .PP
+ pam_env was written by Dave Kinchlea <kinch@kinch\&.ark\&.com>\&.
+Index: pam.debian/modules/pam_env/pam_env.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.8.xml
++++ pam.debian/modules/pam_env/pam_env.8.xml
+@@ -235,7 +235,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_exec/pam_exec.8
+===================================================================
+--- pam.debian.orig/modules/pam_exec/pam_exec.8
++++ pam.debian/modules/pam_exec/pam_exec.8
+@@ -147,7 +147,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_exec was written by Thorsten Kukuk <kukuk@thkukuk\&.de>\&.
+Index: pam.debian/modules/pam_exec/pam_exec.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_exec/pam_exec.8.xml
++++ pam.debian/modules/pam_exec/pam_exec.8.xml
+@@ -228,7 +228,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_faildelay/pam_faildelay.8
+===================================================================
+--- pam.debian.orig/modules/pam_faildelay/pam_faildelay.8
++++ pam.debian/modules/pam_faildelay/pam_faildelay.8
+@@ -87,7 +87,7 @@
+ \fBpam_fail_delay\fR(3),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_faildelay was written by Darren Tucker <dtucker@zip\&.com\&.au>\&.
+Index: pam.debian/modules/pam_faildelay/pam_faildelay.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_faildelay/pam_faildelay.8.xml
++++ pam.debian/modules/pam_faildelay/pam_faildelay.8.xml
+@@ -121,7 +121,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_filter/pam_filter.8
+===================================================================
+--- pam.debian.orig/modules/pam_filter/pam_filter.8
++++ pam.debian/modules/pam_filter/pam_filter.8
+@@ -166,7 +166,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_filter was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_filter/pam_filter.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_filter/pam_filter.8.xml
++++ pam.debian/modules/pam_filter/pam_filter.8.xml
+@@ -246,7 +246,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_ftp/pam_ftp.8
+===================================================================
+--- pam.debian.orig/modules/pam_ftp/pam_ftp.8
++++ pam.debian/modules/pam_ftp/pam_ftp.8
+@@ -119,7 +119,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_ftp was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_ftp/pam_ftp.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_ftp/pam_ftp.8.xml
++++ pam.debian/modules/pam_ftp/pam_ftp.8.xml
+@@ -168,7 +168,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_group/pam_group.8
+===================================================================
+--- pam.debian.orig/modules/pam_group/pam_group.8
++++ pam.debian/modules/pam_group/pam_group.8
+@@ -103,7 +103,7 @@
+ .PP
+ \fBgroup.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_group/pam_group.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_group/pam_group.8.xml
++++ pam.debian/modules/pam_group/pam_group.8.xml
+@@ -148,7 +148,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_issue/pam_issue.8
+===================================================================
+--- pam.debian.orig/modules/pam_issue/pam_issue.8
++++ pam.debian/modules/pam_issue/pam_issue.8
+@@ -152,7 +152,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_issue was written by Ben Collins <bcollins@debian\&.org>\&.
+Index: pam.debian/modules/pam_issue/pam_issue.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_issue/pam_issue.8.xml
++++ pam.debian/modules/pam_issue/pam_issue.8.xml
+@@ -219,7 +219,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_keyinit/pam_keyinit.8
+===================================================================
+--- pam.debian.orig/modules/pam_keyinit/pam_keyinit.8
++++ pam.debian/modules/pam_keyinit/pam_keyinit.8
+@@ -130,7 +130,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\fBkeyctl\fR(1)
++\fBpam\fR(7)\fBkeyctl\fR(1)
+ .SH "AUTHOR"
+ .PP
+ pam_keyinit was written by David Howells, <dhowells@redhat\&.com>\&.
+Index: pam.debian/modules/pam_keyinit/pam_keyinit.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_keyinit/pam_keyinit.8.xml
++++ pam.debian/modules/pam_keyinit/pam_keyinit.8.xml
+@@ -223,7 +223,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ <citerefentry>
+ <refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum>
+Index: pam.debian/modules/pam_lastlog/pam_lastlog.8
+===================================================================
+--- pam.debian.orig/modules/pam_lastlog/pam_lastlog.8
++++ pam.debian/modules/pam_lastlog/pam_lastlog.8
+@@ -139,7 +139,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_lastlog was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_lastlog/pam_lastlog.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_lastlog/pam_lastlog.8.xml
++++ pam.debian/modules/pam_lastlog/pam_lastlog.8.xml
+@@ -244,7 +244,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_limits/pam_limits.8
+===================================================================
+--- pam.debian.orig/modules/pam_limits/pam_limits.8
++++ pam.debian/modules/pam_limits/pam_limits.8
+@@ -146,7 +146,7 @@
+ .PP
+ \fBlimits.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ pam_limits was initially written by Cristian Gafton <gafton@redhat\&.com>
+Index: pam.debian/modules/pam_limits/pam_limits.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_limits/pam_limits.8.xml
++++ pam.debian/modules/pam_limits/pam_limits.8.xml
+@@ -241,7 +241,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_listfile/pam_listfile.8
+===================================================================
+--- pam.debian.orig/modules/pam_listfile/pam_listfile.8
++++ pam.debian/modules/pam_listfile/pam_listfile.8
+@@ -205,7 +205,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_listfile was written by Michael K\&. Johnson <johnsonm@redhat\&.com> and Elliot Lee <sopwith@cuc\&.edu>\&.
+Index: pam.debian/modules/pam_listfile/pam_listfile.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_listfile/pam_listfile.8.xml
++++ pam.debian/modules/pam_listfile/pam_listfile.8.xml
+@@ -281,7 +281,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_localuser/pam_localuser.8
+===================================================================
+--- pam.debian.orig/modules/pam_localuser/pam_localuser.8
++++ pam.debian/modules/pam_localuser/pam_localuser.8
+@@ -102,7 +102,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_localuser was written by Nalin Dahyabhai <nalin@redhat\&.com>\&.
+Index: pam.debian/modules/pam_localuser/pam_localuser.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_localuser/pam_localuser.8.xml
++++ pam.debian/modules/pam_localuser/pam_localuser.8.xml
+@@ -158,7 +158,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_loginuid/pam_loginuid.8
+===================================================================
+--- pam.debian.orig/modules/pam_loginuid/pam_loginuid.8
++++ pam.debian/modules/pam_loginuid/pam_loginuid.8
+@@ -75,7 +75,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBauditctl\fR(8),
+ \fBauditd\fR(8)
+ .SH "AUTHOR"
+Index: pam.debian/modules/pam_loginuid/pam_loginuid.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_loginuid/pam_loginuid.8.xml
++++ pam.debian/modules/pam_loginuid/pam_loginuid.8.xml
+@@ -104,7 +104,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>auditctl</refentrytitle><manvolnum>8</manvolnum>
+Index: pam.debian/modules/pam_mail/pam_mail.8
+===================================================================
+--- pam.debian.orig/modules/pam_mail/pam_mail.8
++++ pam.debian/modules/pam_mail/pam_mail.8
+@@ -153,7 +153,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_mail was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_mail/pam_mail.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_mail/pam_mail.8.xml
++++ pam.debian/modules/pam_mail/pam_mail.8.xml
+@@ -265,7 +265,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8
+===================================================================
+--- pam.debian.orig/modules/pam_mkhomedir/pam_mkhomedir.8
++++ pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8
+@@ -123,7 +123,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHOR"
+ .PP
+ pam_mkhomedir was written by Jason Gunthorpe <jgg@debian\&.org>\&.
+Index: pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_mkhomedir/pam_mkhomedir.8.xml
++++ pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8.xml
+@@ -189,7 +189,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_motd/pam_motd.8
+===================================================================
+--- pam.debian.orig/modules/pam_motd/pam_motd.8
++++ pam.debian/modules/pam_motd/pam_motd.8
+@@ -78,7 +78,7 @@
+ \fBmotd\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_motd was written by Ben Collins <bcollins@debian\&.org>\&.
+Index: pam.debian/modules/pam_motd/pam_motd.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_motd/pam_motd.8.xml
++++ pam.debian/modules/pam_motd/pam_motd.8.xml
+@@ -99,7 +99,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_namespace/pam_namespace.8
+===================================================================
+--- pam.debian.orig/modules/pam_namespace/pam_namespace.8
++++ pam.debian/modules/pam_namespace/pam_namespace.8
+@@ -176,7 +176,7 @@
+ \fBnamespace.conf\fR(5),
+ \fBpam.d\fR(5),
+ \fBmount\fR(8),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai <janak@us\&.ibm\&.com>, Chad Sellers <csellers@tresys\&.com> and Steve Grubb <sgrubb@redhat\&.com>\&. Additional improvements by Xavier Toth <txtoth@gmail\&.com> and Tomas Mraz <tmraz@redhat\&.com>\&.
+Index: pam.debian/modules/pam_namespace/pam_namespace.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_namespace/pam_namespace.8.xml
++++ pam.debian/modules/pam_namespace/pam_namespace.8.xml
+@@ -392,7 +392,7 @@
+ <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_nologin/pam_nologin.8
+===================================================================
+--- pam.debian.orig/modules/pam_nologin/pam_nologin.8
++++ pam.debian/modules/pam_nologin/pam_nologin.8
+@@ -124,7 +124,7 @@
+ \fBnologin\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_nologin was written by Michael K\&. Johnson <johnsonm@redhat\&.com>\&.
+Index: pam.debian/modules/pam_nologin/pam_nologin.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_nologin/pam_nologin.8.xml
++++ pam.debian/modules/pam_nologin/pam_nologin.8.xml
+@@ -160,7 +160,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_permit/pam_permit.8
+===================================================================
+--- pam.debian.orig/modules/pam_permit/pam_permit.8
++++ pam.debian/modules/pam_permit/pam_permit.8
+@@ -78,7 +78,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_permit was written by Andrew G\&. Morgan, <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_permit/pam_permit.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_permit/pam_permit.8.xml
++++ pam.debian/modules/pam_permit/pam_permit.8.xml
+@@ -91,7 +91,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_rhosts/pam_rhosts.8
+===================================================================
+--- pam.debian.orig/modules/pam_rhosts/pam_rhosts.8
++++ pam.debian/modules/pam_rhosts/pam_rhosts.8
+@@ -122,7 +122,7 @@
+ \fBrhosts\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk\&.de>
+Index: pam.debian/modules/pam_rhosts/pam_rhosts.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_rhosts/pam_rhosts.8.xml
++++ pam.debian/modules/pam_rhosts/pam_rhosts.8.xml
+@@ -156,7 +156,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_rootok/pam_rootok.8
+===================================================================
+--- pam.debian.orig/modules/pam_rootok/pam_rootok.8
++++ pam.debian/modules/pam_rootok/pam_rootok.8
+@@ -99,7 +99,7 @@
+ \fBsu\fR(1),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_rootok was written by Andrew G\&. Morgan, <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_rootok/pam_rootok.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_rootok/pam_rootok.8.xml
++++ pam.debian/modules/pam_rootok/pam_rootok.8.xml
+@@ -116,7 +116,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_securetty/pam_securetty.8
+===================================================================
+--- pam.debian.orig/modules/pam_securetty/pam_securetty.8
++++ pam.debian/modules/pam_securetty/pam_securetty.8
+@@ -119,7 +119,7 @@
+ \fBsecuretty\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_securetty was written by Elliot Lee <sopwith@cuc\&.edu>\&.
+Index: pam.debian/modules/pam_securetty/pam_securetty.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_securetty/pam_securetty.8.xml
++++ pam.debian/modules/pam_securetty/pam_securetty.8.xml
+@@ -168,7 +168,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_selinux/pam_selinux.8
+===================================================================
+--- pam.debian.orig/modules/pam_selinux/pam_selinux.8
++++ pam.debian/modules/pam_selinux/pam_selinux.8
+@@ -123,7 +123,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_selinux was written by Dan Walsh <dwalsh@redhat\&.com>\&.
+Index: pam.debian/modules/pam_selinux/pam_selinux.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_selinux/pam_selinux.8.xml
++++ pam.debian/modules/pam_selinux/pam_selinux.8.xml
+@@ -226,7 +226,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_sepermit/pam_sepermit.8
+===================================================================
+--- pam.debian.orig/modules/pam_sepermit/pam_sepermit.8
++++ pam.debian/modules/pam_sepermit/pam_sepermit.8
+@@ -124,7 +124,7 @@
+ \fBsepermit.conf\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\fBselinux\fR(8)
++\fBpam\fR(7)\fBselinux\fR(8)
+ .SH "AUTHOR"
+ .PP
+ pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat\&.com>\&.
+Index: pam.debian/modules/pam_sepermit/pam_sepermit.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_sepermit/pam_sepermit.8.xml
++++ pam.debian/modules/pam_sepermit/pam_sepermit.8.xml
+@@ -176,7 +176,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ <citerefentry>
+ <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum>
+Index: pam.debian/modules/pam_shells/pam_shells.8
+===================================================================
+--- pam.debian.orig/modules/pam_shells/pam_shells.8
++++ pam.debian/modules/pam_shells/pam_shells.8
+@@ -85,7 +85,7 @@
+ \fBshells\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_shells was written by Erik Troan <ewt@redhat\&.com>\&.
+Index: pam.debian/modules/pam_shells/pam_shells.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_shells/pam_shells.8.xml
++++ pam.debian/modules/pam_shells/pam_shells.8.xml
+@@ -102,7 +102,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_succeed_if/pam_succeed_if.8
+===================================================================
+--- pam.debian.orig/modules/pam_succeed_if/pam_succeed_if.8
++++ pam.debian/modules/pam_succeed_if/pam_succeed_if.8
+@@ -217,7 +217,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBglob\fR(7),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ Nalin Dahyabhai <nalin@redhat\&.com>
+Index: pam.debian/modules/pam_succeed_if/pam_succeed_if.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_succeed_if/pam_succeed_if.8.xml
++++ pam.debian/modules/pam_succeed_if/pam_succeed_if.8.xml
+@@ -294,7 +294,7 @@
+ <refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_tally/pam_tally.8
+===================================================================
+--- pam.debian.orig/modules/pam_tally/pam_tally.8
++++ pam.debian/modules/pam_tally/pam_tally.8
+@@ -248,7 +248,7 @@
+ \fBfaillog\fR(8),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_tally was written by Tim Baverstock and Tomas Mraz\&.
+Index: pam.debian/modules/pam_tally/pam_tally.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_tally/pam_tally.8.xml
++++ pam.debian/modules/pam_tally/pam_tally.8.xml
+@@ -444,7 +444,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_time/pam_time.8
+===================================================================
+--- pam.debian.orig/modules/pam_time/pam_time.8
++++ pam.debian/modules/pam_time/pam_time.8
+@@ -109,7 +109,7 @@
+ .PP
+ \fBtime.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHOR"
+ .PP
+ pam_time was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_time/pam_time.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_time/pam_time.8.xml
++++ pam.debian/modules/pam_time/pam_time.8.xml
+@@ -169,7 +169,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_umask/pam_umask.8
+===================================================================
+--- pam.debian.orig/modules/pam_umask/pam_umask.8
++++ pam.debian/modules/pam_umask/pam_umask.8
+@@ -171,7 +171,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_umask was written by Thorsten Kukuk <kukuk@thkukuk\&.de>\&.
+Index: pam.debian/modules/pam_umask/pam_umask.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_umask/pam_umask.8.xml
++++ pam.debian/modules/pam_umask/pam_umask.8.xml
+@@ -204,7 +204,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_unix/pam_unix.8
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix.8
++++ pam.debian/modules/pam_unix/pam_unix.8
+@@ -263,7 +263,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_unix was written by various people\&.
+Index: pam.debian/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix.8.xml
++++ pam.debian/modules/pam_unix/pam_unix.8.xml
+@@ -487,7 +487,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/misc_conv.3
+===================================================================
+--- pam.debian.orig/doc/man/misc_conv.3
++++ pam.debian/doc/man/misc_conv.3
+@@ -117,7 +117,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_conv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/misc_conv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/misc_conv.3.xml
++++ pam.debian/doc/man/misc_conv.3.xml
+@@ -171,7 +171,7 @@
+ <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_acct_mgmt.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_acct_mgmt.3
++++ pam.debian/doc/man/pam_acct_mgmt.3
+@@ -97,4 +97,4 @@
+ \fBpam_authenticate\fR(3),
+ \fBpam_chauthtok\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_acct_mgmt.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_acct_mgmt.3.xml
++++ pam.debian/doc/man/pam_acct_mgmt.3.xml
+@@ -138,7 +138,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_authenticate.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_authenticate.3
++++ pam.debian/doc/man/pam_authenticate.3
+@@ -107,4 +107,4 @@
+ \fBpam_setcred\fR(3),
+ \fBpam_chauthtok\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_authenticate.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_authenticate.3.xml
++++ pam.debian/doc/man/pam_authenticate.3.xml
+@@ -162,7 +162,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_chauthtok.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_chauthtok.3
++++ pam.debian/doc/man/pam_chauthtok.3
+@@ -106,4 +106,4 @@
+ \fBpam_setcred\fR(3),
+ \fBpam_get_item\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_chauthtok.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_chauthtok.3.xml
++++ pam.debian/doc/man/pam_chauthtok.3.xml
+@@ -157,7 +157,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_conv.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_conv.3
++++ pam.debian/doc/man/pam_conv.3
+@@ -174,4 +174,4 @@
+ \fBpam_set_item\fR(3),
+ \fBpam_get_item\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_conv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_conv.3.xml
++++ pam.debian/doc/man/pam_conv.3.xml
+@@ -221,7 +221,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_error.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_error.3
++++ pam.debian/doc/man/pam_error.3
+@@ -80,7 +80,7 @@
+ \fBpam_vinfo\fR(3),
+ \fBpam_prompt\fR(3),
+ \fBpam_vprompt\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_error.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_error.3.xml
++++ pam.debian/doc/man/pam_error.3.xml
+@@ -105,7 +105,7 @@
+ <refentrytitle>pam_vprompt</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_getenv.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_getenv.3
++++ pam.debian/doc/man/pam_getenv.3
+@@ -57,4 +57,4 @@
+ \fBpam_start\fR(3),
+ \fBpam_getenvlist\fR(3),
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_getenv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_getenv.3.xml
++++ pam.debian/doc/man/pam_getenv.3.xml
+@@ -60,7 +60,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_getenvlist.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_getenvlist.3
++++ pam.debian/doc/man/pam_getenvlist.3
+@@ -63,4 +63,4 @@
+ \fBpam_start\fR(3),
+ \fBpam_getenv\fR(3),
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_getenvlist.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_getenvlist.3.xml
++++ pam.debian/doc/man/pam_getenvlist.3.xml
+@@ -78,7 +78,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_info.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_info.3
++++ pam.debian/doc/man/pam_info.3
+@@ -76,7 +76,7 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_info.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_info.3.xml
++++ pam.debian/doc/man/pam_info.3.xml
+@@ -93,7 +93,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_misc_drop_env.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_drop_env.3
++++ pam.debian/doc/man/pam_misc_drop_env.3
+@@ -52,7 +52,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_getenvlist\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_misc_drop_env.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_drop_env.3.xml
++++ pam.debian/doc/man/pam_misc_drop_env.3.xml
+@@ -46,7 +46,7 @@
+ <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_misc_paste_env.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_paste_env.3
++++ pam.debian/doc/man/pam_misc_paste_env.3
+@@ -47,7 +47,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_misc_paste_env.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_paste_env.3.xml
++++ pam.debian/doc/man/pam_misc_paste_env.3.xml
+@@ -44,7 +44,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_misc_setenv.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_setenv.3
++++ pam.debian/doc/man/pam_misc_setenv.3
+@@ -52,7 +52,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_misc_setenv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_setenv.3.xml
++++ pam.debian/doc/man/pam_misc_setenv.3.xml
+@@ -51,7 +51,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_prompt.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_prompt.3
++++ pam.debian/doc/man/pam_prompt.3
+@@ -70,7 +70,7 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBpam_conv\fR(3)
+ .SH "STANDARDS"
+ .PP
+Index: pam.debian/doc/man/pam_prompt.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_prompt.3.xml
++++ pam.debian/doc/man/pam_prompt.3.xml
+@@ -95,7 +95,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+Index: pam.debian/doc/man/pam_putenv.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_putenv.3
++++ pam.debian/doc/man/pam_putenv.3
+@@ -108,4 +108,4 @@
+ \fBpam_getenv\fR(3),
+ \fBpam_getenvlist\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_putenv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_putenv.3.xml
++++ pam.debian/doc/man/pam_putenv.3.xml
+@@ -145,7 +145,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_strerror.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_strerror.3
++++ pam.debian/doc/man/pam_strerror.3
+@@ -49,4 +49,4 @@
+ This function returns always a pointer to a string\&.
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_strerror.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_strerror.3.xml
++++ pam.debian/doc/man/pam_strerror.3.xml
+@@ -51,7 +51,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_syslog.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_syslog.3
++++ pam.debian/doc/man/pam_syslog.3
+@@ -67,7 +67,7 @@
+ variable argument list macros\&.
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_syslog.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_syslog.3.xml
++++ pam.debian/doc/man/pam_syslog.3.xml
+@@ -66,7 +66,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_userdb/pam_userdb.8
+===================================================================
+--- pam.debian.orig/modules/pam_userdb/pam_userdb.8
++++ pam.debian/modules/pam_userdb/pam_userdb.8
+@@ -150,7 +150,7 @@
+ \fBcrypt\fR(3),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_userdb was written by Cristian Gafton >gafton@redhat\&.com<\&.
+Index: pam.debian/modules/pam_userdb/pam_userdb.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_userdb/pam_userdb.8.xml
++++ pam.debian/modules/pam_userdb/pam_userdb.8.xml
+@@ -277,7 +277,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_warn/pam_warn.8
+===================================================================
+--- pam.debian.orig/modules/pam_warn/pam_warn.8
++++ pam.debian/modules/pam_warn/pam_warn.8
+@@ -83,7 +83,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_warn was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_warn/pam_warn.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_warn/pam_warn.8.xml
++++ pam.debian/modules/pam_warn/pam_warn.8.xml
+@@ -90,7 +90,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_wheel/pam_wheel.8
+===================================================================
+--- pam.debian.orig/modules/pam_wheel/pam_wheel.8
++++ pam.debian/modules/pam_wheel/pam_wheel.8
+@@ -136,7 +136,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_wheel was written by Cristian Gafton <gafton@redhat\&.com>\&.
+Index: pam.debian/modules/pam_wheel/pam_wheel.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_wheel/pam_wheel.8.xml
++++ pam.debian/modules/pam_wheel/pam_wheel.8.xml
+@@ -212,7 +212,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_xauth/pam_xauth.8
+===================================================================
+--- pam.debian.orig/modules/pam_xauth/pam_xauth.8
++++ pam.debian/modules/pam_xauth/pam_xauth.8
+@@ -177,7 +177,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_xauth was written by Nalin Dahyabhai <nalin@redhat\&.com>, based on original version by Michael K\&. Johnson <johnsonm@redhat\&.com>\&.
+Index: pam.debian/modules/pam_xauth/pam_xauth.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_xauth/pam_xauth.8.xml
++++ pam.debian/modules/pam_xauth/pam_xauth.8.xml
+@@ -276,7 +276,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
diff --git a/debian/patches-applied/cve-2011-4708.patch b/debian/patches-applied/cve-2011-4708.patch
new file mode 100644
index 00000000..eb67e789
--- /dev/null
+++ b/debian/patches-applied/cve-2011-4708.patch
@@ -0,0 +1,27 @@
+Description: fix cve-2011-4708: .pam_environment privilege issue
+Index: pam.debian/modules/pam_env/pam_env.c
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.c
++++ pam.debian/modules/pam_env/pam_env.c
+@@ -10,7 +10,7 @@
+ #define DEFAULT_READ_ENVFILE 1
+
+ #define DEFAULT_USER_ENVFILE ".pam_environment"
+-#define DEFAULT_USER_READ_ENVFILE 1
++#define DEFAULT_USER_READ_ENVFILE 0
+
+ #include "config.h"
+
+Index: pam.debian/modules/pam_env/pam_env.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.8.xml
++++ pam.debian/modules/pam_env/pam_env.8.xml
+@@ -147,7 +147,7 @@
+ <listitem>
+ <para>
+ Turns on or off the reading of the user specific environment
+- file. 0 is off, 1 is on. By default this option is on.
++ file. 0 is off, 1 is on. By default this option is off.
+ </para>
+ </listitem>
+ </varlistentry>
diff --git a/debian/patches-applied/do_not_check_nis_accidentally b/debian/patches-applied/do_not_check_nis_accidentally
new file mode 100644
index 00000000..8d85bfc3
--- /dev/null
+++ b/debian/patches-applied/do_not_check_nis_accidentally
@@ -0,0 +1,22 @@
+Patch for Debian bug #469635
+
+Always call _unix_getpwnam() consistent with the value of the 'nis'
+option, so that we only grab from the backends we're expecting.
+
+Authors: Quentin Godfroy <godfroy@clipper.ens.fr>
+
+Upstream status: should be submitted
+
+Index: pam.deb/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam.deb/modules/pam_unix/pam_unix_passwd.c
+@@ -551,7 +551,7 @@
+ return PAM_USER_UNKNOWN;
+ } else {
+ struct passwd *pwd;
+- _unix_getpwnam(pamh, user, 1, 1, &pwd);
++ _unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd);
+ if (pwd == NULL) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "user \"%s\" has corrupted passwd entry",
diff --git a/debian/patches-applied/fix-man-crud b/debian/patches-applied/fix-man-crud
new file mode 100644
index 00000000..eb258107
--- /dev/null
+++ b/debian/patches-applied/fix-man-crud
@@ -0,0 +1,22144 @@
+Regenerate broken manpages with a sane XML toolchain, correcting lintian
+warnings.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: patch to autogenerated files, no need to submit, hopefully
+obsoleted soon
+
+Index: pam.debian/doc/man/pam_close_session.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_close_session.3
++++ pam.debian/doc/man/pam_close_session.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_close_session
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_CLOSE_SESSION" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_CLOSE_SESSION" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_close_session \- terminate PAM session management
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_appl\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_close_session('u
+ .BI "int pam_close_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -191,7 +46,7 @@
+ \fBpam_open_session\fR(3)\&.
+ .PP
+ It should be noted that the effective uid,
+-\fBgeteuid\fR(2)\&. of the application should be of sufficient privilege to perform such tasks as unmounting the user\'s home directory for example\&.
++\fBgeteuid\fR(2)\&. of the application should be of sufficient privilege to perform such tasks as unmounting the user\*(Aqs home directory for example\&.
+ .PP
+ The flags argument is the binary or of zero or more of the following values:
+ .PP
+@@ -222,6 +77,5 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_open_session\fR(3),
+ \fBpam_strerror\fR(3)
+Index: pam.debian/doc/man/pam_fail_delay.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_fail_delay.3
++++ pam.debian/doc/man/pam_fail_delay.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_fail_delay
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_FAIL_DELAY" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_FAIL_DELAY" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_fail_delay \- request a delay on failure
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_appl\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_fail_delay('u
+ .BI "int pam_fail_delay(pam_handle_t\ *" "pamh" ", unsigned\ int\ " "usec" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -204,26 +59,12 @@
+ .if n \{\
+ .RS 4
+ .\}
+-.fam C
+-.ps -1
+ .nf
+-.if t \{\
+-.sp -1
+-.\}
+-.BB lightgray adjust-for-leading-newline
+-.sp -1
+-
+ #ifdef HAVE_PAM_FAIL_DELAY
+ \&.\&.\&.\&.
+ #endif /* HAVE_PAM_FAIL_DELAY */
+
+-.EB lightgray adjust-for-leading-newline
+-.if t \{\
+-.sp 1
+-.\}
+ .fi
+-.fam
+-.ps +1
+ .if n \{\
+ .RE
+ .\}
+@@ -239,24 +80,10 @@
+ .if n \{\
+ .RS 4
+ .\}
+-.fam C
+-.ps -1
+ .nf
+-.if t \{\
+-.sp -1
+-.\}
+-.BB lightgray adjust-for-leading-newline
+-.sp -1
+-
+ void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr);
+
+-.EB lightgray adjust-for-leading-newline
+-.if t \{\
+-.sp 1
+-.\}
+ .fi
+-.fam
+-.ps +1
+ .if n \{\
+ .RE
+ .\}
+@@ -290,25 +117,11 @@
+ .if n \{\
+ .RS 4
+ .\}
+-.fam C
+-.ps -1
+ .nf
+-.if t \{\
+-.sp -1
+-.\}
+-.BB lightgray adjust-for-leading-newline
+-.sp -1
+-
+ pam_fail_delay (pamh, 3000000 /* micro\-seconds */ );
+ pam_authenticate (pamh, 0);
+
+-.EB lightgray adjust-for-leading-newline
+-.if t \{\
+-.sp 1
+-.\}
+ .fi
+-.fam
+-.ps +1
+ .if n \{\
+ .RE
+ .\}
+@@ -320,25 +133,11 @@
+ .if n \{\
+ .RS 4
+ .\}
+-.fam C
+-.ps -1
+ .nf
+-.if t \{\
+-.sp -1
+-.\}
+-.BB lightgray adjust-for-leading-newline
+-.sp -1
+-
+ module #1: pam_fail_delay (pamh, 2000000);
+ module #2: pam_fail_delay (pamh, 4000000);
+
+-.EB lightgray adjust-for-leading-newline
+-.if t \{\
+-.sp 1
+-.\}
+ .fi
+-.fam
+-.ps +1
+ .if n \{\
+ .RE
+ .\}
+@@ -357,7 +156,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_start\fR(3),
+ \fBpam_get_item\fR(3),
+ \fBpam_strerror\fR(3)
+Index: pam.debian/doc/man/pam_get_data.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_get_data.3
++++ pam.debian/doc/man/pam_get_data.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_get_data
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_GET_DATA" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_GET_DATA" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_get_data \- get module internal data
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_modules\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_get_data('u
+ .BI "int pam_get_data(const\ pam_handle_t\ *" "pamh" ", const\ char\ *" "module_data_name" ", const\ void\ **" "data" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ This function together with the
+@@ -222,7 +77,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_end\fR(3),
+ \fBpam_set_data\fR(3),
+ \fBpam_strerror\fR(3)
+Index: pam.debian/doc/man/pam_get_user.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_get_user.3
++++ pam.debian/doc/man/pam_get_user.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_get_user
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_GET_USER" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_GET_USER" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_get_user \- get user name
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_modules\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_get_user('u
+ .BI "int pam_get_user(const\ pam_handle_t\ *" "pamh" ", const\ char\ **" "user" ", const\ char\ *" "prompt" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -233,7 +88,7 @@
+ \fI*user\fR\&. Note, this memory should
+ \fBnot\fR
+ be
+-\fIfree()\fR\'d or
++\fIfree()\fR\*(Aqd or
+ \fImodified\fR
+ by the module\&.
+ .PP
+@@ -262,7 +117,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_end\fR(3),
+ \fBpam_get_item\fR(3),
+ \fBpam_set_item\fR(3),
+Index: pam.debian/doc/man/pam_set_data.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_set_data.3
++++ pam.debian/doc/man/pam_set_data.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_set_data
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_SET_DATA" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_SET_DATA" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_set_data \- set module internal data
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_modules\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_set_data('u
+ .BI "int pam_set_data(pam_handle_t\ *" "pamh" ", const\ char\ *" "module_data_name" ", void\ *" "data" ", void\ " "(*cleanup)(pam_handle_t\ *pamh,\ void\ *data,\ int\ error_status)" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -226,7 +81,7 @@
+ .PP
+ The
+ \fIerror_status\fR
+-may have been logically OR\'d with either of the following two values:
++may have been logically OR\*(Aqd with either of the following two values:
+ .PP
+ PAM_DATA_REPLACE
+ .RS 4
+@@ -259,7 +114,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_end\fR(3),
+ \fBpam_get_data\fR(3),
+ \fBpam_strerror\fR(3)
+Index: pam.debian/doc/man/pam_sm_authenticate.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_sm_authenticate.3
++++ pam.debian/doc/man/pam_sm_authenticate.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_sm_authenticate
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_SM_AUTHENTICATE" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_SM_AUTHENTICATE" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,44 +27,34 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_sm_authenticate \- PAM service function for user authentication
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #define PAM_SM_AUTH
+ .fi
+-.fam
+-.ps +1
+ .ft
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_modules\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'PAM_EXTERN\ int\ pam_sm_authenticate('u
+ .BI "PAM_EXTERN int pam_sm_authenticate(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+ \fBpam_sm_authenticate\fR
+-function is the service module\'s implementation of the
++function is the service module\*(Aqs implementation of the
+ \fBpam_authenticate\fR(3)
+ interface\&.
+ .PP
+ This function performs the task of authenticating the user\&.
+ .PP
+-Valid flags, which may be logically OR\'d with
++Valid flags, which may be logically OR\*(Aqd with
+ \fIPAM_SILENT\fR, are:
+ .PP
+ PAM_SILENT
+@@ -254,7 +105,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam\fR(3),
+ \fBpam_authenticate\fR(3),
+ \fBpam_sm_setcred\fR(3),
+Index: pam.debian/doc/man/pam_sm_close_session.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_sm_close_session.3
++++ pam.debian/doc/man/pam_sm_close_session.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_sm_close_session
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_SM_CLOSE_SESSION" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_SM_CLOSE_SESSION" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,38 +27,28 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_sm_close_session \- PAM service function to terminate session management
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #define PAM_SM_SESSION
+ .fi
+-.fam
+-.ps +1
+ .ft
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_modules\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'PAM_EXTERN\ int\ pam_sm_close_session('u
+ .BI "PAM_EXTERN int pam_sm_close_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+ \fBpam_sm_close_session\fR
+-function is the service module\'s implementation of the
++function is the service module\*(Aqs implementation of the
+ \fBpam_close_session\fR(3)
+ interface\&.
+ .PP
+@@ -222,7 +73,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam\fR(3),
+ \fBpam_close_session\fR(3),
+ \fBpam_sm_close_session\fR(3),
+Index: pam.debian/doc/man/pam_sm_setcred.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_sm_setcred.3
++++ pam.debian/doc/man/pam_sm_setcred.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_sm_setcred
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_SM_SETCRED" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_SM_SETCRED" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,38 +27,28 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_sm_setcred \- PAM service function to alter credentials
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #define PAM_SM_AUTH
+ .fi
+-.fam
+-.ps +1
+ .ft
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_modules\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'PAM_EXTERN\ int\ pam_sm_setcred('u
+ .BI "PAM_EXTERN int pam_sm_setcred(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+ \fBpam_sm_setcred\fR
+-function is the service module\'s implementation of the
++function is the service module\*(Aqs implementation of the
+ \fBpam_setcred\fR(3)
+ interface\&.
+ .PP
+@@ -205,7 +56,7 @@
+ \fIafter\fR
+ the user has been authenticated but before a session has been established\&.
+ .PP
+-Valid flags, which may be logically OR\'d with
++Valid flags, which may be logically OR\*(Aqd with
+ \fIPAM_SILENT\fR, are:
+ .PP
+ PAM_SILENT
+@@ -247,12 +98,12 @@
+ .PP
+ PAM_CRED_UNAVAIL
+ .RS 4
+-This module cannot retrieve the user\'s credentials\&.
++This module cannot retrieve the user\*(Aqs credentials\&.
+ .RE
+ .PP
+ PAM_CRED_EXPIRED
+ .RS 4
+-The user\'s credentials have expired\&.
++The user\*(Aqs credentials have expired\&.
+ .RE
+ .PP
+ PAM_CRED_ERR
+@@ -275,7 +126,6 @@
+ \fBpam_setcred\fR()\&.
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam\fR(3),
+ \fBpam_authenticate\fR(3),
+ \fBpam_setcred\fR(3),
+Index: pam.debian/modules/pam_pwhistory/pam_pwhistory.8
+===================================================================
+--- pam.debian.orig/modules/pam_pwhistory/pam_pwhistory.8
++++ pam.debian/modules/pam_pwhistory/pam_pwhistory.8
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_pwhistory
+ .\" Author: [see the "AUTHOR" section]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_PWHISTORY" "8" "06/21/2011" "Linux-PAM Manual" "Linux\-PAM Manual"
++.TH "PAM_PWHISTORY" "8" "01/14/2014" "Linux-PAM Manual" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,13 +27,11 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_pwhistory \- PAM module to remember last passwords
+-.SH "Synopsis"
+-.fam C
++.SH "SYNOPSIS"
+ .HP \w'\fBpam_pwhistory\&.so\fR\ 'u
+ \fBpam_pwhistory\&.so\fR [debug] [use_authtok] [enforce_for_root] [remember=\fIN\fR] [retry=\fIN\fR] [authtok_type=\fISTRING\fR]
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ This module saves the last passwords for each user in order to force password change history and keep the user from alternating between the same password too frequently\&.
+@@ -205,11 +64,11 @@
+ The last
+ \fIN\fR
+ passwords for each user are saved in
+-\FC/etc/security/opasswd\F[]\&. The default is
++/etc/security/opasswd\&. The default is
+ \fI10\fR\&. Value of
+ \fI0\fR
+ makes the module to keep the existing contents of the
+-\FCopasswd\F[]
++opasswd
+ file unchanged\&.
+ .RE
+ .PP
+@@ -236,7 +95,7 @@
+ .PP
+ PAM_AUTHTOK_ERR
+ .RS 4
+-No new password was entered, the user aborted password change or new password couldn\'t be set\&.
++No new password was entered, the user aborted password change or new password couldn\*(Aqt be set\&.
+ .RE
+ .PP
+ PAM_IGNORE
+@@ -260,26 +119,12 @@
+ .if n \{\
+ .RS 4
+ .\}
+-.fam C
+-.ps -1
+ .nf
+-.if t \{\
+-.sp -1
+-.\}
+-.BB lightgray adjust-for-leading-newline
+-.sp -1
+-
+ #%PAM\-1\&.0
+ password required pam_pwhistory\&.so
+ password required pam_unix\&.so use_authtok
+
+-.EB lightgray adjust-for-leading-newline
+-.if t \{\
+-.sp 1
+-.\}
+ .fi
+-.fam
+-.ps +1
+ .if n \{\
+ .RE
+ .\}
+@@ -290,44 +135,28 @@
+ .if n \{\
+ .RS 4
+ .\}
+-.fam C
+-.ps -1
+ .nf
+-.if t \{\
+-.sp -1
+-.\}
+-.BB lightgray adjust-for-leading-newline
+-.sp -1
+-
+ #%PAM\-1\&.0
+ password required pam_cracklib\&.so retry=3
+ password required pam_pwhistory\&.so use_authtok
+ password required pam_unix\&.so use_authtok
+
+-.EB lightgray adjust-for-leading-newline
+-.if t \{\
+-.sp 1
+-.\}
+ .fi
+-.fam
+-.ps +1
+ .if n \{\
+ .RE
+ .\}
+ .sp
+ .SH "FILES"
+ .PP
+-\FC/etc/security/opasswd\F[]
++/etc/security/opasswd
+ .RS 4
+ File with password history
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
+-\fBpam_get_authtok\fR(3)
++\fBpam\fR(8)\fBpam_get_authtok\fR(3)
+ .SH "AUTHOR"
+ .PP
+ pam_pwhistory was written by Thorsten Kukuk <kukuk@thkukuk\&.de>
+Index: pam.debian/modules/pam_timestamp/pam_timestamp.8
+===================================================================
+--- pam.debian.orig/modules/pam_timestamp/pam_timestamp.8
++++ pam.debian/modules/pam_timestamp/pam_timestamp.8
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_timestamp
+ .\" Author: [see the "AUTHOR" section]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_TIMESTAMP" "8" "06/21/2011" "Linux-PAM Manual" "Linux\-PAM Manual"
++.TH "PAM_TIMESTAMP" "8" "01/14/2014" "Linux-PAM Manual" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,13 +27,11 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_timestamp \- Authenticate using cached successful authentication attempts
+-.SH "Synopsis"
+-.fam C
++.SH "SYNOPSIS"
+ .HP \w'\fBpam_timestamp\&.so\fR\ 'u
+ \fBpam_timestamp\&.so\fR [timestamp_timeout=\fInumber\fR] [verbose] [debug]
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ In a nutshell,
+@@ -234,40 +93,25 @@
+ .if n \{\
+ .RS 4
+ .\}
+-.fam C
+-.ps -1
+ .nf
+-.if t \{\
+-.sp -1
+-.\}
+-.BB lightgray adjust-for-leading-newline
+-.sp -1
+-
+ auth sufficient pam_timestamp\&.so verbose
+ auth required pam_unix\&.so
+
+ session required pam_unix\&.so
+ session optional pam_timestamp\&.so
+
+-.EB lightgray adjust-for-leading-newline
+-.if t \{\
+-.sp 1
+-.\}
+ .fi
+-.fam
+-.ps +1
+ .if n \{\
+ .RE
+ .\}
+ .SH "FILES"
+ .PP
+-\FC/var/run/sudo/\&.\&.\&.\F[]
++/var/run/sudo/\&.\&.\&.
+ .RS 4
+ timestamp files and directories
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_timestamp_check\fR(8),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+Index: pam.debian/modules/pam_unix/unix_update.8
+===================================================================
+--- pam.debian.orig/modules/pam_unix/unix_update.8
++++ pam.debian/modules/pam_unix/unix_update.8
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: unix_update
+ .\" Author: [see the "AUTHOR" section]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "UNIX_UPDATE" "8" "06/21/2011" "Linux-PAM Manual" "Linux\-PAM Manual"
++.TH "UNIX_UPDATE" "8" "01/14/2014" "Linux-PAM Manual" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,16 +27,13 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ unix_update \- Helper binary that updates the password of a given user
+-.SH "Synopsis"
+-.fam C
++.SH "SYNOPSIS"
+ .HP \w'\fBunix_update\fR\ 'u
+ \fBunix_update\fR [\&.\&.\&.]
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+-
+ \fIunix_update\fR
+ is a helper program for the
+ \fIpam_unix\fR
+@@ -188,7 +46,6 @@
+ module and it should not be called directly from applications\&.
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_unix\fR(8)
+ .SH "AUTHOR"
+ .PP
+Index: pam.debian/doc/man/pam_end.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_end.3
++++ pam.debian/doc/man/pam_end.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_end
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_END" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_END" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_end \- termination of PAM transaction
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_appl\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_end('u
+ .BI "int pam_end(pam_handle_t\ *" "pamh" ", int\ " "pam_status" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -202,13 +57,13 @@
+ (See
+ \fBpam_set_data\fR(3)
+ and
+-\fBpam_get_data\fR(3))\&. In this way the module can be given notification of the pass/fail nature of the tear\-down process, and perform any last minute tasks that are appropriate to the module before it is unlinked\&. This argument can be logically OR\'d with
++\fBpam_get_data\fR(3))\&. In this way the module can be given notification of the pass/fail nature of the tear\-down process, and perform any last minute tasks that are appropriate to the module before it is unlinked\&. This argument can be logically OR\*(Aqd with
+ \fIPAM_DATA_SILENT\fR
+ to indicate to indicate that the module should not treat the call too seriously\&. It is generally used to indicate that the current closing of the library is in a
+ \fBfork\fR(2)ed process, and that the parent will take care of cleaning up things that exist outside of the current process space (files etc\&.)\&.
+ .PP
+ This function
+-\fIfree\fR\'s all memory for items associated with the
++\fIfree\fR\*(Aqs all memory for items associated with the
+ \fBpam_set_item\fR(3)
+ and
+ \fBpam_get_item\fR(3)
+@@ -228,7 +83,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_get_data\fR(3),
+ \fBpam_set_data\fR(3),
+ \fBpam_start\fR(3),
+Index: pam.debian/doc/man/pam_get_item.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_get_item.3
++++ pam.debian/doc/man/pam_get_item.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_get_item
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_GET_ITEM" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_GET_ITEM" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_get_item \- getting PAM informations
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_modules\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_get_item('u
+ .BI "int pam_get_item(const\ pam_handle_t\ *" "pamh" ", int\ " "item_type" ", const\ void\ **" "item" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -195,7 +50,7 @@
+ data and should
+ \fBnot\fR
+ be
+-\fIfree()\fR\'ed or over\-written! The following values are supported for
++\fIfree()\fR\*(Aqed or over\-written! The following values are supported for
+ \fIitem_type\fR:
+ .PP
+ PAM_SERVICE
+@@ -214,13 +69,13 @@
+ .PP
+ PAM_USER_PROMPT
+ .RS 4
+-The string used when prompting for a user\'s name\&. The default value for this string is a localized version of "login: "\&.
++The string used when prompting for a user\*(Aqs name\&. The default value for this string is a localized version of "login: "\&.
+ .RE
+ .PP
+ PAM_TTY
+ .RS 4
+ The terminal name: prefixed by
+-\FC/dev/\F[]
++/dev/
+ if it is a device file; for graphical, X\-based, applications the value for this item should be the
+ \fI$DISPLAY\fR
+ variable\&.
+@@ -232,7 +87,6 @@
+ .sp
+ Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one\&. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator\&.
+ .sp
+-
+ \fIPAM_RUSER@PAM_RHOST\fR
+ should always identify the requesting user\&. In some cases,
+ \fIPAM_RUSER\fR
+@@ -338,6 +192,5 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_set_item\fR(3),
+ \fBpam_strerror\fR(3)
+Index: pam.debian/doc/man/pam_sm_acct_mgmt.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_sm_acct_mgmt.3
++++ pam.debian/doc/man/pam_sm_acct_mgmt.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_sm_acct_mgmt
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_SM_ACCT_MGMT" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_SM_ACCT_MGMT" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,44 +27,34 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_sm_acct_mgmt \- PAM service function for account management
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #define PAM_SM_ACCOUNT
+ .fi
+-.fam
+-.ps +1
+ .ft
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_modules\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'PAM_EXTERN\ int\ pam_sm_acct_mgmt('u
+ .BI "PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+ \fBpam_sm_acct_mgmt\fR
+-function is the service module\'s implementation of the
++function is the service module\*(Aqs implementation of the
+ \fBpam_acct_mgmt\fR(3)
+ interface\&.
+ .PP
+ This function performs the task of establishing whether the user is permitted to gain access at this time\&. It should be understood that the user has previously been validated by an authentication module\&. This function checks for other things\&. Such things might be: the time of day or the date, the terminal line, remote hostname, etc\&. This function may also determine things like the expiration on passwords, and respond that the user change it before continuing\&.
+ .PP
+-Valid flags, which may be logically OR\'d with
++Valid flags, which may be logically OR\*(Aqd with
+ \fIPAM_SILENT\fR, are:
+ .PP
+ PAM_SILENT
+@@ -233,7 +84,7 @@
+ .PP
+ PAM_NEW_AUTHTOK_REQD
+ .RS 4
+-The user\'s authentication token has expired\&. Before calling this function again the application will arrange for a new one to be given\&. This will likely result in a call to
++The user\*(Aqs authentication token has expired\&. Before calling this function again the application will arrange for a new one to be given\&. This will likely result in a call to
+ \fBpam_sm_chauthtok()\fR\&.
+ .RE
+ .PP
+@@ -253,7 +104,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam\fR(3),
+ \fBpam_acct_mgmt\fR(3),
+ \fBpam_sm_chauthtok\fR(3),
+Index: pam.debian/doc/man/pam_sm_open_session.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_sm_open_session.3
++++ pam.debian/doc/man/pam_sm_open_session.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_sm_open_session
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_SM_OPEN_SESSION" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_SM_OPEN_SESSION" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,38 +27,28 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_sm_open_session \- PAM service function to start session management
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #define PAM_SM_SESSION
+ .fi
+-.fam
+-.ps +1
+ .ft
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_modules\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'PAM_EXTERN\ int\ pam_sm_open_session('u
+ .BI "PAM_EXTERN int pam_sm_open_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+ \fBpam_sm_open_session\fR
+-function is the service module\'s implementation of the
++function is the service module\*(Aqs implementation of the
+ \fBpam_open_session\fR(3)
+ interface\&.
+ .PP
+@@ -222,7 +73,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam\fR(3),
+ \fBpam_open_session\fR(3),
+ \fBpam_sm_close_session\fR(3),
+Index: pam.debian/modules/pam_tally2/pam_tally2.8
+===================================================================
+--- pam.debian.orig/modules/pam_tally2/pam_tally2.8
++++ pam.debian/modules/pam_tally2/pam_tally2.8
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_tally2
+ .\" Author: [see the "AUTHOR" section]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 10/25/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_TALLY2" "8" "10/25/2011" "Linux-PAM Manual" "Linux\-PAM Manual"
++.TH "PAM_TALLY2" "8" "01/14/2014" "Linux-PAM Manual" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,17 +27,13 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_tally2 \- The login counter (tallying) module
+-.SH "Synopsis"
+-.fam C
++.SH "SYNOPSIS"
+ .HP \w'\fBpam_tally2\&.so\fR\ 'u
+ \fBpam_tally2\&.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [root_unlock_time=\fIn\fR] [serialize] [audit] [silent] [no_log_info]
+-.fam
+-.fam C
+ .HP \w'\fBpam_tally2\fR\ 'u
+ \fBpam_tally2\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet]
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\&.
+@@ -186,13 +43,13 @@
+ and
+ \fBpam_tally2\fR\&. The former is the PAM module and the latter, a stand\-alone program\&.
+ \fBpam_tally2\fR
+-is an (optional) application which can be used to interrogate and manipulate the counter file\&. It can display users\' counts, set individual counts, or clear all counts\&. Setting artificially high counts may be useful for blocking users without changing their passwords\&. For example, one might find it useful to clear all counts every midnight from a cron job\&.
++is an (optional) application which can be used to interrogate and manipulate the counter file\&. It can display users\*(Aq counts, set individual counts, or clear all counts\&. Setting artificially high counts may be useful for blocking users without changing their passwords\&. For example, one might find it useful to clear all counts every midnight from a cron job\&.
+ .PP
+ Normally, failed attempts to access
+ \fIroot\fR
+ will
+ \fBnot\fR
+-cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\'t given shell accounts and root may only login via
++cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\*(Aqt given shell accounts and root may only login via
+ \fBsu\fR
+ or at the machine console (not telnet/rsh, etc), this is safe\&.
+ .SH "OPTIONS"
+@@ -217,7 +74,7 @@
+ \fBfile=\fR\fB\fI/path/to/counter\fR\fR
+ .RS 4
+ File where to keep counts\&. Default is
+-\FC/var/log/tallylog\F[]\&.
++/var/log/tallylog\&.
+ .RE
+ .PP
+ \fBaudit\fR
+@@ -227,12 +84,12 @@
+ .PP
+ \fBsilent\fR
+ .RS 4
+-Don\'t print informative messages\&.
++Don\*(Aqt print informative messages\&.
+ .RE
+ .PP
+ \fBno_log_info\fR
+ .RS 4
+-Don\'t log informative messages via
++Don\*(Aqt log informative messages via
+ \fBsyslog\fR(3)\&.
+ .RE
+ .RE
+@@ -293,7 +150,7 @@
+ .RS 4
+ Account phase resets attempts counter if the user is
+ \fBnot\fR
+-magic root\&. This phase can be used optionally for services which don\'t call
++magic root\&. This phase can be used optionally for services which don\*(Aqt call
+ \fBpam_setcred\fR(3)
+ correctly or if the reset should be done regardless of the failure of the account phase of other modules\&.
+ .PP
+@@ -337,7 +194,7 @@
+ .SH "EXAMPLES"
+ .PP
+ Add the following line to
+-\FC/etc/pam\&.d/login\F[]
++/etc/pam\&.d/login
+ to lock the account after 4 failed logins\&. Root account will be locked as well\&. The accounts will be automatically unlocked after 20 minutes\&. The module does not have to be called in the account phase because the
+ \fBlogin\fR
+ calls
+@@ -347,15 +204,7 @@
+ .if n \{\
+ .RS 4
+ .\}
+-.fam C
+-.ps -1
+ .nf
+-.if t \{\
+-.sp -1
+-.\}
+-.BB lightgray adjust-for-leading-newline
+-.sp -1
+-
+ auth required pam_securetty\&.so
+ auth required pam_tally2\&.so deny=4 even_deny_root unlock_time=1200
+ auth required pam_env\&.so
+@@ -368,25 +217,18 @@
+ session required pam_lastlog\&.so nowtmp
+ session optional pam_mail\&.so standard
+
+-.EB lightgray adjust-for-leading-newline
+-.if t \{\
+-.sp 1
+-.\}
+ .fi
+-.fam
+-.ps +1
+ .if n \{\
+ .RE
+ .\}
+ .SH "FILES"
+ .PP
+-\FC/var/log/tallylog\F[]
++/var/log/tallylog
+ .RS 4
+ failure count logging file
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+ \fBpam\fR(8)
+Index: pam.debian/modules/pam_unix/unix_chkpwd.8
+===================================================================
+--- pam.debian.orig/modules/pam_unix/unix_chkpwd.8
++++ pam.debian/modules/pam_unix/unix_chkpwd.8
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: unix_chkpwd
+ .\" Author: [see the "AUTHOR" section]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "UNIX_CHKPWD" "8" "06/21/2011" "Linux-PAM Manual" "Linux\-PAM Manual"
++.TH "UNIX_CHKPWD" "8" "01/14/2014" "Linux-PAM Manual" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,16 +27,13 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ unix_chkpwd \- Helper binary that verifies the password of the current user
+-.SH "Synopsis"
+-.fam C
++.SH "SYNOPSIS"
+ .HP \w'\fBunix_chkpwd\fR\ 'u
+ \fBunix_chkpwd\fR [\&.\&.\&.]
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+-
+ \fIunix_chkpwd\fR
+ is a helper program for the
+ \fIpam_unix\fR
+@@ -189,7 +47,6 @@
+ module and it should not be called directly from applications\&.
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_unix\fR(8)
+ .SH "AUTHOR"
+ .PP
+Index: pam.debian/doc/man/pam_sm_chauthtok.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_sm_chauthtok.3
++++ pam.debian/doc/man/pam_sm_chauthtok.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_sm_chauthtok
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_SM_CHAUTHTOK" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_SM_CHAUTHTOK" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,44 +27,34 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_sm_chauthtok \- PAM service function for authentication token management
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #define PAM_SM_PASSWORD
+ .fi
+-.fam
+-.ps +1
+ .ft
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_modules\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'PAM_EXTERN\ int\ pam_sm_chauthtok('u
+ .BI "PAM_EXTERN int pam_sm_chauthtok(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+ \fBpam_sm_chauthtok\fR
+-function is the service module\'s implementation of the
++function is the service module\*(Aqs implementation of the
+ \fBpam_chauthtok\fR(3)
+ interface\&.
+ .PP
+ This function is used to (re\-)set the authentication token of the user\&.
+ .PP
+-Valid flags, which may be logically OR\'d with
++Valid flags, which may be logically OR\*(Aqd with
+ \fIPAM_SILENT\fR, are:
+ .PP
+ PAM_SILENT
+@@ -221,7 +72,7 @@
+ .PP
+ PAM_PRELIM_CHECK
+ .RS 4
+-This indicates that the modules are being probed as to their ready status for altering the user\'s authentication token\&. If the module requires access to another system over some network it should attempt to verify it can connect to this system on receiving this flag\&. If a module cannot establish it is ready to update the user\'s authentication token it should return
++This indicates that the modules are being probed as to their ready status for altering the user\*(Aqs authentication token\&. If the module requires access to another system over some network it should attempt to verify it can connect to this system on receiving this flag\&. If a module cannot establish it is ready to update the user\*(Aqs authentication token it should return
+ \fBPAM_TRY_AGAIN\fR, this information will be passed back to the application\&.
+ .sp
+ If the control value
+@@ -233,7 +84,7 @@
+ .PP
+ PAM_UPDATE_AUTHTOK
+ .RS 4
+-This informs the module that this is the call it should change the authorization tokens\&. If the flag is logically OR\'d with
++This informs the module that this is the call it should change the authorization tokens\&. If the flag is logically OR\*(Aqd with
+ \fBPAM_CHANGE_EXPIRED_AUTHTOK\fR, the token is only changed if it has actually expired\&.
+ .RE
+ .PP
+@@ -285,7 +136,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam\fR(3),
+ \fBpam_chauthtok\fR(3),
+ \fBpam_sm_chauthtok\fR(3),
+Index: pam.debian/modules/pam_timestamp/pam_timestamp_check.8
+===================================================================
+--- pam.debian.orig/modules/pam_timestamp/pam_timestamp_check.8
++++ pam.debian/modules/pam_timestamp/pam_timestamp_check.8
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_timestamp_check
+ .\" Author: [see the "AUTHOR" section]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_TIMESTAMP_CHECK" "8" "06/21/2011" "Linux-PAM Manual" "Linux\-PAM Manual"
++.TH "PAM_TIMESTAMP_CHECK" "8" "01/14/2014" "Linux-PAM Manual" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,13 +27,11 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_timestamp_check \- Check to see if the default timestamp is valid
+-.SH "Synopsis"
+-.fam C
++.SH "SYNOPSIS"
+ .HP \w'\fBpam_timestamp_check\fR\ 'u
+ \fBpam_timestamp_check\fR [\-k] [\-d] [\fItarget_user\fR]
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ With no arguments
+@@ -182,7 +41,7 @@
+ .PP
+ \fB\-k\fR
+ .RS 4
+-Instead of checking the validity of a timestamp, remove it\&. This is analogous to sudo\'s
++Instead of checking the validity of a timestamp, remove it\&. This is analogous to sudo\*(Aqs
+ \fI\-k\fR
+ option\&.
+ .RE
+@@ -246,40 +105,25 @@
+ .if n \{\
+ .RS 4
+ .\}
+-.fam C
+-.ps -1
+ .nf
+-.if t \{\
+-.sp -1
+-.\}
+-.BB lightgray adjust-for-leading-newline
+-.sp -1
+-
+ auth sufficient pam_timestamp\&.so verbose
+ auth required pam_unix\&.so
+
+ session required pam_unix\&.so
+ session optional pam_timestamp\&.so
+
+-.EB lightgray adjust-for-leading-newline
+-.if t \{\
+-.sp 1
+-.\}
+ .fi
+-.fam
+-.ps +1
+ .if n \{\
+ .RE
+ .\}
+ .SH "FILES"
+ .PP
+-\FC/var/run/sudo/\&.\&.\&.\F[]
++/var/run/sudo/\&.\&.\&.
+ .RS 4
+ timestamp files and directories
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_timestamp_check\fR(8),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+Index: pam.debian/doc/man/pam_open_session.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_open_session.3
++++ pam.debian/doc/man/pam_open_session.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_open_session
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_OPEN_SESSION" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_OPEN_SESSION" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_open_session \- start PAM session management
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_appl\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_open_session('u
+ .BI "int pam_open_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -191,7 +46,7 @@
+ \fBpam_close_session\fR(3)\&.
+ .PP
+ It should be noted that the effective uid,
+-\fBgeteuid\fR(2)\&. of the application should be of sufficient privilege to perform such tasks as creating or mounting the user\'s home directory for example\&.
++\fBgeteuid\fR(2)\&. of the application should be of sufficient privilege to perform such tasks as creating or mounting the user\*(Aqs home directory for example\&.
+ .PP
+ The flags argument is the binary or of zero or more of the following values:
+ .PP
+@@ -222,6 +77,5 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_close_session\fR(3),
+ \fBpam_strerror\fR(3)
+Index: pam.debian/doc/man/pam_set_item.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_set_item.3
++++ pam.debian/doc/man/pam_set_item.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_set_item
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_SET_ITEM" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_SET_ITEM" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_set_item \- set and update PAM informations
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_modules\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_set_item('u
+ .BI "int pam_set_item(pam_handle_t\ *" "pamh" ", int\ " "item_type" ", const\ void\ *" "item" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -209,13 +64,13 @@
+ .PP
+ PAM_USER_PROMPT
+ .RS 4
+-The string used when prompting for a user\'s name\&. The default value for this string is a localized version of "login: "\&.
++The string used when prompting for a user\*(Aqs name\&. The default value for this string is a localized version of "login: "\&.
+ .RE
+ .PP
+ PAM_TTY
+ .RS 4
+ The terminal name: prefixed by
+-\FC/dev/\F[]
++/dev/
+ if it is a device file; for graphical, X\-based, applications the value for this item should be the
+ \fI$DISPLAY\fR
+ variable\&.
+@@ -227,7 +82,6 @@
+ .sp
+ Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one\&. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator\&.
+ .sp
+-
+ \fIPAM_RUSER@PAM_RHOST\fR
+ should always identify the requesting user\&. In some cases,
+ \fIPAM_RUSER\fR
+@@ -335,6 +189,5 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_get_item\fR(3),
+ \fBpam_strerror\fR(3)
+Index: pam.debian/modules/pam_mkhomedir/mkhomedir_helper.8
+===================================================================
+--- pam.debian.orig/modules/pam_mkhomedir/mkhomedir_helper.8
++++ pam.debian/modules/pam_mkhomedir/mkhomedir_helper.8
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: mkhomedir_helper
+ .\" Author: [see the "AUTHOR" section]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "MKHOMEDIR_HELPER" "8" "06/21/2011" "Linux-PAM Manual" "Linux\-PAM Manual"
++.TH "MKHOMEDIR_HELPER" "8" "01/14/2014" "Linux-PAM Manual" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,16 +27,13 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ mkhomedir_helper \- Helper binary that creates home directories
+-.SH "Synopsis"
+-.fam C
++.SH "SYNOPSIS"
+ .HP \w'\fBmkhomedir_helper\fR\ 'u
+ \fBmkhomedir_helper\fR {\fIuser\fR} [\fIumask\fR\ [\ \fIpath\-to\-skel\fR\ ]]
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+-
+ \fImkhomedir_helper\fR
+ is a helper program for the
+ \fIpam_mkhomedir\fR
+@@ -194,7 +52,6 @@
+ The helper never touches home directories if they already exist\&.
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_mkhomedir\fR(8)
+ .SH "AUTHOR"
+ .PP
+Index: pam.debian/doc/man/pam.3
+===================================================================
+--- pam.debian.orig/doc/man/pam.3
++++ pam.debian/doc/man/pam.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,42 +27,29 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam \- Pluggable Authentication Modules Library
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_appl\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_modules\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_ext\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+ .SH "DESCRIPTION"
+ .PP
+-
+ \fBPAM\fR
+ is a system of libraries that handle the authentication tasks of applications (services) on the system\&. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as
+ \fBlogin\fR(1)
+@@ -429,7 +277,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_acct_mgmt\fR(3),
+ \fBpam_authenticate\fR(3),
+ \fBpam_chauthtok\fR(3),
+Index: pam.debian/doc/man/pam_start.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_start.3
++++ pam.debian/doc/man/pam_start.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_start
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_START" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_START" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_start \- initialization of PAM transaction
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_appl\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_start('u
+ .BI "int pam_start(const\ char\ *" "service_name" ", const\ char\ *" "user" ", const\ struct\ pam_conv\ *" "pam_conversation" ", pam_handle_t\ **" "pamh" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -192,9 +47,9 @@
+ The
+ \fIservice_name\fR
+ argument specifies the name of the service to apply and will be stored as PAM_SERVICE item in the new context\&. The policy for the service will be read from the file
+-\FC/etc/pam\&.d/service_name\F[]
++/etc/pam\&.d/service_name
+ or, if that file does not exist, from
+-\FC/etc/pam\&.conf\F[]\&.
++/etc/pam\&.conf\&.
+ .PP
+ The
+ \fIuser\fR
+@@ -243,7 +98,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_get_data\fR(3),
+ \fBpam_set_data\fR(3),
+ \fBpam_end\fR(3),
+Index: pam.debian/doc/man/pam_get_authtok.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_get_authtok.3
++++ pam.debian/doc/man/pam_get_authtok.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_get_authtok
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_GET_AUTHTOK" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_GET_AUTHTOK" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,31 +27,21 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_get_authtok, pam_get_authtok_verify, pam_get_authtok_noverify \- get authentication token
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_ext\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_get_authtok('u
+ .BI "int pam_get_authtok(pam_handle_t\ *" "pamh" ", int\ " "item" ", const\ char\ **" "authtok" ", const\ char\ *" "prompt" ");"
+-.fam
+-.fam C
+ .HP \w'int\ pam_get_authtok_noverify('u
+ .BI "int pam_get_authtok_noverify(pam_handle_t\ *" "pamh" ", const\ char\ **" "authtok" ", const\ char\ *" "prompt" ");"
+-.fam
+-.fam C
+ .HP \w'int\ pam_get_authtok_verify('u
+ .BI "int pam_get_authtok_verify(pam_handle_t\ *" "pamh" ", const\ char\ **" "authtok" ", const\ char\ *" "prompt" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -202,7 +53,7 @@
+ data and should
+ \fBnot\fR
+ be
+-\fIfree()\fR\'ed or over\-written!
++\fIfree()\fR\*(Aqed or over\-written!
+ .PP
+ The
+ \fIprompt\fR
+@@ -216,8 +67,7 @@
+ PAM_AUTHTOK
+ .RS 4
+ Returns the current authentication token\&. Called from
+-\fBpam_sm_chauthtok\fR(3)
+-\fBpam_get_authtok\fR
++\fBpam_sm_chauthtok\fR(3)\fBpam_get_authtok\fR
+ will ask the user to confirm the new token by retyping it\&. If a prompt was specified, "Retype" will be used as prefix\&.
+ .RE
+ .PP
+@@ -238,7 +88,7 @@
+ data and should
+ \fBnot\fR
+ be
+-\fIfree()\fR\'ed or over\-written!
++\fIfree()\fR\*(Aqed or over\-written!
+ .PP
+ The
+ \fBpam_get_authtok_verify\fR
+@@ -252,16 +102,15 @@
+ data and should
+ \fBnot\fR
+ be
+-\fIfree()\fR\'ed or over\-written!
++\fIfree()\fR\*(Aqed or over\-written!
+ .SH "OPTIONS"
+ .PP
+-
+ \fBpam_get_authtok\fR
+ honours the following module options:
+ .PP
+ \fBtry_first_pass\fR
+ .RS 4
+-Before prompting the user for their password, the module first tries the previous stacked module\'s password in case that satisfies this module as well\&.
++Before prompting the user for their password, the module first tries the previous stacked module\*(Aqs password in case that satisfies this module as well\&.
+ .RE
+ .PP
+ \fBuse_first_pass\fR
+@@ -312,7 +161,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam\fR(8)
+ .SH "STANDARDS"
+ .PP
+Index: pam.debian/doc/man/pam_setcred.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_setcred.3
++++ pam.debian/doc/man/pam_setcred.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_setcred
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_SETCRED" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_SETCRED" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_setcred \- establish / delete user credentials
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_appl\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_setcred('u
+ .BI "int pam_setcred(pam_handle_t\ *" "pamh" ", int\ " "flags" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -193,15 +48,15 @@
+ .PP
+ A credential is something that the user possesses\&. It is some property, such as a
+ \fIKerberos\fR
+-ticket, or a supplementary group membership that make up the uniqueness of a given user\&. On a Linux system the user\'s
++ticket, or a supplementary group membership that make up the uniqueness of a given user\&. On a Linux system the user\*(Aqs
+ \fIUID\fR
+ and
+-\fIGID\fR\'s are credentials too\&. However, it has been decided that these properties (along with the default supplementary groups of which the user is a member) are credentials that should be set directly by the application and not by PAM\&. Such credentials should be established, by the application, prior to a call to this function\&. For example,
++\fIGID\fR\*(Aqs are credentials too\&. However, it has been decided that these properties (along with the default supplementary groups of which the user is a member) are credentials that should be set directly by the application and not by PAM\&. Such credentials should be established, by the application, prior to a call to this function\&. For example,
+ \fBinitgroups\fR(2)
+ (or equivalent) should have been performed\&.
+ .PP
+ Valid
+-\fIflags\fR, any one of which, may be logically OR\'d with
++\fIflags\fR, any one of which, may be logically OR\*(Aqd with
+ \fBPAM_SILENT\fR, are:
+ .PP
+ PAM_ESTABLISH_CRED
+@@ -211,12 +66,12 @@
+ .PP
+ PAM_DELETE_CRED
+ .RS 4
+-Delete the user\'s credentials\&.
++Delete the user\*(Aqs credentials\&.
+ .RE
+ .PP
+ PAM_REINITIALIZE_CRED
+ .RS 4
+-Fully reinitialize the user\'s credentials\&.
++Fully reinitialize the user\*(Aqs credentials\&.
+ .RE
+ .PP
+ PAM_REFRESH_CRED
+@@ -261,7 +116,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_authenticate\fR(3),
+ \fBpam_open_session\fR(3),
+ \fBpam_close_session\fR(3),
+Index: pam.debian/modules/pam_sepermit/sepermit.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_sepermit/sepermit.conf.5
++++ pam.debian/modules/pam_sepermit/sepermit.conf.5
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: sepermit.conf
+ .\" Author: [see the "AUTHOR" section]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "SEPERMIT\&.CONF" "5" "06/21/2011" "Linux-PAM Manual" "Linux\-PAM Manual"
++.TH "SEPERMIT\&.CONF" "5" "01/14/2014" "Linux-PAM Manual" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,13 +27,12 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ sepermit.conf \- configuration file for the pam_sepermit module
+ .SH "DESCRIPTION"
+ .PP
+ The lines of the configuration file have the following syntax:
+ .PP
+-
+ \fI<user>\fR[:\fI<option>\fR:\fI<option>\fR\&.\&.\&.]
+ .PP
+ The
+@@ -220,7 +80,7 @@
+ .PP
+ \fBexclusive\fR
+ .RS 4
+-Only single login session will be allowed for the user and the user\'s processes will be killed on logout\&.
++Only single login session will be allowed for the user and the user\*(Aqs processes will be killed on logout\&.
+ .RE
+ .PP
+ \fBignore\fR
+@@ -232,37 +92,22 @@
+ .SH "EXAMPLES"
+ .PP
+ These are some example lines which might be specified in
+-\FC/etc/security/sepermit\&.conf\F[]\&.
++/etc/security/sepermit\&.conf\&.
+ .sp
+ .if n \{\
+ .RS 4
+ .\}
+-.fam C
+-.ps -1
+ .nf
+-.if t \{\
+-.sp -1
+-.\}
+-.BB lightgray adjust-for-leading-newline
+-.sp -1
+-
+ %guest_u:exclusive
+ %staff_u:ignore
+ %user_u:ignore
+
+-.EB lightgray adjust-for-leading-newline
+-.if t \{\
+-.sp 1
+-.\}
+ .fi
+-.fam
+-.ps +1
+ .if n \{\
+ .RE
+ .\}
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_sepermit\fR(8),
+ \fBpam.d\fR(5),
+ \fBpam\fR(8),
+Index: pam.debian/modules/pam_tty_audit/pam_tty_audit.8
+===================================================================
+--- pam.debian.orig/modules/pam_tty_audit/pam_tty_audit.8
++++ pam.debian/modules/pam_tty_audit/pam_tty_audit.8
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_tty_audit
+ .\" Author: [see the "AUTHOR" section]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_TTY_AUDIT" "8" "06/21/2011" "Linux-PAM Manual" "Linux\-PAM Manual"
++.TH "PAM_TTY_AUDIT" "8" "01/14/2014" "Linux-PAM Manual" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,13 +27,11 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_tty_audit \- Enable or disable TTY auditing for specified users
+-.SH "Synopsis"
+-.fam C
++.SH "SYNOPSIS"
+ .HP \w'\fBpam_tty_audit\&.so\fR\ 'u
+ \fBpam_tty_audit\&.so\fR [disable=\fIpatterns\fR] [enable=\fIpatterns\fR]
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The pam_tty_audit PAM module is used to enable or disable TTY auditing\&. By default, the kernel does not audit input on any TTY\&.
+@@ -196,7 +55,7 @@
+ .PP
+ \fBopen_only\fR
+ .RS 4
+-Set the TTY audit flag when opening the session, but do not restore it when closing the session\&. Using this option is necessary for some services that don\'t
++Set the TTY audit flag when opening the session, but do not restore it when closing the session\&. Using this option is necessary for some services that don\*(Aqt
+ \fBfork()\fR
+ to run the authenticated session, such as
+ \fBsudo\fR\&.
+@@ -232,31 +91,16 @@
+ .if n \{\
+ .RS 4
+ .\}
+-.fam C
+-.ps -1
+ .nf
+-.if t \{\
+-.sp -1
+-.\}
+-.BB lightgray adjust-for-leading-newline
+-.sp -1
+-
+ session required pam_tty_audit\&.so disable=* enable=root
+
+-.EB lightgray adjust-for-leading-newline
+-.if t \{\
+-.sp 1
+-.\}
+ .fi
+-.fam
+-.ps +1
+ .if n \{\
+ .RE
+ .\}
+ .sp
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBaureport\fR(8),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+Index: pam.debian/doc/man/PAM.8
+===================================================================
+--- pam.debian.orig/doc/man/PAM.8
++++ pam.debian/doc/man/PAM.8
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM" "8" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM" "8" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,15 +27,14 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ PAM, pam \- Pluggable Authentication Modules for Linux
+ .SH "DESCRIPTION"
+ .PP
+ This manual is intended to offer a quick introduction to
+ \fBLinux\-PAM\fR\&. For more information the reader is directed to the
+-\fBLinux\-PAM system administrators\' guide\fR\&.
++\fBLinux\-PAM system administrators\*(Aq guide\fR\&.
+ .PP
+-
+ \fBLinux\-PAM\fR
+ is a system of libraries that handle the authentication tasks of applications (services) on the system\&. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as
+ \fBlogin\fR(1)
+@@ -184,13 +44,12 @@
+ The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable\&. In other words, the system administrator is free to choose how individual service\-providing applications will authenticate users\&. This dynamic configuration is set by the contents of the single
+ \fBLinux\-PAM\fR
+ configuration file
+-\FC/etc/pam\&.conf\F[]\&. Alternatively, the configuration can be set by individual configuration files located in the
+-\FC/etc/pam\&.d/\F[]
++/etc/pam\&.conf\&. Alternatively, the configuration can be set by individual configuration files located in the
++/etc/pam\&.d/
+ directory\&. The presence of this directory will cause
+ \fBLinux\-PAM\fR
+ to
+-\fIignore\fR
+-\FC/etc/pam\&.conf\F[]\&.
++\fIignore\fR/etc/pam\&.conf\&.
+ .PP
+ From the point of view of the system administrator, for whom this manual is provided, it is not of primary importance to understand the internal behavior of the
+ \fBLinux\-PAM\fR
+@@ -212,36 +71,36 @@
+ \fBsession\fR
+ management\&. (We highlight the abbreviations used for these groups in the configuration file\&.)
+ .PP
+-Simply put, these groups take care of different aspects of a typical user\'s request for a restricted service:
++Simply put, these groups take care of different aspects of a typical user\*(Aqs request for a restricted service:
+ .PP
+ \fBaccount\fR
+-\- provide account verification types of service: has the user\'s password expired?; is this user permitted access to the requested service?
++\- provide account verification types of service: has the user\*(Aqs password expired?; is this user permitted access to the requested service?
+ .PP
+ \fBauth\fRentication \- authenticate a user and set up user credentials\&. Typically this is via some challenge\-response request that the user must satisfy: if you are who you claim to be please enter your password\&. Not all authentications are of this type, there exist hardware based authentication schemes (such as the use of smart\-cards and biometric devices), with suitable modules, these may be substituted seamlessly for more standard approaches to authentication \- such is the flexibility of
+ \fBLinux\-PAM\fR\&.
+ .PP
+ \fBpassword\fR
+-\- this group\'s responsibility is the task of updating authentication mechanisms\&. Typically, such services are strongly coupled to those of the
++\- this group\*(Aqs responsibility is the task of updating authentication mechanisms\&. Typically, such services are strongly coupled to those of the
+ \fBauth\fR
+ group\&. Some authentication mechanisms lend themselves well to being updated with such a function\&. Standard UN*X password\-based access is the obvious example: please enter a replacement password\&.
+ .PP
+ \fBsession\fR
+-\- this group of tasks cover things that should be done prior to a service being given and after it is withdrawn\&. Such tasks include the maintenance of audit trails and the mounting of the user\'s home directory\&. The
++\- this group of tasks cover things that should be done prior to a service being given and after it is withdrawn\&. Such tasks include the maintenance of audit trails and the mounting of the user\*(Aqs home directory\&. The
+ \fBsession\fR
+ management group is important as it provides both an opening and closing hook for modules to affect the services available to a user\&.
+ .SH "FILES"
+ .PP
+-\FC/etc/pam\&.conf\F[]
++/etc/pam\&.conf
+ .RS 4
+ the configuration file
+ .RE
+ .PP
+-\FC/etc/pam\&.d\F[]
++/etc/pam\&.d
+ .RS 4
+ the
+ \fBLinux\-PAM\fR
+ configuration directory\&. Generally, if this directory is present, the
+-\FC/etc/pam\&.conf\F[]
++/etc/pam\&.conf
+ file is ignored\&.
+ .RE
+ .SH "ERRORS"
+@@ -255,7 +114,6 @@
+ DCE\-RFC 86\&.0, October 1995\&. Contains additional features, but remains backwardly compatible with this RFC\&.
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam\fR(3),
+ \fBpam_authenticate\fR(3),
+ \fBpam_sm_setcred\fR(3),
+Index: pam.debian/doc/man/misc_conv.3
+===================================================================
+--- pam.debian.orig/doc/man/misc_conv.3
++++ pam.debian/doc/man/misc_conv.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: misc_conv
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "MISC_CONV" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "MISC_CONV" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ misc_conv \- text based conversation function
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_misc\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'void\ misc_conv('u
+ .BI "void misc_conv(int\ " "num_msg" ", const\ struct\ pam_message\ **" "msgm" ", struct\ pam_response\ **" "response" ", void\ *" "appdata_ptr" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -261,7 +116,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_conv\fR(3),
+ \fBpam\fR(8)
+ .SH "STANDARDS"
+Index: pam.debian/doc/man/pam.8
+===================================================================
+--- pam.debian.orig/doc/man/pam.8
++++ pam.debian/doc/man/pam.8
+@@ -1 +1 @@
+-.so man8/PAM.8
++.so PAM.8
+Index: pam.debian/doc/man/pam_acct_mgmt.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_acct_mgmt.3
++++ pam.debian/doc/man/pam_acct_mgmt.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_acct_mgmt
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_ACCT_MGMT" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_ACCT_MGMT" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_acct_mgmt \- PAM account validation management
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_appl\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_acct_mgmt('u
+ .BI "int pam_acct_mgmt(pam_handle_t\ *" "pamh" ", int\ " "flags" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -238,7 +93,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_start\fR(3),
+ \fBpam_authenticate\fR(3),
+ \fBpam_chauthtok\fR(3),
+Index: pam.debian/doc/man/pam_authenticate.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_authenticate.3
++++ pam.debian/doc/man/pam_authenticate.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_authenticate
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_AUTHENTICATE" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_AUTHENTICATE" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_authenticate \- account authentication
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_appl\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_authenticate('u
+ .BI "int pam_authenticate(pam_handle_t\ *" "pamh" ", int\ " "flags" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -248,7 +103,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_start\fR(3),
+ \fBpam_setcred\fR(3),
+ \fBpam_chauthtok\fR(3),
+Index: pam.debian/doc/man/pam_chauthtok.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_chauthtok.3
++++ pam.debian/doc/man/pam_chauthtok.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_chauthtok
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_CHAUTHTOK" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_CHAUTHTOK" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_chauthtok \- updating authentication tokens
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_appl\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_chauthtok('u
+ .BI "int pam_chauthtok(pam_handle_t\ *" "pamh" ", int\ " "flags" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -237,7 +92,7 @@
+ .PP
+ PAM_TRY_AGAIN
+ .RS 4
+-Not all of the modules were in a position to update the authentication token(s)\&. In such a case none of the user\'s authentication tokens are updated\&.
++Not all of the modules were in a position to update the authentication token(s)\&. In such a case none of the user\*(Aqs authentication tokens are updated\&.
+ .RE
+ .PP
+ PAM_USER_UNKNOWN
+@@ -246,7 +101,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_start\fR(3),
+ \fBpam_authenticate\fR(3),
+ \fBpam_setcred\fR(3),
+Index: pam.debian/doc/man/pam_conv.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_conv.3
++++ pam.debian/doc/man/pam_conv.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_conv
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_CONV" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_CONV" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,22 +27,16 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_conv \- PAM conversation function
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_appl\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+ .sp
+-.fam C
+-.ps -1
+ .nf
+ struct pam_message {
+ int msg_style;
+@@ -200,8 +55,6 @@
+ };
+
+ .fi
+-.fam
+-.ps +1
+ .SH "DESCRIPTION"
+ .PP
+ The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application\&. This callback is specified by the
+@@ -221,7 +74,7 @@
+ \fIresp\fR
+ points to an array of pam_response structures, holding the application supplied text\&. The
+ \fIresp_retcode\fR
+-member of this struct is unused and should be set to zero\&. It is the caller\'s responsibility to release both, this array and the responses themselves, using
++member of this struct is unused and should be set to zero\&. It is the caller\*(Aqs responsibility to release both, this array and the responses themselves, using
+ \fBfree\fR(3)\&. Note,
+ \fI*resp\fR
+ is a
+@@ -231,7 +84,7 @@
+ The number of responses is always equal to the
+ \fInum_msg\fR
+ conversation function argument\&. This does require that the response array is
+-\fBfree\fR(3)\'d after every call to the conversation function\&. The index of the responses corresponds directly to the prompt index in the pam_message array\&.
++\fBfree\fR(3)\*(Aqd after every call to the conversation function\&. The index of the responses corresponds directly to the prompt index in the pam_message array\&.
+ .PP
+ On failure, the conversation function should release any resources it has allocated, and return one of the predefined PAM error codes\&.
+ .PP
+@@ -262,7 +115,7 @@
+ .PP
+ The point of having an array of messages is that it becomes possible to pass a number of things to the application in a single call from the module\&. It can also be convenient for the application that related things come at once: a windows based application can then present a single form with many messages/prompts on at once\&.
+ .PP
+-In passing, it is worth noting that there is a descrepency between the way Linux\-PAM handles the const struct pam_message **msg conversation function argument from the way that Solaris\' PAM (and derivitives, known to include HP/UX, are there others?) does\&. Linux\-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with the commonly used prototypes for argv argument to the familiar main() function: char **argv; and char *argv[])\&. Said another way Linux\-PAM interprets the msg argument as a pointer to an array of num_msg read only \'struct pam_message\' pointers\&. Solaris\' PAM implementation interprets this argument as a pointer to a pointer to an array of num_msg pam_message structures\&. Fortunately, perhaps, for most module/application developers when num_msg has a value of one these two definitions are entirely equivalent\&. Unfortunately, casually raising this number to two has led to unanticipated compatibility problems\&.
++In passing, it is worth noting that there is a descrepency between the way Linux\-PAM handles the const struct pam_message **msg conversation function argument from the way that Solaris\*(Aq PAM (and derivitives, known to include HP/UX, are there others?) does\&. Linux\-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with the commonly used prototypes for argv argument to the familiar main() function: char **argv; and char *argv[])\&. Said another way Linux\-PAM interprets the msg argument as a pointer to an array of num_msg read only \*(Aqstruct pam_message\*(Aq pointers\&. Solaris\*(Aq PAM implementation interprets this argument as a pointer to a pointer to an array of num_msg pam_message structures\&. Fortunately, perhaps, for most module/application developers when num_msg has a value of one these two definitions are entirely equivalent\&. Unfortunately, casually raising this number to two has led to unanticipated compatibility problems\&.
+ .PP
+ For what its worth the two known module writer work\-arounds for trying to maintain source level compatibility with both PAM implementations are:
+ .sp
+@@ -290,24 +143,10 @@
+ .if n \{\
+ .RS 4
+ .\}
+-.fam C
+-.ps -1
+ .nf
+-.if t \{\
+-.sp -1
+-.\}
+-.BB lightgray adjust-for-leading-newline
+-.sp -1
+-
+ msg[n] = & (( *msg )[n])
+
+-.EB lightgray adjust-for-leading-newline
+-.if t \{\
+-.sp 1
+-.\}
+ .fi
+-.fam
+-.ps +1
+ .if n \{\
+ .RE
+ .\}
+@@ -331,7 +170,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_start\fR(3),
+ \fBpam_set_item\fR(3),
+ \fBpam_get_item\fR(3),
+Index: pam.debian/doc/man/pam_error.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_error.3
++++ pam.debian/doc/man/pam_error.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_error
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_ERROR" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_ERROR" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,27 +27,19 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_error, pam_verror \- display error messages to the user
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_ext\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_error('u
+ .BI "int pam_error(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "\&.\&.\&." ");"
+-.fam
+-.fam C
+ .HP \w'int\ pam_verror('u
+ .BI "int pam_verror(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", va_list\ " "args" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -223,7 +76,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_info\fR(3),
+ \fBpam_vinfo\fR(3),
+ \fBpam_prompt\fR(3),
+Index: pam.debian/doc/man/pam_get_authtok_noverify.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_get_authtok_noverify.3
++++ pam.debian/doc/man/pam_get_authtok_noverify.3
+@@ -1 +1 @@
+-.so man3/pam_get_authtok.3
++.so pam_get_authtok.3
+Index: pam.debian/doc/man/pam_get_authtok_verify.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_get_authtok_verify.3
++++ pam.debian/doc/man/pam_get_authtok_verify.3
+@@ -1 +1 @@
+-.so man3/pam_get_authtok.3
++.so pam_get_authtok.3
+Index: pam.debian/doc/man/pam_getenv.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_getenv.3
++++ pam.debian/doc/man/pam_getenv.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_getenv
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_GETENV" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_GETENV" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_getenv \- get a PAM environment variable
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_appl\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'const\ char\ *pam_getenv('u
+ .BI "const char *pam_getenv(pam_handle_t\ *" "pamh" ", const\ char\ *" "name" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -199,7 +54,6 @@
+ function returns NULL on failure\&.
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_start\fR(3),
+ \fBpam_getenvlist\fR(3),
+ \fBpam_putenv\fR(3),
+Index: pam.debian/doc/man/pam_getenvlist.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_getenvlist.3
++++ pam.debian/doc/man/pam_getenvlist.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_getenvlist
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_GETENVLIST" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_GETENVLIST" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_getenvlist \- getting the PAM environment
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_appl\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'char\ **pam_getenvlist('u
+ .BI "char **pam_getenvlist(pam_handle_t\ *" "pamh" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -190,9 +45,9 @@
+ function returns a complete copy of the PAM environment as associated with the handle
+ \fIpamh\fR\&. The PAM environment variables represent the contents of the regular environment variables of the authenticated user when service is granted\&.
+ .PP
+-The format of the memory is a malloc()\'d array of char pointers, the last element of which is set to NULL\&. Each of the non\-NULL entries in this array point to a NUL terminated and malloc()\'d char string of the form: "\fIname=value\fR"\&.
++The format of the memory is a malloc()\*(Aqd array of char pointers, the last element of which is set to NULL\&. Each of the non\-NULL entries in this array point to a NUL terminated and malloc()\*(Aqd char string of the form: "\fIname=value\fR"\&.
+ .PP
+-It should be noted that this memory will never be free()\'d by libpam\&. Once obtained by a call to
++It should be noted that this memory will never be free()\*(Aqd by libpam\&. Once obtained by a call to
+ \fBpam_getenvlist\fR, it is the responsibility of the calling application to free() this memory\&.
+ .PP
+ It is by design, and not a coincidence, that the format and contents of the returned array matches that required for the third argument of the
+@@ -205,7 +60,6 @@
+ function returns NULL on failure\&.
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_start\fR(3),
+ \fBpam_getenv\fR(3),
+ \fBpam_putenv\fR(3),
+Index: pam.debian/doc/man/pam_info.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_info.3
++++ pam.debian/doc/man/pam_info.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_info
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_INFO" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_INFO" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,27 +27,19 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_info, pam_vinfo \- display messages to the user
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_ext\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_info('u
+ .BI "int pam_info(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "\&.\&.\&." ");"
+-.fam
+-.fam C
+ .HP \w'int\ pam_vinfo('u
+ .BI "int pam_vinfo(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", va_list\ " "args" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -223,7 +76,6 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam\fR(8)
+ .SH "STANDARDS"
+ .PP
+Index: pam.debian/doc/man/pam_misc_drop_env.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_drop_env.3
++++ pam.debian/doc/man/pam_misc_drop_env.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_misc_drop_env
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_MISC_DROP_ENV" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_MISC_DROP_ENV" "3" "01/14/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+-.\" * (re)Define some macros
++.\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" toupper - uppercase a string (locale-aware)
++.\" http://bugs.debian.org/507673
++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+ .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de toupper
+-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+-\\$*
+-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH-xref - format a cross-reference to an SH section
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de SH-xref
+-.ie n \{\
+-.\}
+-.toupper \\$*
+-.el \{\
+-\\$*
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SH - level-one heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SH
+-.\" put an extra blank line of space above the head in non-TTY output
+-.if t \{\
+-.sp 1
+-.\}
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[an-margin]u
+-.ti 0
+-.HTML-TAG ".NH \\n[an-level]"
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-\." make the size of the head bigger
+-.ps +3
+-.ft B
+-.ne (2v + 1u)
+-.ie n \{\
+-.\" if n (TTY output), use uppercase
+-.toupper \\$*
+-.\}
+-.el \{\
+-.nr an-break-flag 0
+-.\" if not n (not TTY), use normal case (not uppercase)
+-\\$1
+-.in \\n[an-margin]u
+-.ti 0
+-.\" if not n (not TTY), put a border/line under subheading
+-.sp -.6
+-\l'\n(.lu'
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" SS - level-two heading that works better for non-TTY output
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de1 SS
+-.sp \\n[PD]u
+-.nr an-level 1
+-.set-an-margin
+-.nr an-prevailing-indent \\n[IN]
+-.fi
+-.in \\n[IN]u
+-.ti \\n[SN]u
+-.it 1 an-trap
+-.nr an-no-space-flag 1
+-.nr an-break-flag 1
+-.ps \\n[PS-SS]u
+-\." make the size of the head bigger
+-.ps +2
+-.ft B
+-.ne (2v + 1u)
+-.if \\n[.$] \&\\$*
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BB/BE - put background/screen (filled box) around block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BB
+-.if t \{\
+-.sp -.5
+-.br
+-.in +2n
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EB
+-.if t \{\
+-.if "\\$2"adjust-for-leading-newline" \{\
+-.sp -1
+-.\}
+-.br
+-.di
+-.in
+-.ll
+-.gcolor
+-.nr BW \\n(.lu-\\n(.i
+-.nr BH \\n(dn+.5v
+-.ne \\n(BHu+.5v
+-.ie "\\$2"adjust-for-leading-newline" \{\
+-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.el \{\
+-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+-.\}
+-.in 0
+-.sp -.5v
+-.nf
+-.BX
+-.in
+-.sp .5v
+-.fi
+-.\}
+-..
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.\" BM/EM - put colored marker in margin next to block of text
+-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-.de BM
+-.if t \{\
+-.br
+-.ll -2n
+-.gcolor red
+-.di BX
+-.\}
+-..
+-.de EM
+-.if t \{\
+-.br
+-.di
+-.ll
+-.gcolor
+-.nr BH \\n(dn
+-.ne \\n(BHu
+-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+-.in 0
+-.nf
+-.BX
+-.in
+-.fi
+-.\}
+-..
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
+ .\" -----------------------------------------------------------------
+ .\" * set default formatting
+ .\" -----------------------------------------------------------------
+@@ -166,23 +27,17 @@
+ .\" -----------------------------------------------------------------
+ .\" * MAIN CONTENT STARTS HERE *
+ .\" -----------------------------------------------------------------
+-.SH "Name"
++.SH "NAME"
+ pam_misc_drop_env \- liberating a locally saved environment
+-.SH "Synopsis"
++.SH "SYNOPSIS"
+ .sp
+ .ft B
+-.fam C
+-.ps -1
+ .nf
+ #include <security/pam_misc\&.h>
+ .fi
+-.fam
+-.ps +1
+ .ft
+-.fam C
+ .HP \w'int\ pam_misc_drop_env('u
+ .BI "int pam_misc_drop_env(char\ **" "env" ");"
+-.fam
+ .SH "DESCRIPTION"
+ .PP
+ This function is defined to complement the
+@@ -196,7 +51,6 @@
+ \fBfree()\fRing it\&.
+ .SH "SEE ALSO"
+ .PP
+-
+ \fBpam_getenvlist\fR(3),
+ \fBpam\fR(8)
+ .SH "STANDARDS"
+Index: pam.debian/doc/man/pam_misc_paste_env.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_paste_env.3
++++ pam.debian/doc/man/pam_misc_paste_env.3
+@@ -1,161 +1,22 @@
++'\" t
+ .\" Title: pam_misc_paste_env
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+-.\" Date: 06/21/2011
++.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English