223 files changed, 19642 insertions, 10116 deletions

diff --git a/Linux-PAM/doc/CREDITS b/Linux-PAM/doc/CREDITS
deleted file mode 100644
index 528032bb..00000000
--- a/Linux-PAM/doc/CREDITS
+++ /dev/null
@@ -1,49 +0,0 @@
-<!--
- an sgml list of people to credit for their contributions to Linux-PAM
- $Id: CREDITS,v 1.2 2001/03/19 01:46:41 agmorgan Exp $
-  -->
-Chris Adams,
-Peter Allgeyer,
-Tim Baverstock,
-Tim Berger,
-Craig S. Bell,
-Derrick J. Brashear,
-Ben Buxton,
-Seth Chaiklin,
-Oliver Crow,
-Chris Dent,
-Marc Ewing,
-Cristian Gafton,
-Emmanuel Galanos,
-Brad M. Garcia,
-Eric Hester,
-Michel D'Hooge,
-Roger Hu,
-Eric Jacksch,
-Michael K. Johnson,
-David Kinchlea,
-Olaf Kirch,
-Marcin Korzonek,
-Stephen Langasek,
-Nicolai Langfeldt,
-Elliot Lee,
-Luke Kenneth Casson Leighton,
-Al Longyear,
-Ingo Luetkebohle,
-Marek Michalkiewicz,
-Robert Milkowski,
-Aleph One,
-Martin Pool,
-Sean Reifschneider,
-Jan Rekorajski,
-Erik Troan,
-Theodore Ts'o,
-Jeff Uphoff,
-Myles Uyema,
-Savochkin Andrey Vladimirovich,
-Ronald Wahl,
-David Wood,
-John Wilmes,
-Joseph S. D. Yao
-and
-Alex O.  Yuriev.
diff --git a/Linux-PAM/doc/Makefile b/Linux-PAM/doc/Makefile
deleted file mode 100644
index 1c2ba510..00000000
--- a/Linux-PAM/doc/Makefile
+++ /dev/null
@@ -1,169 +0,0 @@
-
-### $Id: Makefile,v 1.10 2004/09/22 09:37:47 kukuk Exp $
-
-include ../Make.Rules
-
-#######################################################
-
-FILES=pam pam_appl pam_modules
-FSRCS=pam.sgml pam_appl.sgml pam_modules.sgml
-
-TEXTS=txts/pam.txt txts/pam_appl.txt txts/pam_modules.txt
-HTMLS=html/pam.html html/pam_appl.html html/pam_modules.html
-PSFILES=ps/pam.ps ps/pam_appl.ps ps/pam_modules.ps
-PDFFILES=pdf/pam.pdf ps/pam_appl.pdf ps/pam_modules.pdf
-
-MODULES=$(shell ls modules/*.sgml)
-
-#######################################################
-
-dummy:
-	@echo "Making the documentation..."
-	@$(MAKE) all
-
-# note, at this time we don't include pdf files by default, but you
-# can type make pdf in this directory and see what happens in the pdf
-# subdirectory.
-
-all: htmls texts postscript pdf
-
-htmls: $(HTMLS)
-
-$(HTMLS) : $(FSRCS)
-ifeq ($(HAVE_SGML2HTML),yes)
-	@for i in $(FILES) ; do \
-	if [ ! -f "html/$$i.html" ] || [ "$$i.sgml" -nt "html/$$i.html" ]; \
-	then \
-		cd html ; sgml2html ../$$i ; \
-		if [ $$? -ne 0 ]; then exit 1 ; fi ; \
-		cd .. ; \
-	fi ; \
-	done
-else
-	@echo XXX - you do not have the sgml2html binary installed
-endif
-
-texts: $(TEXTS)
-
-$(TEXTS) : $(FSRCS)
-ifeq ($(HAVE_SGML2TXT),yes)
-	@for i in $(FILES) ; do \
-		if [ ! -f "txts/$$i.txt" ] \
-				|| [ "$$i.sgml" -nt "txts/$$i.txt" ]; then \
-			cd txts ; sgml2txt ../$$i ; cd .. ; \
-		fi ; \
-	done
-else
-	@echo XXX - you do not have the sgml2txt binary installed
-endif
-
-postscript: $(PSFILES)
-
-$(PSFILES): $(FSRCS)
-ifneq ($(PSER),)
-	@for i in $(FILES) ; do \
-	if [ ! -f "ps/$$i.ps" ] || [ "$$i.sgml" -nt "ps/$$i.ps" ]; then \
-		cd ps ; $(PSER) ../$$i ; cd .. ; \
-	fi ; \
-	done
-else
-	@echo XXX - neither sgml2ps nor sgml2latex binaries are installed
-endif
-
-pdf: $(PDFFILES)
-
-$(PDFFILES) : $(PSFILES)
-ifeq ($(HAVE_PS2PDF),yes)
-	@for i in $(FILES) ; do \
-	if [ ! -f "pdf/$$i.pdf" ] || [ "ps/$$i.ps" -nt "ps/$$i.pdf" ]; then \
-		ps2pdf ps/$$i.ps pdf/$$i.pdf ; \
-	fi ; \
-	done
-else
-	@echo XXX - ps2pdf is not installed
-endif
-
-pam.sgml: pam_source.sgml MODULES-SGML CREDITS
-	@sed -e '/^<!\-\- insert\-file MODULES\-SGML \-\->/r MODULES-SGML' pam_source.sgml | sed -e '/^<!\-\- insert\-file CREDITS \-\->/r CREDITS' > pam.sgml
-
-MODULES-SGML: $(MODULES)
-	@echo 'Building module text from files in modules/*.sgml'
-	@rm -f MODULES-SGML
-	@echo '<!-- modules included:' > MODULES-SGML
-	@ls modules/*.sgml >> MODULES-SGML
-	@echo '  and that is all -->' >> MODULES-SGML
-	@cat modules/*.sgml >> MODULES-SGML
-
-extraclean: clean
-
-remove:
-	cd man && for file in *.3 ; do \
-	  rm -f $(FAKEROOT)$(MANDIR)/man3/$$file ; \
-	done
-	cd man && for file in *.8 ; do \
-	  rm -f $(FAKEROOT)$(MANDIR)/man8/$$file ; \
-	done
-	cd txts && for file in *.txt; do \
-	  rm -f $(FAKEROOT)$(DOCDIR)/text/$$file ; \
-	done
-	cd ps && for file in *.ps; do \
-	  rm -f $(FAKEROOT)$(DOCDIR)/ps/$$file  ; \
-	done
-	cd html && for file in *.html; do \
-	  rm -f $(FAKEROOT)$(DOCDIR)/html/$$file ; \
-	done
-
-install: all
-ifeq ($(HAVE_SGML2TXT),yes)
-	mkdir -p $(FAKEROOT)$(DOCDIR)/text
-	for file in txts/*.txt; do \
-	  install -m 644 $$file $(FAKEROOT)$(DOCDIR)/text ; \
-	done
-endif
-ifneq ($(PSER),)
-	mkdir -p $(FAKEROOT)$(DOCDIR)/ps
-	for file in ps/*.ps; do \
-	  install -m 644 $$file $(FAKEROOT)$(DOCDIR)/ps  ; \
-	done
-ifeq ($(HAVE_PS2PDF),yes)
-	mkdir -p $(FAKEROOT)$(DOCDIR)/pdf
-	for file in pdf/*.pdf; do \
-	  install -m 644 $$file $(FAKEROOT)$(DOCDIR)/pdf  ; \
-	done
-endif
-endif
-ifeq ($(HAVE_SGML2HTML),yes)
-	mkdir -p $(FAKEROOT)$(DOCDIR)/html
-	for file in html/*.html; do \
-	  install -m 644 $$file $(FAKEROOT)$(DOCDIR)/html ; \
-	done
-endif
-	mkdir -p $(FAKEROOT)$(MANDIR)/man3
-	mkdir -p $(FAKEROOT)$(MANDIR)/man8
-	for file in man/*.3 ; do \
-	  install -m 644 $$file $(FAKEROOT)$(MANDIR)/man3 ; \
-	done
-	for file in man/*.8 ; do \
-	  install -m 644 $$file $(FAKEROOT)$(MANDIR)/man8 ; \
-	done
-
-spec: specs/draft-morgan-pam.raw
-	cd specs/formatter && $(MAKE)
-	specs/formatter/padout < specs/draft-morgan-pam.raw > specs/draft-morgan-pam-current.txt
-
-releasedocs: all spec
-	tar zvfc Linux-PAM-$(MAJOR_REL).$(MINOR_REL)-docs.tar.gz \
-	--exclude CVS --exclude .cvsignore --exclude '.#*' \
-	html ps txts specs/draft-morgan-pam-current.txt
-
-clean:
-	rm -f *~ *.bak
-	rm -f html/pam*.html
-	rm -f man/*~
-	rm -f $(TEXTS)
-	rm -f $(PSFILES) ps/missfont.log
-	rm -f pdf/*.pdf
-	rm -f MODULES-SGML pam.sgml
-	rm -f specs/draft-morgan-pam-current.txt
-	$(MAKE) -C specs/formatter clean
-
diff --git a/Linux-PAM/doc/Makefile.am b/Linux-PAM/doc/Makefile.am
new file mode 100644
index 00000000..3b893899
--- /dev/null
+++ b/Linux-PAM/doc/Makefile.am
@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
+#
+
+SUBDIRS = man specs sag adg mwg
+
+CLEANFILES = *~
+
+dist_html_DATA = index.html
+
+#######################################################
+
+releasedocs: all
+	$(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/specs
+	cp -av specs/draft-morgan-pam-current.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/specs/
+	cp -av specs/rfc86.0.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/specs/
+	make -C sag releasedocs
+	make -C adg releasedocs
+	make -C mwg releasedocs
+	
diff --git a/Linux-PAM/doc/Makefile.in b/Linux-PAM/doc/Makefile.in
new file mode 100644
index 00000000..6c3563ee
--- /dev/null
+++ b/Linux-PAM/doc/Makefile.in
@@ -0,0 +1,589 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+#
+# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
+#
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = doc
+DIST_COMMON = $(dist_html_DATA) $(srcdir)/Makefile.am \
+	$(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
+	$(top_srcdir)/m4/iconv.m4 \
+	$(top_srcdir)/m4/jh_path_xml_catalog.m4 \
+	$(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+SOURCES =
+DIST_SOURCES =
+RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
+	html-recursive info-recursive install-data-recursive \
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(htmldir)"
+dist_htmlDATA_INSTALL = $(INSTALL_DATA)
+DATA = $(dist_html_DATA)
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
+ETAGS = etags
+CTAGS = ctags
+DIST_SUBDIRS = $(SUBDIRS)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BROWSER = @BROWSER@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+FO2PDF = @FO2PDF@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GREP = @GREP@
+HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBAUDIT = @LIBAUDIT@
+LIBCRACK = @LIBCRACK@
+LIBCRYPT = @LIBCRYPT@
+LIBDB = @LIBDB@
+LIBDL = @LIBDL@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBNSL = @LIBNSL@
+LIBOBJS = @LIBOBJS@
+LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@
+LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@
+LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@
+LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@
+LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@
+LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@
+LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@
+LIBS = @LIBS@
+LIBSELINUX = @LIBSELINUX@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+POSUB = @POSUB@
+RANLIB = @RANLIB@
+SCONFIGDIR = @SCONFIGDIR@
+SECUREDIR = @SECUREDIR@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_NLS = @USE_NLS@
+VERSION = @VERSION@
+WITH_DEBUG = @WITH_DEBUG@
+WITH_PAMLOCKING = @WITH_PAMLOCKING@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XMLCATALOG = @XMLCATALOG@
+XMLLINT = @XMLLINT@
+XML_CATALOG_FILE = @XML_CATALOG_FILE@
+XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libc_cv_fpie = @libc_cv_fpie@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pam_cv_ld_as_needed = @pam_cv_ld_as_needed@
+pam_xauth_path = @pam_xauth_path@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUBDIRS = man specs sag adg mwg
+CLEANFILES = *~
+dist_html_DATA = index.html
+all: all-recursive
+
+.SUFFIXES:
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  doc/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  doc/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-dist_htmlDATA: $(dist_html_DATA)
+	@$(NORMAL_INSTALL)
+	test -z "$(htmldir)" || $(MKDIR_P) "$(DESTDIR)$(htmldir)"
+	@list='$(dist_html_DATA)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(dist_htmlDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(htmldir)/$$f'"; \
+	  $(dist_htmlDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(htmldir)/$$f"; \
+	done
+
+uninstall-dist_htmlDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(dist_html_DATA)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(htmldir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(htmldir)/$$f"; \
+	done
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+$(RECURSIVE_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+$(RECURSIVE_CLEAN_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+ctags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+	done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+	  include_option=--etags-include; \
+	  empty_fix=.; \
+	else \
+	  include_option=--include; \
+	  empty_fix=; \
+	fi; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test ! -f $$subdir/TAGS || \
+	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
+	  fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d "$(distdir)/$$subdir" \
+	    || $(MKDIR_P) "$(distdir)/$$subdir" \
+	    || exit 1; \
+	    distdir=`$(am__cd) $(distdir) && pwd`; \
+	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
+	    (cd $$subdir && \
+	      $(MAKE) $(AM_MAKEFLAGS) \
+	        top_distdir="$$top_distdir" \
+	        distdir="$$distdir/$$subdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
+	        distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-recursive
+all-am: Makefile $(DATA)
+installdirs: installdirs-recursive
+installdirs-am:
+	for dir in "$(DESTDIR)$(htmldir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-recursive
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-recursive
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-tags
+
+dvi: dvi-recursive
+
+dvi-am:
+
+html: html-recursive
+
+info: info-recursive
+
+info-am:
+
+install-data-am: install-dist_htmlDATA
+
+install-dvi: install-dvi-recursive
+
+install-exec-am:
+
+install-html: install-html-recursive
+
+install-info: install-info-recursive
+
+install-man:
+
+install-pdf: install-pdf-recursive
+
+install-ps: install-ps-recursive
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-recursive
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-recursive
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-recursive
+
+pdf-am:
+
+ps: ps-recursive
+
+ps-am:
+
+uninstall-am: uninstall-dist_htmlDATA
+
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
+	install-strip
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am check check-am clean clean-generic clean-libtool \
+	ctags ctags-recursive distclean distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dist_htmlDATA install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	installdirs-am maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
+	ps ps-am tags tags-recursive uninstall uninstall-am \
+	uninstall-dist_htmlDATA
+
+
+#######################################################
+
+releasedocs: all
+	$(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/specs
+	cp -av specs/draft-morgan-pam-current.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/specs/
+	cp -av specs/rfc86.0.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/specs/
+	make -C sag releasedocs
+	make -C adg releasedocs
+	make -C mwg releasedocs
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/Linux-PAM/doc/NOTES b/Linux-PAM/doc/NOTES
deleted file mode 100644
index b0f40d47..00000000
--- a/Linux-PAM/doc/NOTES
+++ /dev/null
@@ -1,16 +0,0 @@
-Things to be added:
-
-@ modules:
-@ application:
-
-	use of
-		'user' = user to become,
-		'uid' = user requesting service
-		'euid' = privilege of current process.
-
-@ sysadmin:
-
-	included modules:
-		behavior
-	non-included modules:
-		behavior/pointers.
diff --git a/Linux-PAM/doc/adg/Linux-PAM_ADG.xml b/Linux-PAM/doc/adg/Linux-PAM_ADG.xml
new file mode 100644
index 00000000..54df797d
--- /dev/null
+++ b/Linux-PAM/doc/adg/Linux-PAM_ADG.xml
@@ -0,0 +1,779 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+	"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<book id="adg">
+  <bookinfo>
+    <title>The Linux-PAM Application Developers' Guide</title>
+    <authorgroup>
+      <author>
+        <firstname>Andrew G.</firstname>
+        <surname>Morgan</surname>
+        <email>morgan@kernel.org</email>
+      </author>
+      <author>
+        <firstname>Thorsten</firstname>
+        <surname>Kukuk</surname>
+        <email>kukuk@thkukuk.de</email>
+      </author>
+    </authorgroup>
+    <releaseinfo>Version 0.99.6.0, 5. August 2006</releaseinfo>
+    <abstract>
+      <para>
+        This manual documents what an application developer needs to know
+        about the <emphasis remap='B'>Linux-PAM</emphasis> library. It
+        describes how an application might use the
+        <emphasis remap='B'>Linux-PAM</emphasis> library to authenticate
+        users. In addition it contains a description of the funtions
+        to be found in <filename>libpam_misc</filename> library, that can
+        be used in general applications. Finally, it contains some comments
+        on PAM related security issues for the application developer.
+      </para>
+    </abstract>
+  </bookinfo>
+
+  <chapter id="adg-introduction">
+    <title>Introduction</title>
+    <section id="adg-introduction-description">
+      <title>Description</title>
+      <para>
+        <emphasis remap='B'>Linux-PAM</emphasis>
+        (Pluggable Authentication Modules for Linux) is a library that enables
+        the local system administrator to choose how individual applications
+        authenticate users. For an overview of the
+        <emphasis remap='B'>Linux-PAM</emphasis> library see the
+        <emphasis>Linux-PAM System Administrators' Guide</emphasis>.
+      </para>
+      <para>
+        It is the purpose of the <emphasis remap='B'>Linux-PAM</emphasis>
+        project to liberate the development of privilege granting software
+        from the development of secure and appropriate authentication schemes.
+        This is accomplished by providing a documented library of functions
+        that an application may use for all forms of user authentication
+        management. This library dynamically loads locally configured
+        authentication modules that actually perform the authentication tasks.
+      </para>
+      <para>
+        From the perspective of an application developer the information
+        contained in the local configuration of the PAM library should not be
+        important. Indeed it is intended that an application treat the
+        functions documented here as a 'black box' that will deal with all
+        aspects of user authentication. 'All aspects' includes user
+        verification, account management, session initialization/termination
+        and also the resetting of passwords
+        (<emphasis>authentication tokens</emphasis>).
+      </para>
+    </section>
+
+    <section id="adg-introduction-synopsis">
+      <title>Synopsis</title>
+      <para>
+        For general applications that wish to use the services provided by
+        <emphasis remap='B'>Linux-PAM</emphasis> the following is a summary
+        of the relevant linking information:
+        <programlisting>
+#include &lt;security/pam_appl.h&gt;
+
+cc -o application .... -lpam
+        </programlisting>
+      </para>
+      <para>
+        In addition to <command>libpam</command>, there is a library of
+        miscellaneous functions that make the job of writing
+        <emphasis>PAM-aware</emphasis> applications easier (this library is not
+        covered in the DCE-RFC for PAM and is specific to the Linux-PAM
+        distribution):
+        <programlisting>
+#include &lt;security/pam_appl.h&gt;
+#include &lt;security/pam_misc.h&gt;
+
+cc -o application .... -lpam -lpam_misc
+        </programlisting>
+      </para>
+    </section>
+  </chapter>
+
+  <chapter id="adg-overview">
+    <title>Overview</title>
+    <para>
+      Most service-giving applications are restricted. In other words,
+      their service is not available to all and every prospective client.
+      Instead, the applying client must jump through a number of hoops to
+      convince the serving application that they are authorized to obtain
+      service.
+    </para>
+    <para>
+      The process of <emphasis>authenticating</emphasis> a client is what
+      PAM is designed to manage. In addition to authentication, PAM provides
+      account management, credential management, session management and
+      authentication-token (password changing) management services.  It is
+      important to realize when writing a PAM based application that these
+      services are provided in a manner that is
+      <emphasis remap='B'>transparent</emphasis> to the application. That is
+      to say, when the application is written, no assumptions can be made
+      about <emphasis>how</emphasis> the client will be authenticated.
+    </para>
+    <para>
+      The process of authentication is performed by the PAM library via a
+      call to <function>pam_authenticate()</function>. The return value
+      of this function will indicate whether a named client (the
+      <emphasis>user</emphasis>) has been authenticated. If the PAM library
+      needs to prompt the user for any information, such as their
+      <emphasis>name</emphasis> or a <emphasis>password</emphasis>
+      then it will do so. If the PAM library is configured to authenticate
+      the user using some silent protocol, it will do this too. (This
+      latter case might be via some hardware interface for example.)
+    </para>
+    <para>
+      It is important to note that the application must leave all decisions
+      about when to prompt the user at the discretion of the PAM library.
+    </para>
+    <para>
+      The PAM library, however, must work equally well for different styles
+      of application. Some applications, like the familiar
+      <command>login</command> and <command>passwd</command> are terminal
+      based applications, exchanges of information with the client in
+      these cases is as plain text messages. Graphically based applications,
+      however, have a more sophisticated interface. They generally interact
+      with the user via specially constructed dialogue boxes. Additionally,
+      network based services require that text messages exchanged with the
+      client are specially formatted for automated processing: one such
+      example is <command>ftpd</command> which prefixes each exchanged
+      message with a numeric identifier.
+    </para>
+    <para>
+      The presentation of simple requests to a client is thus something very
+      dependent on the protocol that the serving application will use. In
+      spite of the fact that PAM demands that it drives the whole
+      authentication process, it is not possible to leave such protocol
+      subtleties up to the PAM library.  To overcome this potential problem,
+      the application provides the PAM library with a
+      <emphasis>conversation</emphasis> function.  This function is called
+      from <emphasis>within</emphasis> the PAM library and enables the PAM
+      to directly interact with the client. The sorts of things that this
+      conversation function must be able to do are prompt the user with
+      text and/or obtain textual input from the user for processing by the
+      PAM library. The details of this function are provided in a later
+      section.
+    </para>
+    <para>
+      For example, the conversation function may be called by the PAM
+      library with a request to prompt the user for a password. Its job is
+      to reformat the prompt request into a form that the client will
+      understand. In the case of <command>ftpd</command>, this might involve
+      prefixing the string with the number <command>331</command> and sending
+      the request over the network to a connected client. The conversation
+      function will then obtain any reply and, after extracting the typed
+      password, will return this string of text to the PAM library. Similar
+      concerns need to be addressed in the case of an X-based graphical
+      server.
+    </para>
+    <para>
+      There are a number of issues that need to be addressed when one is
+      porting an existing application to become PAM compliant. A section
+      below has been devoted to this: Porting legacy applications.
+    </para>
+    <para>
+      Besides authentication, PAM provides other forms of management.
+      Session management is provided with calls to
+      <function>pam_open_session()</function> and
+      <function>pam_close_session()</function>. What these functions
+      actually do is up to the local administrator. But typically, they
+      could be used to log entry and exit from the system or for mounting
+      and unmounting the user's home directory. If an application provides
+      continuous service for a period of time, it should probably call
+      these functions, first open after the user is authenticated and then
+      close when the service is terminated.
+    </para>
+    <para>
+      Account management is another area that an application developer
+      should include with a call to <function>pam_acct_mgmt()</function>.
+      This call will perform checks on the good health of the user's account
+      (has it expired etc.). One of the things this function may check is
+      whether the user's authentication token has expired - in such a case the
+      application may choose to attempt to update it with a call to
+      <function>pam_chauthtok()</function>, although some applications
+      are not suited to this task (<command>ftp</command> for example)
+      and in this case the application should deny access to the user.
+    </para>
+    <para>
+      PAM is also capable of setting and deleting the users credentials with
+      the call <function>pam_setcred()</function>. This function should
+      always be called after the user is authenticated and before service
+      is offered to the user. By convention, this should be the last call
+      to the PAM library before the PAM session is opened. What exactly a
+      credential is, is not well defined. However, some examples are given
+      in the glossary below.
+    </para>
+  </chapter>
+
+  <chapter id="adg-interface">
+    <title>
+      The public interface to <emphasis remap='B'>Linux-PAM</emphasis>
+    </title>
+    <para>
+      Firstly, the relevant include file for the
+      <emphasis remap='B'>Linux-PAM</emphasis> library is
+      <function>&lt;security/pam_appl.h&gt;</function>.
+      It contains the definitions for a number of functions. After
+      listing these functions, we collect some guiding remarks for
+      programmers.
+    </para>
+    <section id="adg-interface-by-app-expected">
+      <title>What can be expected by the application</title>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_start.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_end.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_set_item.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_get_item.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_strerror.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_fail_delay.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_authenticate.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_setcred.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_acct_mgmt.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_chauthtok.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_open_session.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_close_session.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_putenv.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_getenv.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_getenvlist.xml"/>
+    </section>
+    <section id="adg-interface-of-app-expected">
+      <title>What is expected of an application</title>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_conv.xml"/>
+    </section>
+    <section id="adg-interface-programming-notes">
+      <title>Programming notes</title>
+      <para>
+        Note, all of the authentication service function calls accept the
+        token <emphasis remap='B'>PAM_SILENT</emphasis>, which instructs
+        the modules to not send messages to the application. This token
+        can be logically OR'd with any one of the permitted tokens specific
+        to the individual function calls.
+        <emphasis remap='B'>PAM_SILENT</emphasis> does not override the
+        prompting of the user for passwords etc., it only stops informative
+        messages from being generated.
+      </para>
+    </section>
+  </chapter>
+
+  <chapter id="adg-security">
+    <title>
+      Security issues of <emphasis remap='B'>Linux-PAM</emphasis>
+    </title>
+    <para>
+      PAM, from the perspective of an application, is a convenient API for
+      authenticating users. PAM modules generally have no increased
+      privilege over that possessed by the application that is making use of
+      it. For this reason, the application must take ultimate responsibility
+      for protecting the environment in which PAM operates.
+    </para>
+    <para>
+      A poorly (or maliciously) written application can defeat any
+      <emphasis remap='B'>Linux-PAM</emphasis> module's authentication
+      mechanisms by simply ignoring it's return values. It is the
+      applications task and responsibility to grant privileges and access
+      to services.  The <emphasis remap='B'>Linux-PAM</emphasis> library
+      simply assumes the responsibility of <emphasis>authenticating</emphasis>
+      the user; ascertaining that the user <emphasis>is</emphasis> who they
+      say they are. Care should be taken to anticipate all of the documented
+      behavior of the <emphasis remap='B'>Linux-PAM</emphasis> library
+      functions. A failure to do this will most certainly lead to a future
+      security breach.
+    </para>
+
+    <section id="adg-security-library-calls">
+      <title>Care about standard library calls</title>
+      <para>
+        In general, writers of authorization-granting applications should
+        assume that each module is likely to call any or
+        <emphasis>all</emphasis> 'libc' functions. For 'libc' functions
+        that return pointers to static/dynamically allocated structures
+        (ie. the library allocates the memory and the user is not expected
+        to '<function>free()</function>' it) any module call to this
+        function is likely to corrupt a pointer previously
+        obtained by the application. The application programmer should
+        either re-call such a 'libc' function after a call to the
+        <emphasis remap='B'>Linux-PAM</emphasis> library, or copy the
+        structure contents to some safe area of memory before passing
+        control to the <emphasis remap='B'>Linux-PAM</emphasis> library.
+      </para>
+      <para>
+        Two important function classes that fall into this category are
+        <citerefentry>
+          <refentrytitle>getpwnam</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry> and <citerefentry>
+          <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>.
+      </para>
+    </section>
+
+    <section id="adg-security-service-name">
+      <title>Choice of a service name</title>
+      <para>
+        When picking the <emphasis>service-name</emphasis> that
+        corresponds to the first entry in the
+        <emphasis remap='B'>Linux-PAM</emphasis> configuration file,
+        the application programmer should <emphasis>avoid</emphasis>
+        the temptation of choosing something related to
+        <varname>argv[0]</varname>. It is a trivial matter for any user
+        to invoke any application on a system under a different name and
+        this should not be permitted to cause a security breach.
+      </para>
+      <para>
+        In general, this is always the right advice if the program is
+        setuid, or otherwise more privileged than the user that invokes
+        it. In some cases, avoiding this advice is convenient, but as an
+        author of such an application, you should consider well the ways
+        in which your program will be installed and used. (Its often the
+        case that programs are not intended to be setuid, but end up
+        being installed that way for convenience. If your program falls
+        into this category, don't fall into the trap of making this mistake.)
+      </para>
+      <para>
+        To invoke some <emphasis>target</emphasis> application by
+        another name, the user may symbolically link the target application
+        with the desired name. To be precise all the user need do is,
+        <command>ln -s /target/application ./preferred_name</command>
+        and then run <command>./preferred_name</command>.
+      </para>
+      <para>
+        By studying the <emphasis remap='B'>Linux-PAM</emphasis>
+        configuration file(s), an attacker can choose the
+        <command>preferred_name</command> to be that of a service enjoying
+        minimal protection; for example a game which uses
+        <emphasis remap='B'>Linux-PAM</emphasis> to restrict access to
+        certain hours of the day.  If the service-name were to be linked
+        to the filename under which the service was invoked, it
+        is clear that the user is effectively in the position of
+        dictating which authentication scheme the service uses. Needless
+        to say, this is not a secure situation.
+      </para>
+      <para>
+        The conclusion is that the application developer should carefully
+        define the service-name of an application. The safest thing is to
+        make it a single hard-wired name.
+      </para>
+    </section>
+
+    <section id="adg-security-conv-function">
+      <title>The conversation function</title>
+      <para>
+        Care should be taken to ensure that the <function>conv()</function>
+        function is robust. Such a function is provided in the library
+        <command>libpam_misc</command> (see
+        <link linkend="adg-libpam-functions">below</link>).
+      </para>
+    </section>
+
+    <section id="adg-security-usre-identity">
+      <title>The identity of the user</title>
+      <para>
+        The <emphasis remap='B'>Linux-PAM</emphasis> modules will need
+        to determine the identity of the user who requests a service,
+        and the identity of the user who grants the service. These two
+        users will seldom be the same. Indeed there is generally a third
+        user identity to be considered, the new (assumed) identity of
+        the user once the service is granted.
+      </para>
+      <para>
+        The need for keeping tabs on these identities is clearly an
+        issue of security. One convention that is actively used by
+        some modules is that the identity of the user requesting a
+        service should be the current <emphasis>UID</emphasis>
+        (userid) of the running process; the identity of the
+        privilege granting user is the <emphasis>EUID</emphasis>
+        (effective userid) of the running process; the identity of
+        the user, under whose name the service will be executed, is
+        given by the contents of the <emphasis>PAM_USER</emphasis>
+        <citerefentry>
+          <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>. Note, modules can change the values of
+        <emphasis>PAM_USER</emphasis> and <emphasis>PAM_RUSER</emphasis>
+        during any of the <function>pam_*()</function> library calls.
+        For this reason, the application should take care to use the
+        <function>pam_get_item()</function> every time it wishes to
+        establish who the authenticated user is (or will currently be).
+      </para>
+      <para>
+        For network-serving databases and other applications that provide
+        their own security model (independent of the OS kernel) the above
+        scheme is insufficient to identify the requesting user.
+      </para>
+      <para>
+        A more portable solution to storing the identity of the requesting
+        user is to use the <emphasis>PAM_RUSER</emphasis> <citerefentry>
+        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>. The application should supply this value before
+        attempting to authenticate the user with
+        <function>pam_authenticate()</function>. How well this name can be
+        trusted will ultimately be at the discretion of the local
+        administrator (who configures PAM for your application) and a
+        selected module may attempt to override the value where it can
+        obtain more reliable data. If an application is unable to determine
+        the identity of the requesting entity/user, it should not call
+        <citerefentry>
+          <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry> to set <emphasis>PAM_RUSER</emphasis>.
+      </para>
+      <para>
+        In addition to the <emphasis>PAM_RUSER</emphasis> item, the
+        application should supply the <emphasis>PAM_RHOST</emphasis>
+        (<emphasis>requesting host</emphasis>) item. As a general rule,
+        the following convention for its value can be assumed:
+        NULL = unknown; localhost = invoked directly from the local system;
+        <emphasis>other.place.xyz</emphasis> = some component of the
+        user's connection originates from this remote/requesting host. At
+        present, PAM has no established convention for indicating whether
+        the application supports a trusted path to communication from
+        this host.
+      </para>
+    </section>
+
+    <section id="adg-security-resources">
+      <title>Sufficient resources</title>
+      <para>
+        Care should be taken to ensure that the proper execution of an
+        application is not compromised by a lack of system resources. If an
+        application is unable to open sufficient files to perform its service,
+        it should fail gracefully, or request additional resources.
+        Specifically, the quantities manipulated by the <citerefentry>
+        <refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry> family of commands should be taken into consideration.
+      </para>
+      <para>
+        This is also true of conversation prompts. The application should not
+        accept prompts of arbitrary length with out checking for resource
+        allocation failure and dealing with such extreme conditions gracefully
+        and in a mannor that preserves the PAM API. Such tolerance may be
+        especially important when attempting to track a malicious adversary.
+      </para>
+    </section>
+  </chapter>
+
+  <chapter id='adg-libpam_misc'>
+    <title>A library of miscellaneous helper functions</title>
+    <para>
+      To aid the work of the application developer a library of
+      miscellaneous functions is provided.  It is called
+      <command>libpam_miscy</command>, and contains a text based
+      conversation function, and routines for enhancing the standard
+      PAM-environment variable support.
+    </para>
+    <para>
+      The functions, structures and macros, made available by this
+      library can be defined by including
+      <function>&lt;security/pam_misc.h&gt;</function>. It should be
+      noted that this library is specific to
+      <emphasis remap='B'>Linux-PAM</emphasis> and is not referred to in
+      the defining DCE-RFC (see <link linkend="adg-see-also">See also</link>)
+      below.
+    </para>
+    <section id='adg-libpam-functions'>
+      <title>Functions supplied</title>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_misc_conv.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_misc_paste_env.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_misc_drop_env.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_misc_setenv.xml"/>
+    </section>
+  </chapter>
+
+  <chapter id='adg-porting'>
+    <title>Porting legacy applications</title>
+    <para>
+      The point of PAM is that the application is not supposed to
+      have any idea how the attached authentication modules will choose
+      to authenticate the user. So all they can do is provide a conversation
+      function that will talk directly to the user(client) on the modules'
+      behalf.
+    </para>
+    <para>
+      Consider the case that you plug a retinal scanner into the login
+      program. In this situation the user would be prompted: "please look
+      into the scanner". No username or password would be needed - all this
+      information could be deduced from the scan and a database lookup. The
+      point is that the retinal scanner is an ideal task for a "module".
+    </para>
+    <para>
+      While it is true that a pop-daemon program is designed with the POP
+      protocol in mind and no-one ever considered attaching a retinal
+      scanner to it, it is also the case that the "clean" PAM'ification of
+      such a daemon would allow for the possibility of a scanner module
+      being be attached to it. The point being that the "standard"
+      pop-authentication protocol(s) [which will be needed to satisfy
+      inflexible/legacy clients] would be supported by inserting an
+      appropriate pam_qpopper module(s).  However, having rewritten popd
+      once in this way any new protocols can be implemented in-situ.
+    </para>
+    <para>
+      One simple test of a ported application would be to insert the
+      <command>pam_permit</command> module and see if the application
+      demands you type a password...  In such a case, <command>xlock</command>
+      would fail to lock the terminal - or would at best be a screen-saver,
+      ftp would give password free access to all etc..  Neither of
+      these is a very secure thing to do, but they do illustrate how
+      much flexibility PAM puts in the hands of the local admin.
+    </para>
+    <para>
+      The key issue, in doing things correctly, is identifying what is part
+      of the authentication procedure (how many passwords etc..) the
+      exchange protocol (prefixes to prompts etc., numbers like 331 in the
+      case of ftpd) and what is part of the service that the application
+      delivers.  PAM really needs to have total control in the
+      authentication "procedure", the conversation function should only
+      deal with reformatting user prompts and extracting responses from raw
+      input.
+    </para>
+  </chapter>
+
+  <chapter id='adg-glossary'>
+    <title>Glossary of PAM related terms</title>
+    <para>
+      The following are a list of terms used within this document.
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>Authentication token</term>
+        <listitem>
+          <para>
+            Generally, this is a password. However, a user can authenticate
+            him/herself in a variety of ways. Updating the user's
+            authentication token thus corresponds to
+            <emphasis>refreshing</emphasis> the object they use to
+            authenticate themself with the system. The word password is
+            avoided to keep open the possibility that the authentication
+            involves a retinal scan or other non-textual mode of
+            challenge/response.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>Credentials</term>
+        <listitem>
+          <para>
+            Having successfully authenticated the user, PAM is able to
+            establish certain characteristics/attributes of the user.
+            These are termed <emphasis>credentials</emphasis>. Examples
+            of which are group memberships to perform privileged tasks
+            with, and <emphasis>tickets</emphasis> in the form of
+            environment variables etc. . Some user-credentials, such as
+            the user's UID and GID (plus default group memberships) are
+            not deemed to be PAM-credentials. It is the responsibility
+            of the application to grant these directly.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </chapter>
+
+  <chapter id='adg-example'>
+    <title>An example application</title>
+    <para>
+      To get a flavor of the way a <emphasis remap='B'>Linux-PAM</emphasis>
+      application is written we include the following example. It prompts
+      the user for their password and indicates whether their account
+      is valid on the standard output, its return code also indicates
+      the success (<returnvalue>0</returnvalue> for success;
+      <returnvalue>1</returnvalue> for failure).
+    </para>
+    <programlisting><![CDATA[
+/*
+  This program was contributed by Shane Watts
+  [modifications by AGM and kukuk]
+
+  You need to add the following (or equivalent) to the
+  /etc/pam.d/check_user file:
+  # check authorization
+  auth       required     pam_unix.so
+  account    required     pam_unix.so
+ */
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+#include <stdio.h>
+
+static struct pam_conv conv = {
+    misc_conv,
+    NULL
+};
+
+int main(int argc, char *argv[])
+{
+    pam_handle_t *pamh=NULL;
+    int retval;
+    const char *user="nobody";
+
+    if(argc == 2) {
+        user = argv[1];
+    }
+
+    if(argc > 2) {
+        fprintf(stderr, "Usage: check_user [username]\n");
+        exit(1);
+    }
+
+    retval = pam_start("check_user", user, &conv, &pamh);
+
+    if (retval == PAM_SUCCESS)
+        retval = pam_authenticate(pamh, 0);    /* is user really user? */
+
+    if (retval == PAM_SUCCESS)
+        retval = pam_acct_mgmt(pamh, 0);       /* permitted access? */
+
+    /* This is where we have been authorized or not. */
+
+    if (retval == PAM_SUCCESS) {
+        fprintf(stdout, "Authenticated\n");
+    } else {
+        fprintf(stdout, "Not Authenticated\n");
+    }
+
+    if (pam_end(pamh,retval) != PAM_SUCCESS) {     /* close Linux-PAM */
+        pamh = NULL;
+        fprintf(stderr, "check_user: failed to release authenticator\n");
+        exit(1);
+    }
+
+    return ( retval == PAM_SUCCESS ? 0:1 );       /* indicate success */
+}
+]]>
+    </programlisting>
+  </chapter>
+
+  <chapter id='adg-files'>
+    <title>Files</title>
+    <variablelist>
+      <varlistentry>
+        <term><filename>/usr/include/security/pam_appl.h</filename></term>
+        <listitem>
+          <para>
+            Header file with interfaces for
+            <emphasis remap='B'>Linux-PAM</emphasis> applications.
+           </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><filename>/usr/include/security/pam_misc.h</filename></term>
+        <listitem>
+          <para>
+            Header file for useful library functions for making
+            applications easier to write.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </chapter>
+
+  <chapter id="adg-see-also">
+    <title>See also</title>
+    <itemizedlist>
+      <listitem>
+        <para>
+          The Linux-PAM System Administrators' Guide.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The Linux-PAM Module Writers' Guide.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The V. Samar and R. Schemers (SunSoft), ``UNIFIED LOGIN WITH
+          PLUGGABLE AUTHENTICATION MODULES'', Open Software Foundation
+          Request For Comments 86.0, October 1995.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </chapter>
+
+  <chapter id='adg-author'>
+    <title>Author/acknowledgments</title>
+    <para>
+      This document was written by Andrew G. Morgan (morgan@kernel.org)
+      with many contributions from
+      Chris Adams, Peter Allgeyer, Tim Baverstock, Tim Berger, Craig S. Bell,
+      Derrick J. Brashear, Ben Buxton, Seth Chaiklin, Oliver Crow, Chris Dent,
+      Marc Ewing, Cristian Gafton, Emmanuel Galanos, Brad M. Garcia,
+      Eric Hester, Roger Hu, Eric Jacksch, Michael K. Johnson, David Kinchlea,
+      Olaf Kirch, Marcin Korzonek, Thorsten Kukuk, Stephen Langasek,
+      Nicolai Langfeldt, Elliot Lee, Luke Kenneth Casson Leighton,
+      Al Longyear, Ingo Luetkebohle, Marek Michalkiewicz, Robert Milkowski,
+      Aleph One, Martin Pool, Sean Reifschneider, Jan Rekorajski, Erik Troan,
+      Theodore Ts'o, Jeff Uphoff, Myles Uyema, Savochkin Andrey Vladimirovich,
+      Ronald Wahl, David Wood, John Wilmes, Joseph S. D. Yao
+      and Alex O. Yuriev.
+    </para>
+    <para>
+      Thanks are also due to Sun Microsystems, especially to Vipin Samar and
+      Charlie Lai for their advice. At an early stage in the development of
+      <emphasis remap='B'>Linux-PAM</emphasis>, Sun graciously made the
+      documentation for their implementation of PAM available. This act
+      greatly accelerated the development of
+      <emphasis remap='B'>Linux-PAM</emphasis>.
+    </para>
+  </chapter>
+
+  <chapter id='adg-copyright'>
+    <title>Copyright information for this document</title>
+    <programlisting>
+Copyright (c) 2006 Thorsten Kukuk &lt;kukuk@thkukuk.de&gt;
+Copyright (c) 1996-2002 Andrew G. Morgan &lt;morgan@kernel.org&gt;
+    </programlisting>
+    <para>
+      Redistribution and use in source and binary forms, with or without
+      modification, are permitted provided that the following conditions are
+      met:
+    </para>
+    <programlisting>
+1. Redistributions of source code must retain the above copyright
+   notice, and the entire permission notice in its entirety,
+   including the disclaimer of warranties.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. The name of the author may not be used to endorse or promote
+   products derived from this software without specific prior
+   written permission.
+    </programlisting>
+    <para>
+      Alternatively, this product may be distributed under the terms of
+      the GNU General Public License (GPL), in which case the provisions
+      of the GNU GPL are required instead of the above restrictions.
+      (This clause is necessary due to a potential bad interaction between
+      the GNU GPL and the restrictions contained in a BSD-style copyright.)
+    </para>
+    <programlisting>
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+    </programlisting>
+  </chapter>
+</book>
diff --git a/Linux-PAM/doc/adg/Makefile.am b/Linux-PAM/doc/adg/Makefile.am
new file mode 100644
index 00000000..03d0c871
--- /dev/null
+++ b/Linux-PAM/doc/adg/Makefile.am
@@ -0,0 +1,97 @@
+#
+# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
+#
+
+CLEANFILES = Linux-PAM_ADG.fo *~
+
+EXTRA_DIST = $(XMLS)
+
+XMLS = Linux-PAM_ADG.xml $(shell ls $(srcdir)/pam_*.xml)
+DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml)
+
+if ENABLE_REGENERATE_MAN
+MAINTAINERCLEANFILES = Linux-PAM_ADG.txt Linux-PAM_ADG.pdf html/*.html
+
+all: Linux-PAM_ADG.txt html/Linux-PAM_ADG.html Linux-PAM_ADG.pdf
+
+Linux-PAM_ADG.pdf: $(XMLS) $(DEP_XMLS)
+if ENABLE_GENERATE_PDF
+	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+	$(XSLTPROC) --stringparam generate.toc "book toc" \
+	  --stringparam section.autolabel 1 \
+	  --stringparam section.label.includes.component.label 1 \
+	  --stringparam toc.max.depth 3 --xinclude --nonet \
+	http://docbook.sourceforge.net/release/xsl/current/fo/docbook.xsl $< > Linux-PAM_ADG.fo
+	$(FO2PDF) Linux-PAM_ADG.fo $@
+else
+	echo "No fo2pdf processor installed, skip PDF generation"
+endif
+
+Linux-PAM_ADG.txt: $(XMLS) $(DEP_XMLS)
+	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+	$(XSLTPROC) --stringparam generate.toc "book toc" \
+	  --stringparam section.autolabel 1 \
+	  --stringparam section.label.includes.component.label 1 \
+	  --stringparam toc.max.depth 3 --xinclude --nonet \
+	  http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl $< | $(BROWSER) > $@
+
+html/Linux-PAM_ADG.html: $(XMLS) $(DEP_XMLS)
+	@test -d html || mkdir -p html
+	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+	$(XSLTPROC) --stringparam base.dir html/ \
+	  --stringparam root.filename Linux-PAM_ADG \
+	  --stringparam use.id.as.filename 1 \
+	  --stringparam chunk.first.sections 1 \
+	  --stringparam section.autolabel 1 \
+	  --stringparam section.label.includes.component.label 1 \
+	  --stringparam toc.max.depth 3 --xinclude --nonet \
+	  http://docbook.sourceforge.net/release/xsl/current/html/chunk.xsl $<
+
+distclean-local:
+	-rm -rf html Linux-PAM_ADG.txt Linux-PAM_ADG.pdf
+
+endif
+
+install-data-local:
+	$(mkinstalldirs) $(DESTDIR)$(docdir)
+	$(mkinstalldirs) $(DESTDIR)$(pdfdir)
+	$(mkinstalldirs) $(DESTDIR)$(htmldir)
+	test -f html/Linux-PAM_ADG.html || exit 0; \
+	    $(install_sh_DATA) html/Linux-PAM_ADG.html html/adg-*.html \
+		$(DESTDIR)$(htmldir)/ || \
+	    $(install_sh_DATA) $(srcdir)/html/Linux-PAM_ADG.html \
+		$(srcdir)/html/sag-*.html \
+		$(DESTDIR)$(htmldir)/
+	test -f Linux-PAM_ADG.txt || exit 0; \
+	    $(install_sh_DATA) Linux-PAM_ADG.txt $(DESTDIR)$(docdir)/ || \
+	    $(install_sh_DATA) $(srcdir)/Linux-PAM_ADG.txt \
+		$(DESTDIR)$(docdir)/
+	test -f Linux-PAM_ADG.pdf || exit 0; \
+	    $(install_sh_DATA) Linux-PAM_ADG.pdf $(DESTDIR)$(pdfdir)/ || \
+	    $(install_sh_DATA) $(srcdir)/Linux-PAM_ADG.pdf \
+		$(DESTDIR)$(pdfdir)/
+
+uninstall-local:
+	-rm $(DESTDIR)$(htmldir)/Linux-PAM_ADG.html
+	-rm $(DESTDIR)$(htmldir)/adg-*.html
+	-rm $(DESTDIR)$(docdir)/Linux-PAM_ADG.txt
+	-rm $(DESTDIR)$(pdfdir)/Linux-PAM_ADG.pdf
+
+releasedocs: all
+	$(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/html
+	test -f html/Linux-PAM_ADG.html || exit 0; \
+	    cp -ap html/Linux-PAM_ADG.html html/adg-*.html \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/html/ || \
+	    cp -ap $(srcdir)/html/Linux-PAM_ADG.html \
+		$(srcdir)/html/adg-*.html \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/html/
+	test -f Linux-PAM_ADG.txt || exit 0; \
+	    cp -p Linux-PAM_ADG.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/ || \
+	    cp -p $(srcdir)/Linux-PAM_ADG.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/
+	test -f Linux-PAM_ADG.pdf || exit 0; \
+	    cp -p Linux-PAM_ADG.pdf \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/ || \
+	    cp -p $(srcdir)/Linux-PAM_ADG.pdf \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/
diff --git a/Linux-PAM/doc/adg/Makefile.in b/Linux-PAM/doc/adg/Makefile.in
new file mode 100644
index 00000000..7b770841
--- /dev/null
+++ b/Linux-PAM/doc/adg/Makefile.in
@@ -0,0 +1,470 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+#
+# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
+#
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = doc/adg
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
+	$(top_srcdir)/m4/iconv.m4 \
+	$(top_srcdir)/m4/jh_path_xml_catalog.m4 \
+	$(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+SOURCES =
+DIST_SOURCES =
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BROWSER = @BROWSER@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+FO2PDF = @FO2PDF@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GREP = @GREP@
+HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBAUDIT = @LIBAUDIT@
+LIBCRACK = @LIBCRACK@
+LIBCRYPT = @LIBCRYPT@
+LIBDB = @LIBDB@
+LIBDL = @LIBDL@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBNSL = @LIBNSL@
+LIBOBJS = @LIBOBJS@
+LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@
+LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@
+LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@
+LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@
+LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@
+LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@
+LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@
+LIBS = @LIBS@
+LIBSELINUX = @LIBSELINUX@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+POSUB = @POSUB@
+RANLIB = @RANLIB@
+SCONFIGDIR = @SCONFIGDIR@
+SECUREDIR = @SECUREDIR@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_NLS = @USE_NLS@
+VERSION = @VERSION@
+WITH_DEBUG = @WITH_DEBUG@
+WITH_PAMLOCKING = @WITH_PAMLOCKING@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XMLCATALOG = @XMLCATALOG@
+XMLLINT = @XMLLINT@
+XML_CATALOG_FILE = @XML_CATALOG_FILE@
+XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libc_cv_fpie = @libc_cv_fpie@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pam_cv_ld_as_needed = @pam_cv_ld_as_needed@
+pam_xauth_path = @pam_xauth_path@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+CLEANFILES = Linux-PAM_ADG.fo *~
+EXTRA_DIST = $(XMLS)
+XMLS = Linux-PAM_ADG.xml $(shell ls $(srcdir)/pam_*.xml)
+DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml)
+@ENABLE_REGENERATE_MAN_TRUE@MAINTAINERCLEANFILES = Linux-PAM_ADG.txt Linux-PAM_ADG.pdf html/*.html
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  doc/adg/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  doc/adg/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+	-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
+@ENABLE_REGENERATE_MAN_FALSE@distclean-local:
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-local
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-data-local
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-local
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	distclean distclean-generic distclean-libtool distclean-local \
+	distdir dvi dvi-am html html-am info info-am install \
+	install-am install-data install-data-am install-data-local \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-html install-html-am install-info install-info-am \
+	install-man install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
+	ps ps-am uninstall uninstall-am uninstall-local
+
+
+@ENABLE_REGENERATE_MAN_TRUE@all: Linux-PAM_ADG.txt html/Linux-PAM_ADG.html Linux-PAM_ADG.pdf
+
+@ENABLE_REGENERATE_MAN_TRUE@Linux-PAM_ADG.pdf: $(XMLS) $(DEP_XMLS)
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	$(XSLTPROC) --stringparam generate.toc "book toc" \
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.autolabel 1 \
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.label.includes.component.label 1 \
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam toc.max.depth 3 --xinclude --nonet \
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	http://docbook.sourceforge.net/release/xsl/current/fo/docbook.xsl $< > Linux-PAM_ADG.fo
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	$(FO2PDF) Linux-PAM_ADG.fo $@
+@ENABLE_GENERATE_PDF_FALSE@@ENABLE_REGENERATE_MAN_TRUE@	echo "No fo2pdf processor installed, skip PDF generation"
+
+@ENABLE_REGENERATE_MAN_TRUE@Linux-PAM_ADG.txt: $(XMLS) $(DEP_XMLS)
+@ENABLE_REGENERATE_MAN_TRUE@	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+@ENABLE_REGENERATE_MAN_TRUE@	$(XSLTPROC) --stringparam generate.toc "book toc" \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.autolabel 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.label.includes.component.label 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam toc.max.depth 3 --xinclude --nonet \
+@ENABLE_REGENERATE_MAN_TRUE@	  http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl $< | $(BROWSER) > $@
+
+@ENABLE_REGENERATE_MAN_TRUE@html/Linux-PAM_ADG.html: $(XMLS) $(DEP_XMLS)
+@ENABLE_REGENERATE_MAN_TRUE@	@test -d html || mkdir -p html
+@ENABLE_REGENERATE_MAN_TRUE@	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+@ENABLE_REGENERATE_MAN_TRUE@	$(XSLTPROC) --stringparam base.dir html/ \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam root.filename Linux-PAM_ADG \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam use.id.as.filename 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam chunk.first.sections 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.autolabel 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.label.includes.component.label 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam toc.max.depth 3 --xinclude --nonet \
+@ENABLE_REGENERATE_MAN_TRUE@	  http://docbook.sourceforge.net/release/xsl/current/html/chunk.xsl $<
+
+@ENABLE_REGENERATE_MAN_TRUE@distclean-local:
+@ENABLE_REGENERATE_MAN_TRUE@	-rm -rf html Linux-PAM_ADG.txt Linux-PAM_ADG.pdf
+
+install-data-local:
+	$(mkinstalldirs) $(DESTDIR)$(docdir)
+	$(mkinstalldirs) $(DESTDIR)$(pdfdir)
+	$(mkinstalldirs) $(DESTDIR)$(htmldir)
+	test -f html/Linux-PAM_ADG.html || exit 0; \
+	    $(install_sh_DATA) html/Linux-PAM_ADG.html html/adg-*.html \
+		$(DESTDIR)$(htmldir)/ || \
+	    $(install_sh_DATA) $(srcdir)/html/Linux-PAM_ADG.html \
+		$(srcdir)/html/sag-*.html \
+		$(DESTDIR)$(htmldir)/
+	test -f Linux-PAM_ADG.txt || exit 0; \
+	    $(install_sh_DATA) Linux-PAM_ADG.txt $(DESTDIR)$(docdir)/ || \
+	    $(install_sh_DATA) $(srcdir)/Linux-PAM_ADG.txt \
+		$(DESTDIR)$(docdir)/
+	test -f Linux-PAM_ADG.pdf || exit 0; \
+	    $(install_sh_DATA) Linux-PAM_ADG.pdf $(DESTDIR)$(pdfdir)/ || \
+	    $(install_sh_DATA) $(srcdir)/Linux-PAM_ADG.pdf \
+		$(DESTDIR)$(pdfdir)/
+
+uninstall-local:
+	-rm $(DESTDIR)$(htmldir)/Linux-PAM_ADG.html
+	-rm $(DESTDIR)$(htmldir)/adg-*.html
+	-rm $(DESTDIR)$(docdir)/Linux-PAM_ADG.txt
+	-rm $(DESTDIR)$(pdfdir)/Linux-PAM_ADG.pdf
+
+releasedocs: all
+	$(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/html
+	test -f html/Linux-PAM_ADG.html || exit 0; \
+	    cp -ap html/Linux-PAM_ADG.html html/adg-*.html \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/html/ || \
+	    cp -ap $(srcdir)/html/Linux-PAM_ADG.html \
+		$(srcdir)/html/adg-*.html \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/html/
+	test -f Linux-PAM_ADG.txt || exit 0; \
+	    cp -p Linux-PAM_ADG.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/ || \
+	    cp -p $(srcdir)/Linux-PAM_ADG.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/
+	test -f Linux-PAM_ADG.pdf || exit 0; \
+	    cp -p Linux-PAM_ADG.pdf \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/ || \
+	    cp -p $(srcdir)/Linux-PAM_ADG.pdf \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/Linux-PAM/doc/adg/pam_acct_mgmt.xml b/Linux-PAM/doc/adg/pam_acct_mgmt.xml
new file mode 100644
index 00000000..6a3a37d2
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_acct_mgmt.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_acct_mgmt'>
+  <title>Account validation management</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_acct_mgmt.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_acct_mgmt-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_acct_mgmt-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_acct_mgmt.3.xml" xpointer='xpointer(//refsect1[@id = "pam_acct_mgmt-description"]/*)'/>
+  </section>
+  <section id='adg-pam_acct_mgmt-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_acct_mgmt.3.xml" xpointer='xpointer(//refsect1[@id = "pam_acct_mgmt-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_authenticate.xml b/Linux-PAM/doc/adg/pam_authenticate.xml
new file mode 100644
index 00000000..2ca9b540
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_authenticate.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_authenticate'>
+  <title>Authenticating the user</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_authenticate.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_authenticate-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_authenticate-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_authenticate.3.xml" xpointer='xpointer(//refsect1[@id = "pam_authenticate-description"]/*)'/>
+  </section>
+  <section id='adg-pam_authenticate-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_authenticate.3.xml" xpointer='xpointer(//refsect1[@id = "pam_authenticate-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_chauthtok.xml b/Linux-PAM/doc/adg/pam_chauthtok.xml
new file mode 100644
index 00000000..1c613da7
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_chauthtok.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_chauthtok'>
+  <title>Updating authentication tokens</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_chauthtok.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_chauthtok-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_chauthtok-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_chauthtok.3.xml" xpointer='xpointer(//refsect1[@id = "pam_chauthtok-description"]/*)'/>
+  </section>
+  <section id='adg-pam_chauthtok-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_chauthtok.3.xml" xpointer='xpointer(//refsect1[@id = "pam_chauthtok-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_close_session.xml b/Linux-PAM/doc/adg/pam_close_session.xml
new file mode 100644
index 00000000..4b93fc3a
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_close_session.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_close_session'>
+  <title>terminating PAM session management</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_close_session.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_close_session-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_close_session-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_close_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_close_session-description"]/*)'/>
+  </section>
+  <section id='adg-pam_close_session-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_close_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_close_session-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_conv.xml b/Linux-PAM/doc/adg/pam_conv.xml
new file mode 100644
index 00000000..01b75127
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_conv.xml
@@ -0,0 +1,35 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_conv'>
+  <title>The conversation function</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_conv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_conv-synopsis"]/*)'/>
+  </funcsynopsis>
+  <programlisting>
+struct pam_message {
+    int msg_style;
+    const char *msg;
+};
+
+struct pam_response {
+    char *resp;
+    int resp_retcode;
+};
+
+struct pam_conv {
+    int (*conv)(int num_msg, const struct pam_message **msg,
+                struct pam_response **resp, void *appdata_ptr);
+    void *appdata_ptr;
+};
+  </programlisting>
+  <section id='adg-pam_conv-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_conv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_conv-description"]/*)'/>
+  </section>
+  <section id='adg-pam_conv-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_conv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_conv-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_end.xml b/Linux-PAM/doc/adg/pam_end.xml
new file mode 100644
index 00000000..efa328be
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_end.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_end'>
+  <title>Termination of PAM transaction</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_end.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_end-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_end-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_end.3.xml" xpointer='xpointer(//refsect1[@id = "pam_end-description"]/*)'/>
+  </section>
+  <section id='adg-pam_end-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_end.3.xml" xpointer='xpointer(//refsect1[@id = "pam_end-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_fail_delay.xml b/Linux-PAM/doc/adg/pam_fail_delay.xml
new file mode 100644
index 00000000..589e1148
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_fail_delay.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_fail_delay'>
+  <title>Request a delay on failure</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_fail_delay.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_fail_delay-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_fail_delay-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_fail_delay.3.xml" xpointer='xpointer(//refsect1[@id = "pam_fail_delay-description"]/*)'/>
+  </section>
+  <section id='adg-pam_fail_delay-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_fail_delay.3.xml" xpointer='xpointer(//refsect1[@id = "pam_fail_delay-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_get_item.xml b/Linux-PAM/doc/adg/pam_get_item.xml
new file mode 100644
index 00000000..f23c734b
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_get_item.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_get_item'>
+  <title>Getting PAM items</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_get_item.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_get_item-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_get_item-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_get_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_item-description"]/*)'/>
+  </section>
+  <section id='adg-pam_get_item-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_get_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_item-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_getenv.xml b/Linux-PAM/doc/adg/pam_getenv.xml
new file mode 100644
index 00000000..61d69c33
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_getenv.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_getenv'>
+  <title>Get a PAM environment variable</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_getenv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_getenv-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_getenv-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_getenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenv-description"]/*)'/>
+  </section>
+  <section id='adg-pam_getenv-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_getenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenv-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_getenvlist.xml b/Linux-PAM/doc/adg/pam_getenvlist.xml
new file mode 100644
index 00000000..d3c2fcd3
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_getenvlist.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_getenvlist'>
+  <title>Getting the PAM environment</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_getenvlist.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_getenvlist-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_getenvlist-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_getenvlist.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenvlist-description"]/*)'/>
+  </section>
+  <section id='adg-pam_getenvlist-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_getenvlist.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenvlist-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_misc_conv.xml b/Linux-PAM/doc/adg/pam_misc_conv.xml
new file mode 100644
index 00000000..2dc760cc
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_misc_conv.xml
@@ -0,0 +1,14 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-misc_conv'>
+  <title>Text based conversation function</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/misc_conv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "misc_conv-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-misc_conv-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/misc_conv.3.xml" xpointer='xpointer(//refsect1[@id = "misc_conv-description"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_misc_drop_env.xml b/Linux-PAM/doc/adg/pam_misc_drop_env.xml
new file mode 100644
index 00000000..956d4815
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_misc_drop_env.xml
@@ -0,0 +1,14 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_misc_drop_env'>
+  <title>Liberating a locally saved environment</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_misc_drop_env.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_misc_drop_env-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_misc_drop_env-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_misc_drop_env.3.xml" xpointer='xpointer(//refsect1[@id = "pam_misc_drop_env-description"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_misc_paste_env.xml b/Linux-PAM/doc/adg/pam_misc_paste_env.xml
new file mode 100644
index 00000000..c6d3856b
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_misc_paste_env.xml
@@ -0,0 +1,14 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_misc_paste_env'>
+  <title>Transcribing an environment to that of PAM</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_misc_paste_env.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_misc_paste_env-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_misc_paste_env-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_misc_paste_env.3.xml" xpointer='xpointer(//refsect1[@id = "pam_misc_paste_env-description"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_misc_setenv.xml b/Linux-PAM/doc/adg/pam_misc_setenv.xml
new file mode 100644
index 00000000..3b1a32e4
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_misc_setenv.xml
@@ -0,0 +1,14 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_misc_setenv'>
+  <title>BSD like PAM environment variable setting</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_misc_setenv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_misc_setenv-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_misc_setenv-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_misc_setenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_misc_setenv-description"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_open_session.xml b/Linux-PAM/doc/adg/pam_open_session.xml
new file mode 100644
index 00000000..ba738a55
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_open_session.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_open_session'>
+  <title>Start PAM session management</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_open_session.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_open_session-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_open_session-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_open_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_open_session-description"]/*)'/>
+  </section>
+  <section id='adg-pam_open_session-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_open_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_open_session-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_putenv.xml b/Linux-PAM/doc/adg/pam_putenv.xml
new file mode 100644
index 00000000..e55f1a42
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_putenv.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_putenv'>
+  <title>Set or change PAM environment variable</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_putenv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_putenv-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_putenv-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_putenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_putenv-description"]/*)'/>
+  </section>
+  <section id='adg-pam_putenv-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_putenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_putenv-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_set_item.xml b/Linux-PAM/doc/adg/pam_set_item.xml
new file mode 100644
index 00000000..41169387
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_set_item.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_set_item'>
+  <title>Setting PAM items</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_set_item.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_set_item-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_set_item-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_set_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_set_item-description"]/*)'/>
+  </section>
+  <section id='adg-pam_set_item-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_set_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_set_item-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_setcred.xml b/Linux-PAM/doc/adg/pam_setcred.xml
new file mode 100644
index 00000000..1d3d23cd
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_setcred.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_setcred'>
+  <title>Setting user credentials</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_setcred.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_setcred-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_setcred-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_setcred.3.xml" xpointer='xpointer(//refsect1[@id = "pam_setcred-description"]/*)'/>
+  </section>
+  <section id='adg-pam_setcred-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_setcred.3.xml" xpointer='xpointer(//refsect1[@id = "pam_setcred-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_start.xml b/Linux-PAM/doc/adg/pam_start.xml
new file mode 100644
index 00000000..e5ec8481
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_start.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_start'>
+  <title>Initialization of PAM transaction</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_start.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_start-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_start-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_start.3.xml" xpointer='xpointer(//refsect1[@id = "pam_start-description"]/*)'/>
+  </section>
+  <section id='adg-pam_start-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_start.3.xml" xpointer='xpointer(//refsect1[@id = "pam_start-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/adg/pam_strerror.xml b/Linux-PAM/doc/adg/pam_strerror.xml
new file mode 100644
index 00000000..35b08a27
--- /dev/null
+++ b/Linux-PAM/doc/adg/pam_strerror.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_strerror'>
+  <title>Strings describing PAM error codes</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_strerror.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_strerror-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_strerror-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_strerror.3.xml" xpointer='xpointer(//refsect1[@id = "pam_strerror-description"]/*)'/>
+  </section>
+  <section id='adg-pam_strerror-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_strerror.3.xml" xpointer='xpointer(//refsect1[@id = "pam_strerror-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/figs/pam_orient.txt b/Linux-PAM/doc/figs/pam_orient.txt
deleted file mode 100644
index a8b745a1..00000000
--- a/Linux-PAM/doc/figs/pam_orient.txt
+++ /dev/null
@@ -1,23 +0,0 @@
-
-
-
-	 +----------------+
-	 | application: X |
-         +----------------+	  /  +----------+     +================+
-       	 | authentication-[---->--\--] Linux-   |--<--| /etc/pam.conf  |
-	 |       +        [----<--/--] 	 PAM    |     |================|
-	 |[conversation()][--+    \  |          |     | X auth .. a.so |
-	 +----------------+  |    /  +-n--n-----+     | X auth .. b.so |
-	 |                |  |       __|  |           |           _____/
-	 |  service user  |  A      |  	  |           |____,-----' 
-	 |                |  |      V  	  A	        	   
-	 +----------------+  +------|-----|---------+ -----+------+
-	                        +---u-----u----+    |	   |	  |
-			        |   auth....   |--[ a ]--[ b ]--[ c ]
-				+--------------+
-				|   acct....   |--[ b ]--[ d ]
-				+--------------+
-				|   password   |--[ b ]--[ c ]
-				+--------------+
-				|   session    |--[ e ]--[ c ]
-				+--------------+
\ No newline at end of file
diff --git a/Linux-PAM/doc/html/index.html b/Linux-PAM/doc/html/index.html
deleted file mode 100644
index 5cb1e0f0..00000000
--- a/Linux-PAM/doc/html/index.html
+++ /dev/null
@@ -1,21 +0,0 @@
-
-<HTML>
-<HEAD>
-<TITLE>Linux-PAM - Pluggable Authentication Modules for Linux</TITLE>
-</HEAD>
-<BODY>
-
-<p>
-Here is the documentation for Linux-PAM. As you will see it is
-currently not complete. However, in order of decreasing length:
-
-<ul>
-<li> <a href="pam.html">The System Administrators' Guide</a>
-<li> <a href="pam_modules.html">The Module Writers' Manual</a>
-<li> <a href="pam_appl.html">The Application developers' Manual</a>
-</ul>
-
-<hr>
-<p>
-REVISION: <tt>$Id: index.html,v 1.1.1.1 2000/06/20 22:10:56 agmorgan Exp $</tt>
-</BODY>
diff --git a/Linux-PAM/doc/index.html b/Linux-PAM/doc/index.html
new file mode 100644
index 00000000..9afc8b79
--- /dev/null
+++ b/Linux-PAM/doc/index.html
@@ -0,0 +1,21 @@
+<html>
+  <head>
+    <title>The Linux-PAM Administration and Developer Guides</title>
+  </head>
+  <body>
+    <center>
+      <h1>The Linux-PAM Guides</h1>
+    </center>
+    <hr>
+    <p>
+      Here is the documentation for Linux-PAM. As you will see it is
+      currently not complete.
+    <p>
+    <ul>
+      <li> <a href="Linux-PAM_SAG.html">The System Administrators' Guide</a>
+      <li> <a href="Linux-PAM_MWG.html">The Module Writers' Guide</a>
+      <li> <a href="Linux-PAM_ADG.html">The Application Developers' Guide</a>
+    </ul>
+    <hr>
+  </body>
+</html>
\ No newline at end of file
diff --git a/Linux-PAM/doc/man/Makefile.am b/Linux-PAM/doc/man/Makefile.am
new file mode 100644
index 00000000..7d17a439
--- /dev/null
+++ b/Linux-PAM/doc/man/Makefile.am
@@ -0,0 +1,51 @@
+#
+# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
+#
+
+CLEANFILES = *~
+
+EXTRA_DIST = $(MANS) $(XMLS)
+
+man_MANS = pam.3 PAM.8 pam.8 pam.conf.5 pam.d.5 \
+	pam_acct_mgmt.3 pam_authenticate.3 \
+	pam_chauthtok.3 pam_close_session.3 pam_conv.3 \
+	pam_end.3 pam_error.3 \
+	pam_fail_delay.3 \
+	pam_get_data.3 pam_get_item.3 pam_get_user.3 pam_getenv.3 \
+	pam_getenvlist.3 \
+	pam_info.3 \
+	pam_open_session.3 \
+	pam_prompt.3 pam_putenv.3 \
+	pam_set_data.3 pam_set_item.3 pam_syslog.3 \
+	pam_setcred.3 pam_sm_acct_mgmt.3 pam_sm_authenticate.3 \
+	pam_sm_close_session.3 pam_sm_open_session.3 pam_sm_setcred.3 \
+	pam_sm_chauthtok.3 pam_start.3 pam_strerror.3 \
+	pam_verror.3 pam_vinfo.3 pam_vprompt.3 pam_vsyslog.3 \
+	misc_conv.3 pam_misc_paste_env.3 pam_misc_drop_env.3 \
+	pam_misc_setenv.3
+XMLS = pam.3.xml pam.8.xml \
+	pam_acct_mgmt.3.xml pam_authenticate.3.xml \
+	pam_chauthtok.3.xml pam_close_session.3.xml pam_conv.3.xml \
+	pam_end.3.xml pam_error.3.xml \
+	pam_fail_delay.3.xml \
+	pam_get_data.3.xml pam_get_item.3.xml pam_get_user.3.xml \
+	pam_getenv.3.xml pam_getenvlist.3.xml \
+        pam_info.3.xml \
+	pam_open_session.3.xml \
+	pam_prompt.3.xml pam_putenv.3.xml \
+	pam_set_data.3.xml pam_set_item.3.xml pam_syslog.3.xml \
+	pam_setcred.3.xml pam_sm_acct_mgmt.3.xml pam_sm_authenticate.3.xml \
+	pam_sm_close_session.3.xml pam_sm_open_session.3.xml \
+	pam_sm_setcred.3.xml pam_start.3.xml pam_strerror.3.xml \
+	pam_sm_chauthtok.3.xml \
+	pam_item_types.inc.xml \
+	pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml \
+	misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \
+	pam_misc_setenv.3.xml
+
+if ENABLE_REGENERATE_MAN
+pam_get_item.3: pam_item_types.inc.xml
+pam_set_data.3: pam_item_types.inc.xml
+pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml
+-include $(top_srcdir)/Make.xml.rules
+endif
diff --git a/Linux-PAM/doc/man/Makefile.in b/Linux-PAM/doc/man/Makefile.in
new file mode 100644
index 00000000..ed2f5fdb
--- /dev/null
+++ b/Linux-PAM/doc/man/Makefile.in
@@ -0,0 +1,577 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+#
+# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
+#
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = doc/man
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
+	$(top_srcdir)/m4/iconv.m4 \
+	$(top_srcdir)/m4/jh_path_xml_catalog.m4 \
+	$(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+SOURCES =
+DIST_SOURCES =
+man3dir = $(mandir)/man3
+am__installdirs = "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" \
+	"$(DESTDIR)$(man8dir)"
+man5dir = $(mandir)/man5
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(man_MANS)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BROWSER = @BROWSER@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+FO2PDF = @FO2PDF@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GREP = @GREP@
+HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBAUDIT = @LIBAUDIT@
+LIBCRACK = @LIBCRACK@
+LIBCRYPT = @LIBCRYPT@
+LIBDB = @LIBDB@
+LIBDL = @LIBDL@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBNSL = @LIBNSL@
+LIBOBJS = @LIBOBJS@
+LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@
+LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@
+LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@
+LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@
+LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@
+LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@
+LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@
+LIBS = @LIBS@
+LIBSELINUX = @LIBSELINUX@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+POSUB = @POSUB@
+RANLIB = @RANLIB@
+SCONFIGDIR = @SCONFIGDIR@
+SECUREDIR = @SECUREDIR@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_NLS = @USE_NLS@
+VERSION = @VERSION@
+WITH_DEBUG = @WITH_DEBUG@
+WITH_PAMLOCKING = @WITH_PAMLOCKING@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XMLCATALOG = @XMLCATALOG@
+XMLLINT = @XMLLINT@
+XML_CATALOG_FILE = @XML_CATALOG_FILE@
+XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libc_cv_fpie = @libc_cv_fpie@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pam_cv_ld_as_needed = @pam_cv_ld_as_needed@
+pam_xauth_path = @pam_xauth_path@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+CLEANFILES = *~
+EXTRA_DIST = $(MANS) $(XMLS)
+man_MANS = pam.3 PAM.8 pam.8 pam.conf.5 pam.d.5 \
+	pam_acct_mgmt.3 pam_authenticate.3 \
+	pam_chauthtok.3 pam_close_session.3 pam_conv.3 \
+	pam_end.3 pam_error.3 \
+	pam_fail_delay.3 \
+	pam_get_data.3 pam_get_item.3 pam_get_user.3 pam_getenv.3 \
+	pam_getenvlist.3 \
+	pam_info.3 \
+	pam_open_session.3 \
+	pam_prompt.3 pam_putenv.3 \
+	pam_set_data.3 pam_set_item.3 pam_syslog.3 \
+	pam_setcred.3 pam_sm_acct_mgmt.3 pam_sm_authenticate.3 \
+	pam_sm_close_session.3 pam_sm_open_session.3 pam_sm_setcred.3 \
+	pam_sm_chauthtok.3 pam_start.3 pam_strerror.3 \
+	pam_verror.3 pam_vinfo.3 pam_vprompt.3 pam_vsyslog.3 \
+	misc_conv.3 pam_misc_paste_env.3 pam_misc_drop_env.3 \
+	pam_misc_setenv.3
+
+XMLS = pam.3.xml pam.8.xml \
+	pam_acct_mgmt.3.xml pam_authenticate.3.xml \
+	pam_chauthtok.3.xml pam_close_session.3.xml pam_conv.3.xml \
+	pam_end.3.xml pam_error.3.xml \
+	pam_fail_delay.3.xml \
+	pam_get_data.3.xml pam_get_item.3.xml pam_get_user.3.xml \
+	pam_getenv.3.xml pam_getenvlist.3.xml \
+        pam_info.3.xml \
+	pam_open_session.3.xml \
+	pam_prompt.3.xml pam_putenv.3.xml \
+	pam_set_data.3.xml pam_set_item.3.xml pam_syslog.3.xml \
+	pam_setcred.3.xml pam_sm_acct_mgmt.3.xml pam_sm_authenticate.3.xml \
+	pam_sm_close_session.3.xml pam_sm_open_session.3.xml \
+	pam_sm_setcred.3.xml pam_start.3.xml pam_strerror.3.xml \
+	pam_sm_chauthtok.3.xml \
+	pam_item_types.inc.xml \
+	pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml \
+	misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \
+	pam_misc_setenv.3.xml
+
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  doc/man/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  doc/man/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-man3: $(man3_MANS) $(man_MANS)
+	@$(NORMAL_INSTALL)
+	test -z "$(man3dir)" || $(MKDIR_P) "$(DESTDIR)$(man3dir)"
+	@list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.3*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    3*) ;; \
+	    *) ext='3' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \
+	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst"; \
+	done
+uninstall-man3:
+	@$(NORMAL_UNINSTALL)
+	@list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.3*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    3*) ;; \
+	    *) ext='3' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \
+	  rm -f "$(DESTDIR)$(man3dir)/$$inst"; \
+	done
+install-man5: $(man5_MANS) $(man_MANS)
+	@$(NORMAL_INSTALL)
+	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
+	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.5*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    5*) ;; \
+	    *) ext='5' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \
+	done
+uninstall-man5:
+	@$(NORMAL_UNINSTALL)
+	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.5*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    5*) ;; \
+	    *) ext='5' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
+	  rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
+	done
+install-man8: $(man8_MANS) $(man_MANS)
+	@$(NORMAL_INSTALL)
+	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
+	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    8*) ;; \
+	    *) ext='8' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+	done
+uninstall-man8:
+	@$(NORMAL_UNINSTALL)
+	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    8*) ;; \
+	    *) ext='8' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+	  rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+	done
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(MANS)
+installdirs:
+	for dir in "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-man
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man: install-man3 install-man5 install-man8
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-man
+
+uninstall-man: uninstall-man3 uninstall-man5 uninstall-man8
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	distclean distclean-generic distclean-libtool distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-man3 \
+	install-man5 install-man8 install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am \
+	uninstall-man uninstall-man3 uninstall-man5 uninstall-man8
+
+
+@ENABLE_REGENERATE_MAN_TRUE@pam_get_item.3: pam_item_types.inc.xml
+@ENABLE_REGENERATE_MAN_TRUE@pam_set_data.3: pam_item_types.inc.xml
+@ENABLE_REGENERATE_MAN_TRUE@pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml
+@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/Linux-PAM/doc/man/PAM.8 b/Linux-PAM/doc/man/PAM.8
new file mode 100644
index 00000000..112ea7d7
--- /dev/null
+++ b/Linux-PAM/doc/man/PAM.8
@@ -0,0 +1,103 @@
+.\"     Title: pam
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM" "8" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+PAM, pam \- Pluggable Authentication Modules for Linux
+.SH "DESCRIPTION"
+.PP
+This manual is intended to offer a quick introduction to
+\fBLinux\-PAM\fR. For more information the reader is directed to the
+\fBLinux\-PAM system administrators' guide\fR.
+.PP
+
+\fBLinux\-PAM\fR
+is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as
+\fBlogin\fR(1)
+and
+\fBsu\fR(1)) defer to to perform standard authentication tasks.
+.PP
+The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable. In other words, the system administrator is free to choose how individual service\-providing applications will authenticate users. This dynamic configuration is set by the contents of the single
+\fBLinux\-PAM\fR
+configuration file
+\fI/etc/pam.conf\fR. Alternatively, the configuration can be set by individual configuration files located in the
+\fI/etc/pam.d/\fR
+directory. The presence of this directory will cause
+\fBLinux\-PAM\fR
+to
+\fIignore\fR
+\fI/etc/pam.conf\fR.
+.PP
+From the point of view of the system administrator, for whom this manual is provided, it is not of primary importance to understand the internal behavior of the
+\fBLinux\-PAM\fR
+library. The important point to recognize is that the configuration file(s)
+\fIdefine\fR
+the connection between applications
+(\fBservices\fR) and the pluggable authentication modules
+(\fBPAM\fRs) that perform the actual authentication tasks.
+.PP
+\fBLinux\-PAM\fR
+separates the tasks of
+\fIauthentication\fR
+into four independent management groups:
+\fBaccount\fR
+management;
+\fBauth\fRentication management;
+\fBpassword\fR
+management; and
+\fBsession\fR
+management. (We highlight the abbreviations used for these groups in the configuration file.)
+.PP
+Simply put, these groups take care of different aspects of a typical user's request for a restricted service:
+.PP
+\fBaccount\fR
+\- provide account verification types of service: has the user's password expired?; is this user permitted access to the requested service?
+.PP
+\fBauth\fRentication \- authenticate a user and set up user credentials. Typically this is via some challenge\-response request that the user must satisfy: if you are who you claim to be please enter your password. Not all authentications are of this type, there exist hardware based authentication schemes (such as the use of smart\-cards and biometric devices), with suitable modules, these may be substituted seamlessly for more standard approaches to authentication \- such is the flexibility of
+\fBLinux\-PAM\fR.
+.PP
+\fBpassword\fR
+\- this group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the
+\fBauth\fR
+group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password\-based access is the obvious example: please enter a replacement password.
+.PP
+\fBsession\fR
+\- this group of tasks cover things that should be done prior to a service being given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The
+\fBsession\fR
+management group is important as it provides both an opening and closing hook for modules to affect the services available to a user.
+.SH "FILES"
+.TP 3n
+\fI/etc/pam.conf\fR
+the configuration file
+.TP 3n
+\fI/etc/pam.d\fR
+the
+\fBLinux\-PAM\fR
+configuration directory. Generally, if this directory is present, the
+\fI/etc/pam.conf\fR
+file is ignored.
+.SH "ERRORS"
+.PP
+Typically errors generated by the
+\fBLinux\-PAM\fR
+system of libraries, will be written to
+\fBsyslog\fR(3).
+.SH "CONFORMING TO"
+.PP
+DCE\-RFC 86.0, October 1995. Contains additional features, but remains backwardly compatible with this RFC.
+.SH "SEE ALSO"
+.PP
+
+\fBpam\fR(3),
+\fBpam_authenticate\fR(3),
+\fBpam_sm_setcred\fR(3),
+\fBpam_strerror\fR(3),
+\fBPAM\fR(8)
diff --git a/Linux-PAM/doc/man/misc_conv.3 b/Linux-PAM/doc/man/misc_conv.3
new file mode 100644
index 00000000..bb8cbd87
--- /dev/null
+++ b/Linux-PAM/doc/man/misc_conv.3
@@ -0,0 +1,97 @@
+.\"     Title: misc_conv
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "MISC_CONV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+misc_conv \- text based conversation function
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_misc.h>
+.fi
+.ft
+.HP 15
+.BI "void misc_conv(int\ " "num_msg" ", const\ struct\ pam_message\ **" "msgm" ", struct\ pam_response\ **" "response" ", void\ *" "appdata_ptr" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBmisc_conv\fR
+function is part of
+\fBlibpam_misc\fR
+and not of the standard
+\fBlibpam\fR
+library. This function will prompt the user with the appropriate comments and obtain the appropriate inputs as directed by authentication modules.
+.PP
+In addition to simply slotting into the appropriate
+\fBpam_conv\fR(3), this function provides some time\-out facilities. The function exports five variables that can be used by an application programmer to limit the amount of time this conversation function will spend waiting for the user to type something. The five variabls are as follows:
+.TP 3n
+\fBtime_t\fR \fIpam_misc_conv_warn_time\fR;
+This variable contains the
+\fItime\fR
+(as returned by
+\fBtime\fR(2)) that the user should be first warned that the clock is ticking. By default it has the value
+0, which indicates that no such warning will be given. The application may set its value to sometime in the future, but this should be done prior to passing control to the
+\fILinux\-PAM\fR
+library.
+.TP 3n
+\fBconst char *\fR\fIpam_misc_conv_warn_line\fR;
+Used in conjuction with
+\fIpam_misc_conv_warn_time\fR, this variable is a pointer to the string that will be displayed when it becomes time to warn the user that the timeout is approaching. Its default value is a translated version of
+\(lq...Time is running out...\(rq, but this can be changed by the application prior to passing control to
+\fILinux\-PAM\fR.
+.TP 3n
+\fBtime_t\fR \fIpam_misc_conv_die_time\fR;
+This variable contains the
+\fItime\fR
+(as returned by
+\fBtime\fR(2)) that the will time out. By default it has the value
+0, which indicates that the conversation function will not timeout. The application may set its value to sometime in the future, but this should be done prior to passing control to the
+\fILinux\-PAM\fR
+library.
+.TP 3n
+\fBconst char *\fR\fIpam_misc_conv_die_line\fR;
+Used in conjuction with
+\fIpam_misc_conv_die_time\fR, this variable is a pointer to the string that will be displayed when the conversation times out. Its default value is a translated version of
+\(lq...Sorry, your time is up!\(rq, but this can be changed by the application prior to passing control to
+\fILinux\-PAM\fR.
+.TP 3n
+\fBint\fR \fIpam_misc_conv_died\fR;
+Following a return from the
+\fILinux\-PAM\fR
+libraray, the value of this variable indicates whether the conversation has timed out. A value of
+1
+indicates the time\-out occurred.
+.PP
+The following two function pointers are available for supporting binary prompts in the conversation function. They are optimized for the current incarnation of the
+\fBlibpamc\fR
+library and are subject to change.
+.TP 3n
+\fBint\fR \fI(*pam_binary_handler_fn)\fR(\fBvoid *\fR\fIappdata\fR, \fBpamc_bp_t *\fR\fIprompt_p\fR);
+This function pointer is initialized to
+NULL
+but can be filled with a function that provides machine\-machine (hidden) message exchange. It is intended for use with hidden authentication protocols such as RSA or Diffie\-Hellman key exchanges. (This is still under development.)
+.TP 3n
+\fBint\fR \fI(*pam_binary_handler_free)\fR(\fBvoid *\fR\fIappdata\fR, \fBpamc_bp_t *\fR\fIdelete_me\fR);
+This function pointer is initialized to
+\fBPAM_BP_RENEW(delete_me, 0, 0)\fR, but can be redefined as desired by the application.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_conv\fR(3),
+\fBpam\fR(8)
+.SH "STANDARDS"
+.PP
+The
+\fBmisc_conv\fR
+function is part of the
+\fBlibpam_misc\fR
+Library and not defined in any standard.
diff --git a/Linux-PAM/doc/man/misc_conv.3.xml b/Linux-PAM/doc/man/misc_conv.3.xml
new file mode 100644
index 00000000..825dd10c
--- /dev/null
+++ b/Linux-PAM/doc/man/misc_conv.3.xml
@@ -0,0 +1,188 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id="misc_conv">
+
+  <refmeta>
+    <refentrytitle>misc_conv</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="misc_conv-name">
+    <refname>misc_conv</refname>
+    <refpurpose>text based conversation function</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id="misc_conv-synopsis">
+      <funcsynopsisinfo>#include &lt;security/pam_misc.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>void <function>misc_conv</function></funcdef>
+        <paramdef>int <parameter>num_msg</parameter></paramdef>
+        <paramdef>const struct pam_message **<parameter>msgm</parameter></paramdef>
+        <paramdef>struct pam_response **<parameter>response</parameter></paramdef>
+        <paramdef>void *<parameter>appdata_ptr</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='misc_conv-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>misc_conv</function> function is part of
+      <command>libpam_misc</command> and not of the standard
+      <command>libpam</command> library. This function will prompt
+      the user with the appropriate comments and obtain the appropriate
+      inputs as directed by authentication modules.
+    </para>
+    <para>
+      In addition to simply slotting into the appropriate <citerefentry>
+      <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, this function provides some time-out facilities.
+      The function exports five variables that can be used by an
+      application programmer to limit the amount of time this conversation
+      function will spend waiting for the user to type something. The
+      five variabls are as follows:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term><type>time_t</type> <varname>pam_misc_conv_warn_time</varname>;</term>
+        <listitem>
+          <para>
+            This variable contains the <emphasis>time</emphasis> (as
+            returned by <citerefentry>
+            <refentrytitle>time</refentrytitle><manvolnum>2</manvolnum>
+            </citerefentry>) that the user should be first warned that
+            the clock is ticking. By default it has the value
+            <returnvalue>0</returnvalue>, which indicates that no such
+            warning will be given. The application may set its value to
+            sometime in the future, but this should be done prior to
+            passing control to the <emphasis>Linux-PAM</emphasis> library.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><type>const char *</type><varname>pam_misc_conv_warn_line</varname>;</term>
+        <listitem>
+          <para>
+            Used in conjuction with
+            <varname>pam_misc_conv_warn_time</varname>, this variable is
+            a pointer to the string that will be displayed when it becomes
+            time to warn the user that the timeout is approaching. Its
+            default value is a translated version of
+            <quote>...Time is running out...</quote>, but this can be
+            changed by the application prior to passing control to
+            <emphasis>Linux-PAM</emphasis>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><type>time_t</type> <varname>pam_misc_conv_die_time</varname>;</term>
+        <listitem>
+          <para>
+            This variable contains the <emphasis>time</emphasis> (as
+            returned by <citerefentry>
+            <refentrytitle>time</refentrytitle><manvolnum>2</manvolnum>
+            </citerefentry>) that the will time out. By default it has
+            the value <returnvalue>0</returnvalue>, which indicates that
+            the conversation function will not timeout. The application
+            may set its value to sometime in the future, but this should
+            be done prior to passing control to the
+            <emphasis>Linux-PAM</emphasis> library.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><type>const char *</type><varname>pam_misc_conv_die_line</varname>;</term>
+        <listitem>
+          <para>
+            Used in conjuction with
+            <varname>pam_misc_conv_die_time</varname>, this variable is
+            a pointer to the string that will be displayed when the
+            conversation times out. Its default value is a translated
+            version of
+            <quote>...Sorry, your time is up!</quote>, but this can be
+            changed by the application prior to passing control to
+            <emphasis>Linux-PAM</emphasis>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><type>int</type> <varname>pam_misc_conv_died</varname>;</term>
+        <listitem>
+          <para>
+            Following a return from the <emphasis>Linux-PAM</emphasis>
+            libraray, the value of this variable indicates whether the
+            conversation has timed out. A value of
+            <returnvalue>1</returnvalue> indicates the time-out occurred.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+    <para>
+      The following two function pointers are available for supporting
+      binary prompts in the conversation function. They are optimized
+      for the current incarnation of the <command>libpamc</command>
+      library and are subject to change.
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>
+          <type>int</type> <varname>(*pam_binary_handler_fn)</varname>(<type>void *</type><varname>appdata</varname>, <type>pamc_bp_t *</type><varname>prompt_p</varname>);
+        </term>
+        <listitem>
+          <para>
+            This function pointer is initialized to
+            <returnvalue>NULL</returnvalue> but can be filled with a
+            function that provides machine-machine (hidden) message
+            exchange. It is intended for use with hidden authentication
+            protocols such as RSA or Diffie-Hellman key exchanges.
+            (This is still under development.)
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <type>int</type> <varname>(*pam_binary_handler_free)</varname>(<type>void *</type><varname>appdata</varname>, <type>pamc_bp_t *</type><varname>delete_me</varname>);
+        </term>
+        <listitem>
+          <para>
+            This function pointer is initialized to
+            <function>PAM_BP_RENEW(delete_me, 0, 0)</function>, but can be
+            redefined as desired by the application.
+          </para>
+        </listitem>
+      </varlistentry>
+     </variablelist>
+  </refsect1>
+
+  <refsect1 id='misc_conv-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='misc_conv-standards'>
+    <title>STANDARDS</title>
+    <para>
+      The <function>misc_conv</function> function is part of the
+      <command>libpam_misc</command> Library and not defined in any
+      standard.
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/man/pam.3 b/Linux-PAM/doc/man/pam.3
new file mode 100644
index 00000000..f1cd729c
--- /dev/null
+++ b/Linux-PAM/doc/man/pam.3
@@ -0,0 +1,282 @@
+.\"     Title: pam
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.0 <http://docbook.sf.net/>
+.\"      Date: 10/26/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM" "3" "10/26/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam \- Pluggable Authentication Modules Library
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.sp
+.ft B
+.nf
+#include <security/pam_modules.h>
+.fi
+.ft
+.sp
+.ft B
+.nf
+#include <security/pam_ext.h>
+.fi
+.ft
+.SH "DESCRIPTION"
+.PP
+
+\fBPAM\fR
+is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as
+\fBlogin\fR(1)
+and
+\fBsu\fR(1)) defer to to perform standard authentication tasks.
+.SS "Initialization and Cleanup"
+.PP
+The
+\fBpam_start\fR(3)
+function creates the PAM context and initiates the PAM transaction. It is the first of the PAM functions that needs to be called by an application. The transaction state is contained entirely within the structure identified by this handle, so it is possible to have multiple transactions in parallel. But it is not possible to use the same handle for different transactions, a new one is needed for every new context.
+.PP
+The
+\fBpam_end\fR(3)
+function terminates the PAM transaction and is the last function an application should call in the PAM contenxt. Upon return the handle pamh is no longer valid and all memory associated with it will be invalid. It can be called at any time to terminate a PAM transaction.
+.SS "Authentication"
+.PP
+The
+\fBpam_authenticate\fR(3)
+function is used to authenticate the user. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print.
+.PP
+The
+\fBpam_setcred\fR(3)
+function manages the userscredentials.
+.SS "Account Management"
+.PP
+The
+\fBpam_acct_mgmt\fR(3)
+function is used to determine if the users account is valid. It checks for authentication token and account expiration and verifies access restrictions. It is typically called after the user has been authenticated.
+.SS "Password Management"
+.PP
+The
+\fBpam_chauthtok\fR(3)
+function is used to change the authentication token for a given user on request or because the token has expired.
+.SS "Session Management"
+.PP
+The
+\fBpam_open_session\fR(3)
+function sets up a user session for a previously successful authenticated user. The session should later be terminated with a call to
+\fBpam_close_session\fR(3).
+.SS "Conversation"
+.PP
+The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application. This callback is specified by the
+\fIstruct pam_conv\fR
+passed to
+\fBpam_start\fR(3)
+at the start of the transaction. See
+\fBpam_conv\fR(3)
+for details.
+.SS "Data Objects"
+.PP
+The
+\fBpam_set_item\fR(3)
+and
+\fBpam_get_item\fR(3)
+functions allows applications and PAM service modules to set and retrieve PAM informations.
+.PP
+The
+\fBpam_get_user\fR(3)
+function is the preferred method to obtain the username.
+.PP
+The
+\fBpam_set_data\fR(3)
+and
+\fBpam_get_data\fR(3)
+functions allows PAM service modules to set and retrieve free\-form data from one invocation to another.
+.SS "Environment and Error Management"
+.PP
+The
+\fBpam_putenv\fR(3),
+\fBpam_getenv\fR(3)
+and
+\fBpam_getenvlist\fR(3)
+functions are for maintaining a set of private environment variables.
+.PP
+The
+\fBpam_strerror\fR(3)
+function returns a pointer to a string describing the given PAM error code.
+.SH "RETURN VALUES"
+.PP
+The following return codes are known by PAM:
+.PP
+PAM_ABORT
+.RS 3n
+Critical error, immediate abort.
+.RE
+.PP
+PAM_ACCT_EXPIRED
+.RS 3n
+User account has expired.
+.RE
+.PP
+PAM_AUTHINFO_UNAVAIL
+.RS 3n
+Authentication service cannot retrieve authentication info.
+.RE
+.PP
+PAM_AUTHTOK_DISABLE_AGING
+.RS 3n
+Authentication token aging disabled.
+.RE
+.PP
+PAM_AUTHTOK_ERR
+.RS 3n
+Authentication token manipulation error.
+.RE
+.PP
+PAM_AUTHTOK_EXPIRED
+.RS 3n
+Authentication token expired.
+.RE
+.PP
+PAM_AUTHTOK_LOCK_BUSY
+.RS 3n
+Authentication token lock busy.
+.RE
+.PP
+PAM_AUTHTOK_RECOVERY_ERR
+.RS 3n
+Authentication information cannot be recovered.
+.RE
+.PP
+PAM_AUTH_ERR
+.RS 3n
+Authentication failure.
+.RE
+.PP
+PAM_BUF_ERR
+.RS 3n
+Memory buffer error.
+.RE
+.PP
+PAM_CONV_ERR
+.RS 3n
+Conversation failure.
+.RE
+.PP
+PAM_CRED_ERR
+.RS 3n
+Failure setting user credentials.
+.RE
+.PP
+PAM_CRED_EXPIRED
+.RS 3n
+User credentials expired.
+.RE
+.PP
+PAM_CRED_INSUFFICIENT
+.RS 3n
+Insufficient credentials to access authentication data.
+.RE
+.PP
+PAM_CRED_UNAVAIL
+.RS 3n
+Authentication service cannot retrieve user credentials.
+.RE
+.PP
+PAM_IGNORE
+.RS 3n
+The return value should be ignored by PAM dispatch.
+.RE
+.PP
+PAM_MAXTRIES
+.RS 3n
+Have exhausted maximum number of retries for service.
+.RE
+.PP
+PAM_MODULE_UNKNOWN
+.RS 3n
+Module is unknown.
+.RE
+.PP
+PAM_NEW_AUTHTOK_REQD
+.RS 3n
+Authentication token is no longer valid; new one required.
+.RE
+.PP
+PAM_NO_MODULE_DATA
+.RS 3n
+No module specific data is present.
+.RE
+.PP
+PAM_OPEN_ERR
+.RS 3n
+Failed to load module.
+.RE
+.PP
+PAM_PERM_DENIED
+.RS 3n
+Permission denied.
+.RE
+.PP
+PAM_SERVICE_ERR
+.RS 3n
+Error in service module.
+.RE
+.PP
+PAM_SESSION_ERR
+.RS 3n
+Cannot make/remove an entry for the specified session.
+.RE
+.PP
+PAM_SUCCESS
+.RS 3n
+Success.
+.RE
+.PP
+PAM_SYMBOL_ERR
+.RS 3n
+Symbol not found.
+.RE
+.PP
+PAM_SYSTEM_ERR
+.RS 3n
+System error.
+.RE
+.PP
+PAM_TRY_AGAIN
+.RS 3n
+Failed preliminary check by password service.
+.RE
+.PP
+PAM_USER_UNKNOWN
+.RS 3n
+User not known to the underlying authentication module.
+.RE
+.SH "SEE ALSO"
+.PP
+
+\fBpam_acct_mgmt\fR(3),
+\fBpam_authenticate\fR(3),
+\fBpam_chauthtok\fR(3),
+\fBpam_close_session\fR(3),
+\fBpam_conv\fR(3),
+\fBpam_end\fR(3),
+\fBpam_get_data\fR(3),
+\fBpam_getenv\fR(3),
+\fBpam_getenvlist\fR(3),
+\fBpam_get_item\fR(3),
+\fBpam_get_user\fR(3),
+\fBpam_open_session\fR(3),
+\fBpam_putenv\fR(3),
+\fBpam_set_data\fR(3),
+\fBpam_set_item\fR(3),
+\fBpam_setcred\fR(3),
+\fBpam_start\fR(3),
+\fBpam_strerror\fR(3)
diff --git a/Linux-PAM/doc/man/pam.3.xml b/Linux-PAM/doc/man/pam.3.xml
new file mode 100644
index 00000000..3ae2d343
--- /dev/null
+++ b/Linux-PAM/doc/man/pam.3.xml
@@ -0,0 +1,433 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam3'>
+
+  <refmeta>
+    <refentrytitle>pam</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id='pam3-name'>
+    <refname>pam</refname>
+    <refpurpose>Pluggable Authentication Modules Library</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv id='pam3-synopsis'>
+    <funcsynopsis>
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+      <funcsynopsisinfo>#include &lt;security/pam_modules.h&gt;</funcsynopsisinfo>
+      <funcsynopsisinfo>#include &lt;security/pam_ext.h&gt;</funcsynopsisinfo>
+   </funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='pam3-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      <emphasis remap='B'>PAM</emphasis> is a system of libraries
+      that handle the authentication tasks of applications (services)
+      on the system. The library provides a stable general interface
+      (Application Programming Interface - API) that privilege granting
+      programs (such as
+      <citerefentry>
+        <refentrytitle>login</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry> and <citerefentry>
+        <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>)
+      defer to to perform standard authentication tasks.
+    </para>
+
+    <refsect2 id='pam3-initialization_and_cleanup'>
+      <title>Initialization and Cleanup</title>
+      <para>
+        The
+        <citerefentry>
+          <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry> function creates the PAM context and initiates the
+        PAM transaction. It is the first of the PAM functions that needs to
+        be called by an application. The transaction state is contained
+        entirely within the structure identified by this handle, so it is
+        possible to have multiple transactions in parallel. But it is not
+        possible to use the same handle for different transactions, a new
+        one is needed for every new context.
+      </para>
+      <para>
+        The
+        <citerefentry>
+          <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry> function terminates the PAM transaction and is the last
+        function an application should call in the PAM contenxt. Upon return
+        the handle pamh is no longer valid and all memory associated with it
+        will be invalid. It can be called at any time to terminate a PAM
+        transaction.
+      </para>
+    </refsect2>
+
+    <refsect2 id='pam3-authentication'>
+      <title>Authentication</title>
+      <para>
+        The
+        <citerefentry>
+          <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>
+        function is used to
+        authenticate the user. The user is required to provide an
+        authentication token depending upon the authentication service,
+        usually this is a password, but could also be a finger print.
+      </para>
+      <para>
+        The
+        <citerefentry>
+          <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>
+        function manages the userscredentials.
+      </para>
+    </refsect2>
+
+    <refsect2 id='pam3-account_management'>
+      <title>Account Management</title>
+      <para>
+        The
+        <citerefentry>
+          <refentrytitle>pam_acct_mgmt</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry> function is used to determine if the users account is
+        valid. It checks for authentication token and account expiration and
+        verifies access restrictions. It is typically called after the user
+        has been authenticated.
+      </para>
+    </refsect2>
+
+    <refsect2 id='pam3-password_management'>
+      <title>Password Management</title>
+      <para>
+        The
+        <citerefentry>
+          <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry> function is used to change the authentication token
+        for a given user on request or because the token has expired.
+      </para>
+    </refsect2>
+
+    <refsect2 id='pam3-session_management'>
+      <title>Session Management</title>
+      <para>
+        The
+        <citerefentry>
+          <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry> function sets up a user session for a previously
+        successful authenticated user. The session should later be terminated
+        with a call to
+        <citerefentry>
+          <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>.
+      </para>
+    </refsect2>
+
+    <refsect2 id='pam3-conversation'>
+      <title>Conversation</title>
+      <para>
+        The PAM library uses an application-defined callback to allow
+        a direct communication between a loaded module and the application.
+        This callback is specified by the
+        <emphasis>struct pam_conv</emphasis> passed to
+        <citerefentry>
+          <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry> at the start of the transaction. See
+        <citerefentry>
+          <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>
+        for details.
+      </para>
+    </refsect2>
+
+    <refsect2 id='pam3-data'>
+      <title>Data Objects</title>
+      <para>
+        The
+        <citerefentry>
+          <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>
+        and
+        <citerefentry>
+          <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>
+        functions allows applications and PAM service modules to set and
+        retrieve PAM informations.
+      </para>
+      <para>
+         The
+        <citerefentry>
+          <refentrytitle>pam_get_user</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>
+        function is the preferred method to obtain the username.
+      </para>
+      <para>
+        The
+        <citerefentry>
+          <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>
+        and
+        <citerefentry>
+          <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>
+        functions allows PAM service modules to set and retrieve free-form
+        data from one invocation to another.
+      </para>
+    </refsect2>
+
+    <refsect2 id='pam3-miscellaneous'>
+    <title>Environment and Error Management</title>
+      <para>
+        The
+        <citerefentry>
+          <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>,
+        <citerefentry>
+          <refentrytitle>pam_getenv</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry> and
+        <citerefentry>
+          <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>
+        functions are for maintaining a set of private environment variables.
+      </para>
+
+      <para>
+        The
+        <citerefentry>
+          <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry> function returns a pointer to a string describing the
+        given PAM error code.
+      </para>
+    </refsect2>
+  </refsect1>
+
+  <refsect1 id='pam3-return_values'>
+    <title>RETURN VALUES</title>
+    <para>
+      The following return codes are known by PAM:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_ABORT</term>
+        <listitem>
+          <para>Critical error, immediate abort.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_ACCT_EXPIRED</term>
+        <listitem>
+          <para>User account has expired.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHINFO_UNAVAIL</term>
+        <listitem>
+          <para>
+            Authentication service cannot retrieve authentication info.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHTOK_DISABLE_AGING</term>
+        <listitem>
+          <para>Authentication token aging disabled.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHTOK_ERR</term>
+        <listitem>
+          <para>Authentication token manipulation error.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHTOK_EXPIRED</term>
+        <listitem>
+          <para>Authentication token expired.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHTOK_LOCK_BUSY</term>
+        <listitem>
+          <para>Authentication token lock busy.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHTOK_RECOVERY_ERR</term>
+        <listitem>
+          <para>Authentication information cannot be recovered.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTH_ERR</term>
+        <listitem>
+          <para>Authentication failure.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+          <para>Memory buffer error.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CONV_ERR</term>
+        <listitem>
+          <para>Conversation failure.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CRED_ERR</term>
+        <listitem>
+          <para>Failure setting user credentials.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CRED_EXPIRED</term>
+        <listitem>
+          <para>User credentials expired.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CRED_INSUFFICIENT</term>
+        <listitem>
+          <para>Insufficient credentials to access authentication data.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CRED_UNAVAIL</term>
+        <listitem>
+          <para>Authentication service cannot retrieve user credentials.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_IGNORE</term>
+        <listitem>
+          <para>The return value should be ignored by PAM dispatch.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_MAXTRIES</term>
+        <listitem>
+          <para>Have exhausted maximum number of retries for service.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_MODULE_UNKNOWN</term>
+        <listitem>
+          <para>Module is unknown.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_NEW_AUTHTOK_REQD</term>
+        <listitem>
+          <para>
+            Authentication token is no longer valid; new one required.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_NO_MODULE_DATA</term>
+        <listitem>
+          <para>No module specific data is present.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_OPEN_ERR</term>
+        <listitem>
+          <para>Failed to load module.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_PERM_DENIED</term>
+        <listitem>
+          <para>Permission denied.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SERVICE_ERR</term>
+        <listitem>
+          <para>Error in service module.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SESSION_ERR</term>
+        <listitem>
+          <para>Cannot make/remove an entry for the specified session.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+          <para>Success.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SYMBOL_ERR</term>
+        <listitem>
+          <para>Symbol not found.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SYSTEM_ERR</term>
+        <listitem>
+          <para>System error.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_TRY_AGAIN</term>
+        <listitem>
+          <para>Failed preliminary check by password service.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>User not known to the underlying authentication module.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='see_also'><title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_acct_mgmt</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_getenv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_get_user</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam.8 b/Linux-PAM/doc/man/pam.8
index 81f9eb35..da9773b9 100644
--- a/Linux-PAM/doc/man/pam.8
+++ b/Linux-PAM/doc/man/pam.8
@@ -1,375 +1 @@
-.\" Hey Emacs! This file is -*- nroff -*- source.
-.\" $Id: pam.8,v 1.3 2003/09/25 17:49:29 baggins Exp $
-.\" Copyright (c) Andrew G. Morgan 1996-7,2001 <morgan@kernel.org>
-.TH PAM 8 "2001 Jan 20" "Linux-PAM 0.74" "Linux-PAM Manual"
-.SH NAME
-
-Linux-PAM \- Pluggable Authentication Modules for Linux
-
-.SH SYNOPSIS
-.B /etc/pam.conf
-.sp 2
-.SH DESCRIPTION
-
-This manual is intended to offer a quick introduction to
-.BR Linux-PAM ". "
-For more information the reader is directed to the
-.BR "Linux-PAM system administrators' guide".
-
-.sp
-.BR Linux-PAM
-Is a system of libraries that handle the authentication tasks of
-applications (services) on the system.  The library provides a stable
-general interface (Application Programming Interface - API) that
-privilege granting programs (such as
-.BR login "(1) "
-and
-.BR su "(1)) "
-defer to to perform standard authentication tasks.
-
-.sp
-The principal feature of the PAM approach is that the nature of the
-authentication is dynamically configurable.  In other words, the
-system administrator is free to choose how individual
-service-providing applications will authenticate users. This dynamic
-configuration is set by the contents of the single
-.BR Linux-PAM
-configuration file
-.BR /etc/pam.conf "."
-Alternatively, the configuration can be set by individual
-configuration files located in the
-.B /etc/pam.d/
-directory.
-.IB "The presence of this directory will cause " Linux-PAM " to ignore"
-.BI /etc/pam.conf "."
-
-.sp
-From the point of view of the system administrator, for whom this
-manual is provided, it is not of primary importance to understand the
-internal behavior of the
-.BR Linux-PAM
-library.  The important point to recognize is that the configuration
-file(s)
-.I define
-the connection between applications
-.BR "" "(" services ")"
-and the pluggable authentication modules
-.BR "" "(" PAM "s)"
-that perform the actual authentication tasks.
-
-.sp
-.BR Linux-PAM
-separates the tasks of
-.I authentication
-into four independent management groups:
-.BR "account" " management; "
-.BR "auth" "entication management; "
-.BR "password" " management; "
-and
-.BR "session" " management."
-(We highlight the abbreviations used for these groups in the
-configuration file.)
-
-.sp
-Simply put, these groups take care of different aspects of a typical
-user's request for a restricted service:
-
-.sp
-.BR account " - "
-provide account verification types of service: has the user's password
-expired?; is this user permitted access to the requested service?
-
-.br
-.BR auth "entication - "
-establish the user is who they claim to be. Typically this is via some
-challenge-response request that the user must satisfy: if you are who
-you claim to be please enter your password.  Not all authentications
-are of this type, there exist hardware based authentication schemes
-(such as the use of smart-cards and biometric devices), with suitable
-modules, these may be substituted seamlessly for more standard
-approaches to authentication - such is the flexibility of
-.BR Linux-PAM "."
-
-.br
-.BR password " - "
-this group's responsibility is the task of updating authentication
-mechanisms. Typically, such services are strongly coupled to those of
-the
-.BR auth
-group. Some authentication mechanisms lend themselves well to being
-updated with such a function. Standard UN*X password-based access is
-the obvious example: please enter a replacement password.
-
-.br
-.BR session " - "
-this group of tasks cover things that should be done prior to a
-service being given and after it is withdrawn. Such tasks include the
-maintenance of audit trails and the mounting of the user's home
-directory. The
-.BR session
-management group is important as it provides both an opening and
-closing hook for modules to affect the services available to a user.
-
-.SH The configuration file(s)
-
-When a
-.BR Linux-PAM
-aware privilege granting application is started, it activates its
-attachment to the PAM-API.  This activation performs a number of
-tasks, the most important being the reading of the configuration file(s):
-.BR /etc/pam.conf "."
-Alternatively, this may be the contents of the
-.BR /etc/pam.d/
-directory.
-
-These files list the
-.BR PAM "s"
-that will do the authentication tasks required by this service, and
-the appropriate behavior of the PAM-API in the event that individual
-.BR PAM "s "
-fail.
-
-.sp
-The syntax of the
-.B /etc/pam.conf
-configuration file is as follows. The file is made
-up of a list of rules, each rule is typically placed on a single line,
-but may be extended with an escaped end of line: `\\<LF>'. Comments
-are preceded with `#' marks and extend to the next end of line.
-
-.sp
-The format of each rule is a space separated collection of tokens, the
-first three being case-insensitive:
-
-.sp
-.br
-.BR "   service  type  control  module-path  module-arguments"
-
-.sp
-The syntax of files contained in the
-.B /etc/pam.d/
-directory, are identical except for the absence of any
-.I service 
-field. In this case, the
-.I service
-is the name of the file in the
-.B /etc/pam.d/
-directory. This filename must be in lower case.
-
-.sp
-An important feature of
-.BR Linux-PAM ", "
-is that a number of rules may be
-.I stacked
-to combine the services of a number of PAMs for a given authentication
-task.
-
-.sp
-The
-.BR service
-is typically the familiar name of the corresponding application:
-.BR login
-and 
-.BR su
-are good examples. The
-.BR service "-name, " other ", "
-is reserved for giving
-.I default
-rules.  Only lines that mention the current service (or in the absence
-of such, the
-.BR other
-entries) will be associated with the given service-application.
-
-.sp
-The
-.BR type
-is the management group that the rule corresponds to. It is used to
-specify which of the management groups the subsequent module is to
-be associated with. Valid entries are:
-.BR account "; "
-.BR auth "; "
-.BR password "; "
-and
-.BR session "."
-The meaning of each of these tokens was explained above.
-
-.sp
-The third field,
-.BR control ", "
-indicates the behavior of the PAM-API should the module fail to
-succeed in its authentication task. There are two types of syntax for
-this control field: the simple one has a single simple keyword; the
-more complicated one involves a square-bracketed selection of
-.B value=action
-pairs.
-
-.sp
-For the simple (historical) syntax valid
-.BR control
-values are:
-.BR requisite
-- failure of such a PAM results in the immediate termination of the
-authentication process;
-.BR required
-- failure of such a PAM will ultimately lead to the PAM-API returning
-failure but only after the remaining
-.I stacked
-modules (for this
-.BR service
-and
-.BR type ")"
-have been invoked;
-.BR sufficient
-- success of such a module is enough to satisfy the authentication
-requirements of the stack of modules (if a prior
-.BR required
-module has failed the success of this one is
-.IR ignored "); "
-.BR optional
-- the success or failure of this module is only important if it is the
-only module in the stack associated with this
-.BR service "+" type "."
-
-.sp
-New control directive first introduced in ALT Linux is
-.BR include
-- include all lines of given type from the configuration
-file specified as an argument to this control.
-
-.sp
-For the more complicated syntax valid
-.B control
-values have the following form:
-.sp
-.RB  [value1=action1 value2=action2 ...]
-.sp
-Where
-.B valueN
-corresponds to the return code from the function invoked in the module
-for which the line is defined. It is selected from one of these:
-.BR success ;
-.BR open_err ;
-.BR symbol_err ;
-.BR service_err ;
-.BR system_err ;
-.BR buf_err ;
-.BR perm_denied ;
-.BR auth_err ;
-.BR cred_insufficient ;
-.BR authinfo_unavail ;
-.BR user_unknown ;
-.BR maxtries ;
-.BR new_authtok_reqd ;
-.BR acct_expired ;
-.BR session_err ;
-.BR cred_unavail ;
-.BR cred_expired ;
-.BR cred_err ;
-.BR no_module_data ;
-.BR conv_err ;
-.BR authtok_err ;
-.BR authtok_recover_err ;
-.BR authtok_lock_busy ;
-.BR authtok_disable_aging ;
-.BR try_again ;
-.BR ignore ;
-.BR abort ;
-.BR authtok_expired ;
-.BR module_unknown ;
-.BR bad_item "; and"
-.BR default .
-The last of these,
-.BR default ,
-implies 'all
-.BR valueN 's
-not mentioned explicitly. Note, the full list of PAM errors is
-available in /usr/include/security/_pam_types.h . The
-.B actionN
-can be: an unsigned integer, 
-.BR J ,
-signifying an action of 'jump over the next J modules in the stack';
-or take one of the following forms:
-.br
-.B ignore
-- when used with a stack of modules, the module's return status will
-not contribute to the return code the application obtains;
-.br
-.B bad 
-- this action indicates that the return code should be thought of as
-indicative of the module failing. If this module is the first in the
-stack to fail, its status value will be used for that of the whole
-stack.
-.br
-.B die
-- equivalent to bad with the side effect of terminating the module
-stack and PAM immediately returning to the application.
-.br
-.B ok
-- this tells PAM that the administrator thinks this return code
-should contribute directly to the return code of the full stack of
-modules. In other words, if the former state of the stack would lead
-to a return of
-.BR PAM_SUCCESS ,
-the module's return code will override this value. Note, if the former
-state of the stack holds some value that is indicative of a modules
-failure, this 'ok' value will not be used to override that value.
-.br
-.B done
-- equivalent to ok with the side effect of terminating the module
-stack and PAM immediately returning to the application.
-.br
-.B reset
-- clear all memory of the state of the module stack and start again
-with the next stacked module.
-
-.sp
-.BR module-path
-- this is either the full filename of the PAM to be used by the
-application (it begins with a '/'), or a relative pathname from the
-default module location:
-.BR /lib/security/ .
-
-.sp
-.BR module-arguments
-- these are a space separated list of tokens that can be used to
-modify the specific behavior of the given PAM. Such arguments will be
-documented for each individual module.
-
-.SH "FILES"
-.BR /etc/pam.conf " - the configuration file"
-.br
-.BR /etc/pam.d/ " - the"
-.BR Linux-PAM
-configuration directory. Generally, if this directory is present, the
-.B /etc/pam.conf
-file is ignored.
-.br
-.BR /lib/libpam.so.X " - the dynamic library"
-.br
-.BR /lib/security/*.so " - the PAMs
-
-.SH ERRORS
-Typically errors generated by the
-.BR Linux-PAM
-system of libraries, will be written to
-.BR syslog "(3)."
-
-.SH "CONFORMING TO"
-DCE-RFC 86.0, October 1995.
-.br
-Contains additional features, but remains backwardly compatible with
-this RFC.
-
-.SH BUGS
-.sp 2
-None known.
-
-.SH "SEE ALSO"
-
-The three
-.BR Linux-PAM
-Guides, for
-.BR "system administrators" ", "
-.BR "module developers" ", "
-and
-.BR "application developers" ". "
+.so man8/PAM.8
diff --git a/Linux-PAM/doc/man/pam.8.xml b/Linux-PAM/doc/man/pam.8.xml
new file mode 100644
index 00000000..1267f01c
--- /dev/null
+++ b/Linux-PAM/doc/man/pam.8.xml
@@ -0,0 +1,186 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id='pam8'>
+
+  <refmeta>
+    <refentrytitle>pam</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id='pam8-name'>
+    <refname>PAM</refname>
+    <refname>pam</refname>
+    <refpurpose>Pluggable Authentication Modules for Linux</refpurpose>
+  </refnamediv>
+
+  <refsect1 id='pam8-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      This manual is intended to offer a quick introduction to
+      <emphasis remap='B'>Linux-PAM</emphasis>. For more information
+      the reader is directed to the
+      <emphasis remap='B'>Linux-PAM system administrators' guide</emphasis>.
+    </para>
+
+    <para>
+      <emphasis remap='B'>Linux-PAM</emphasis> is a system of libraries
+      that handle the authentication tasks of applications (services) on
+      the system. The library provides a stable general interface
+      (Application Programming Interface - API) that privilege granting
+      programs (such as <citerefentry>
+      <refentrytitle>login</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry> and <citerefentry>
+      <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>) defer to to perform standard authentication tasks.
+    </para>
+
+    <para>
+      The principal feature of the PAM approach is that the nature of the
+      authentication is dynamically configurable.  In other words, the
+      system administrator is free to choose how individual
+      service-providing applications will authenticate users. This dynamic
+      configuration is set by the contents of the single
+      <emphasis remap='B'>Linux-PAM</emphasis> configuration file
+      <filename>/etc/pam.conf</filename>. Alternatively, the configuration
+      can be set by individual configuration files located in the
+      <filename>/etc/pam.d/</filename> directory. The presence of this
+      directory will cause <emphasis remap='B'>Linux-PAM</emphasis> to
+      <emphasis remap='I'>ignore</emphasis>
+      <filename>/etc/pam.conf</filename>.
+    </para>
+
+
+<para>From the point of view of the system administrator, for whom this
+manual is provided, it is not of primary importance to understand the
+internal behavior of the
+<emphasis remap='B'>Linux-PAM</emphasis>
+library.  The important point to recognize is that the configuration
+file(s)
+<emphasis remap='I'>define</emphasis>
+the connection between applications
+<emphasis remap='B'></emphasis>(<emphasis remap='B'>services</emphasis>)
+and the pluggable authentication modules
+<emphasis remap='B'></emphasis>(<emphasis remap='B'>PAM</emphasis>s)
+that perform the actual authentication tasks.</para>
+
+
+<para><emphasis remap='B'>Linux-PAM</emphasis>
+separates the tasks of
+<emphasis remap='I'>authentication</emphasis>
+into four independent management groups:
+<emphasis remap='B'>account</emphasis> management;
+<emphasis remap='B'>auth</emphasis>entication management;
+<emphasis remap='B'>password</emphasis> management;
+and
+<emphasis remap='B'>session</emphasis> management.
+(We highlight the abbreviations used for these groups in the
+configuration file.)</para>
+
+
+<para>Simply put, these groups take care of different aspects of a typical
+user's request for a restricted service:</para>
+
+
+<para><emphasis remap='B'>account</emphasis> -
+provide account verification types of service: has the user's password
+expired?; is this user permitted access to the requested service?</para>
+
+<!-- .br -->
+<para><emphasis remap='B'>auth</emphasis>entication -
+authenticate a user and set up user credentials. Typically this is via
+some challenge-response request that the user must satisfy: if you are
+who you claim to be please enter your password. Not all authentications
+are of this type, there exist hardware based authentication schemes
+(such as the use of smart-cards and biometric devices), with suitable
+modules, these may be substituted seamlessly for more standard
+approaches to authentication - such is the flexibility of
+<emphasis remap='B'>Linux-PAM</emphasis>.</para>
+
+<!-- .br -->
+<para><emphasis remap='B'>password</emphasis> -
+this group's responsibility is the task of updating authentication
+mechanisms. Typically, such services are strongly coupled to those of
+the
+<emphasis remap='B'>auth</emphasis>
+group. Some authentication mechanisms lend themselves well to being
+updated with such a function. Standard UN*X password-based access is
+the obvious example: please enter a replacement password.</para>
+
+<!-- .br -->
+<para><emphasis remap='B'>session</emphasis> -
+this group of tasks cover things that should be done prior to a
+service being given and after it is withdrawn. Such tasks include the
+maintenance of audit trails and the mounting of the user's home
+directory. The
+<emphasis remap='B'>session</emphasis>
+management group is important as it provides both an opening and
+closing hook for modules to affect the services available to a user.</para>
+
+</refsect1>
+
+  <refsect1 id='pam8-files'>
+    <title>FILES</title>
+    <variablelist>
+      <varlistentry>
+        <term><filename>/etc/pam.conf</filename></term>
+        <listitem>
+          <para>the configuration file</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><filename>/etc/pam.d</filename></term>
+        <listitem>
+          <para>
+            the <emphasis remap='B'>Linux-PAM</emphasis> configuration
+            directory. Generally, if this directory is present, the
+            <filename>/etc/pam.conf</filename> file is ignored.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam8-errors'>
+    <title>ERRORS</title>
+    <para>
+      Typically errors generated by the
+      <emphasis remap='B'>Linux-PAM</emphasis> system of libraries, will
+      be written to <citerefentry>
+      <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam8-conforming_to'>
+    <title>CONFORMING TO</title>
+    <para>
+      DCE-RFC 86.0, October 1995.
+      Contains additional features, but remains backwardly compatible
+      with this RFC.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam8-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_sm_setcred</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam.conf-desc.xml b/Linux-PAM/doc/man/pam.conf-desc.xml
new file mode 100644
index 00000000..909dcdbe
--- /dev/null
+++ b/Linux-PAM/doc/man/pam.conf-desc.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<section id='pam.conf-desc'>
+  <para>
+    When a <emphasis>PAM</emphasis> aware privilege granting application
+    is started, it activates its attachment to the PAM-API. This
+    activation performs a number of tasks, the most important being the
+    reading of the configuration file(s): <filename>/etc/pam.conf</filename>.
+    Alternatively, this may be the contents of the
+    <filename>/etc/pam.d/</filename> directory. The presence of this
+    directory will cause Linux-PAM to ignore
+    <filename>/etc/pam.conf</filename>.
+  </para>
+  <para>
+    These files list the <emphasis>PAM</emphasis>s that will do the
+    authentication tasks required by this service, and the appropriate
+    behavior of the PAM-API in the event that individual
+    <emphasis>PAM</emphasis>s fail.
+  </para>
+</section>
diff --git a/Linux-PAM/doc/man/pam.conf-dir.xml b/Linux-PAM/doc/man/pam.conf-dir.xml
new file mode 100644
index 00000000..8446cf35
--- /dev/null
+++ b/Linux-PAM/doc/man/pam.conf-dir.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<section id='pam.conf-dir'>
+    <para>
+      More flexible than the single configuration file is it to
+      configure libpam via the contents of the
+      <filename>/etc/pam.d/</filename> directory. In this case the
+      directory is filled with files each of which has a filename
+      equal to a service-name (in lower-case): it is the personal
+      configuration file for the named service.
+    </para>
+
+    <para>
+      The syntax of each file in /etc/pam.d/ is similar to that of the
+      <filename>/etc/pam.conf</filename> file and is made up of lines
+      of the following form:
+    </para>
+
+    <programlisting>
+type  control  module-path  module-arguments
+    </programlisting>
+
+    <para>
+      The only difference being that the service-name is not present. The
+      service-name is of course the name of the given configuration file.
+      For example, <filename>/etc/pam.d/login</filename> contains the
+      configuration for the <emphasis remap='B'>login</emphasis> service.
+    </para>
+</section>
diff --git a/Linux-PAM/doc/man/pam.conf-syntax.xml b/Linux-PAM/doc/man/pam.conf-syntax.xml
new file mode 100644
index 00000000..60c64b75
--- /dev/null
+++ b/Linux-PAM/doc/man/pam.conf-syntax.xml
@@ -0,0 +1,374 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<section id='pam.conf-syntax'>
+  <para>
+    The syntax of the <filename>/etc/pam.conf</filename>
+    configuration file is as follows. The file is made up of a list
+    of rules, each rule is typically placed on a single line,
+    but may be extended with an escaped end of line: `\&lt;LF&gt;'.
+    Comments are preceded with `#' marks and extend to the next end of
+    line.
+  </para>
+
+    <para>
+      The format of each rule is a space separated collection of tokens,
+      the first three being case-insensitive:
+    </para>
+
+    <para>
+      <emphasis remap='B'> service  type  control  module-path  module-arguments</emphasis>
+    </para>
+
+    <para>
+      The syntax of files contained in the <filename>/etc/pam.d/</filename>
+      directory, are identical except for the absence of any
+      <emphasis>service</emphasis> field. In this case, the
+      <emphasis>service</emphasis> is the name of the file in the
+      <filename>/etc/pam.d/</filename> directory. This filename must be
+      in lower case.
+    </para>
+
+    <para>
+      An important feature of <emphasis>PAM</emphasis>, is that a
+      number of rules may be <emphasis>stacked</emphasis> to combine
+      the services of a number of PAMs for a given authentication task.
+    </para>
+
+    <para>
+      The <emphasis>service</emphasis> is typically the familiar name of
+      the corresponding application: <emphasis>login</emphasis> and
+      <emphasis>su</emphasis> are good examples. The
+      <emphasis>service</emphasis>-name, <emphasis>other</emphasis>,
+      is reserved for giving <emphasis>default</emphasis> rules.
+      Only lines that mention the current service (or in the absence
+      of such, the <emphasis>other</emphasis> entries) will be associated
+      with the given service-application.
+    </para>
+
+    <para>
+      The <emphasis>type</emphasis> is the management group that the rule
+      corresponds to. It is used to specify which of the management groups
+      the subsequent module is to be associated with. Valid entries are:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>account</term>
+        <listitem>
+          <para>
+            this module type performs non-authentication based account
+            management. It is typically used to restrict/permit access
+            to a service based on the time of day, currently available
+            system resources (maximum number of users) or perhaps the
+            location of  the applicant user -- 'root' login only on the
+            console.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>auth</term>
+        <listitem>
+          <para>
+            this module type provides two aspects of authenticating
+            the user. Firstly, it establishes that the user is who they
+            claim to be, by instructing the application to prompt the user
+            for a password or other means of identification. Secondly, the
+            module can grant group membership or other privileges through
+            its credential granting properties.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>password</term>
+        <listitem>
+          <para>
+            this module type is required for updating the authentication
+            token associated with the user. Typically, there is one module
+            for each 'challenge/response' based authentication (auth) type.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>session</term>
+        <listitem>
+          <para>
+            this module type is associated with doing things that need to
+            be done for the user before/after they can be given service.
+            Such things include the logging of information concerning the
+            opening/closing of some data exchange with a user, mounting
+            directories, etc.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>
+      The third field, <emphasis>control</emphasis>, indicates the
+      behavior of the PAM-API should the module fail to succeed in its
+      authentication task. There are two types of syntax for this control
+      field: the simple one has a single simple keyword; the more
+      complicated one involves a square-bracketed selection of
+      <emphasis>value=action</emphasis> pairs.
+    </para>
+
+    <para>
+      For the simple (historical) syntax valid <emphasis>control</emphasis>
+      values are:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>required</term>
+        <listitem>
+          <para>
+            failure of such a PAM will ultimately lead to the PAM-API
+            returning failure but only after the remaining
+            <emphasis>stacked</emphasis> modules (for this
+            <emphasis>service</emphasis> and <emphasis>type</emphasis>)
+            have been invoked.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>requisite</term>
+        <listitem>
+          <para>
+            like <emphasis>required</emphasis>, however, in the case that
+            such a module returns a failure, control is directly returned
+            to the application. The return value is that associated with
+            the first required or requisite module to fail. Note, this flag
+            can be used to protect against the possibility of a user getting
+            the opportunity to enter a password over an unsafe medium. It is
+            conceivable that such behavior might inform an attacker of valid
+            accounts on a system. This possibility should be weighed against
+            the not insignificant concerns of exposing a sensitive password
+            in a hostile environment.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>sufficient</term>
+        <listitem>
+          <para>
+            success of such a module is enough to satisfy the
+            authentication requirements of the stack of modules (if a
+            prior <emphasis>required</emphasis> module has failed the
+            success of this one is <emphasis>ignored</emphasis>). A failure
+            of this module is not deemed as fatal to satisfying the
+            application that this type has succeeded. If the module succeeds 
+            the PAM framework returns success to the application immediately
+            without trying any other modules.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>optional</term>
+        <listitem>
+          <para>
+            the success or failure of this module is only important if
+            it is the only module in the stack associated with this
+            <emphasis>service</emphasis>+<emphasis>type</emphasis>.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>include</term>
+        <listitem>
+          <para>
+            include all lines of given type from the configuration
+            file specified as an argument to this control.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>
+      For the more complicated syntax valid <emphasis>control</emphasis>
+      values have the following form:
+    </para>
+    <programlisting>
+      [value1=action1 value2=action2 ...]
+    </programlisting>
+
+    <para>
+      Where <emphasis>valueN</emphasis> corresponds to the return code
+      from the function invoked in the module for which the line is
+      defined. It is selected from one of these:
+      <emphasis>success</emphasis>, <emphasis>open_err</emphasis>,
+      <emphasis>symbol_err</emphasis>, <emphasis>service_err</emphasis>,
+      <emphasis>system_err</emphasis>, <emphasis>buf_err</emphasis>,
+      <emphasis>perm_denied</emphasis>, <emphasis>auth_err</emphasis>,
+      <emphasis>cred_insufficient</emphasis>,
+      <emphasis>authinfo_unavail</emphasis>,
+      <emphasis>user_unknown</emphasis>, <emphasis>maxtries</emphasis>,
+      <emphasis>new_authtok_reqd</emphasis>,
+      <emphasis>acct_expired</emphasis>, <emphasis>session_err</emphasis>,
+      <emphasis>cred_unavail</emphasis>, <emphasis>cred_expired</emphasis>,
+      <emphasis>cred_err</emphasis>, <emphasis>no_module_data</emphasis>,
+      <emphasis>conv_err</emphasis>, <emphasis>authtok_err</emphasis>,
+      <emphasis>authtok_recover_err</emphasis>,
+      <emphasis>authtok_lock_busy</emphasis>,
+      <emphasis>authtok_disable_aging</emphasis>,
+      <emphasis>try_again</emphasis>, <emphasis>ignore</emphasis>,
+      <emphasis>abort</emphasis>, <emphasis>authtok_expired</emphasis>,
+      <emphasis>module_unknown</emphasis>, <emphasis>bad_item</emphasis>
+      and <emphasis>default</emphasis>.
+    </para>
+    <para>
+      The last of these, <emphasis>default</emphasis>, implies 'all
+      <emphasis>valueN</emphasis>'s not mentioned explicitly. Note, the
+      full list of PAM errors is available in
+      <filename>/usr/include/security/_pam_types.h</filename>. The
+      <emphasis>actionN</emphasis> can be: an unsigned integer,
+      <emphasis>n</emphasis>, signifying an action of 'jump over the
+      next <emphasis>n</emphasis> modules in the stack', or take one
+      of the following forms:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>ignore</term>
+        <listitem>
+           <para>
+             when used with a stack of modules, the module's return
+             status will not contribute to the return code the application
+             obtains.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>bad</term>
+        <listitem>
+           <para>
+             this action indicates that the return code should be thought
+             of as indicative of the module failing. If this module is the
+             first in the stack to fail, its status value will be used for
+             that of the whole stack.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>die</term>
+        <listitem>
+           <para>
+             equivalent to bad with the side effect of terminating the
+             module stack and PAM immediately returning to the application.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>ok</term>
+        <listitem>
+           <para>
+             this tells PAM that the administrator thinks this return code
+             should contribute directly to the return code of the full
+             stack of modules. In other words, if the former state of the
+             stack would lead to a return of <emphasis>PAM_SUCCESS</emphasis>,
+             the module's return code will override this value. Note, if
+             the former state of the stack holds some value that is
+             indicative of a modules failure, this 'ok' value will not be
+             used to override that value.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>done</term>
+        <listitem>
+           <para>
+             equivalent to ok with the side effect of terminating the module
+             stack and PAM immediately returning to the application.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>reset</term>
+        <listitem>
+           <para>
+             clear all memory of the state of the module stack and
+             start again with the next stacked module.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>
+      Each of the four keywords: required; requisite; sufficient; and
+      optional, have an equivalent expression in terms of the [...]
+      syntax. They are as follows:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>required</term>
+        <listitem>
+           <para>
+             [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>requisite</term>
+        <listitem>
+           <para>
+             [success=ok new_authtok_reqd=ok ignore=ignore default=die]
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>sufficient</term>
+        <listitem>
+           <para>
+             [success=done new_authtok_reqd=done default=ignore]
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>optional</term>
+        <listitem>
+           <para>
+             [success=ok new_authtok_reqd=ok default=ignore]
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>
+      <emphasis>module-path</emphasis> is either the full filename
+      of the PAM to be used by the application (it begins with a '/'),
+      or a relative pathname from the default module location:
+      <filename>/lib/security/</filename> or
+      <filename>/lib64/security/</filename>, depending on the architecture.
+    </para>
+
+    <para>
+      <emphasis>module-arguments</emphasis> are a space separated list
+      of tokens that can be used to modify the specific behavior of the
+      given PAM. Such arguments will be documented for each individual
+      module. Note, if you wish to include spaces in an argument, you
+      should surround that argument with square brackets.
+    </para>
+    <programlisting>
+    squid auth required pam_mysql.so user=passwd_query passwd=mada \
+          db=eminence [query=select user_name from internet_service \
+          where user_name='%u' and password=PASSWORD('%p') and \
+        service='web_proxy']
+    </programlisting>
+    <para>
+      When using this convention, you can include `[' characters
+      inside the string, and if you wish to include a `]' character
+      inside the string that will survive the argument parsing, you
+      should use `\['. In other words:
+    </para>
+    <programlisting>
+    [..[..\]..]    -->   ..[..]..
+    </programlisting>
+
+    <para>
+      Any line in (one of) the configuration file(s), that is not formatted
+      correctly, will generally tend (erring on the side of caution) to make
+      the authentication process fail.  A corresponding error is written to
+      the system log files with a call to
+      <citerefentry>
+        <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+
+</section>
diff --git a/Linux-PAM/doc/man/pam.conf.5 b/Linux-PAM/doc/man/pam.conf.5
new file mode 100644
index 00000000..3a76ba45
--- /dev/null
+++ b/Linux-PAM/doc/man/pam.conf.5
@@ -0,0 +1,303 @@
+.\"     Title: pam.conf
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: 01/16/2007
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM.CONF" "5" "01/16/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam.conf, pam.d \- PAM configuration files
+.SH "DESCRIPTION"
+.PP
+When a
+\fIPAM\fR
+aware privilege granting application is started, it activates its attachment to the PAM\-API. This activation performs a number of tasks, the most important being the reading of the configuration file(s):
+\fI/etc/pam.conf\fR. Alternatively, this may be the contents of the
+\fI/etc/pam.d/\fR
+directory. The presence of this directory will cause Linux\-PAM to ignore
+\fI/etc/pam.conf\fR.
+.PP
+These files list the
+\fIPAM\fRs that will do the authentication tasks required by this service, and the appropriate behavior of the PAM\-API in the event that individual
+\fIPAM\fRs fail.
+.PP
+The syntax of the
+\fI/etc/pam.conf\fR
+configuration file is as follows. The file is made up of a list of rules, each rule is typically placed on a single line, but may be extended with an escaped end of line: `\\<LF>'. Comments are preceded with `#' marks and extend to the next end of line.
+.PP
+The format of each rule is a space separated collection of tokens, the first three being case\-insensitive:
+.PP
+
+\fB service type control module\-path module\-arguments\fR
+.PP
+The syntax of files contained in the
+\fI/etc/pam.d/\fR
+directory, are identical except for the absence of any
+\fIservice\fR
+field. In this case, the
+\fIservice\fR
+is the name of the file in the
+\fI/etc/pam.d/\fR
+directory. This filename must be in lower case.
+.PP
+An important feature of
+\fIPAM\fR, is that a number of rules may be
+\fIstacked\fR
+to combine the services of a number of PAMs for a given authentication task.
+.PP
+The
+\fIservice\fR
+is typically the familiar name of the corresponding application:
+\fIlogin\fR
+and
+\fIsu\fR
+are good examples. The
+\fIservice\fR\-name,
+\fIother\fR, is reserved for giving
+\fIdefault\fR
+rules. Only lines that mention the current service (or in the absence of such, the
+\fIother\fR
+entries) will be associated with the given service\-application.
+.PP
+The
+\fItype\fR
+is the management group that the rule corresponds to. It is used to specify which of the management groups the subsequent module is to be associated with. Valid entries are:
+.PP
+account
+.RS 4
+this module type performs non\-authentication based account management. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user \-\- 'root' login only on the console.
+.RE
+.PP
+auth
+.RS 4
+this module type provides two aspects of authenticating the user. Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification. Secondly, the module can grant group membership or other privileges through its credential granting properties.
+.RE
+.PP
+password
+.RS 4
+this module type is required for updating the authentication token associated with the user. Typically, there is one module for each 'challenge/response' based authentication (auth) type.
+.RE
+.PP
+session
+.RS 4
+this module type is associated with doing things that need to be done for the user before/after they can be given service. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc.
+.RE
+.PP
+The third field,
+\fIcontrol\fR, indicates the behavior of the PAM\-API should the module fail to succeed in its authentication task. There are two types of syntax for this control field: the simple one has a single simple keyword; the more complicated one involves a square\-bracketed selection of
+\fIvalue=action\fR
+pairs.
+.PP
+For the simple (historical) syntax valid
+\fIcontrol\fR
+values are:
+.PP
+required
+.RS 4
+failure of such a PAM will ultimately lead to the PAM\-API returning failure but only after the remaining
+\fIstacked\fR
+modules (for this
+\fIservice\fR
+and
+\fItype\fR) have been invoked.
+.RE
+.PP
+requisite
+.RS 4
+like
+\fIrequired\fR, however, in the case that such a module returns a failure, control is directly returned to the application. The return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior might inform an attacker of valid accounts on a system. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment.
+.RE
+.PP
+sufficient
+.RS 4
+success of such a module is enough to satisfy the authentication requirements of the stack of modules (if a prior
+\fIrequired\fR
+module has failed the success of this one is
+\fIignored\fR). A failure of this module is not deemed as fatal to satisfying the application that this type has succeeded. If the module succeeds the PAM framework returns success to the application immediately without trying any other modules.
+.RE
+.PP
+optional
+.RS 4
+the success or failure of this module is only important if it is the only module in the stack associated with this
+\fIservice\fR+\fItype\fR.
+.RE
+.PP
+include
+.RS 4
+include all lines of given type from the configuration file specified as an argument to this control.
+.RE
+.PP
+For the more complicated syntax valid
+\fIcontrol\fR
+values have the following form:
+.sp
+.RS 4
+.nf
+      [value1=action1 value2=action2 ...]
+    
+.fi
+.RE
+.PP
+Where
+\fIvalueN\fR
+corresponds to the return code from the function invoked in the module for which the line is defined. It is selected from one of these:
+\fIsuccess\fR,
+\fIopen_err\fR,
+\fIsymbol_err\fR,
+\fIservice_err\fR,
+\fIsystem_err\fR,
+\fIbuf_err\fR,
+\fIperm_denied\fR,
+\fIauth_err\fR,
+\fIcred_insufficient\fR,
+\fIauthinfo_unavail\fR,
+\fIuser_unknown\fR,
+\fImaxtries\fR,
+\fInew_authtok_reqd\fR,
+\fIacct_expired\fR,
+\fIsession_err\fR,
+\fIcred_unavail\fR,
+\fIcred_expired\fR,
+\fIcred_err\fR,
+\fIno_module_data\fR,
+\fIconv_err\fR,
+\fIauthtok_err\fR,
+\fIauthtok_recover_err\fR,
+\fIauthtok_lock_busy\fR,
+\fIauthtok_disable_aging\fR,
+\fItry_again\fR,
+\fIignore\fR,
+\fIabort\fR,
+\fIauthtok_expired\fR,
+\fImodule_unknown\fR,
+\fIbad_item\fR
+and
+\fIdefault\fR.
+.PP
+The last of these,
+\fIdefault\fR, implies 'all
+\fIvalueN\fR's not mentioned explicitly. Note, the full list of PAM errors is available in
+\fI/usr/include/security/_pam_types.h\fR. The
+\fIactionN\fR
+can be: an unsigned integer,
+\fIn\fR, signifying an action of 'jump over the next
+\fIn\fR
+modules in the stack', or take one of the following forms:
+.PP
+ignore
+.RS 4
+when used with a stack of modules, the module's return status will not contribute to the return code the application obtains.
+.RE
+.PP
+bad
+.RS 4
+this action indicates that the return code should be thought of as indicative of the module failing. If this module is the first in the stack to fail, its status value will be used for that of the whole stack.
+.RE
+.PP
+die
+.RS 4
+equivalent to bad with the side effect of terminating the module stack and PAM immediately returning to the application.
+.RE
+.PP
+ok
+.RS 4
+this tells PAM that the administrator thinks this return code should contribute directly to the return code of the full stack of modules. In other words, if the former state of the stack would lead to a return of
+\fIPAM_SUCCESS\fR, the module's return code will override this value. Note, if the former state of the stack holds some value that is indicative of a modules failure, this 'ok' value will not be used to override that value.
+.RE
+.PP
+done
+.RS 4
+equivalent to ok with the side effect of terminating the module stack and PAM immediately returning to the application.
+.RE
+.PP
+reset
+.RS 4
+clear all memory of the state of the module stack and start again with the next stacked module.
+.RE
+.PP
+Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in terms of the [...] syntax. They are as follows:
+.PP
+required
+.RS 4
+[success=ok new_authtok_reqd=ok ignore=ignore default=bad]
+.RE
+.PP
+requisite
+.RS 4
+[success=ok new_authtok_reqd=ok ignore=ignore default=die]
+.RE
+.PP
+sufficient
+.RS 4
+[success=done new_authtok_reqd=done default=ignore]
+.RE
+.PP
+optional
+.RS 4
+[success=ok new_authtok_reqd=ok default=ignore]
+.RE
+.PP
+
+\fImodule\-path\fR
+is either the full filename of the PAM to be used by the application (it begins with a '/'), or a relative pathname from the default module location:
+\fI/lib/security/\fR
+or
+\fI/lib64/security/\fR, depending on the architecture.
+.PP
+
+\fImodule\-arguments\fR
+are a space separated list of tokens that can be used to modify the specific behavior of the given PAM. Such arguments will be documented for each individual module. Note, if you wish to include spaces in an argument, you should surround that argument with square brackets.
+.sp
+.RS 4
+.nf
+    squid auth required pam_mysql.so user=passwd_query passwd=mada \\
+          db=eminence [query=select user_name from internet_service \\
+          where user_name='%u' and password=PASSWORD('%p') and \\
+        service='web_proxy']
+    
+.fi
+.RE
+.PP
+When using this convention, you can include `[' characters inside the string, and if you wish to include a `]' character inside the string that will survive the argument parsing, you should use `\\['. In other words:
+.sp
+.RS 4
+.nf
+    [..[..\\]..]    \-\->   ..[..]..
+    
+.fi
+.RE
+.PP
+Any line in (one of) the configuration file(s), that is not formatted correctly, will generally tend (erring on the side of caution) to make the authentication process fail. A corresponding error is written to the system log files with a call to
+\fBsyslog\fR(3).
+.PP
+More flexible than the single configuration file is it to configure libpam via the contents of the
+\fI/etc/pam.d/\fR
+directory. In this case the directory is filled with files each of which has a filename equal to a service\-name (in lower\-case): it is the personal configuration file for the named service.
+.PP
+The syntax of each file in /etc/pam.d/ is similar to that of the
+\fI/etc/pam.conf\fR
+file and is made up of lines of the following form:
+.sp
+.RS 4
+.nf
+type  control  module\-path  module\-arguments
+    
+.fi
+.RE
+.PP
+The only difference being that the service\-name is not present. The service\-name is of course the name of the given configuration file. For example,
+\fI/etc/pam.d/login\fR
+contains the configuration for the
+\fBlogin\fR
+service.
+.SH "SEE ALSO"
+.PP
+
+\fBpam\fR(3),
+\fBPAM\fR(8),
+\fBpam_start\fR(3)
diff --git a/Linux-PAM/doc/man/pam.conf.8 b/Linux-PAM/doc/man/pam.conf.8
deleted file mode 100644
index d067b559..00000000
--- a/Linux-PAM/doc/man/pam.conf.8
+++ /dev/null
@@ -1 +0,0 @@
-.so pam.8
diff --git a/Linux-PAM/doc/man/pam.d.5 b/Linux-PAM/doc/man/pam.d.5
new file mode 100644
index 00000000..e4606aed
--- /dev/null
+++ b/Linux-PAM/doc/man/pam.d.5
@@ -0,0 +1 @@
+.so man5/pam.conf.5
diff --git a/Linux-PAM/doc/man/pam.d.8 b/Linux-PAM/doc/man/pam.d.8
deleted file mode 100644
index d067b559..00000000
--- a/Linux-PAM/doc/man/pam.d.8
+++ /dev/null
@@ -1 +0,0 @@
-.so pam.8
diff --git a/Linux-PAM/doc/man/pam_acct_mgmt.3 b/Linux-PAM/doc/man/pam_acct_mgmt.3
new file mode 100644
index 00000000..352df7d1
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_acct_mgmt.3
@@ -0,0 +1,68 @@
+.\"     Title: pam_acct_mgmt
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_ACCT_MGMT" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_acct_mgmt \- PAM account validation management
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.HP 18
+.BI "int pam_acct_mgmt(pam_handle_t\ *" "pamh" ", int\ " "flags" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_acct_mgmt\fR
+function is used to determine if the users account is valid. It checks for authentication token and account expiration and verifies access restrictions. It is typically called after the user has been authenticated.
+.PP
+The
+\fIpamh\fR
+argument is an authentication handle obtained by a prior call to pam_start(). The flags argument is the binary or of zero or more of the following values:
+.TP 3n
+PAM_SILENT
+Do not emit any messages.
+.TP 3n
+PAM_DISALLOW_NULL_AUTHTOK
+The PAM module service should return PAM_NEW_AUTHTOK_REQD if the user has a null authentication token.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_ACCT_EXPIRED
+User account has expired.
+.TP 3n
+PAM_AUTH_ERR
+Authentication failure.
+.TP 3n
+PAM_NEW_AUTHTOK_REQD
+The user account is valid but their authentication token is
+\fIexpired\fR. The correct response to this return\-value is to require that the user satisfies the
+\fBpam_chauthtok()\fR
+function before obtaining service. It may not be possible for some applications to do this. In such cases, the user should be denied access until such time as they can update their password.
+.TP 3n
+PAM_PERM_DENIED
+Permission denied.
+.TP 3n
+PAM_SUCCESS
+The authentication token was successfully updated.
+.TP 3n
+PAM_USER_UNKNOWN
+User unknown to password service.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_start\fR(3),
+\fBpam_authenticate\fR(3),
+\fBpam_chauthtok\fR(3),
+\fBpam_strerror\fR(3),
+\fBpam\fR(8)
diff --git a/Linux-PAM/doc/man/pam_acct_mgmt.3.xml b/Linux-PAM/doc/man/pam_acct_mgmt.3.xml
new file mode 100644
index 00000000..72274d1e
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_acct_mgmt.3.xml
@@ -0,0 +1,145 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam_acct_mgmt'>
+  <refmeta>
+    <refentrytitle>pam_acct_mgmt</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_acct_mgmt-name">
+    <refname>pam_acct_mgmt</refname>
+    <refpurpose>PAM account validation management</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id='pam_acct_mgmt-synopsis'>
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_acct_mgmt</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id='pam_acct_mgmt-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_acct_mgmt</function> function is used to determine
+      if the users account is valid. It checks for authentication token
+      and account expiration and verifies access restrictions. It is
+      typically called after the user has been authenticated.
+    </para>
+    <para>
+      The <emphasis>pamh</emphasis> argument is an authentication
+      handle obtained by a prior call to pam_start().
+      The flags argument is the binary or of zero or more of the
+      following values:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SILENT</term>
+        <listitem>
+           <para>
+             Do not emit any messages.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_DISALLOW_NULL_AUTHTOK</term>
+        <listitem>
+          <para>
+            The PAM module service should return PAM_NEW_AUTHTOK_REQD
+            if the user has a null authentication token.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_acct_mgmt-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_ACCT_EXPIRED</term>
+        <listitem>
+           <para>
+             User account has expired.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTH_ERR</term>
+        <listitem>
+          <para>
+            Authentication failure.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_NEW_AUTHTOK_REQD</term>
+        <listitem>
+          <para>
+            The user account is valid but their authentication token
+            is <emphasis>expired</emphasis>. The correct response to
+            this return-value is to require that the user satisfies
+            the <function>pam_chauthtok()</function> function before
+            obtaining service. It may not be possible for some
+            applications to do this. In such cases, the user should be
+            denied access until such time as they can update their password.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_PERM_DENIED</term>
+        <listitem>
+          <para>
+            Permission denied.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             The authentication token was successfully updated.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>
+            User unknown to password service.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_acct_mgmt-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_authenticate.3 b/Linux-PAM/doc/man/pam_authenticate.3
index 7383f5f0..576a7a2c 100644
--- a/Linux-PAM/doc/man/pam_authenticate.3
+++ b/Linux-PAM/doc/man/pam_authenticate.3
@@ -1,91 +1,76 @@
-.\" Hey Emacs! This file is -*- nroff -*- source.
-.\" $Id: pam_authenticate.3,v 1.1.1.1 2000/06/20 22:10:57 agmorgan Exp $
-.\" Copyright (c) Andrew G. Morgan 1996-7 <morgan@parc.power.net>
-.TH PAM_AUTHENTICATE 3 "1996 Dec 9" "Linux-PAM 0.55" "App. Programmers' Manual"
-.SH NAME
-
-pam_authenticate \- authenticate a user
-
-.SH SYNOPSIS
-.B #include <security/pam_appl.h>
+.\"     Title: pam_authenticate
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_AUTHENTICATE" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_authenticate \- account authentication
+.SH "SYNOPSIS"
 .sp
-.BI "int pam_authenticate(pam_handle_t " *pamh ", int  " flags ");"
-.sp 2
-.SH DESCRIPTION
-.B pam_authenticate
-
-.br
-Use this function to authenticate an applicant user.  It is linked
-.I dynamically
-to the authentication modules by
-.BR Linux-PAM ". "
-It is the task of these module to perform such an authentication.  The
-specific nature of the authentication is not the concern of the
-application.
-
-.br
-Following successful completion, the
-.BR name
-of the authenticated user will be present in the
-.BR Linux-PAM
-item
-.BR PAM_USER ". "
-This item may be recovered with a call to
-.BR pam_get_item "(3)."
-
-.br
-The application developer should note that the modules may request
-that the user enter their username via the conversation mechanism (see
-.BR pam_start "(3))."
-Should this be the case, the user-prompt string can be set via
-the
-.BR PAM_USER_PROMPT
-item (see
-.BR pam_set_item "(3))."
-
-.SH "RETURN VALUE"
-On success
-.BR PAM_SUCCESS
-is returned.  All other returns should be considered
-authentication failures and will be
-.I delayed
-by an amount specified with prior calls to
-.BR pam_fail_delay "(3). "
-Specific failures that demand special attention are the following:
-.TP
-.B PAM_ABORT
-the application should exit immediately. Of course,
-.BR pam_end "(3)"
-should be called first.
-
-.TP
-.B PAM_MAXTRIES
-the application has tried too many times to authenticate the
-user, authentication should not be attempted again.
-
-.SH ERRORS
-May be translated to text with
-.BR pam_strerror "(3). "
-
-.SH "CONFORMING TO"
-DCE-RFC 86.0, October 1995.
-
-.SH BUGS
-.sp 2
-none known.
-
-.SH "SEE ALSO"
-
-.BR pam_start "(3), "
-.BR pam_get_item "(3) "
-.BR pam_fail_delay "(3) "
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.HP 21
+.BI "int pam_authenticate(pam_handle_t\ *" "pamh" ", int\ " "flags" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_authenticate\fR
+function is used to authenticate the user. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print.
+.PP
+The PAM service module may request that the user enter their username vio the the conversation mechanism (see
+\fBpam_start\fR(3)
 and
-.BR pam_strerror "(3). "
+\fBpam_conv\fR(3)). The name of the authenticated user will be present in the PAM item PAM_USER. This item may be recovered with a call to
+\fBpam_get_item\fR(3).
+.PP
+The
+\fIpamh\fR
+argument is an authentication handle obtained by a prior call to pam_start(). The flags argument is the binary or of zero or more of the following values:
+.TP 3n
+PAM_SILENT
+Do not emit any messages.
+.TP 3n
+PAM_DISALLOW_NULL_AUTHTOK
+The PAM module service should return PAM_AUTH_ERR if the user does not have a registered authentication token.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_ABORT
+The application should exit immediately after calling
+\fBpam_end\fR(3)
+first.
+.TP 3n
+PAM_AUTH_ERR
+The user was not authenticated.
+.TP 3n
+PAM_CRED_INSUFFICIENT
+For some reason the application does not have sufficient credentials to authenticate the user.
+.TP 3n
+PAM_AUTHINFO_UNVAIL
+The modules were not able to access the authentication information. This might be due to a network or hardware failure etc.
+.TP 3n
+PAM_MAXTRIES
+One or more of the authentication modules has reached its limit of tries authenticating the user. Do not try again.
+.TP 3n
+PAM_SUCCESS
+The user was successfully authenticated.
+.TP 3n
+PAM_USER_UNKNOWN
+User unknown to authentication service.
+.SH "SEE ALSO"
+.PP
 
-Also, see the three
-.BR Linux-PAM
-Guides, for
-.BR "System administrators" ", "
-.BR "module developers" ", "
-and
-.BR "application developers" ". "
+\fBpam_start\fR(3),
+\fBpam_setcred\fR(3),
+\fBpam_chauthtok\fR(3),
+\fBpam_strerror\fR(3),
+\fBpam\fR(8)
diff --git a/Linux-PAM/doc/man/pam_authenticate.3.xml b/Linux-PAM/doc/man/pam_authenticate.3.xml
new file mode 100644
index 00000000..8ddc38c9
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_authenticate.3.xml
@@ -0,0 +1,169 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam_authenticate'>
+  <refmeta>
+    <refentrytitle>pam_authenticate</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_authenticate-name">
+    <refname>pam_authenticate</refname>
+    <refpurpose>account authentication</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id='pam_authenticate-synopsis'>
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_authenticate</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id='pam_authenticate-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_authenticate</function> function is used to
+      authenticate the user. The user is required to provide an
+      authentication token depending upon the authentication service,
+      usually this is a password, but could also be a finger print.
+    </para>
+    <para>
+      The PAM service module may request that the user enter their
+      username vio the the conversation mechanism (see
+      <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> and
+      <citerefentry>
+        <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>). The name of the authenticated user
+       will be present in the PAM item PAM_USER. This item may be
+       recovered with a call to
+      <citerefentry>
+        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+    <para>
+      The <emphasis>pamh</emphasis> argument is an authentication
+      handle obtained by a prior call to pam_start().
+      The flags argument is the binary or of zero or more of the
+      following values:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SILENT</term>
+        <listitem>
+           <para>
+             Do not emit any messages.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_DISALLOW_NULL_AUTHTOK</term>
+        <listitem>
+          <para>
+            The PAM module service should return PAM_AUTH_ERR
+            if the user does not have a registered authentication token.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_authenticate-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_ABORT</term>
+        <listitem>
+          <para>
+            The application should exit immediately after calling
+            <citerefentry>
+              <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry> first.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTH_ERR</term>
+        <listitem>
+          <para>
+            The user was not authenticated.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CRED_INSUFFICIENT</term>
+        <listitem>
+          <para>
+            For some reason the application does not have sufficient
+            credentials to authenticate the user.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHINFO_UNVAIL</term>
+        <listitem>
+          <para>
+            The modules were not able to access the authentication
+            information. This might be due to a network or hardware
+            failure etc.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_MAXTRIES</term>
+        <listitem>
+          <para>
+            One or more of the authentication modules has reached its
+            limit of tries authenticating the user. Do not try again.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             The user was successfully authenticated.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>
+            User unknown to authentication service.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_authenticate-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_chauthtok.3 b/Linux-PAM/doc/man/pam_chauthtok.3
index a0466f0f..16c673b5 100644
--- a/Linux-PAM/doc/man/pam_chauthtok.3
+++ b/Linux-PAM/doc/man/pam_chauthtok.3
@@ -1,101 +1,73 @@
-.\" Hey Emacs! This file is -*- nroff -*- source.
-.\" $Id: pam_chauthtok.3,v 1.1.1.1 2000/06/20 22:10:57 agmorgan Exp $
-.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
-.TH PAM_CHAUTHTOK 3 "1997 Jan 4" "Linux-PAM 0.55" "App. Programmers' Manual"
-.SH NAME
-
+.\"     Title: pam_chauthtok
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_CHAUTHTOK" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
 pam_chauthtok \- updating authentication tokens
-
-.SH SYNOPSIS
-.B #include <security/pam_appl.h>
+.SH "SYNOPSIS"
 .sp
-.BI "int pam_chauthtok(pam_handle_t " *pamh ", int  " flags ");"
-.sp 2
-.SH DESCRIPTION
-.B pam_chauthtok
-
-.br
-Use this function to rejuvenate the authentication tokens (passwords
-etc.) of an applicant user.
-
-.br
-Note, the application should not pre-authenticate the user, as this is
-performed (if required) by the
-.BR Linux-PAM
-framework.
-
-.br
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.HP 18
+.BI "int pam_chauthtok(pam_handle_t\ *" "pamh" ", int\ " "flags" ");"
+.SH "DESCRIPTION"
+.PP
 The
-.I flags
-argument can
-.I optionally
-take the value,
-.BR PAM_CHANGE_EXPIRED_AUTHTOK "."
-In such cases the framework is only required to update those
-authentication tokens that have expired. Without this argument, the
-framework will attempt to obtain new tokens for all configured
-authentication mechanisms. The details of the types and number of such
-schemes should not concern the calling application.
-
-.SH RETURN VALUE
-A successful return from this function will be indicated with
-.BR PAM_SUCCESS "."
-
-.br
-Specific errors of special interest when calling this function are
-
-.br
-.BR PAM_AUTHTOK_ERROR
-- a valid new token was not obtained
-
-.br
-.BR PAM_AUTHTOK_RECOVERY_ERR
-- old authentication token was not available
-
-.br
-.BR PAM_AUTHTOK_LOCK_BUSY
-- a resource needed to update the token was locked (try again later)
-
-.br
-.BR PAM_AUTHTOK_DISABLE_AGING
-- one or more of the authentication modules does not honor
-authentication token aging
-
-.br
-.BR PAM_TRY_AGAIN
-- one or more authentication mechanism is not prepared to update a
-token at this time
-
-.br
-In general other return values may be returned. They should be treated
-as indicating failure.
-
-.SH ERRORS
-May be translated to text with
-.BR pam_strerror "(3). "
-
-.SH "CONFORMING TO"
-DCE-RFC 86.0, October 1995.
-
-.SH BUGS
-.sp 2
-none known.
-
+\fBpam_chauthtok\fR
+function is used to change the authentication token for a given user (as indicated by the state associated with the handle
+\fIpamh\fR).
+.PP
+The
+\fIpamh\fR
+argument is an authentication handle obtained by a prior call to pam_start(). The flags argument is the binary or of zero or more of the following values:
+.TP 3n
+PAM_SILENT
+Do not emit any messages.
+.TP 3n
+PAM_CHANGE_EXPIRED_AUTHTOK
+This argument indicates to the modules that the users authentication token (password) should only be changed if it has expired. If this argument is not passed, the application requires that all authentication tokens are to be changed.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_AUTHTOK_ERR
+A module was unable to obtain the new authentication token.
+.TP 3n
+PAM_AUTHTOK_RECOVERY_ERR
+A module was unable to obtain the old authentication token.
+.TP 3n
+PAM_AUTHTOK_LOCK_BUSY
+One or more of the modules was unable to change the authentication token since it is currently locked.
+.TP 3n
+PAM_AUTHTOK_DISABLE_AGING
+Authentication token aging has been disabled for at least one of the modules.
+.TP 3n
+PAM_PERM_DENIED
+Permission denied.
+.TP 3n
+PAM_SUCCESS
+The authentication token was successfully updated.
+.TP 3n
+PAM_TRY_AGAIN
+Not all of the modules were in a position to update the authentication token(s). In such a case none of the user's authentication tokens are updated.
+.TP 3n
+PAM_USER_UNKNOWN
+User unknown to password service.
 .SH "SEE ALSO"
-
-.BR pam_start "(3), "
-.BR pam_authenticate "(3), "
-.BR pam_setcred "(3), "
-.BR pam_get_item "(3), "
-.BR pam_strerror "(3) "
-and
-.BR pam "(8)."
-
-.br
-Also, see the three
-.BR Linux-PAM
-Guides, for
-.BR "System administrators" ", "
-.BR "module developers" ", "
-and
-.BR "application developers" ". "
+.PP
+
+\fBpam_start\fR(3),
+\fBpam_authenticate\fR(3),
+\fBpam_setcred\fR(3),
+\fBpam_get_item\fR(3),
+\fBpam_strerror\fR(3),
+\fBpam\fR(8)
diff --git a/Linux-PAM/doc/man/pam_chauthtok.3.xml b/Linux-PAM/doc/man/pam_chauthtok.3.xml
new file mode 100644
index 00000000..7e20070b
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_chauthtok.3.xml
@@ -0,0 +1,164 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam_chauthtok'>
+  <refmeta>
+    <refentrytitle>pam_chauthtok</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_chauthtok-name">
+    <refname>pam_chauthtok</refname>
+    <refpurpose>updating authentication tokens</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id='pam_chauthtok-synopsis'>
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_chauthtok</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id='pam_chauthtok-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_chauthtok</function> function is used to change the
+      authentication token for a given user (as indicated by the state
+      associated with the handle <emphasis>pamh</emphasis>).
+    </para>
+    <para>
+      The <emphasis>pamh</emphasis> argument is an authentication 
+      handle obtained by a prior call to pam_start().
+      The flags argument is the binary or of zero or more of the
+      following values:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SILENT</term>
+        <listitem>
+           <para>
+             Do not emit any messages.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CHANGE_EXPIRED_AUTHTOK</term>
+        <listitem>
+          <para>
+            This argument indicates to the modules that the users
+            authentication token (password) should only be changed
+            if it has expired.
+            If this argument is not passed, the application requires
+            that all authentication tokens are to be changed.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_chauthtok-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_AUTHTOK_ERR</term>
+        <listitem>
+           <para>
+             A module was unable to obtain the new authentication token.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHTOK_RECOVERY_ERR</term>
+        <listitem>
+           <para>
+             A module was unable to obtain the old authentication token.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHTOK_LOCK_BUSY</term>
+        <listitem>
+           <para>
+             One or more of the modules was unable to change the
+             authentication token since it is currently locked.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHTOK_DISABLE_AGING</term>
+        <listitem>
+           <para>
+             Authentication token aging has been disabled for at least
+             one of the modules.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_PERM_DENIED</term>
+        <listitem>
+           <para>
+             Permission denied.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             The authentication token was successfully updated.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_TRY_AGAIN</term>
+        <listitem>
+           <para>
+             Not all of the modules were in a position to update the
+             authentication token(s). In such a case none of the user's
+             authentication tokens are updated.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+           <para>
+             User unknown to password service.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_chauthtok-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_close_session.3 b/Linux-PAM/doc/man/pam_close_session.3
index d851700c..622c10e9 100644
--- a/Linux-PAM/doc/man/pam_close_session.3
+++ b/Linux-PAM/doc/man/pam_close_session.3
@@ -1 +1,55 @@
-.so pam_open_session.3
+.\"     Title: pam_close_session
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_CLOSE_SESSION" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_close_session \- terminate PAM session management
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.HP 22
+.BI "int pam_close_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_close_session\fR
+function is used to indicate that an authenticated session has ended. The session should have been created with a call to
+\fBpam_open_session\fR(3).
+.PP
+It should be noted that the effective uid,
+\fBgeteuid\fR(2). of the application should be of sufficient privilege to perform such tasks as unmounting the user's home directory for example.
+.PP
+The flags argument is the binary or of zero or more of the following values:
+.TP 3n
+PAM_SILENT
+Do not emit any messages.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_ABORT
+General failure.
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_SESSION_ERR
+Session failure.
+.TP 3n
+PAM_SUCCESS
+Session was successful terminated.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_open_session\fR(3),
+\fBpam_strerror\fR(3)
diff --git a/Linux-PAM/doc/man/pam_close_session.3.xml b/Linux-PAM/doc/man/pam_close_session.3.xml
new file mode 100644
index 00000000..db549bda
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_close_session.3.xml
@@ -0,0 +1,115 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id='pam_send'>
+
+  <refmeta>
+    <refentrytitle>pam_close_session</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_close_session-name">
+    <refname>pam_close_session</refname>
+    <refpurpose>terminate PAM session management</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id="pam_close_session-synopsis">
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_close_session</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id="pam_close_session-description">
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_close_session</function> function is used
+      to indicate that an authenticated session has ended.
+      The session should have been created with a call to
+      <citerefentry>
+        <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+    <para>
+      It should be noted that the effective uid,
+      <citerefentry>
+        <refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>. of the application should be of sufficient
+      privilege to perform such tasks as unmounting the
+      user's home directory for example.
+    </para>
+    <para>
+      The flags argument is the binary or of zero or more of the
+      following values:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SILENT</term>
+        <listitem>
+           <para>
+             Do not emit any messages.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_close_session-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_ABORT</term>
+        <listitem>
+           <para>
+              General failure.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+              Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SESSION_ERR</term>
+        <listitem>
+           <para>
+             Session failure.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             Session was successful terminated.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_close_session-see_also">
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_conv.3 b/Linux-PAM/doc/man/pam_conv.3
new file mode 100644
index 00000000..34b61fb3
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_conv.3
@@ -0,0 +1,129 @@
+.\"     Title: pam_conv
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_CONV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_conv \- PAM conversation function
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.sp
+.RS 3n
+.nf
+struct pam_message {
+    int msg_style;
+    const char *msg;
+};
+
+struct pam_response {
+    char *resp;
+    int resp_retcode;
+};
+
+struct pam_conv {
+    int (*conv)(int num_msg, const struct pam_message **msg,
+                struct pam_response **resp, void *appdata_ptr);
+    void *appdata_ptr;
+};
+    
+.fi
+.RE
+.SH "DESCRIPTION"
+.PP
+The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application. This callback is specified by the
+\fIstruct pam_conv\fR
+passed to
+\fBpam_start\fR(3)
+at the start of the transaction.
+.PP
+When a module calls the referenced conv() function, the argument
+\fIappdata_ptr\fR
+is set to the second element of this structure.
+.PP
+The other arguments of a call to conv() concern the information exchanged by module and application. That is to say,
+\fInum_msg\fR
+holds the length of the array of pointers,
+\fImsg\fR. After a successful return, the pointer
+\fIresp\fR
+points to an array of pam_response structures, holding the application supplied text. The
+\fIresp_retcode\fR
+member of this struct is unused and should be set to zero. It is the caller's responsibility to release both, this array and the responses themselves, using
+\fBfree\fR(3). Note,
+\fI*resp\fR
+is a
+\fIstruct pam_response\fR
+array and not an array of pointers.
+.PP
+The number of responses is always equal to the
+\fInum_msg\fR
+conversation function argument. This does require that the response array is
+\fBfree\fR(3)'d after every call to the conversation function. The index of the responses corresponds directly to the prompt index in the pam_message array.
+.PP
+On failure, the conversation function should release any resources it has allocated, and return one of the predefined PAM error codes.
+.PP
+Each message can have one of four types, specified by the
+\fImsg_style\fR
+member of
+\fIstruct pam_message\fR:
+.TP 3n
+PAM_PROMPT_ECHO_OFF
+Obtain a string without echoing any text.
+.TP 3n
+PAM_PROMPT_ECHO_ON
+Obtain a string whilst echoing text.
+.TP 3n
+PAM_ERROR_MSG
+Display an error message.
+.TP 3n
+PAM_TEXT_INFO
+Display some text.
+.PP
+The point of having an array of messages is that it becomes possible to pass a number of things to the application in a single call from the module. It can also be convenient for the application that related things come at once: a windows based application can then present a single form with many messages/prompts on at once.
+.PP
+In passing, it is worth noting that there is a descrepency between the way Linux\-PAM handles the const struct pam_message **msg conversation function argument from the way that Solaris' PAM (and derivitives, known to include HP/UX, are there others?) does. Linux\-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with the commonly used prototypes for argv argument to the familiar main() function: char **argv; and char *argv[]). Said another way Linux\-PAM interprets the msg argument as a pointer to an array of num_meg read only 'struct pam_message' pointers. Solaris' PAM implementation interprets this argument as a pointer to a pointer to an array of num_meg pam_message structures. Fortunately, perhaps, for most module/application developers when num_msg has a value of one these two definitions are entirely equivalent. Unfortunately, casually raising this number to two has led to unanticipated compatibility problems.
+.PP
+For what its worth the two known module writer work\-arounds for trying to maintain source level compatibility with both PAM implementations are:
+.TP 3n
+\(bu
+never call the conversation function with num_msg greater than one.
+.TP 3n
+\(bu
+set up msg as doubly referenced so both types of conversation function can find the messages. That is, make
+.sp
+.RS 3n
+.nf
+       msg[n] = & (( *msg )[n])
+       
+.fi
+.RE
+.SH "RETURN VALUES"
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_CONV_ERR
+Conversation failure. The application should not set
+\fI*resp\fR.
+.TP 3n
+PAM_SUCCESS
+Success.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_start\fR(3),
+\fBpam_set_item\fR(3),
+\fBpam_get_item\fR(3),
+\fBpam_strerror\fR(3),
+\fBpam\fR(8)
diff --git a/Linux-PAM/doc/man/pam_conv.3.xml b/Linux-PAM/doc/man/pam_conv.3.xml
new file mode 100644
index 00000000..73bb37cc
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_conv.3.xml
@@ -0,0 +1,228 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam_conv'>
+  <refmeta>
+    <refentrytitle>pam_conv</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_conv-name">
+    <refname>pam_conv</refname>
+    <refpurpose>PAM conversation function</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id="pam_conv-synopsis">
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+    </funcsynopsis>
+    <programlisting>
+struct pam_message {
+    int msg_style;
+    const char *msg;
+};
+
+struct pam_response {
+    char *resp;
+    int resp_retcode;
+};
+
+struct pam_conv {
+    int (*conv)(int num_msg, const struct pam_message **msg,
+                struct pam_response **resp, void *appdata_ptr);
+    void *appdata_ptr;
+};
+    </programlisting>
+  </refsynopsisdiv>
+
+  <refsect1 id='pam_conv-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The PAM library uses an application-defined callback to allow
+      a direct communication between a loaded module and the application.
+      This callback is specified by the
+      <emphasis>struct pam_conv</emphasis> passed to
+      <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      at the start of the transaction.
+    </para>
+    <para>
+      When a module calls the referenced conv() function, the argument
+      <emphasis>appdata_ptr</emphasis> is set to the second element of
+      this structure.
+    </para>
+    <para>
+      The other arguments of a call to conv() concern the information
+      exchanged by module and application. That is to say,
+      <emphasis>num_msg</emphasis> holds the length of the array of
+      pointers, <emphasis>msg</emphasis>. After a successful return, the
+      pointer <emphasis>resp</emphasis> points to an array of pam_response
+      structures, holding the application supplied text. The
+      <emphasis>resp_retcode</emphasis> member of this struct is unused and
+      should be set to zero. It is the caller's responsibility to release
+      both, this array and the responses themselves, using
+      <citerefentry>
+        <refentrytitle>free</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>. Note, <emphasis>*resp</emphasis> is a
+      <emphasis>struct pam_response</emphasis> array and not an array of
+      pointers.
+    </para>
+    <para>
+      The number of responses is always equal to the
+      <emphasis>num_msg</emphasis> conversation function argument.
+      This does require that the response array is
+      <citerefentry>
+        <refentrytitle>free</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>'d after
+      every call to the conversation function.  The index of the
+      responses corresponds directly to the prompt index in the
+      pam_message array.
+    </para>
+    <para>
+      On failure, the conversation function should release any resources
+      it has allocated, and return one of the predefined PAM error codes.
+    </para>
+    <para>
+      Each message can have one of four types, specified by the
+      <emphasis>msg_style</emphasis> member of
+      <emphasis>struct pam_message</emphasis>:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_PROMPT_ECHO_OFF</term>
+        <listitem>
+           <para>
+             Obtain a string without echoing any text.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_PROMPT_ECHO_ON</term>
+        <listitem>
+          <para>
+            Obtain a string whilst echoing text.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_ERROR_MSG</term>
+        <listitem>
+          <para>
+            Display an error message.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_TEXT_INFO</term>
+        <listitem>
+          <para>
+            Display some text.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+    <para>
+      The point of having an array of messages is that it becomes possible
+      to pass a number of things to the application in a single call from
+      the module. It can also be convenient for the application that related
+      things come at once: a windows based application can then present a
+      single form with many messages/prompts on at once.
+    </para>
+    <para>
+      In passing, it is worth noting that there is a descrepency between
+      the way Linux-PAM handles the const struct pam_message **msg
+      conversation function argument from the way that Solaris' PAM
+      (and derivitives, known to include HP/UX, are there others?) does.
+      Linux-PAM interprets the msg argument as entirely equivalent to the
+      following prototype
+  const struct pam_message *msg[] (which, in spirit, is consistent with
+  the commonly used prototypes for argv argument to the familiar main()
+  function: char **argv; and char *argv[]). Said another way Linux-PAM
+  interprets the msg argument as a pointer to an array of num_meg read
+  only 'struct pam_message' pointers.  Solaris' PAM implementation
+  interprets this argument as a pointer to a pointer to an array of
+  num_meg pam_message structures.  Fortunately, perhaps, for most
+  module/application developers when num_msg has a value of one these
+  two definitions are entirely equivalent. Unfortunately, casually
+  raising this number to two has led to unanticipated compatibility
+  problems.
+    </para>
+    <para>
+  For what its worth the two known module writer work-arounds for trying
+  to maintain source level compatibility with both PAM implementations
+  are:
+    </para>
+   <itemizedlist>
+      <listitem>
+        <para>
+          never call the conversation function with num_msg greater than one.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          set up msg as doubly referenced so both types of conversation
+          function can find the messages. That is, make
+        </para>
+        <programlisting>
+       msg[n] = &amp; (( *msg )[n])
+       </programlisting>
+      </listitem>
+    </itemizedlist>
+  </refsect1>
+
+  <refsect1 id="pam_conv-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+             Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CONV_ERR</term>
+        <listitem>
+           <para>
+             Conversation failure. The application should not set
+             <emphasis>*resp</emphasis>.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             Success.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_conv-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_end.3 b/Linux-PAM/doc/man/pam_end.3
index de999f24..27cf95d2 100644
--- a/Linux-PAM/doc/man/pam_end.3
+++ b/Linux-PAM/doc/man/pam_end.3
@@ -1 +1,69 @@
-.so pam_start.3
+.\"     Title: pam_end
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_END" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_end \- termination of PAM transaction
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.HP 12
+.BI "int pam_end(pam_handle_t\ *" "pamh" ", int\ " "pam_status" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_end\fR
+function terminates the PAM transaction and is the last function an application should call in the PAM contenxt. Upon return the handle
+\fIpamh\fR
+is no longer valid and all memory associated with it will be invalid.
+.PP
+The
+\fIpam_status\fR
+argument should be set to the value returned to the application by the last PAM library call.
+.PP
+The value taken by
+\fIpam_status\fR
+is used as an argument to the module specific callback function,
+\fBcleanup()\fR
+(See
+\fBpam_set_data\fR(3)
+and
+\fBpam_get_data\fR(3)). In this way the module can be given notification of the pass/fail nature of the tear\-down process, and perform any last minute tasks that are appropriate to the module before it is unlinked. This argument can be logically OR'd with
+\fIPAM_DATA_SILENT\fR
+to indicate to indicate that the module should not treat the call too seriously. It is generally used to indicate that the current closing of the library is in a
+\fBfork\fR(2)ed process, and that the parent will take care of cleaning up things that exist outside of the current process space (files etc.).
+.PP
+This function
+\fIfree\fR's all memory for items associated with the
+\fBpam_set_item\fR(3)
+and
+\fBpam_get_item\fR(3)
+functions. Pointers associated with such objects are not valid anymore after
+\fBpam_end\fR
+was called.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_SUCCESS
+Transaction was successful terminated.
+.TP 3n
+PAM_SYSTEM_ERR
+System error, for example a NULL pointer was submitted as PAM handle or the function was called by a module.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_get_data\fR(3),
+\fBpam_set_data\fR(3),
+\fBpam_start\fR(3),
+\fBpam_strerror\fR(3)
diff --git a/Linux-PAM/doc/man/pam_end.3.xml b/Linux-PAM/doc/man/pam_end.3.xml
new file mode 100644
index 00000000..fd4a4250
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_end.3.xml
@@ -0,0 +1,122 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id='pam_end'>
+
+  <refmeta>
+    <refentrytitle>pam_end</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_end-name">
+    <refname>pam_end</refname>
+    <refpurpose>termination of PAM transaction</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id="pam_end-synopsis">
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_end</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>pam_status</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id="pam_end-description">
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_end</function> function terminates the PAM
+      transaction and is the last function an application should call
+      in the PAM contenxt.  Upon return the handle <emphasis>pamh</emphasis>
+      is no longer valid and all memory associated with it will be
+      invalid.
+    </para>
+    <para>
+      The <emphasis>pam_status</emphasis> argument should be set to
+      the value returned to the application by the last PAM
+      library call.
+    </para>
+    <para>
+      The value taken by <emphasis>pam_status</emphasis> is used as
+      an argument to the module specific callback function,
+      <function>cleanup()</function>
+      (See <citerefentry>
+         <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> and
+      <citerefentry>
+        <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>). In this way the module can be given notification
+      of the pass/fail nature of the tear-down process, and perform any
+      last minute tasks that are appropriate to the module before it is
+      unlinked. This argument can be logically OR'd with
+      <emphasis>PAM_DATA_SILENT</emphasis> to indicate to indicate that
+      the module should not treat the call too seriously. It is generally
+      used to indicate that the current closing of the library is in a
+      <citerefentry>
+        <refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>ed
+      process, and that the parent will take care of cleaning up things
+      that exist outside of the current process space (files etc.).
+    </para>
+
+    <para>
+      This function <emphasis>free</emphasis>'s all memory for items
+      associated with the
+      <citerefentry>
+        <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> and
+      <citerefentry>
+        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> functions. Pointers associated with such objects
+      are not valid anymore after <function>pam_end</function> was called.
+    </para>
+
+  </refsect1>
+  <refsect1 id="pam_end-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             Transaction was successful terminated.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SYSTEM_ERR</term>
+        <listitem>
+           <para>
+              System error, for example a NULL pointer was submitted
+              as PAM handle or the function was called by a module.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_end-see_also">
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_error.3 b/Linux-PAM/doc/man/pam_error.3
new file mode 100644
index 00000000..f295f98b
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_error.3
@@ -0,0 +1,66 @@
+.\"     Title: pam_error
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_ERROR" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_error, pam_verror \- display error messages to the user
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_ext.h>
+.fi
+.ft
+.HP 14
+.BI "int pam_error(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "..." ");"
+.HP 15
+.BI "int pam_verror(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", va_list\ " "args" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_error\fR
+function prints error messages through the conversation function to the user.
+.PP
+The
+\fBpam_verror\fR
+function performs the same task as
+\fBpam_error()\fR
+with the difference that it takes a set of arguments which have been obtained using the
+\fBstdarg\fR(3)
+variable argument list macros.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_CONV_ERR
+Conversation failure.
+.TP 3n
+PAM_SUCCESS
+Error message was displayed.
+.TP 3n
+PAM_SYSTEM_ERR
+System error.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_info\fR(3),
+\fBpam_vinfo\fR(3),
+\fBpam_prompt\fR(3),
+\fBpam_vprompt\fR(3),
+\fBpam\fR(8)
+.SH "STANDARDS"
+.PP
+The
+\fBpam_error\fR
+and
+\fBpam_verror\fR
+functions are Linux\-PAM extensions.
diff --git a/Linux-PAM/doc/man/pam_error.3.xml b/Linux-PAM/doc/man/pam_error.3.xml
new file mode 100644
index 00000000..de167f2c
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_error.3.xml
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id="pam_error">
+
+  <refmeta>
+    <refentrytitle>pam_error</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_error-name">
+    <refname>pam_error</refname>
+    <refname>pam_verror</refname>
+    <refpurpose>display error messages to the user</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv id="pam_error-synopsis">
+    <funcsynopsis>
+      <funcsynopsisinfo>#include &lt;security/pam_ext.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_error</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>const char *<parameter>fmt</parameter></paramdef>
+        <paramdef><parameter>...</parameter></paramdef>
+      </funcprototype>
+      <funcprototype>
+        <funcdef>int <function>pam_verror</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>const char *<parameter>fmt</parameter></paramdef>
+        <paramdef>va_list <parameter>args</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='pam_error-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_error</function> function prints error messages
+      through the conversation function to the user.
+    </para>
+    <para>
+      The <function>pam_verror</function> function performs the same
+      task as <function>pam_error()</function> with the difference
+      that it takes a set of arguments which have been obtained using
+      the <citerefentry>
+        <refentrytitle>stdarg</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> variable argument list macros.
+    </para>
+  </refsect1>
+  <refsect1 id="pam_error-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+              Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CONV_ERR</term>
+        <listitem>
+           <para>
+              Conversation failure.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             Error message was displayed.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SYSTEM_ERR</term>
+        <listitem>
+           <para>
+              System error.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_error-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_info</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_vinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_prompt</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_vprompt</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_error-standards'>
+    <title>STANDARDS</title>
+    <para>
+      The <function>pam_error</function> and <function>pam_verror</function>
+      functions are Linux-PAM extensions.
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_fail_delay.3 b/Linux-PAM/doc/man/pam_fail_delay.3
index 3b72f3d9..000276ed 100644
--- a/Linux-PAM/doc/man/pam_fail_delay.3
+++ b/Linux-PAM/doc/man/pam_fail_delay.3
@@ -1,130 +1,130 @@
-.\" Hey Emacs! This file is -*- nroff -*- source.
-.\" $Id: pam_fail_delay.3,v 1.1.1.1 2000/06/20 22:10:58 agmorgan Exp $
-.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
-.TH PAM_FAIL_DELAY 3 "1997 Jan 12" "Linux-PAM 0.56" "Programmers' Manual"
-.SH NAME
-
+.\"     Title: pam_fail_delay
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 08/01/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_FAIL_DELAY" "3" "08/01/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
 pam_fail_delay \- request a delay on failure
-
-.SH SYNOPSIS
-.B #include <security/pam_appl.h>
-.br
-or,
-.br
-.B #include <security/pam_modules.h>
+.SH "SYNOPSIS"
 .sp
-.BI "int pam_fail_delay(pam_handle_t " "*pamh" ", unsigned int " "usec" ");"
-.sp 2
-.SH DESCRIPTION
-.br
-It is often possible to attack an authentication scheme by exploiting
-the time it takes the scheme to deny access to an applicant user.  In
-cases of
-.I short
-timeouts, it may prove possible to attempt a
-.I brute force
-dictionary attack -- with an automated process, the attacker tries all
-possible passwords to gain access to the system.  In other cases,
-where individual failures can take measurable amounts of time
-(indicating the nature of the failure), an attacker can obtain useful
-information about the authentication process.  These latter attacks
-make use of procedural delays that constitute a
-.I covert channel
-of useful information.
-
-.br
-To minimize the effectiveness of such attacks, it is desirable to
-introduce a random delay in a failed authentication process.
-.B Linux-PAM
-provides such a facility.  The delay occurs upon failure of the
-.BR pam_authenticate "(3) "
-and
-.BR pam_chauthtok "(3) "
-functions.  It occurs
-.I after
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.HP 19
+.BI "int pam_fail_delay(pam_handle_t\ *" "pamh" ", unsigned\ int\ " "usec" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_fail_delay\fR
+function provides a mechanism by which an application or module can suggest a minimum delay of
+\fIusec\fR
+micro\-seconds. The function keeps a record of the longest time requested with this function. Should
+\fBpam_authenticate\fR(3)
+fail, the failing return to the application is delayed by an amount of time randomly distributed (by up to 25%) about this longest value.
+.PP
+Independent of success, the delay time is reset to its zero default value when the PAM service module returns control to the application. The delay occurs
+\fIafter\fR
 all authentication modules have been called, but
-.I before
+\fIbefore\fR
 control is returned to the service application.
-
-.br
-The function,
-.BR pam_fail_delay "(3),"
-is used to specify a required minimum for the length of the
-failure-delay; the
-.I usec
-argument.  This function can be called by the service application
-and/or the authentication modules, both may have an interest in
-delaying a reapplication for service by the user.  The length of the
-delay is computed at the time it is required.  Its length is
-pseudo-gausianly distributed about the
-.I maximum
-requested value; the resultant delay will differ by as much as 25% of
-this maximum requested value (both up and down).
-
-.br
-On return from
-.BR pam_authenticate "(3) or " pam_chauthtok "(3),"
-independent of success or failure, the new requested delay is reset to
-its default value: zero.
-
-.SH EXAMPLE
-.br
-For example, a
-.B login
-application may require a failure delay of roughly 3 seconds. It will
-contain the following code:
+.PP
+When using this function the programmer should check if it is available with:
 .sp
-.br
-.B "     pam_fail_delay(pamh, 3000000 /* micro-seconds */ );"
-.br
-.B "     pam_authenticate(pamh, 0);"
+.RS 3n
+.nf
+#ifdef HAVE_PAM_FAIL_DELAY
+    ....
+#endif /* HAVE_PAM_FAIL_DELAY */
+      
+.fi
+.RE
+.PP
+For applications written with a single thread that are event driven in nature, generating this delay may be undesirable. Instead, the application may want to register the delay in some other way. For example, in a single threaded server that serves multiple authentication requests from a single event loop, the application might want to simply mark a given connection as blocked until an application timer expires. For this reason the delay function can be changed with the
+\fIPAM_FAIL_DELAY\fR
+item. It can be queried and set with
+\fBpam_get_item\fR(3)
+and
+\fBpam_set_item \fR(3)
+respectively. The value used to set it should be a function pointer of the following prototype:
 .sp
-.br
-if the modules do not request a delay, the failure delay will be
-between 2.25 and 3.75 seconds.
-
-.br
-However, the modules, invoked in the authentication process, may
-also request delays:
+.RS 3n
+.nf
+void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr);
+      
+.fi
+.RE
 .sp
-.br
-.RB "  (module #1)   " "pam_fail_delay(pamh, 2000000);"
+The arguments being the
+\fIretval\fR
+return code of the module stack, the
+\fIusec_delay\fR
+micro\-second delay that libpam is requesting and the
+\fIappdata_ptr\fR
+that the application has associated with the current
+\fIpamh\fR. This last value was set by the application when it called
+\fBpam_start\fR(3)
+or explicitly with
+\fBpam_set_item\fR(3). Note, if PAM_FAIL_DELAY item is unset (or set to NULL), then no delay will be performed.
+.SH "RATIONALE"
+.PP
+It is often possible to attack an authentication scheme by exploiting the time it takes the scheme to deny access to an applicant user. In cases of
+\fIshort\fR
+timeouts, it may prove possible to attempt a
+\fIbrute force\fR
+dictionary attack \-\- with an automated process, the attacker tries all possible passwords to gain access to the system. In other cases, where individual failures can take measurable amounts of time (indicating the nature of the failure), an attacker can obtain useful information about the authentication process. These latter attacks make use of procedural delays that constitute a
+\fIcovert channel\fR
+of useful information.
+.PP
+To minimize the effectiveness of such attacks, it is desirable to introduce a random delay in a failed authentication process. Preferable this value should be set by the application or a special PAM module. Standard PAM modules should not modify the delay unconditional.
+.SH "EXAMPLE"
+.PP
+For example, a login application may require a failure delay of roughly 3 seconds. It will contain the following code:
 .sp
-.br
-.RB "  (module #2)   " "pam_fail_delay(pamh, 4000000);"
+.RS 3n
+.nf
+    pam_fail_delay (pamh, 3000000 /* micro\-seconds */ );
+    pam_authenticate (pamh, 0);
+    
+.fi
+.RE
+.PP
+if the modules do not request a delay, the failure delay will be between 2.25 and 3.75 seconds.
+.PP
+However, the modules, invoked in the authentication process, may also request delays:
 .sp
-.br
-in this case, it is the largest requested value that is used to
-compute the actual failed delay: here between 3 and 5 seconds.
-
-.SH "RETURN VALUE"
-Following a successful call to
-.BR pam_fail_delay "(3), " PAM_SUCCESS
-is returned.  All other returns should be considered serious failures.
-
-.SH ERRORS
-May be translated to text with
-.BR pam_strerror "(3). "
-
-.SH "CONFORMING TO"
-Under consideration by the X/Open group for future inclusion in the
-PAM RFC. 1996/1/10
-
-.SH BUGS
-.sp 2
-none known.
-
+.RS 3n
+.nf
+module #1:    pam_fail_delay (pamh, 2000000);
+module #2:    pam_fail_delay (pamh, 4000000);
+    
+.fi
+.RE
+.PP
+in this case, it is the largest requested value that is used to compute the actual failed delay: here between 3 and 5 seconds.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_SUCCESS
+Delay was successful adjusted.
+.TP 3n
+PAM_SYSTEM_ERR
+A NULL pointer was submitted as PAM handle.
 .SH "SEE ALSO"
+.PP
 
-.BR pam_start "(3), "
-.BR pam_get_item "(3) "
-and
-.BR pam_strerror "(3). "
-
-Also, see the three
-.BR Linux-PAM
-Guides, for
-.BR "System administrators" ", "
-.BR "module developers" ", "
-and
-.BR "application developers" ". "
+\fBpam_start\fR(3),
+\fBpam_get_item\fR(3),
+\fBpam_strerror\fR(3)
+.SH "STANDARDS"
+.PP
+The
+\fBpam_fail_delay\fR
+function is an Linux\-PAM extension.
diff --git a/Linux-PAM/doc/man/pam_fail_delay.3.xml b/Linux-PAM/doc/man/pam_fail_delay.3.xml
new file mode 100644
index 00000000..a101cf39
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_fail_delay.3.xml
@@ -0,0 +1,202 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id="pam_fail_delay">
+
+  <refmeta>
+    <refentrytitle>pam_fail_delay</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_fail_delay-name">
+    <refname>pam_fail_delay</refname>
+    <refpurpose>request a delay on failure</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id="pam_fail_delay-synopsis">
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_fail_delay</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>unsigned int <parameter>usec</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='pam_fail_delay-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_fail_delay</function> function provides a
+      mechanism by which an application or module can suggest a minimum
+      delay of <emphasis>usec</emphasis> micro-seconds. The
+      function  keeps a record of the longest time requested with this
+      function. Should
+      <citerefentry>
+        <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> fail, the failing return to the application is
+      delayed by an amount of time randomly distributed (by up to 25%)
+      about this longest value.
+    </para>
+    <para>
+      Independent of success, the delay time is reset to its zero
+      default value when the PAM service module returns control to
+      the application. The delay occurs <emphasis>after</emphasis> all
+      authentication modules have been called, but <emphasis>before</emphasis>
+      control is returned to the service application.
+    </para>
+    <para>
+      When using this function the programmer should check if it is
+      available with:
+    </para>
+      <programlisting>
+#ifdef HAVE_PAM_FAIL_DELAY
+    ....
+#endif /* HAVE_PAM_FAIL_DELAY */
+      </programlisting>
+
+    <para>
+      For applications written with a single thread that are event
+      driven in nature, generating this delay may be undesirable.
+      Instead, the application may want to register the delay in some
+      other way. For example, in a single threaded server that serves
+      multiple authentication requests from a single event loop, the
+      application might want to simply mark a given connection as
+      blocked until an application timer expires. For this reason
+      the delay function can be changed with the
+      <emphasis>PAM_FAIL_DELAY</emphasis> item. It can be queried and
+      set with
+      <citerefentry>
+        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      and
+      <citerefentry>
+        <refentrytitle>pam_set_item </refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>  respectively. The value used to set it should be
+      a function pointer of the following prototype:
+      <programlisting>
+void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr);
+      </programlisting>
+      The arguments being the <emphasis>retval</emphasis> return code
+      of the module stack, the <emphasis>usec_delay</emphasis>
+      micro-second delay that libpam is requesting and the
+      <emphasis>appdata_ptr</emphasis> that the application has associated
+      with the current <emphasis>pamh</emphasis>. This last value was set
+      by the application when it called
+      <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> or explicitly with
+      <citerefentry>
+        <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+      Note, if PAM_FAIL_DELAY item is unset (or set to NULL), then no delay
+      will be performed.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_fail_delay-rationale'>
+    <title>RATIONALE</title>
+    <para>
+      It is often possible to attack an authentication scheme by exploiting
+      the time it takes the scheme to deny access to an applicant user.  In
+      cases of <emphasis>short</emphasis> timeouts, it may prove possible
+      to attempt a <emphasis>brute force</emphasis> dictionary attack --
+      with an automated process, the attacker tries all possible passwords
+      to gain access to the system. In other cases, where individual
+      failures can take measurable amounts of time (indicating the nature
+      of the failure), an attacker can obtain useful information about the
+      authentication process. These latter attacks make use of procedural
+      delays that constitute a <emphasis>covert channel</emphasis>
+      of useful information.
+    </para>
+    <para>
+      To minimize the effectiveness of such attacks, it is desirable to
+      introduce a random delay in a failed authentication process.
+      Preferable this value should be set by the application or a special
+      PAM module. Standard PAM modules should not modify the delay
+      unconditional.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_fail_delay-example'>
+    <title>EXAMPLE</title>
+    <para>
+      For example, a login application may require a failure delay of
+      roughly 3 seconds. It will contain the following code:
+    </para>
+    <programlisting>
+    pam_fail_delay (pamh, 3000000 /* micro-seconds */ );
+    pam_authenticate (pamh, 0);
+    </programlisting>
+
+    <para>
+      if the modules do not request a delay, the failure delay will be
+      between 2.25 and 3.75 seconds.
+    </para>
+
+    <para>
+      However, the modules, invoked in the authentication process, may
+      also request delays:
+    </para>
+
+    <programlisting>
+module #1:    pam_fail_delay (pamh, 2000000);
+module #2:    pam_fail_delay (pamh, 4000000);
+    </programlisting>
+
+    <para>
+      in this case, it is the largest requested value that is used to
+      compute the actual failed delay: here between 3 and 5 seconds.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_fail_delay-return_values'>
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+            Delay was successful adjusted.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SYSTEM_ERR</term>
+        <listitem>
+           <para>
+             A NULL pointer was submitted as PAM handle.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_fail_delay-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_fail_delay-standards'>
+    <title>STANDARDS</title>
+    <para>
+      The <function>pam_fail_delay</function> function is an
+      Linux-PAM extension.
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_get_data.3 b/Linux-PAM/doc/man/pam_get_data.3
new file mode 100644
index 00000000..cacec733
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_get_data.3
@@ -0,0 +1,60 @@
+.\"     Title: pam_get_data
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_GET_DATA" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_get_data \- get module internal data
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_modules.h>
+.fi
+.ft
+.HP 17
+.BI "int pam_get_data(const\ pam_handle_t\ *" "pamh" ", const\ char\ *" "module_data_name" ", const\ void\ **" "data" ");"
+.SH "DESCRIPTION"
+.PP
+This function together with the
+\fBpam_set_data\fR(3)
+function is useful to manage module\-specific data meaningful only to the calling PAM module.
+.PP
+The
+\fBpam_get_data\fR
+function looks up the object associated with the (hopefully) unique string
+\fImodule_data_name\fR
+in the PAM context specified by the
+\fIpamh\fR
+argument. A successful call to
+\fBpam_get_data\fR
+will result in
+\fIdata\fR
+pointing to the object. Note, this data is
+\fInot\fR
+a copy and should be treated as
+\fIconstant\fR
+by the module.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_SUCCESS
+Data was successful retrieved.
+.TP 3n
+PAM_SYSTEM_ERR
+A NULL pointer was submitted as PAM handle or the function was called by an application.
+.TP 3n
+PAM_NO_MODULE_DATA
+Module data not found or there is an entry, but it has the value NULL.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_end\fR(3),
+\fBpam_set_data\fR(3),
+\fBpam_strerror\fR(3)
diff --git a/Linux-PAM/doc/man/pam_get_data.3.xml b/Linux-PAM/doc/man/pam_get_data.3.xml
new file mode 100644
index 00000000..e84e5a4c
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_get_data.3.xml
@@ -0,0 +1,108 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id='pam_get_data'>
+
+  <refmeta>
+    <refentrytitle>pam_get_data</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id='pam_get_data-name'>
+    <refname>pam_get_data</refname>
+    <refpurpose>
+       get module internal data
+    </refpurpose>
+  </refnamediv>
+
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+
+   <funcsynopsis id="pam_get_data-synopsis">
+     <funcsynopsisinfo>#include &lt;security/pam_modules.h&gt;</funcsynopsisinfo>
+     <funcprototype>
+       <funcdef>int <function>pam_get_data</function></funcdef>
+       <paramdef>const pam_handle_t *<parameter>pamh</parameter></paramdef>
+       <paramdef>const char *<parameter>module_data_name</parameter></paramdef>
+       <paramdef>const void **<parameter>data</parameter></paramdef>
+     </funcprototype>
+   </funcsynopsis>
+
+  </refsynopsisdiv>
+
+
+  <refsect1 id="pam_get_data-description">
+    <title>DESCRIPTION</title>
+    <para>
+      This function together with the
+      <citerefentry>
+        <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> function
+      is useful to manage module-specific data meaningful only to
+      the calling PAM module.
+    </para>
+    <para>
+      The <function>pam_get_data</function> function looks up the
+      object associated with the (hopefully) unique string
+      <emphasis>module_data_name</emphasis> in the PAM context
+      specified by the <emphasis>pamh</emphasis> argument.
+      A successful call to
+      <function>pam_get_data</function> will result in
+      <emphasis>data</emphasis> pointing to the object. Note,
+      this data is <emphasis>not</emphasis> a copy and should be
+      treated as <emphasis>constant</emphasis> by the module.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_get_data-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             Data was successful retrieved.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SYSTEM_ERR</term>
+        <listitem>
+           <para>
+             A NULL pointer was submitted as PAM handle or the
+             function was called by an application.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_NO_MODULE_DATA</term>
+        <listitem>
+           <para>
+              Module data not found or there is an entry, but it has
+              the value NULL.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_get_data-see_also">
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_get_item.3 b/Linux-PAM/doc/man/pam_get_item.3
index f4f0d462..ae63d298 100644
--- a/Linux-PAM/doc/man/pam_get_item.3
+++ b/Linux-PAM/doc/man/pam_get_item.3
@@ -1 +1,125 @@
-.so pam_set_item.3
+.\"     Title: pam_get_item
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_GET_ITEM" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_get_item \- getting PAM informations
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_modules.h>
+.fi
+.ft
+.HP 17
+.BI "int pam_get_item(const\ pam_handle_t\ *" "pamh" ", int\ " "item_type" ", const\ void\ **" "item" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_get_item\fR
+function allows applications and PAM service modules to access and retrieve PAM informations of
+\fIitem_type\fR. Upon successful return,
+\fIitem\fR
+contains a pointer to the value of the corresponding item. Note, this is a pointer to the
+\fIactual\fR
+data and should
+\fBnot\fR
+be
+\fIfree()\fR'ed or over\-written! The following values are supported for
+\fIitem_type\fR:
+.TP 3n
+PAM_SERVICE
+The service name (which identifies that PAM stack that the PAM functions will use to authenticate the program).
+.TP 3n
+PAM_USER
+The username of the entity under whose identity service will be given. That is, following authentication,
+\fIPAM_USER\fR
+identifies the local entity that gets to use the service. Note, this value can be mapped from something (eg., "anonymous") to something else (eg. "guest119") by any module in the PAM stack. As such an application should consult the value of
+\fIPAM_USER\fR
+after each call to a PAM function.
+.TP 3n
+PAM_USER_PROMPT
+The string used when prompting for a user's name. The default value for this string is a localized version of "login: ".
+.TP 3n
+PAM_TTY
+The terminal name: prefixed by
+\fI/dev/\fR
+if it is a device file; for graphical, X\-based, applications the value for this item should be the
+\fI$DISPLAY\fR
+variable.
+.TP 3n
+PAM_RUSER
+The requesting user name: local name for a locally requesting user or a remote user name for a remote requesting user.
+.sp
+Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator.
+.sp
+
+\fIPAM_RUSER@PAM_RHOST\fR
+should always identify the requesting user. In some cases,
+\fIPAM_RUSER\fR
+may be NULL. In such situations, it is unclear who the requesting entity is.
+.TP 3n
+PAM_RHOST
+The requesting hostname (the hostname of the machine from which the
+\fIPAM_RUSER\fR
+entity is requesting service). That is
+\fIPAM_RUSER@PAM_RHOST\fR
+does identify the requesting user. In some applications,
+\fIPAM_RHOST\fR
+may be NULL. In such situations, it is unclear where the authentication request is originating from.
+.TP 3n
+PAM_AUTHTOK
+The authentication token (often a password). This token should be ignored by all module functions besides
+\fBpam_sm_authenticate\fR(3)
+and
+\fBpam_sm_chauthtok\fR(3). In the former function it is used to pass the most recent authentication token from one stacked module to another. In the latter function the token is used for another purpose. It contains the currently active authentication token.
+.TP 3n
+PAM_OLDAUTHTOK
+The old authentication token. This token should be ignored by all module functions except
+\fBpam_sm_chauthtok\fR(3).
+.TP 3n
+PAM_CONV
+The pam_conv structure. See
+\fBpam_conv\fR(3).
+.TP 3n
+PAM_FAIL_DELAY
+A function pointer to redirect centrally managed failure delays. See
+\fBpam_fail_delay\fR(3).
+.PP
+If a service module wishes to obtain the name of the user, it should not use this function, but instead perform a call to
+\fBpam_get_user\fR(3).
+.PP
+Only a service module is privileged to read the authentication tokens, PAM_AUTHTOK and PAM_OLDAUTHTOK.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_BAD_ITEM
+The application attempted to set an undefined or inaccessible item.
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_PERM_DENIED
+The value of
+\fIitem\fR
+was NULL.
+.TP 3n
+PAM_SUCCESS
+Data was successful updated.
+.TP 3n
+PAM_SYSTEM_ERR
+The
+\fIpam_handle_t\fR
+passed as first argument was invalid.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_set_item\fR(3),
+\fBpam_strerror\fR(3)
diff --git a/Linux-PAM/doc/man/pam_get_item.3.xml b/Linux-PAM/doc/man/pam_get_item.3.xml
new file mode 100644
index 00000000..e5806d11
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_get_item.3.xml
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
+[
+<!--
+<!ENTITY accessconf SYSTEM "pam_item_types.inc.xml">
+-->
+]>
+
+<refentry id='pam_get_item'>
+
+  <refmeta>
+    <refentrytitle>pam_get_item</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id='pam_get_item-name'>
+    <refname>pam_get_item</refname>
+    <refpurpose>
+       getting PAM informations
+    </refpurpose>
+  </refnamediv>
+
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+
+   <funcsynopsis id="pam_get_item-synopsis">
+     <funcsynopsisinfo>#include &lt;security/pam_modules.h&gt;</funcsynopsisinfo>
+     <funcprototype>
+       <funcdef>int <function>pam_get_item</function></funcdef>
+       <paramdef>const pam_handle_t *<parameter>pamh</parameter></paramdef>
+       <paramdef>int <parameter>item_type</parameter></paramdef>
+       <paramdef>const void **<parameter>item</parameter></paramdef>
+     </funcprototype>
+   </funcsynopsis>
+
+  </refsynopsisdiv>
+
+
+  <refsect1 id="pam_get_item-description">
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_get_item</function> function allows applications
+      and PAM service modules to access and retrieve PAM informations
+      of <emphasis>item_type</emphasis>. Upon successful return,
+      <emphasis>item</emphasis> contains a pointer to the value of the
+      corresponding item. Note, this is a pointer to the
+      <emphasis>actual</emphasis> data and should
+      <emphasis remap="B">not</emphasis> be <emphasis>free()</emphasis>'ed or
+      over-written! The following values are supported for
+      <emphasis>item_type</emphasis>:
+   </para>
+
+   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_item_types.inc.xml"/>
+
+    <para>
+      If a service module wishes to obtain the name of the user,
+      it should not use this function, but instead perform a call to
+      <citerefentry>
+        <refentrytitle>pam_get_user</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+    <para>
+      Only a service module is privileged to read the
+      authentication tokens, PAM_AUTHTOK and PAM_OLDAUTHTOK.
+    </para>
+
+  </refsect1>
+
+  <refsect1 id="pam_get_item-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_BAD_ITEM</term>
+        <listitem>
+           <para>
+             The application attempted to set an undefined or inaccessible
+             item.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+              Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_PERM_DENIED</term>
+        <listitem>
+           <para>
+             The value of <emphasis>item</emphasis> was NULL.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             Data was successful updated.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SYSTEM_ERR</term>
+        <listitem>
+           <para>
+             The <emphasis>pam_handle_t</emphasis> passed as first
+             argument was invalid.
+          </para>
+        </listitem>
+       </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_get_item-see_also">
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_get_user.3 b/Linux-PAM/doc/man/pam_get_user.3
new file mode 100644
index 00000000..f4ab776b
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_get_user.3
@@ -0,0 +1,79 @@
+.\"     Title: pam_get_user
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_GET_USER" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_get_user \- get user name
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_modules.h>
+.fi
+.ft
+.HP 17
+.BI "int pam_get_user(const\ pam_handle_t\ *" "pamh" ", const\ char\ **" "user" ", const\ char\ *" "prompt" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_get_user\fR
+function returns the name of the user specified by
+\fBpam_start\fR(3). If no user was specified it what
+\fBpam_get_item (pamh, PAM_USER, ... );\fR
+would have returned. If this is NULL it obtains the username via the
+\fBpam_conv\fR(3)
+mechanism, it prompts the user with the first non\-NULL string in the following list:
+.TP 3n
+\(bu
+The
+\fIprompt\fR
+argument passed to the function.
+.TP 3n
+\(bu
+What is returned by pam_get_item (pamh, PAM_USER_PROMPT, ... );
+.TP 3n
+\(bu
+The default prompt: "login: "
+.sp
+.RE
+.PP
+By whatever means the username is obtained, a pointer to it is returned as the contents of
+\fI*user\fR. Note, this memory should
+\fBnot\fR
+be
+\fIfree()\fR'd or
+\fImodified\fR
+by the module.
+.PP
+This function sets the
+\fIPAM_USER\fR
+item associated with the
+\fBpam_set_item\fR(3)
+and
+\fBpam_get_item\fR(3)
+functions.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_SUCCESS
+User name was successful retrieved.
+.TP 3n
+PAM_SYSTEM_ERR
+A NULL pointer was submitted.
+.TP 3n
+PAM_CONV_ERR
+The conversation method supplied by the application failed to obtain the username.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_end\fR(3),
+\fBpam_get_item\fR(3),
+\fBpam_set_item\fR(3),
+\fBpam_strerror\fR(3)
diff --git a/Linux-PAM/doc/man/pam_get_user.3.xml b/Linux-PAM/doc/man/pam_get_user.3.xml
new file mode 100644
index 00000000..ff8be694
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_get_user.3.xml
@@ -0,0 +1,139 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id='pam_get_user'>
+
+  <refmeta>
+    <refentrytitle>pam_get_user</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id='pam_get_user-name'>
+    <refname>pam_get_user</refname>
+    <refpurpose>
+       get user name
+    </refpurpose>
+  </refnamediv>
+
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+
+   <funcsynopsis id="pam_get_user-synopsis">
+     <funcsynopsisinfo>#include &lt;security/pam_modules.h&gt;</funcsynopsisinfo>
+     <funcprototype>
+       <funcdef>int <function>pam_get_user</function></funcdef>
+       <paramdef>const pam_handle_t *<parameter>pamh</parameter></paramdef>
+       <paramdef>const char **<parameter>user</parameter></paramdef>
+       <paramdef>const char *<parameter>prompt</parameter></paramdef>
+     </funcprototype>
+   </funcsynopsis>
+
+  </refsynopsisdiv>
+
+
+  <refsect1 id="pam_get_user-description">
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_get_user</function> function returns the
+      name of the user specified by
+      <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>. If no user was specified it what 
+      <function>pam_get_item (pamh, PAM_USER, ... );</function> would
+      have returned. If this is NULL it obtains the username via the
+      <citerefentry>
+        <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> mechanism, it prompts the user with the first
+      non-NULL string in the following list:
+    </para>
+
+    <itemizedlist>
+      <listitem>
+        <para>
+          The <emphasis>prompt</emphasis> argument passed to the function.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          What is returned by pam_get_item (pamh, PAM_USER_PROMPT, ... );
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The default prompt: "login: "
+        </para>
+      </listitem>
+    </itemizedlist>
+    <para>
+      By whatever means the username is obtained, a pointer to it is
+      returned as the contents of <emphasis>*user</emphasis>. Note, 
+      this memory should <emphasis remap="B">not</emphasis> be 
+      <emphasis>free()</emphasis>'d or <emphasis>modified</emphasis>
+      by the module.
+    </para>
+    <para>
+      This function sets the <emphasis>PAM_USER</emphasis> item
+      associated with the 
+      <citerefentry>
+        <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> and
+      <citerefentry>
+        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> functions.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_get_user-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             User name was successful retrieved.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SYSTEM_ERR</term>
+        <listitem>
+           <para>
+             A NULL pointer was submitted.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CONV_ERR</term>
+        <listitem>
+           <para>
+             The conversation method supplied by the
+             application failed to obtain the username.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_get_user-see_also">
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_getenv.3 b/Linux-PAM/doc/man/pam_getenv.3
new file mode 100644
index 00000000..3882d080
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_getenv.3
@@ -0,0 +1,43 @@
+.\"     Title: pam_getenv
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_GETENV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_getenv \- get a PAM environment variable
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.HP 23
+.BI "const char *pam_getenv(pam_handle_t\ *" "pamh" ", const\ char\ *" "name" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_getenv\fR
+function searches the PAM environment list as associated with the handle
+\fIpamh\fR
+for a string that matches the string pointed to by
+\fIname\fR. The return values are of the form: "\fIname=value\fR".
+.SH "RETURN VALUES"
+.PP
+The
+\fBpam_getenv\fR
+function returns NULL on failure.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_start\fR(3),
+\fBpam_getenvlist\fR(3),
+\fBpam_putenv\fR(3),
+\fBpam\fR(8)
diff --git a/Linux-PAM/doc/man/pam_getenv.3.xml b/Linux-PAM/doc/man/pam_getenv.3.xml
new file mode 100644
index 00000000..e78aa3c2
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_getenv.3.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam_getenv'>
+  <refmeta>
+    <refentrytitle>pam_getenv</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_getenv-name">
+    <refname>pam_getenv</refname>
+    <refpurpose>get a PAM environment variable</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id='pam_getenv-synopsis'>
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>const char *<function>pam_getenv</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>const char *<parameter>name</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id='pam_getenv-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_getenv</function> function searches the
+      PAM environment list as associated with the handle
+      <emphasis>pamh</emphasis> for a string that matches the string
+      pointed to by <emphasis>name</emphasis>. The return values are
+      of the form: "<emphasis>name=value</emphasis>".
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_getenv-return_values">
+    <title>RETURN VALUES</title>
+    <para>
+      The <function>pam_getenv</function> function returns NULL
+      on failure.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_getenv-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_getenvlist.3 b/Linux-PAM/doc/man/pam_getenvlist.3
new file mode 100644
index 00000000..57c1d70e
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_getenvlist.3
@@ -0,0 +1,50 @@
+.\"     Title: pam_getenvlist
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_GETENVLIST" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_getenvlist \- getting the PAM environment
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.HP 22
+.BI "char **pam_getenvlist(pam_handle_t\ *" "pamh" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_getenvlist\fR
+function returns a complete copy of the PAM environment as associated with the handle
+\fIpamh\fR. The PAM environment variables represent the contents of the regular environment variables of the authenticated user when service is granted.
+.PP
+The format of the memory is a malloc()'d array of char pointers, the last element of which is set to NULL. Each of the non\-NULL entries in this array point to a NUL terminated and malloc()'d char string of the form: "\fIname=value\fR".
+.PP
+It should be noted that this memory will never be free()'d by libpam. Once obtained by a call to
+\fBpam_getenvlist\fR, it is the responsibility of the calling application to free() this memory.
+.PP
+It is by design, and not a coincidence, that the format and contents of the returned array matches that required for the third argument of the
+\fBexecle\fR(3)
+function call.
+.SH "RETURN VALUES"
+.PP
+The
+\fBpam_getenvlist\fR
+function returns NULL on failure.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_start\fR(3),
+\fBpam_getenv\fR(3),
+\fBpam_putenv\fR(3),
+\fBpam\fR(8)
diff --git a/Linux-PAM/doc/man/pam_getenvlist.3.xml b/Linux-PAM/doc/man/pam_getenvlist.3.xml
new file mode 100644
index 00000000..1c29b737
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_getenvlist.3.xml
@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam_getenvlist'>
+  <refmeta>
+    <refentrytitle>pam_getenvlist</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_getenvlist-name">
+    <refname>pam_getenvlist</refname>
+    <refpurpose>getting the PAM environment</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id='pam_getenvlist-synopsis'>
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>char **<function>pam_getenvlist</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id='pam_getenvlist-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_getenvlist</function> function returns a complete
+      copy of the PAM environment as associated with the handle
+      <emphasis>pamh</emphasis>. The PAM environment variables
+      represent the contents of the regular environment variables of the
+      authenticated user when service is granted.
+    </para>
+    <para>
+      The format of the memory is a malloc()'d array of char pointers,
+      the last element of which is set to NULL. Each of the non-NULL
+      entries in this array point to a NUL terminated and malloc()'d
+      char string of the form: "<emphasis>name=value</emphasis>".
+    </para>
+    <para>
+      It should be noted that this memory will never be free()'d by
+      libpam. Once obtained by a call to
+      <function>pam_getenvlist</function>, it is the responsibility of
+      the calling application to free() this memory.
+    </para>
+    <para>
+      It is by design, and not a coincidence, that the format and contents
+      of the returned array matches that required for the third argument of
+      the
+      <citerefentry>
+        <refentrytitle>execle</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> function call.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_getenvlist-return_values">
+    <title>RETURN VALUES</title>
+    <para>
+      The <function>pam_getenvlist</function> function returns NULL
+      on failure.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_getenvlist-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_getenv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_info.3 b/Linux-PAM/doc/man/pam_info.3
new file mode 100644
index 00000000..fabb5aa7
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_info.3
@@ -0,0 +1,62 @@
+.\"     Title: pam_info
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_INFO" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_info, pam_vinfo \- display messages to the user
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_ext.h>
+.fi
+.ft
+.HP 13
+.BI "int pam_info(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "..." ");"
+.HP 14
+.BI "int pam_vinfo(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", va_list\ " "args" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_info\fR
+function prints messages through the conversation function to the user.
+.PP
+The
+\fBpam_vinfo\fR
+function performs the same task as
+\fBpam_info()\fR
+with the difference that it takes a set of arguments which have been obtained using the
+\fBstdarg\fR(3)
+variable argument list macros.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_CONV_ERR
+Conversation failure.
+.TP 3n
+PAM_SUCCESS
+Transaction was successful created.
+.TP 3n
+PAM_SYSTEM_ERR
+System error.
+.SH "SEE ALSO"
+.PP
+
+\fBpam\fR(8)
+.SH "STANDARDS"
+.PP
+The
+\fBpam_info\fR
+and
+\fBpam_vinfo\fR
+functions are Linux\-PAM extensions.
diff --git a/Linux-PAM/doc/man/pam_info.3.xml b/Linux-PAM/doc/man/pam_info.3.xml
new file mode 100644
index 00000000..88e671c7
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_info.3.xml
@@ -0,0 +1,109 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id="pam_info">
+
+  <refmeta>
+    <refentrytitle>pam_info</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_info-name">
+    <refname>pam_info</refname>
+    <refname>pam_vinfo</refname>
+    <refpurpose>display messages to the user</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv id="pam_info-synopsis">
+    <funcsynopsis>
+      <funcsynopsisinfo>#include &lt;security/pam_ext.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_info</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>const char *<parameter>fmt</parameter></paramdef>
+        <paramdef><parameter>...</parameter></paramdef>
+      </funcprototype>
+      <funcprototype>
+        <funcdef>int <function>pam_vinfo</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>const char *<parameter>fmt</parameter></paramdef>
+        <paramdef>va_list <parameter>args</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='pam_info-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_info</function> function prints messages
+      through the conversation function to the user.
+    </para>
+    <para>
+      The <function>pam_vinfo</function> function performs the same
+      task as <function>pam_info()</function> with the difference
+      that it takes a set of arguments which have been obtained using
+      the <citerefentry>
+        <refentrytitle>stdarg</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> variable argument list macros.
+    </para>
+  </refsect1>
+  <refsect1 id="pam_info-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+              Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CONV_ERR</term>
+        <listitem>
+           <para>
+              Conversation failure.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             Transaction was successful created.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SYSTEM_ERR</term>
+        <listitem>
+           <para>
+              System error.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_info-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_info-standards'>
+    <title>STANDARDS</title>
+    <para>
+      The <function>pam_info</function> and <function>pam_vinfo</function>
+      functions are Linux-PAM extensions.
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_item_types.inc.xml b/Linux-PAM/doc/man/pam_item_types.inc.xml
new file mode 100644
index 00000000..9d70087b
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_item_types.inc.xml
@@ -0,0 +1,151 @@
+<!-- this file is included by pam_set_item and pam_get_item -->
+
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SERVICE</term>
+        <listitem>
+          <para>
+            The service name (which identifies that PAM stack that
+            the PAM functions will use to authenticate the program).
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_USER</term>
+        <listitem>
+          <para>
+            The username of the entity under whose identity service
+            will be given. That is, following authentication,
+            <emphasis>PAM_USER</emphasis> identifies the local entity
+            that gets to use the service. Note, this value can be mapped
+            from something (eg., "anonymous") to something else (eg.
+            "guest119") by any module in the PAM stack. As such an
+            application should consult the value of
+            <emphasis>PAM_USER</emphasis> after each call to a PAM function.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_USER_PROMPT</term>
+        <listitem>
+          <para>
+            The string used when prompting for a user's name. The default
+            value for this string is a localized version of "login: ".
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_TTY</term>
+        <listitem>
+          <para>
+            The terminal name: prefixed by <filename>/dev/</filename> if
+            it is a device file; for graphical, X-based, applications the
+            value for this item should be the
+            <emphasis>$DISPLAY</emphasis> variable.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_RUSER</term>
+        <listitem>
+          <para>
+            The requesting user name: local name for a locally
+            requesting user or a remote user name for a remote
+            requesting user.
+          </para>
+          <para>
+            Generally an application or module will attempt to supply
+            the value that is most strongly authenticated (a local account
+            before a remote one. The level of trust in this value is
+            embodied in the actual authentication stack associated with
+            the application, so it is ultimately at the discretion of the
+            system administrator.
+          </para>
+          <para>
+            <emphasis>PAM_RUSER@PAM_RHOST</emphasis> should always identify
+             the requesting user. In some cases,
+             <emphasis>PAM_RUSER</emphasis> may be NULL. In such situations,
+             it is unclear who the requesting entity is.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_RHOST</term>
+        <listitem>
+          <para>
+            The requesting hostname (the hostname of the machine from
+            which the <emphasis>PAM_RUSER</emphasis> entity is requesting
+            service). That is <emphasis>PAM_RUSER@PAM_RHOST</emphasis>
+            does identify the requesting user. In some applications,
+            <emphasis>PAM_RHOST</emphasis> may be NULL. In such situations,
+            it is unclear where the authentication request is originating
+            from.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_AUTHTOK</term>
+        <listitem>
+          <para>
+            The authentication token (often a password). This token
+            should be ignored by all module functions besides
+            <citerefentry>
+              <refentrytitle>pam_sm_authenticate</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry> and
+            <citerefentry>
+              <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry>.
+            In the former function it is used to pass the most recent
+            authentication token from one stacked module to another. In
+            the latter function the token is used for another purpose.
+            It contains the currently active authentication token.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_OLDAUTHTOK</term>
+        <listitem>
+          <para>
+            The old authentication token. This token should be ignored
+            by all module functions except
+            <citerefentry>
+              <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+
+      <varlistentry>
+        <term>PAM_CONV</term>
+        <listitem>
+          <para>
+            The pam_conv structure. See
+            <citerefentry>
+              <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_FAIL_DELAY</term>
+        <listitem>
+          <para>
+            A function pointer to redirect centrally managed
+            failure delays. See
+            <citerefentry>
+              <refentrytitle>pam_fail_delay</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
diff --git a/Linux-PAM/doc/man/pam_misc_drop_env.3 b/Linux-PAM/doc/man/pam_misc_drop_env.3
new file mode 100644
index 00000000..5708d5bc
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_misc_drop_env.3
@@ -0,0 +1,46 @@
+.\"     Title: pam_misc_drop_env
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_MISC_DROP_ENV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_misc_drop_env \- liberating a locally saved environment
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_misc.h>
+.fi
+.ft
+.HP 22
+.BI "int pam_misc_drop_env(char\ **" "env" ");"
+.SH "DESCRIPTION"
+.PP
+This function is defined to complement the
+\fBpam_getenvlist\fR(3)
+function. It liberates the memory associated with
+\fIenv\fR,
+\fIoverwriting\fR
+with
+\fI0\fR
+all memory before
+\fBfree()\fRing it.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_getenvlist\fR(3),
+\fBpam\fR(8)
+.SH "STANDARDS"
+.PP
+The
+\fBpam_misc_drop_env\fR
+function is part of the
+\fBlibpam_misc\fR
+Library and not defined in any standard.
diff --git a/Linux-PAM/doc/man/pam_misc_drop_env.3.xml b/Linux-PAM/doc/man/pam_misc_drop_env.3.xml
new file mode 100644
index 00000000..1941f589
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_misc_drop_env.3.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id="pam_misc_drop_env">
+
+  <refmeta>
+    <refentrytitle>pam_misc_drop_env</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_misc_drop_env-name">
+    <refname>pam_misc_drop_env</refname>
+    <refpurpose>liberating a locally saved environment</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id="pam_misc_drop_env-synopsis">
+      <funcsynopsisinfo>#include &lt;security/pam_misc.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_misc_drop_env</function></funcdef>
+        <paramdef>char **<parameter>env</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='pam_misc_drop_env-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      This function is defined to complement the <citerefentry>
+        <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> function. It liberates the memory associated
+      with <parameter>env</parameter>, <emphasis>overwriting</emphasis>
+      with <emphasis>0</emphasis> all memory before
+      <function>free()</function>ing it.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_misc_drop_env-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_misc_drop_env-standards'>
+    <title>STANDARDS</title>
+    <para>
+      The <function>pam_misc_drop_env</function> function is part of the
+      <command>libpam_misc</command> Library and not defined in any
+      standard.
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_misc_paste_env.3 b/Linux-PAM/doc/man/pam_misc_paste_env.3
new file mode 100644
index 00000000..9ba1e8fe
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_misc_paste_env.3
@@ -0,0 +1,41 @@
+.\"     Title: pam_misc_paste_env
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_MISC_PASTE_ENV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_misc_paste_env \- transcribing an environment to that of PAM
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_misc.h>
+.fi
+.ft
+.HP 23
+.BI "int pam_misc_paste_env(pam_handle_t\ *" "pamh" ", const\ char\ *\ const\ *" "user" ");"
+.SH "DESCRIPTION"
+.PP
+This function takes the supplied list of environment pointers and
+\fIuploads\fR
+its contents to the PAM environment. Success is indicated by
+PAM_SUCCESS.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_putenv\fR(3),
+\fBpam\fR(8)
+.SH "STANDARDS"
+.PP
+The
+\fBpam_misc_paste_env\fR
+function is part of the
+\fBlibpam_misc\fR
+Library and not defined in any standard.
diff --git a/Linux-PAM/doc/man/pam_misc_paste_env.3.xml b/Linux-PAM/doc/man/pam_misc_paste_env.3.xml
new file mode 100644
index 00000000..d9a282c0
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_misc_paste_env.3.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id="pam_misc_paste_env">
+
+  <refmeta>
+    <refentrytitle>pam_misc_paste_env</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_misc_paste_env-name">
+    <refname>pam_misc_paste_env</refname>
+    <refpurpose>transcribing an environment to that of PAM</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id="pam_misc_paste_env-synopsis">
+      <funcsynopsisinfo>#include &lt;security/pam_misc.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_misc_paste_env</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>const char * const *<parameter>user</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='pam_misc_paste_env-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      This function takes the supplied list of environment pointers and
+      <emphasis>uploads</emphasis> its contents to the PAM environment.
+      Success is indicated by <errorname>PAM_SUCCESS</errorname>.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_misc_paste_env-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_misc_paste_env-standards'>
+    <title>STANDARDS</title>
+    <para>
+      The <function>pam_misc_paste_env</function> function is part of the
+      <command>libpam_misc</command> Library and not defined in any
+      standard.
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_misc_setenv.3 b/Linux-PAM/doc/man/pam_misc_setenv.3
new file mode 100644
index 00000000..49e8138c
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_misc_setenv.3
@@ -0,0 +1,46 @@
+.\"     Title: pam_misc_setenv
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_MISC_SETENV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_misc_setenv \- BSD like PAM environment variable setting
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_misc.h>
+.fi
+.ft
+.HP 20
+.BI "int pam_misc_setenv(pam_handle_t\ *" "pamh" ", const\ char\ *" "name" ", const\ char\ *" "value" ", int" "readonly" ");"
+.SH "DESCRIPTION"
+.PP
+This function performs a task equivalent to
+\fBpam_putenv\fR(3), its syntax is, however, more like the BSD style function;
+\fBsetenv()\fR. The
+\fIname\fR
+and
+\fIvalue\fR
+are concatenated with an '=' to form a name=value and passed to
+\fBpam_putenv()\fR. If, however, the PAM variable is already set, the replacement will only be applied if the last argument,
+\fIreadonly\fR, is zero.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_putenv\fR(3),
+\fBpam\fR(8)
+.SH "STANDARDS"
+.PP
+The
+\fBpam_misc_setenv\fR
+function is part of the
+\fBlibpam_misc\fR
+Library and not defined in any standard.
diff --git a/Linux-PAM/doc/man/pam_misc_setenv.3.xml b/Linux-PAM/doc/man/pam_misc_setenv.3.xml
new file mode 100644
index 00000000..fdc8f33d
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_misc_setenv.3.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id="pam_misc_setenv">
+
+  <refmeta>
+    <refentrytitle>pam_misc_setenv</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+  <refnamediv id="pam_misc_setenv-name">
+    <refname>pam_misc_setenv</refname>
+    <refpurpose>BSD like PAM environment variable setting</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id="pam_misc_setenv-synopsis">
+      <funcsynopsisinfo>#include &lt;security/pam_misc.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_misc_setenv</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>const char *<parameter>name</parameter></paramdef>
+        <paramdef>const char *<parameter>value</parameter></paramdef>
+        <paramdef>int<parameter>readonly</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='pam_misc_setenv-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      This function performs a task equivalent to <citerefentry>
+      <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>, its syntax is, however, more like the BSD style
+      function; <function>setenv()</function>. The <parameter>name</parameter>
+      and <parameter>value</parameter> are concatenated with an '=' to
+      form a name=value and passed to <function>pam_putenv()</function>.
+      If, however, the PAM variable is already set, the replacement will
+      only be applied if the last argument, <parameter>readonly</parameter>,
+      is zero.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_misc_setenv-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_misc_setenv-standards'>
+    <title>STANDARDS</title>
+    <para>
+      The <function>pam_misc_setenv</function> function is part of the
+      <command>libpam_misc</command> Library and not defined in any
+      standard.
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_open_session.3 b/Linux-PAM/doc/man/pam_open_session.3
index 53f6adf1..e61b5ed8 100644
--- a/Linux-PAM/doc/man/pam_open_session.3
+++ b/Linux-PAM/doc/man/pam_open_session.3
@@ -1,99 +1,55 @@
-.\" Hey Emacs! This file is -*- nroff -*- source.
-.\" $Id: pam_open_session.3,v 1.1.1.1 2000/06/20 22:10:58 agmorgan Exp $
-.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
-.TH PAM_OPEN_SESSION 3 "1997 Jan 4" "Linux-PAM 0.55" "App. Programmers' Manual"
-.SH NAME
-
-pam_open/close_session \- PAM session management
-
-.SH SYNOPSIS
-.B #include <security/pam_appl.h>
+.\"     Title: pam_open_session
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_OPEN_SESSION" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_open_session \- start PAM session management
+.SH "SYNOPSIS"
 .sp
-.BI "int pam_open_session(pam_handle_t " *pamh ", int  " flags ");"
-.sp
-.BI "int pam_close_session(pam_handle_t " *pamh ", int  " flags ");"
-.sp 2
-.SH DESCRIPTION
-
-PAM provides management-hooks for the initialization and termination
-of a session. 
-
-.TP
-.B pam_open_session
-.br
-Use this function to signal that an authenticated user session has
-begun. It should be called only after the user is properly identified
-and (where necessary) has been granted their credentials with
-.BR pam_authenticate "(3)"
-and
-.BR pam_setcred "(3)"
-respectively.
-
-.br
-Some types of functions associated with session
-initialization are logging for the purposes of system-audit and
-mounting directories (the user's home directory for example). These
-should not concern the application. It should be noted that the
-.I effective
-uid,
-.BR geteuid "(2),"
-of the application should be of sufficient privilege to perform such
-tasks.
-
-.TP
-.B pam_close_session
-.br
-Use this function to signal that a user session has
-terminated. In general this function may not need to be located in the
-same application as the initialization function,
-.BR pam_open_session "."
-
-.br
-Typically, this function will undo the actions of
-.BR pam_open_session "."
-That is, log audit information concerning the end of the user session
-or unmount the user's home directory. Apart from having sufficient
-privilege the details of the session termination should not concern
-the calling application. It is good programming practice, however, to
-cease acting on behalf of the user on returning from this call.
-
-.SH RETURN VALUE
-A successful return from the session management functions will be
-indicated with
-.BR PAM_SUCCESS "."
-
-.br
-The specific error indicating a failure to open or close a session is
-.BR PAM_SESSION_ERR "."
-In general other return values may be returned. They should be treated
-as indicating failure.
-
-.SH ERRORS
-May be translated to text with
-.BR pam_strerror "(3). "
-
-.SH "CONFORMING TO"
-OSF-RFC 86.0, October 1995.
-
-.SH BUGS
-.sp 2
-none known.
-
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.HP 21
+.BI "int pam_open_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_open_session\fR
+function sets up a user session for a previously successful authenticated user. The session should later be terminated with a call to
+\fBpam_close_session\fR(3).
+.PP
+It should be noted that the effective uid,
+\fBgeteuid\fR(2). of the application should be of sufficient privilege to perform such tasks as creating or mounting the user's home directory for example.
+.PP
+The flags argument is the binary or of zero or more of the following values:
+.TP 3n
+PAM_SILENT
+Do not emit any messages.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_ABORT
+General failure.
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_SESSION_ERR
+Session failure.
+.TP 3n
+PAM_SUCCESS
+Session was successful created.
 .SH "SEE ALSO"
+.PP
 
-.BR pam_start "(3), "
-.BR pam_authenticate "(3), "
-.BR pam_setcred "(3), "
-.BR pam_get_item "(3), "
-.BR pam_strerror "(3) "
-and
-.BR pam "(3)."
-
-.br
-Also, see the three
-.BR Linux-PAM
-Guides, for
-.BR "System administrators" ", "
-.BR "module developers" ", "
-and
-.BR "application developers" ". "
+\fBpam_close_session\fR(3),
+\fBpam_strerror\fR(3)
diff --git a/Linux-PAM/doc/man/pam_open_session.3.xml b/Linux-PAM/doc/man/pam_open_session.3.xml
new file mode 100644
index 00000000..eba0bc01
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_open_session.3.xml
@@ -0,0 +1,115 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id='pam_send'>
+
+  <refmeta>
+    <refentrytitle>pam_open_session</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_open_session-name">
+    <refname>pam_open_session</refname>
+    <refpurpose>start PAM session management</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id="pam_open_session-synopsis">
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_open_session</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id="pam_open_session-description">
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_open_session</function> function sets up a
+      user session for a previously successful authenticated user.
+      The session should later be terminated with a call to
+      <citerefentry>
+        <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+    <para>
+      It should be noted that the effective uid,
+      <citerefentry>
+        <refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>. of the application should be of sufficient
+      privilege to perform such tasks as creating or mounting the
+      user's home directory for example.
+    </para>
+    <para>
+      The flags argument is the binary or of zero or more of the
+      following values:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SILENT</term>
+        <listitem>
+           <para>
+             Do not emit any messages.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_open_session-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_ABORT</term>
+        <listitem>
+           <para>
+              General failure.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+              Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SESSION_ERR</term>
+        <listitem>
+           <para>
+             Session failure.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             Session was successful created.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_open_session-see_also">
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_prompt.3 b/Linux-PAM/doc/man/pam_prompt.3
new file mode 100644
index 00000000..ce3b2a96
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_prompt.3
@@ -0,0 +1,55 @@
+.\"     Title: pam_prompt
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_PROMPT" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_prompt, pam_vprompt \- interface to conversation function
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_ext.h>
+.fi
+.ft
+.HP 16
+.BI "void pam_prompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", " "..." ");"
+.HP 17
+.BI "void pam_vprompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", va_list\ " "args" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_prompt\fR
+function constructs a message from the specified format string and arguments and passes it to
+.SH "RETURN VALUES"
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_CONV_ERR
+Conversation failure.
+.TP 3n
+PAM_SUCCESS
+Transaction was successful created.
+.TP 3n
+PAM_SYSTEM_ERR
+System error.
+.SH "SEE ALSO"
+.PP
+
+\fBpam\fR(8),
+\fBpam_conv\fR(3)
+.SH "STANDARDS"
+.PP
+The
+\fBpam_prompt\fR
+and
+\fBpam_vprompt\fR
+functions are Linux\-PAM extensions.
diff --git a/Linux-PAM/doc/man/pam_prompt.3.xml b/Linux-PAM/doc/man/pam_prompt.3.xml
new file mode 100644
index 00000000..d0824131
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_prompt.3.xml
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id="pam_prompt">
+
+  <refmeta>
+    <refentrytitle>pam_prompt</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_prompt-name">
+    <refname>pam_prompt</refname>
+    <refname>pam_vprompt</refname>
+    <refpurpose>interface to conversation function</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv id="pam_prompt-synopsis">
+    <funcsynopsis>
+      <funcsynopsisinfo>#include &lt;security/pam_ext.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>void <function>pam_prompt</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>style</parameter></paramdef>
+        <paramdef>char **<parameter>response</parameter></paramdef>
+        <paramdef>const char *<parameter>fmt</parameter></paramdef>
+        <paramdef><parameter>...</parameter></paramdef>
+      </funcprototype>
+      <funcprototype>
+        <funcdef>void <function>pam_vprompt</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>style</parameter></paramdef>
+        <paramdef>char **<parameter>response</parameter></paramdef>
+        <paramdef>const char *<parameter>fmt</parameter></paramdef>
+        <paramdef>va_list <parameter>args</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='pam_prompt-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_prompt</function> function constructs a message
+      from the specified format string and arguments and passes it to
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_prompt-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+              Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CONV_ERR</term>
+        <listitem>
+           <para>
+              Conversation failure.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             Transaction was successful created.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SYSTEM_ERR</term>
+        <listitem>
+           <para>
+              System error.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+
+  <refsect1 id='pam_prompt-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_prompt-standards'>
+    <title>STANDARDS</title>
+    <para>
+      The <function>pam_prompt</function> and <function>pam_vprompt</function>
+      functions are Linux-PAM extensions.
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_putenv.3 b/Linux-PAM/doc/man/pam_putenv.3
new file mode 100644
index 00000000..60b49651
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_putenv.3
@@ -0,0 +1,74 @@
+.\"     Title: pam_putenv
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_PUTENV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_putenv \- set or change PAM environment variable
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.HP 15
+.BI "int pam_putenv(pam_handle_t\ *" "pamh" ", const\ char\ *" "name_value" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_putenv\fR
+function is used to add or change the value of PAM environment variables as associated with the
+\fIpamh\fR
+handle.
+.PP
+The
+\fIpamh\fR
+argument is an authentication handle obtained by a prior call to pam_start(). The
+\fIname_value\fR
+argument is a single NUL terminated string of one of the following forms:
+.TP 3n
+NAME=value of variable
+In this case the environment variable of the given NAME is set to the indicated value:
+\fIvalue of variable\fR. If this variable is already known, it is overwritten. Otherwise it is added to the PAM environment.
+.TP 3n
+NAME=
+This function sets the variable to an empty value. It is listed separately to indicate that this is the correct way to achieve such a setting.
+.TP 3n
+NAME
+Without an '=' the pam_putenv() function will delete the corresponding variable from the PAM environment.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_PERM_DENIED
+Argument
+\fIname_value\fR
+given is a NULL pointer.
+.TP 3n
+PAM_BAD_ITEM
+Variable requested (for deletion) is not currently set.
+.TP 3n
+PAM_ABORT
+The
+\fIpamh\fR
+handle is corrupt.
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_SUCCESS
+The environment variable was successfully updated.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_start\fR(3),
+\fBpam_getenv\fR(3),
+\fBpam_getenvlist\fR(3),
+\fBpam_strerror\fR(3),
+\fBpam\fR(8)
diff --git a/Linux-PAM/doc/man/pam_putenv.3.xml b/Linux-PAM/doc/man/pam_putenv.3.xml
new file mode 100644
index 00000000..5efef381
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_putenv.3.xml
@@ -0,0 +1,144 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam_putenv'>
+  <refmeta>
+    <refentrytitle>pam_putenv</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_putenv-name">
+    <refname>pam_putenv</refname>
+    <refpurpose>set or change PAM environment variable</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id='pam_putenv-synopsis'>
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_putenv</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>const char *<parameter>name_value</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id='pam_putenv-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_putenv</function> function is used to
+      add or change the value of PAM environment variables as
+      associated with the <emphasis>pamh</emphasis> handle.
+    </para>
+    <para>
+      The <emphasis>pamh</emphasis> argument is an authentication
+      handle obtained by a prior call to pam_start().
+      The <emphasis>name_value</emphasis> argument is a single NUL
+      terminated string of one of the following forms:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>NAME=value of variable</term>
+        <listitem>
+           <para>
+             In this case the environment variable of the given NAME
+             is set to the indicated value:
+             <emphasis>value of variable</emphasis>. If this variable
+             is already known, it is overwritten. Otherwise it is added
+             to the PAM environment.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>NAME=</term>
+        <listitem>
+          <para>
+            This function sets the variable to an empty value. It is
+            listed separately to indicate that this is the correct way
+            to achieve such a setting.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>NAME</term>
+        <listitem>
+          <para>
+            Without an '=' the pam_putenv() function will delete the
+            corresponding variable from the PAM environment.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_putenv-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_PERM_DENIED</term>
+        <listitem>
+           <para>
+             Argument <emphasis>name_value</emphasis> given is a NULL pointer.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_BAD_ITEM</term>
+        <listitem>
+           <para>
+             Variable requested (for deletion) is not currently set.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_ABORT</term>
+        <listitem>
+           <para>
+             The <emphasis>pamh</emphasis> handle is corrupt.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+             Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             The environment variable was successfully updated.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_putenv-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_getenv</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_set_data.3 b/Linux-PAM/doc/man/pam_set_data.3
new file mode 100644
index 00000000..c3a2a689
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_set_data.3
@@ -0,0 +1,93 @@
+.\"     Title: pam_set_data
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_SET_DATA" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_set_data \- set module internal data
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_modules.h>
+.fi
+.ft
+.HP 17
+.BI "int pam_set_data(pam_handle_t\ *" "pamh" ", const\ char\ *" "module_data_name" ", void\ *" "data" ", void\ " "(*cleanup)(pam_handle_t\ *pamh,\ void\ *data,\ int\ error_status)" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_set_data\fR
+function associates a pointer to an object with the (hopefully) unique string
+\fImodule_data_name\fR
+in the PAM context specified by the
+\fIpamh\fR
+argument.
+.PP
+PAM modules may be dynamically loadable objects. In general such files should not contain
+\fIstatic\fR
+variables. This function and its counterpart
+\fBpam_get_data\fR(3), provide a mechanism for a module to associate some data with the handle
+\fIpamh\fR. Typically a module will call the
+\fBpam_set_data\fR
+function to register some data under a (hopefully) unique
+\fImodule_data_name\fR. The data is available for use by other modules too but
+\fInot\fR
+by an application. Since this functions stores only a pointer to the
+\fIdata\fR, the module should not modify or free the content of it.
+.PP
+The function
+\fBcleanup()\fR
+is associated with the
+\fIdata\fR
+and, if non\-NULL, it is called when this data is over\-written or following a call to
+\fBpam_end\fR(3).
+.PP
+The
+\fIerror_status\fR
+argument is used to indicate to the module the sort of action it is to take in cleaning this data item. As an example, Kerberos creates a ticket file during the authentication phase, this file might be associated with a data item. When
+\fBpam_end\fR(3)
+is called by the module, the
+\fIerror_status\fR
+carries the return value of the
+\fBpam_authenticate\fR(3)
+or other
+\fIlibpam\fR
+function as appropriate. Based on this value the Kerberos module may choose to delete the ticket file (\fIauthentication failure\fR) or leave it in place.
+.PP
+The
+\fIerror_status\fR
+may have been logically OR'd with either of the following two values:
+.TP 3n
+PAM_DATA_REPLACE
+When a data item is being replaced (through a second call to
+\fBpam_set_data\fR) this mask is used. Otherwise, the call is assumed to be from
+\fBpam_end\fR(3).
+.TP 3n
+PAM_DATA_SILENT
+Which indicates that the process would prefer to perform the
+\fBcleanup()\fR
+quietly. That is, discourages logging/messages to the user.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_SUCCESS
+Data was successful stored.
+.TP 3n
+PAM_SYSTEM_ERR
+A NULL pointer was submitted as PAM handle or the function was called by an application.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_end\fR(3),
+\fBpam_get_data\fR(3),
+\fBpam_strerror\fR(3)
diff --git a/Linux-PAM/doc/man/pam_set_data.3.xml b/Linux-PAM/doc/man/pam_set_data.3.xml
new file mode 100644
index 00000000..d6d224e7
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_set_data.3.xml
@@ -0,0 +1,172 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id='pam_set_data'>
+
+  <refmeta>
+    <refentrytitle>pam_set_data</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id='pam_set_data-name'>
+    <refname>pam_set_data</refname>
+    <refpurpose>
+       set module internal data
+    </refpurpose>
+  </refnamediv>
+
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+
+   <funcsynopsis id="pam_set_data-synopsis">
+     <funcsynopsisinfo>#include &lt;security/pam_modules.h&gt;</funcsynopsisinfo>
+     <funcprototype>
+       <funcdef>int <function>pam_set_data</function></funcdef>
+       <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+       <paramdef>const char *<parameter>module_data_name</parameter></paramdef>
+       <paramdef>void *<parameter>data</parameter></paramdef>
+       <paramdef>void <parameter>(*cleanup)(pam_handle_t *pamh, void *data, int error_status)</parameter></paramdef>
+     </funcprototype>
+   </funcsynopsis>
+
+  </refsynopsisdiv>
+
+
+  <refsect1 id="pam_set_data-description">
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_set_data</function> function associates a pointer
+      to an object with the (hopefully) unique string 
+      <emphasis>module_data_name</emphasis> in the PAM context specified
+      by the <emphasis>pamh</emphasis> argument.
+    </para>
+
+    <para>
+      PAM modules may be dynamically loadable objects. In general such files
+      should not contain <emphasis>static</emphasis> variables. This function
+      and its counterpart
+      <citerefentry>
+        <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      provide a mechanism for a module to associate some data with
+      the handle <emphasis>pamh</emphasis>. Typically a module will call the
+      <function>pam_set_data</function> function to register some data
+       under a (hopefully) unique <emphasis>module_data_name</emphasis>.
+       The data is available for use by other modules too but
+       <emphasis>not</emphasis> by an application. Since this functions
+       stores only a pointer to the <emphasis>data</emphasis>, the module
+       should not modify or free the content of it.
+    </para>
+
+    <para>
+      The function <function>cleanup()</function> is associated with the
+      <emphasis>data</emphasis> and, if non-NULL, it is called when this
+      data is over-written or following a call to
+      <citerefentry>
+        <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+
+    <para>
+      The <emphasis>error_status</emphasis> argument is used to indicate
+      to the module the sort of action it is to take in cleaning this data
+      item. As an example, Kerberos creates a ticket file during the
+      authentication phase, this file might be associated with a data item.
+      When
+      <citerefentry>
+        <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      is called by the module, the <emphasis>error_status</emphasis>
+      carries the return value of the
+      <citerefentry>
+        <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+     or other <emphasis>libpam</emphasis> function as appropriate. Based
+     on this value the Kerberos module may choose to delete the ticket file
+     (<emphasis>authentication failure</emphasis>) or leave it in place.
+   </para>
+
+   <para>
+     The <emphasis>error_status</emphasis> may have been logically
+     OR'd with either of the following two values:
+   </para>
+
+    <variablelist>
+      <varlistentry>
+        <term>PAM_DATA_REPLACE</term>
+        <listitem>
+          <para>
+            When a data item is being replaced (through a second call to
+            <function>pam_set_data</function>) this mask is used.
+            Otherwise, the call is assumed to be from
+            <citerefentry>
+              <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_DATA_SILENT</term>
+        <listitem>
+          <para>
+            Which indicates that the process would prefer to perform the
+            <function>cleanup()</function> quietly. That is, discourages
+            logging/messages to the user.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_set_data-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+              Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             Data was successful stored.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SYSTEM_ERR</term>
+        <listitem>
+           <para>
+             A NULL pointer was submitted as PAM handle or the
+             function was called by an application.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_set_data-see_also">
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_set_item.3 b/Linux-PAM/doc/man/pam_set_item.3
index ddd081fe..fa802747 100644
--- a/Linux-PAM/doc/man/pam_set_item.3
+++ b/Linux-PAM/doc/man/pam_set_item.3
@@ -1,55 +1,124 @@
-.\" Hey Emacs! This file is -*- nroff -*- source.
-.\" $Id: pam_set_item.3,v 1.1 2001/12/08 19:02:48 agmorgan Exp $
-.\" Copyright (c) Andrew G. Morgan 1996,1997 <morgan@kernel.org>
-.TH PAM_SET_ITEM 3 "2001 Jan 21" "Linux-PAM" "App. Programmers' Manual"
-.SH NAME
-
-pam_set_item, pam_get_item \- item manipulation under PAM
-
-.SH SYNOPSIS
-.B #include <security/pam_appl.h>
-.br
-or
-.br
-.B #include <secruity/pam_modules.h>
+.\"     Title: pam_set_item
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_SET_ITEM" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_set_item \- set and update PAM informations
+.SH "SYNOPSIS"
 .sp
-.BI "int pam_set_item(pam_handle_t " *pamh ", int " item_type ", void " *item ");"
+.ft B
+.nf
+#include <security/pam_modules.h>
+.fi
+.ft
+.HP 17
+.BI "int pam_set_item(pam_handle_t\ *" "pamh" ", int\ " "item_type" ", const\ void\ *" "item" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_set_item\fR
+function allows applications and PAM service modules to access and to update PAM informations of
+\fIitem_type\fR. For this a copy of the object pointed to by the
+\fIitem\fR
+argument is created. The following
+\fIitem_type\fRs are supported:
+.TP 3n
+PAM_SERVICE
+The service name (which identifies that PAM stack that the PAM functions will use to authenticate the program).
+.TP 3n
+PAM_USER
+The username of the entity under whose identity service will be given. That is, following authentication,
+\fIPAM_USER\fR
+identifies the local entity that gets to use the service. Note, this value can be mapped from something (eg., "anonymous") to something else (eg. "guest119") by any module in the PAM stack. As such an application should consult the value of
+\fIPAM_USER\fR
+after each call to a PAM function.
+.TP 3n
+PAM_USER_PROMPT
+The string used when prompting for a user's name. The default value for this string is a localized version of "login: ".
+.TP 3n
+PAM_TTY
+The terminal name: prefixed by
+\fI/dev/\fR
+if it is a device file; for graphical, X\-based, applications the value for this item should be the
+\fI$DISPLAY\fR
+variable.
+.TP 3n
+PAM_RUSER
+The requesting user name: local name for a locally requesting user or a remote user name for a remote requesting user.
 .sp
-.BI "int pam_get_item(const pam_handle_t " *pamh ", int  " item_type ", const void " **item_p ");"
-.sp 2
-.SH DESCRIPTION
-.B pam_set_item
+Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator.
 .sp
-.B pam_set_item
-
-These functions are currently undocumented in a man page, but see the
-end of this man page for more information (the PAM guides).
-
-On success
-.BR PAM_SUCCESS
-is returned, all other return values should be treated as errors.
-
-.SH ERRORS
-May be translated to text with
-.BR pam_strerror "(3). "
-
-.SH "CONFORMING TO"
-DCE-RFC 86.0, October 1995.
 
-.SH BUGS
-.sp 2
-none known.
-
-.SH "SEE ALSO"
-
-.BR pam (8)
+\fIPAM_RUSER@PAM_RHOST\fR
+should always identify the requesting user. In some cases,
+\fIPAM_RUSER\fR
+may be NULL. In such situations, it is unclear who the requesting entity is.
+.TP 3n
+PAM_RHOST
+The requesting hostname (the hostname of the machine from which the
+\fIPAM_RUSER\fR
+entity is requesting service). That is
+\fIPAM_RUSER@PAM_RHOST\fR
+does identify the requesting user. In some applications,
+\fIPAM_RHOST\fR
+may be NULL. In such situations, it is unclear where the authentication request is originating from.
+.TP 3n
+PAM_AUTHTOK
+The authentication token (often a password). This token should be ignored by all module functions besides
+\fBpam_sm_authenticate\fR(3)
 and
-.BR pam_strerror "(3)."
+\fBpam_sm_chauthtok\fR(3). In the former function it is used to pass the most recent authentication token from one stacked module to another. In the latter function the token is used for another purpose. It contains the currently active authentication token.
+.TP 3n
+PAM_OLDAUTHTOK
+The old authentication token. This token should be ignored by all module functions except
+\fBpam_sm_chauthtok\fR(3).
+.TP 3n
+PAM_CONV
+The pam_conv structure. See
+\fBpam_conv\fR(3).
+.TP 3n
+PAM_FAIL_DELAY
+A function pointer to redirect centrally managed failure delays. See
+\fBpam_fail_delay\fR(3).
+.PP
+For all
+\fIitem_type\fRs, other than PAM_CONV and PAM_FAIL_DELAY,
+\fIitem\fR
+is a pointer to a <NUL> terminated character string. In the case of PAM_CONV,
+\fIitem\fR
+points to an initialized
+\fIpam_conv\fR
+structure. In the case of PAM_FAIL_DELAY,
+\fIitem\fR
+is a function pointer:
+\fBvoid (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr)\fR
+.PP
+Both, PAM_AUTHTOK and PAM_OLDAUTHTOK, will be reseted before returning to the application. Which means an application is not able to access the authentication tokens.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_BAD_ITEM
+The application attempted to set an undefined or inaccessible item.
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_SUCCESS
+Data was successful updated.
+.TP 3n
+PAM_SYSTEM_ERR
+The
+\fIpam_handle_t\fR
+passed as first argument was invalid.
+.SH "SEE ALSO"
+.PP
 
-Also, see the three
-.BR Linux-PAM
-Guides, for
-.BR "System administrators" ", "
-.BR "module developers" ", "
-and
-.BR "application developers" ". "
+\fBpam_get_item\fR(3),
+\fBpam_strerror\fR(3)
diff --git a/Linux-PAM/doc/man/pam_set_item.3.xml b/Linux-PAM/doc/man/pam_set_item.3.xml
new file mode 100644
index 00000000..cbac8413
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_set_item.3.xml
@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
+[
+<!--
+<!ENTITY accessconf SYSTEM "pam_item_types.inc.xml">
+-->
+]>
+
+<refentry id='pam_set_item'>
+
+  <refmeta>
+    <refentrytitle>pam_set_item</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id='pam_set_item-name'>
+    <refname>pam_set_item</refname>
+    <refpurpose>
+       set and update PAM informations
+    </refpurpose>
+  </refnamediv>
+
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+
+   <funcsynopsis id="pam_set_item-synopsis">
+     <funcsynopsisinfo>#include &lt;security/pam_modules.h&gt;</funcsynopsisinfo>
+     <funcprototype>
+       <funcdef>int <function>pam_set_item</function></funcdef>
+       <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+       <paramdef>int <parameter>item_type</parameter></paramdef>
+       <paramdef>const void *<parameter>item</parameter></paramdef>
+     </funcprototype>
+   </funcsynopsis>
+
+  </refsynopsisdiv>
+
+
+  <refsect1 id="pam_set_item-description">
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_set_item</function> function allows applications
+      and PAM service modules to access and to update PAM informations
+      of <emphasis>item_type</emphasis>. For this a copy
+      of the object pointed to by the <emphasis>item</emphasis> argument
+      is created. The following <emphasis>item_type</emphasis>s are
+      supported:
+   </para>
+
+   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_item_types.inc.xml"/>
+
+    <para>
+      For all <emphasis>item_type</emphasis>s, other than PAM_CONV and
+      PAM_FAIL_DELAY, <emphasis>item</emphasis> is a pointer to a &lt;NUL&gt;
+      terminated character string. In the case of PAM_CONV,
+      <emphasis>item</emphasis> points to an initialized
+      <emphasis>pam_conv</emphasis> structure. In the case of
+      PAM_FAIL_DELAY, <emphasis>item</emphasis> is a function pointer:
+      <function>void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr)</function>
+    </para>
+
+    <para>
+      Both, PAM_AUTHTOK and PAM_OLDAUTHTOK, will be reseted before
+      returning to the application. Which means an application is not
+      able to access the authentication tokens.
+    </para>
+
+  </refsect1>
+
+  <refsect1 id="pam_set_item-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_BAD_ITEM</term>
+        <listitem>
+           <para>
+             The application attempted to set an undefined or inaccessible
+             item.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+              Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             Data was successful updated.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SYSTEM_ERR</term>
+        <listitem>
+           <para>
+             The <emphasis>pam_handle_t</emphasis> passed as first
+             argument was invalid.
+          </para>
+        </listitem>
+       </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_set_item-see_also">
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_setcred.3 b/Linux-PAM/doc/man/pam_setcred.3
index ea251405..055ee56e 100644
--- a/Linux-PAM/doc/man/pam_setcred.3
+++ b/Linux-PAM/doc/man/pam_setcred.3
@@ -1,79 +1,82 @@
-.\" Hey Emacs! This file is -*- nroff -*- source.
-.\" $Id: pam_setcred.3,v 1.1.1.1 2000/06/20 22:10:58 agmorgan Exp $
-.\" Copyright (c) Andrew G. Morgan 1996,1997 <morgan@parc.power.net>
-.TH PAM_SETCRED 3 "1997 July 6" "Linux-PAM 0.58" "App. Programmers' Manual"
-.SH NAME
-
-pam_setcred \- set the credentials for the user
-
-.SH SYNOPSIS
-.B #include <security/pam_appl.h>
+.\"     Title: pam_setcred
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_SETCRED" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_setcred \- establish / delete user credentials
+.SH "SYNOPSIS"
 .sp
-.BI "int pam_setcred(pam_handle_t " *pamh ", int  " flags ");"
-.sp 2
-.SH DESCRIPTION
-.B pam_setcred
-
-This function is used to establish, maintain and delete the
-credentials of a user. It should be called after a user has been
-authenticated and before a session is opened for the user (with
-.BR pam_open_session "(3))."
-
-It should be noted that credentials come in many forms. Examples
-include: group memberships; ticket-files; and Linux-PAM environment
-variables.  For this reason, it is important that the basic identity
-of the user is established, by the application, prior to a call to
-this function.  For example, the default
-.BR Linux-PAM
-environment variables should be set and also
-.BR initgroups "(2) "
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.HP 16
+.BI "int pam_setcred(pam_handle_t\ *" "pamh" ", int\ " "flags" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_setcred\fR
+function is used to establish, maintain and delete the credentials of a user. It should be called after a user has been authenticated and before a session is opened for the user (with
+\fBpam_open_session\fR(3)).
+.PP
+A credential is something that the user possesses. It is some property, such as a
+\fIKerberos\fR
+ticket, or a supplementary group membership that make up the uniqueness of a given user. On a Linux system the user's
+\fIUID\fR
+and
+\fIGID\fR's are credentials too. However, it has been decided that these properties (along with the default supplementary groups of which the user is a member) are credentials that should be set directly by the application and not by PAM. Such credentials should be established, by the application, prior to a call to this function. For example,
+\fBinitgroups\fR(2)
 (or equivalent) should have been performed.
-
-.SH "VALID FLAGS"
-.TP
-.BR PAM_ESTABLISH_CRED
-initialize the credentials for the user.
-
-.TP
-.BR PAM_DELETE_CRED
-delete the user's credentials.
-
-.TP
-.BR PAM_REINITIALIZE_CRED
-delete and then initialize the user's credentials.
-
-.TP
-.BR PAM_REFRESH_CRED
-extend the lifetime of the existing credentials.
-
-.SH "RETURN VALUE"
-
-On success
-.BR PAM_SUCCESS
-is returned, all other return values should be treated as errors.
-
-.SH ERRORS
-May be translated to text with
-.BR pam_strerror "(3). "
-
-.SH "CONFORMING TO"
-DCE-RFC 86.0, October 1995.
-
-.SH BUGS
-.sp 2
-none known.
-
+.PP
+Valid
+\fIflags\fR, any one of which, may be logically OR'd with
+\fBPAM_SILENT\fR, are:
+.TP 3n
+PAM_ESTABLISH_CRED
+Initialize the credentials for the user.
+.TP 3n
+PAM_DELETE_CRED
+Delete the user's credentials.
+.TP 3n
+PAM_REINITIALIZE_CRED
+Fully reinitialize the user's credentials.
+.TP 3n
+PAM_REFRESH_CRED
+Extend the lifetime of the existing credentials.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_CRED_ERR
+Failed to set user credentials.
+.TP 3n
+PAM_CRED_EXPIRED
+User credentials are expired.
+.TP 3n
+PAM_CRED_UNAVAIL
+Failed to retrieve user credentials.
+.TP 3n
+PAM_SUCCESS
+Data was successful stored.
+.TP 3n
+PAM_SYSTEM_ERR
+A NULL pointer was submitted as PAM handle, the function was called by a module or another system error occured.
+.TP 3n
+PAM_USER_UNKNOWN
+User is not known to an authentication module.
 .SH "SEE ALSO"
+.PP
 
-.BR pam_authenticate "(3), "
-.BR pam_strerror "(3)"
-and
-.BR pam_open_session "(3). "
-
-Also, see the three
-.BR Linux-PAM
-Guides, for
-.BR "System administrators" ", "
-.BR "module developers" ", "
-and
-.BR "application developers" ". "
+\fBpam_authenticate\fR(3),
+\fBpam_open_session\fR(3),
+\fBpam_strerror\fR(3)
diff --git a/Linux-PAM/doc/man/pam_setcred.3.xml b/Linux-PAM/doc/man/pam_setcred.3.xml
new file mode 100644
index 00000000..90e23b5c
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_setcred.3.xml
@@ -0,0 +1,173 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id="pam_setcred">
+
+  <refmeta>
+    <refentrytitle>pam_setcred</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_setcred-name">
+    <refname>pam_setcred</refname>
+    <refpurpose>
+       establish / delete user credentials
+    </refpurpose>
+  </refnamediv>
+
+  <!-- body begins here -->
+  <refsynopsisdiv>
+    <funcsynopsis id='pam_setcred-synopsis'>
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_setcred</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id='pam_setcred-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_setcred</function> function is used to establish,
+      maintain and delete the credentials of a user. It should be called
+      after a user has been authenticated and before a session is opened
+      for the user (with
+      <citerefentry>
+        <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum>
+       </citerefentry>).
+     </para>
+
+     <para>
+       A credential is something that the user possesses. It is some
+       property, such as a <emphasis>Kerberos</emphasis> ticket, or a
+       supplementary group membership that make up the uniqueness of a
+       given user. On a Linux system the user's <emphasis>UID</emphasis>
+       and <emphasis>GID</emphasis>'s are credentials too. However, it
+       has been decided that these properties (along with the default
+       supplementary groups of which the user is a member) are credentials
+       that should be set directly by the application and not by PAM.
+       Such credentials should be established, by the application, prior
+       to a call to this function.  For example,
+       <citerefentry>
+         <refentrytitle>initgroups</refentrytitle><manvolnum>2</manvolnum>
+       </citerefentry> (or equivalent) should have been performed.
+      </para>
+
+      <para>
+        Valid <emphasis>flags</emphasis>, any one of which, may be
+        logically OR'd with <option>PAM_SILENT</option>, are:
+      </para>
+
+      <variablelist>
+        <varlistentry>
+          <term>PAM_ESTABLISH_CRED</term>
+          <listitem>
+            <para>Initialize the credentials for the user.</para>
+          </listitem>
+          </varlistentry>
+        <varlistentry>
+          <term>PAM_DELETE_CRED</term>
+          <listitem>
+            <para>Delete the user's credentials.</para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>PAM_REINITIALIZE_CRED</term>
+          <listitem>
+            <para>Fully reinitialize the user's credentials.</para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>PAM_REFRESH_CRED</term>
+          <listitem>
+            <para>Extend the lifetime of the existing credentials.</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+   </refsect1>
+
+   <refsect1 id='pam_setcred-return_values'>
+     <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+              Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CRED_ERR</term>
+        <listitem>
+           <para>
+              Failed to set user credentials.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CRED_EXPIRED</term>
+        <listitem>
+           <para>
+             User credentials are expired.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CRED_UNAVAIL</term>
+        <listitem>
+           <para>
+              Failed to retrieve user credentials.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             Data was successful stored.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SYSTEM_ERR</term>
+        <listitem>
+           <para>
+             A NULL pointer was submitted as PAM handle, the
+             function was called by a module or another system
+             error occured.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+           <para>
+              User is not known to an authentication module.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_set_data-see_also">
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+         <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_sm_acct_mgmt.3 b/Linux-PAM/doc/man/pam_sm_acct_mgmt.3
new file mode 100644
index 00000000..b720e3af
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_sm_acct_mgmt.3
@@ -0,0 +1,79 @@
+.\"     Title: pam_sm_acct_mgmt
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_SM_ACCT_MGMT" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_sm_acct_mgmt \- PAM service function for account management
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#define PAM_SM_ACCOUNT
+.fi
+.ft
+.sp
+.ft B
+.nf
+#include <security/pam_modules.h>
+.fi
+.ft
+.HP 32
+.BI "PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_sm_acct_mgmt\fR
+function is the service module's implementation of the
+\fBpam_acct_mgmt\fR(3)
+interface.
+.PP
+This function performs the task of establishing whether the user is permitted to gain access at this time. It should be understood that the user has previously been validated by an authentication module. This function checks for other things. Such things might be: the time of day or the date, the terminal line, remote hostname, etc. This function may also determine things like the expiration on passwords, and respond that the user change it before continuing.
+.PP
+Valid flags, which may be logically OR'd with
+\fIPAM_SILENT\fR, are:
+.TP 3n
+PAM_SILENT
+Do not emit any messages.
+.TP 3n
+PAM_DISALLOW_NULL_AUTHTOK
+Return
+\fBPAM_AUTH_ERR\fR
+if the database of authentication tokens for this authentication mechanism has a
+\fINULL\fR
+entry for the user.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_ACCT_EXPIRED
+User account has expired.
+.TP 3n
+PAM_AUTH_ERR
+Authentication failure.
+.TP 3n
+PAM_NEW_AUTHTOK_REQD
+The user's authentication token has expired. Before calling this function again the application will arrange for a new one to be given. This will likely result in a call to
+\fBpam_sm_chauthtok()\fR.
+.TP 3n
+PAM_PERM_DENIED
+Permission denied.
+.TP 3n
+PAM_SUCCESS
+The authentication token was successfully updated.
+.TP 3n
+PAM_USER_UNKNOWN
+User unknown to password service.
+.SH "SEE ALSO"
+.PP
+
+\fBpam\fR(3),
+\fBpam_acct_mgmt\fR(3),
+\fBpam_sm_chauthtok\fR(3),
+\fBpam_strerror\fR(3),
+\fBPAM\fR(8)
diff --git a/Linux-PAM/doc/man/pam_sm_acct_mgmt.3.xml b/Linux-PAM/doc/man/pam_sm_acct_mgmt.3.xml
new file mode 100644
index 00000000..35aa28a8
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_sm_acct_mgmt.3.xml
@@ -0,0 +1,155 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam_sm_acct_mgmt'>
+  <refmeta>
+    <refentrytitle>pam_sm_acct_mgmt</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_sm_acct_mgmt-name">
+    <refname>pam_sm_acct_mgmt</refname>
+    <refpurpose>PAM service function for account management</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id='pam_sm_acct_mgmt-synopsis'>
+      <funcsynopsisinfo>#define PAM_SM_ACCOUNT</funcsynopsisinfo>
+      <funcsynopsisinfo>#include &lt;security/pam_modules.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>PAM_EXTERN int <function>pam_sm_acct_mgmt</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+        <paramdef>int <parameter>argc</parameter></paramdef>
+        <paramdef>const char **<parameter>argv</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id='pam_sm_acct_mgmt-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_sm_acct_mgmt</function> function is the service
+      module's implementation of the
+      <citerefentry>
+        <refentrytitle>pam_acct_mgmt</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> interface.
+    </para>
+    <para>
+      This function performs the task of establishing whether the user is
+      permitted to gain access at this time. It should be understood that
+      the user has previously been validated by an authentication
+      module. This function checks for other things. Such things might be:
+      the time of day or the date, the terminal line, remote hostname, etc.
+      This function may also determine things like the expiration on
+      passwords, and respond that the user change it before continuing.
+    </para>
+    <para>
+       Valid flags, which may be logically OR'd with
+       <emphasis>PAM_SILENT</emphasis>, are:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SILENT</term>
+        <listitem>
+           <para>
+             Do not emit any messages.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_DISALLOW_NULL_AUTHTOK</term>
+        <listitem>
+          <para>
+            Return <emphasis remap='B'>PAM_AUTH_ERR</emphasis> if the
+            database of authentication tokens for this authentication
+            mechanism has a <emphasis>NULL</emphasis> entry for the user.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_sm_acct_mgmt-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_ACCT_EXPIRED</term>
+        <listitem>
+           <para>
+             User account has expired.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTH_ERR</term>
+        <listitem>
+          <para>
+            Authentication failure.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_NEW_AUTHTOK_REQD</term>
+        <listitem>
+          <para>
+            The user's authentication token has expired. Before calling
+            this function again the application will arrange for a new
+            one to be given. This will likely result in a call to
+            <function>pam_sm_chauthtok()</function>.
+
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_PERM_DENIED</term>
+        <listitem>
+          <para>
+            Permission denied.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             The authentication token was successfully updated.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>
+            User unknown to password service.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_sm_acct_mgmt-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_acct_mgmt</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_sm_authenticate.3 b/Linux-PAM/doc/man/pam_sm_authenticate.3
new file mode 100644
index 00000000..7487f6af
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_sm_authenticate.3
@@ -0,0 +1,80 @@
+.\"     Title: pam_sm_authenticate
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_SM_AUTHENTICATE" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_sm_authenticate \- PAM service function for user authentication
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#define PAM_SM_AUTH
+.fi
+.ft
+.sp
+.ft B
+.nf
+#include <security/pam_modules.h>
+.fi
+.ft
+.HP 35
+.BI "PAM_EXTERN int pam_sm_authenticate(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_sm_authenticate\fR
+function is the service module's implementation of the
+\fBpam_authenticate\fR(3)
+interface.
+.PP
+This function performs the task of authenticating the user.
+.PP
+Valid flags, which may be logically OR'd with
+\fIPAM_SILENT\fR, are:
+.TP 3n
+PAM_SILENT
+Do not emit any messages.
+.TP 3n
+PAM_DISALLOW_NULL_AUTHTOK
+Return
+\fBPAM_AUTH_ERR\fR
+if the database of authentication tokens for this authentication mechanism has a
+\fINULL\fR
+entry for the user. Without this flag, such a
+\fINULL\fR
+token will lead to a success without the user being prompted.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_AUTH_ERR
+Authentication failure.
+.TP 3n
+PAM_CRED_INSUFFICIENT
+For some reason the application does not have sufficient credentials to authenticate the user.
+.TP 3n
+PAM_AUTHINFO_UNAVAIL
+The modules were not able to access the authentication information. This might be due to a network or hardware failure etc.
+.TP 3n
+PAM_SUCCESS
+The authentication token was successfully updated.
+.TP 3n
+PAM_USER_UNKNOWN
+The supplied username is not known to the authentication service.
+.TP 3n
+PAM_MAXTRIES
+One or more of the authentication modules has reached its limit of tries authenticating the user. Do not try again.
+.SH "SEE ALSO"
+.PP
+
+\fBpam\fR(3),
+\fBpam_authenticate\fR(3),
+\fBpam_sm_setcred\fR(3),
+\fBpam_strerror\fR(3),
+\fBPAM\fR(8)
diff --git a/Linux-PAM/doc/man/pam_sm_authenticate.3.xml b/Linux-PAM/doc/man/pam_sm_authenticate.3.xml
new file mode 100644
index 00000000..37c77576
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_sm_authenticate.3.xml
@@ -0,0 +1,152 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam_sm_authenticate'>
+  <refmeta>
+    <refentrytitle>pam_sm_authenticate</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_sm_authenticate-name">
+    <refname>pam_sm_authenticate</refname>
+    <refpurpose>PAM service function for user authentication</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id='pam_sm_authenticate-synopsis'>
+      <funcsynopsisinfo>#define PAM_SM_AUTH</funcsynopsisinfo>
+      <funcsynopsisinfo>#include &lt;security/pam_modules.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>PAM_EXTERN int <function>pam_sm_authenticate</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+        <paramdef>int <parameter>argc</parameter></paramdef>
+        <paramdef>const char **<parameter>argv</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id='pam_sm_authenticate-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_sm_authenticate</function> function is the service
+      module's implementation of the
+      <citerefentry>
+        <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> interface.
+    </para>
+    <para>
+      This function performs the task of authenticating the user.
+    </para>
+    <para>
+       Valid flags, which may be logically OR'd with
+       <emphasis>PAM_SILENT</emphasis>, are:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SILENT</term>
+        <listitem>
+           <para>
+             Do not emit any messages.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_DISALLOW_NULL_AUTHTOK</term>
+        <listitem>
+          <para>
+            Return <emphasis remap='B'>PAM_AUTH_ERR</emphasis> if the
+            database of authentication tokens for this authentication
+            mechanism has a <emphasis>NULL</emphasis> entry for the user.
+            Without this flag, such a <emphasis>NULL</emphasis> token 
+            will lead to a success without the user being prompted.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_sm_authenticate-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_AUTH_ERR</term>
+        <listitem>
+          <para>
+            Authentication failure.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CRED_INSUFFICIENT</term>
+        <listitem>
+          <para>
+            For some reason the application does not have sufficient
+            credentials to authenticate the user.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHINFO_UNAVAIL</term>
+        <listitem>
+          <para>
+            The modules were not able to access the authentication
+            information. This might be due to a network or hardware 
+            failure etc.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             The authentication token was successfully updated.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>
+            The supplied username is not known to the authentication
+            service.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_MAXTRIES</term>
+        <listitem>
+          <para>
+            One or more of the authentication modules has reached its
+            limit of tries authenticating the user. Do not try again.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_sm_authenticate-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_sm_setcred</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_sm_chauthtok.3 b/Linux-PAM/doc/man/pam_sm_chauthtok.3
new file mode 100644
index 00000000..c247f68f
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_sm_chauthtok.3
@@ -0,0 +1,97 @@
+.\"     Title: pam_sm_chauthtok
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_SM_CHAUTHTOK" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_sm_chauthtok \- PAM service function for authentication token management
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#define PAM_SM_PASSWORD
+.fi
+.ft
+.sp
+.ft B
+.nf
+#include <security/pam_modules.h>
+.fi
+.ft
+.HP 32
+.BI "PAM_EXTERN int pam_sm_chauthtok(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_sm_chauthtok\fR
+function is the service module's implementation of the
+\fBpam_chauthtok\fR(3)
+interface.
+.PP
+This function is used to (re\-)set the authentication token of the user.
+.PP
+Valid flags, which may be logically OR'd with
+\fIPAM_SILENT\fR, are:
+.TP 3n
+PAM_SILENT
+Do not emit any messages.
+.TP 3n
+PAM_CHANGE_EXPIRED_AUTHTOK
+This argument indicates to the module that the users authentication token (password) should only be changed if it has expired. This flag is optional and
+\fImust\fR
+be combined with one of the following two flags. Note, however, the following two options are
+\fImutually exclusive\fR.
+.TP 3n
+PAM_PRELIM_CHECK
+This indicates that the modules are being probed as to their ready status for altering the user's authentication token. If the module requires access to another system over some network it should attempt to verify it can connect to this system on receiving this flag. If a module cannot establish it is ready to update the user's authentication token it should return
+\fBPAM_TRY_AGAIN\fR, this information will be passed back to the application.
+.TP 3n
+PAM_UPDATE_AUTHTOK
+This informs the module that this is the call it should change the authorization tokens. If the flag is logically OR'd with
+\fBPAM_CHANGE_EXPIRED_AUTHTOK\fR, the token is only changed if it has actually expired.
+.PP
+The PAM library calls this function twice in succession. The first time with
+\fBPAM_PRELIM_CHECK\fR
+and then, if the module does not return
+\fBPAM_TRY_AGAIN\fR, subsequently with
+\fBPAM_UPDATE_AUTHTOK\fR. It is only on the second call that the authorization token is (possibly) changed.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_AUTHTOK_ERR
+The module was unable to obtain the new authentication token.
+.TP 3n
+PAM_AUTHTOK_RECOVERY_ERR
+The module was unable to obtain the old authentication token.
+.TP 3n
+PAM_AUTHTOK_LOCK_BUSY
+Cannot change the authentication token since it is currently locked.
+.TP 3n
+PAM_AUTHTOK_DISABLE_AGING
+Authentication token aging has been disabled.
+.TP 3n
+PAM_PERM_DENIED
+Permission denied.
+.TP 3n
+PAM_TRY_AGAIN
+Preliminary check was unsuccessful. Signals an immediate return to the application is desired.
+.TP 3n
+PAM_SUCCESS
+The authentication token was successfully updated.
+.TP 3n
+PAM_USER_UNKNOWN
+User unknown to password service.
+.SH "SEE ALSO"
+.PP
+
+\fBpam\fR(3),
+\fBpam_chauthtok\fR(3),
+\fBpam_sm_chauthtok\fR(3),
+\fBpam_strerror\fR(3),
+\fBPAM\fR(8)
diff --git a/Linux-PAM/doc/man/pam_sm_chauthtok.3.xml b/Linux-PAM/doc/man/pam_sm_chauthtok.3.xml
new file mode 100644
index 00000000..c36a0baf
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_sm_chauthtok.3.xml
@@ -0,0 +1,200 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam_sm_chauthtok'>
+  <refmeta>
+    <refentrytitle>pam_sm_chauthtok</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_sm_chauthtok-name">
+    <refname>pam_sm_chauthtok</refname>
+    <refpurpose>PAM service function for authentication token management</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id='pam_sm_chauthtok-synopsis'>
+      <funcsynopsisinfo>#define PAM_SM_PASSWORD</funcsynopsisinfo>
+      <funcsynopsisinfo>#include &lt;security/pam_modules.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>PAM_EXTERN int <function>pam_sm_chauthtok</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+        <paramdef>int <parameter>argc</parameter></paramdef>
+        <paramdef>const char **<parameter>argv</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id='pam_sm_chauthtok-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_sm_chauthtok</function> function is the service
+      module's implementation of the
+      <citerefentry>
+        <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> interface.
+    </para>
+    <para>
+      This function is used to (re-)set the authentication token of the user. 
+    </para>
+    <para>
+       Valid flags, which may be logically OR'd with
+       <emphasis>PAM_SILENT</emphasis>, are:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SILENT</term>
+        <listitem>
+           <para>
+             Do not emit any messages.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CHANGE_EXPIRED_AUTHTOK</term>
+        <listitem>
+          <para>
+            This argument indicates to the module that the users
+            authentication token (password) should only be changed if 
+            it has expired. This flag is optional and 
+            <emphasis>must</emphasis> be combined with one of the 
+            following two flags. Note, however, the following two options 
+            are <emphasis>mutually exclusive</emphasis>.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_PRELIM_CHECK</term>
+        <listitem>
+          <para>
+            This indicates that the modules are being probed as to 
+            their ready status for altering the user's authentication 
+            token. If the module requires access to another system over 
+            some network it should attempt to verify it can connect to 
+            this system on receiving this flag. If a module cannot establish 
+            it is ready to update the user's authentication token it should 
+            return <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, this
+            information will be passed back to the application.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_UPDATE_AUTHTOK</term>
+        <listitem>
+          <para>
+            This informs the module that this is the call it should change
+            the authorization tokens. If the flag is logically OR'd with
+            <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the 
+            token is only changed if it has actually expired.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+    <para>
+      The PAM library calls this function twice in succession. The first 
+      time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then, 
+      if the module does not return 
+      <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, subsequently with
+      <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on 
+      the second call that the authorization token is (possibly) changed.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_sm_chauthtok-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_AUTHTOK_ERR</term>
+        <listitem>
+           <para>
+             The module was unable to obtain the new authentication token.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHTOK_RECOVERY_ERR</term>
+        <listitem>
+          <para>
+            The module was unable to obtain the old authentication token.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHTOK_LOCK_BUSY</term>
+        <listitem>
+          <para>
+            Cannot change the authentication token since it is currently
+            locked.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHTOK_DISABLE_AGING</term>
+        <listitem>
+          <para>
+            Authentication token aging has been disabled.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_PERM_DENIED</term>
+        <listitem>
+          <para>
+            Permission denied.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_TRY_AGAIN</term>
+        <listitem>
+          <para>
+            Preliminary check was unsuccessful. Signals an immediate
+            return to the application is desired.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             The authentication token was successfully updated.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>
+            User unknown to password service.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_sm_chauthtok-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_sm_close_session.3 b/Linux-PAM/doc/man/pam_sm_close_session.3
new file mode 100644
index 00000000..4d0f081b
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_sm_close_session.3
@@ -0,0 +1,58 @@
+.\"     Title: pam_sm_close_session
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_SM_CLOSE_SESSION" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_sm_close_session \- PAM service function to terminate session management
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#define PAM_SM_SESSION
+.fi
+.ft
+.sp
+.ft B
+.nf
+#include <security/pam_modules.h>
+.fi
+.ft
+.HP 36
+.BI "PAM_EXTERN int pam_sm_close_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_sm_close_session\fR
+function is the service module's implementation of the
+\fBpam_close_session\fR(3)
+interface.
+.PP
+This function is called to terminate a session. The only valid value for
+\fIflags\fR
+is zero or:
+.TP 3n
+PAM_SILENT
+Do not emit any messages.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_SESSION_ERR
+Cannot make/remove an entry for the specified session.
+.TP 3n
+PAM_SUCCESS
+The session was successfully terminated.
+.SH "SEE ALSO"
+.PP
+
+\fBpam\fR(3),
+\fBpam_close_session\fR(3),
+\fBpam_sm_close_session\fR(3),
+\fBpam_strerror\fR(3),
+\fBPAM\fR(8)
diff --git a/Linux-PAM/doc/man/pam_sm_close_session.3.xml b/Linux-PAM/doc/man/pam_sm_close_session.3.xml
new file mode 100644
index 00000000..f2e67185
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_sm_close_session.3.xml
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-close.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam_sm_close_session'>
+  <refmeta>
+    <refentrytitle>pam_sm_close_session</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_sm_close_session-name">
+    <refname>pam_sm_close_session</refname>
+    <refpurpose>PAM service function to terminate session management</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id='pam_sm_close_session-synopsis'>
+      <funcsynopsisinfo>#define PAM_SM_SESSION</funcsynopsisinfo>
+      <funcsynopsisinfo>#include &lt;security/pam_modules.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>PAM_EXTERN int <function>pam_sm_close_session</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+        <paramdef>int <parameter>argc</parameter></paramdef>
+        <paramdef>const char **<parameter>argv</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id='pam_sm_close_session-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_sm_close_session</function> function is the service
+      module's implementation of the
+      <citerefentry>
+        <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> interface.
+    </para>
+    <para>
+      This function is called to terminate a session. The only valid
+      value for <varname role='parameter'>flags</varname> is zero or:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SILENT</term>
+        <listitem>
+           <para>
+             Do not emit any messages.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_sm_close_session-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SESSION_ERR</term>
+        <listitem>
+          <para>
+            Cannot make/remove an entry for the specified session.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             The session was successfully terminated.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_sm_close_session-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_sm_close_session</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_sm_open_session.3 b/Linux-PAM/doc/man/pam_sm_open_session.3
new file mode 100644
index 00000000..b97f6005
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_sm_open_session.3
@@ -0,0 +1,58 @@
+.\"     Title: pam_sm_open_session
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_SM_OPEN_SESSION" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_sm_open_session \- PAM service function to start session management
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#define PAM_SM_SESSION
+.fi
+.ft
+.sp
+.ft B
+.nf
+#include <security/pam_modules.h>
+.fi
+.ft
+.HP 35
+.BI "PAM_EXTERN int pam_sm_open_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_sm_open_session\fR
+function is the service module's implementation of the
+\fBpam_open_session\fR(3)
+interface.
+.PP
+This function is called to commence a session. The only valid value for
+\fIflags\fR
+is zero or:
+.TP 3n
+PAM_SILENT
+Do not emit any messages.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_SESSION_ERR
+Cannot make/remove an entry for the specified session.
+.TP 3n
+PAM_SUCCESS
+The session was successfully started.
+.SH "SEE ALSO"
+.PP
+
+\fBpam\fR(3),
+\fBpam_open_session\fR(3),
+\fBpam_sm_close_session\fR(3),
+\fBpam_strerror\fR(3),
+\fBPAM\fR(8)
diff --git a/Linux-PAM/doc/man/pam_sm_open_session.3.xml b/Linux-PAM/doc/man/pam_sm_open_session.3.xml
new file mode 100644
index 00000000..0851c345
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_sm_open_session.3.xml
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam_sm_open_session'>
+  <refmeta>
+    <refentrytitle>pam_sm_open_session</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_sm_open_session-name">
+    <refname>pam_sm_open_session</refname>
+    <refpurpose>PAM service function to start session management</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id='pam_sm_open_session-synopsis'>
+      <funcsynopsisinfo>#define PAM_SM_SESSION</funcsynopsisinfo>
+      <funcsynopsisinfo>#include &lt;security/pam_modules.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>PAM_EXTERN int <function>pam_sm_open_session</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+        <paramdef>int <parameter>argc</parameter></paramdef>
+        <paramdef>const char **<parameter>argv</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id='pam_sm_open_session-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_sm_open_session</function> function is the service
+      module's implementation of the
+      <citerefentry>
+        <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> interface.
+    </para>
+    <para>
+      This function is called to commence a session. The only valid
+      value for <varname role='parameter'>flags</varname> is zero or:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SILENT</term>
+        <listitem>
+           <para>
+             Do not emit any messages.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_sm_open_session-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SESSION_ERR</term>
+        <listitem>
+          <para>
+            Cannot make/remove an entry for the specified session.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             The session was successfully started.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_sm_open_session-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_sm_close_session</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_sm_setcred.3 b/Linux-PAM/doc/man/pam_sm_setcred.3
new file mode 100644
index 00000000..b4cb70e8
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_sm_setcred.3
@@ -0,0 +1,95 @@
+.\"     Title: pam_sm_setcred
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_SM_SETCRED" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_sm_setcred \- PAM service function to alter credentials
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#define PAM_SM_AUTH
+.fi
+.ft
+.sp
+.ft B
+.nf
+#include <security/pam_modules.h>
+.fi
+.ft
+.HP 30
+.BI "PAM_EXTERN int pam_sm_setcred(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_sm_setcred\fR
+function is the service module's implementation of the
+\fBpam_setcred\fR(3)
+interface.
+.PP
+This function performs the task of altering the credentials of the user with respect to the corresponding authorization scheme. Generally, an authentication module may have access to more information about a user than their authentication token. This function is used to make such information available to the application. It should only be called
+\fIafter\fR
+the user has been authenticated but before a session has been established.
+.PP
+Valid flags, which may be logically OR'd with
+\fIPAM_SILENT\fR, are:
+.TP 3n
+PAM_SILENT
+Do not emit any messages.
+.TP 3n
+PAM_DELETE_CRED
+Delete the credentials associated with the authentication service.
+.TP 3n
+PAM_REINITIALIZE_CRED
+Reinitialize the user credentials.
+.TP 3n
+PAM_REFRESH_CRED
+Extend the lifetime of the user credentials.
+.PP
+The way the
+\fBauth\fR
+stack is navigated in order to evaluate the
+\fBpam_setcred\fR() function call, independent of the
+\fBpam_sm_setcred\fR() return codes, is exactly the same way that it was navigated when evaluating the
+\fBpam_authenticate\fR() library call. Typically, if a stack entry was ignored in evaluating
+\fBpam_authenticate\fR(), it will be ignored when libpam evaluates the
+\fBpam_setcred\fR() function call. Otherwise, the return codes from each module specific
+\fBpam_sm_setcred\fR() call are treated as
+\fBrequired\fR.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_CRED_UNAVAIL
+This module cannot retrieve the user's credentials.
+.TP 3n
+PAM_CRED_EXPIRED
+The user's credentials have expired.
+.TP 3n
+PAM_CRED_ERR
+This module was unable to set the credentials of the user.
+.TP 3n
+PAM_SUCCESS
+The user credential was successfully set.
+.TP 3n
+PAM_USER_UNKNOWN
+The user is not known to this authentication module.
+.PP
+These, non\-\fIPAM_SUCCESS\fR, return values will typically lead to the credential stack
+\fIfailing\fR. The first such error will dominate in the return value of
+\fBpam_setcred\fR().
+.SH "SEE ALSO"
+.PP
+
+\fBpam\fR(3),
+\fBpam_authenticate\fR(3),
+\fBpam_setcred\fR(3),
+\fBpam_sm_authenticate\fR(3),
+\fBpam_strerror\fR(3),
+\fBPAM\fR(8)
diff --git a/Linux-PAM/doc/man/pam_sm_setcred.3.xml b/Linux-PAM/doc/man/pam_sm_setcred.3.xml
new file mode 100644
index 00000000..e4809ad7
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_sm_setcred.3.xml
@@ -0,0 +1,179 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam_sm_setcred'>
+  <refmeta>
+    <refentrytitle>pam_sm_setcred</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_sm_setcred-name">
+    <refname>pam_sm_setcred</refname>
+    <refpurpose>PAM service function to alter credentials</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id='pam_sm_setcred-synopsis'>
+      <funcsynopsisinfo>#define PAM_SM_AUTH</funcsynopsisinfo>
+      <funcsynopsisinfo>#include &lt;security/pam_modules.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>PAM_EXTERN int <function>pam_sm_setcred</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+        <paramdef>int <parameter>argc</parameter></paramdef>
+        <paramdef>const char **<parameter>argv</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id='pam_sm_setcred-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_sm_setcred</function> function is the service
+      module's implementation of the
+      <citerefentry>
+        <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> interface.
+    </para>
+    <para>
+      This function performs the task of altering the credentials of the
+      user with respect to the corresponding authorization
+      scheme. Generally, an authentication module may have access to more
+      information about a user than their authentication token. This
+      function is used to make such information available to the
+      application. It should only be called <emphasis>after</emphasis> the
+      user has been authenticated but before a session has been established.
+    </para>
+    <para>
+       Valid flags, which may be logically OR'd with
+       <emphasis>PAM_SILENT</emphasis>, are:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SILENT</term>
+        <listitem>
+           <para>
+             Do not emit any messages.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_DELETE_CRED</term>
+        <listitem>
+          <para>
+            Delete the credentials associated with the authentication service.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_REINITIALIZE_CRED</term>
+        <listitem>
+          <para>
+            Reinitialize the user credentials.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_REFRESH_CRED</term>
+        <listitem>
+          <para>
+            Extend the lifetime of the user credentials.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+    <para>
+      The way the <emphasis remap='B'>auth</emphasis> stack is 
+      navigated in order to evaluate the <function>pam_setcred</function>()
+      function call, independent of the <function>pam_sm_setcred</function>() 
+      return codes, is exactly the same way that it was navigated when
+      evaluating the <function>pam_authenticate</function>() library
+      call. Typically, if a stack entry was ignored in evaluating
+      <function>pam_authenticate</function>(), it will be ignored when
+      libpam evaluates the <function>pam_setcred</function>() function 
+      call. Otherwise, the return codes from each module specific 
+      <function>pam_sm_setcred</function>() call are treated as
+      <emphasis remap='B'>required</emphasis>.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_sm_setcred-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_CRED_UNAVAIL</term>
+        <listitem>
+          <para>
+            This module cannot retrieve the user's credentials.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CRED_EXPIRED</term>
+        <listitem>
+          <para>
+            The user's credentials have expired.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CRED_ERR</term>
+        <listitem>
+          <para>
+            This module was unable to set the credentials of the user.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             The user credential was successfully set.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>
+            The user is not known to this authentication module.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+    <para>
+      These, non-<emphasis>PAM_SUCCESS</emphasis>, return values will 
+      typically lead to the credential stack <emphasis>failing</emphasis>.
+      The first such error will dominate in the return value of 
+      <function>pam_setcred</function>().
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_sm_setcred-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_sm_authenticate</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_start.3 b/Linux-PAM/doc/man/pam_start.3
index a912cc75..22521213 100644
--- a/Linux-PAM/doc/man/pam_start.3
+++ b/Linux-PAM/doc/man/pam_start.3
@@ -1,98 +1,80 @@
-.\" Hey Emacs! This file is -*- nroff -*- source.
-.\" $Id: pam_start.3,v 1.1.1.1 2000/06/20 22:10:58 agmorgan Exp $
-.\" Copyright (c) Andrew G. Morgan 1996-7 <morgan@parc.power.net>
-.TH PAM_START 3 "1997 Feb 15" "Linux-PAM 0.56" "Application Programmers' Manual"
-.SH NAME
-
-pam_start, pam_end \- activating Linux-PAM
-
-.SH SYNOPSIS
-.B #include <security/pam_appl.h>
-.sp
-.BI "int pam_start(const char " *service ", const char " *user ", const struct pam_conv " *conv ", pam_handle_t " **pamh_p ");"
-.sp
-.BI "int pam_end(pam_handle_t " *pamh ", int " pam_status ");"
-.sp 2
-.SH DESCRIPTION
-.TP
-.B pam_start
-Initialize the
-.I Linux-PAM
-library.  Identifying the application with a particular
-.IR service
-name.  The
-.IR user "name"
-can take the value
-.IR NULL ", "
-if not known at the time the interface is initialized.  The
-conversation structure is passed to the library via the
-.IR conv
-argument.  (For a complete description of this and other structures
-the reader is directed to the more verbose
-.IR Linux-PAM
-application developers' guide).  Upon successful initialization, an
-opaque pointer-handle for future access to the library is returned
-through the contents of the
-.IR pamh_p
-pointer.
-
-.TP
-.B pam_end
-Terminate the
-.B Linux-PAM
-library.  The service application associated with the
-.IR pamh
-handle, is terminated.  The argument,
-.IR pam_status ", "
-passes the value most recently returned to the application from the
-library; it indicates the manner in which the library should be
-shutdown.  Besides carrying a return value, this argument may be
-logically OR'd with
-.IR PAM_DATA_SILENT
-to indicate that the module should not treat the call too
-seriously. It is generally used to indicate that the current closing
-of the library is in a
-.IR fork "(2)ed"
-process, and that the parent will take care of cleaning up things that
-exist outside of the current process space (files etc.).
-
-.SH "RETURN VALUE"
-.TP
-.B pam_start
-.TP
-.B pam_end
-On success,
-.BR PAM_SUCCESS
-is returned
-
-.SH ERRORS
-May be translated to text with
-.BR pam_strerror "(3). "
-
-.SH "CONFORMING TO"
-DCE-RFC 86.0, October 1995.
+.\"     Title: pam_start
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_START" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_start \- initialization of PAM transaction
+.SH "SYNOPSIS"
 .sp
-Note, the 
-.BR PAM_DATA_SILENT
-flag is pending acceptance with the DCE (as of 1996/12/4).
-
-.SH BUGS
-.sp 2
-None known.
-
-.SH "SEE ALSO"
-
-.BR fork "(2), "
-.BR pam_authenticate "(3), "
-.BR pam_acct_mgmt "(3), "
-.BR pam_open_session "(3), "
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.HP 14
+.BI "int pam_start(const\ char\ *" "service_name" ", const\ char\ *" "user" ", const\ struct\ pam_conv\ *" "pam_conversation" ", pam_handle_t\ **" "pamh" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_start\fR
+function creates the PAM context and initiates the PAM transaction. It is the first of the PAM functions that needs to be called by an application. The transaction state is contained entirely within the structure identified by this handle, so it is possible to have multiple transactions in parallel. But it is not possible to use the same handle for different transactions, a new one is needed for every new context.
+.PP
+The
+\fIservice_name\fR
+argument specifies the name of the service to apply and will be stored as PAM_SERVICE item in the new context. The policy for the service will be read from the file
+\fI/etc/pam.d/service_name\fR
+or, if that file does not exist, from
+\fI/etc/pam.conf\fR.
+.PP
+The
+\fIuser\fR
+argument can specify the name of the target user and will be stored as PAM_USER item. If the argument is NULL, the module has to ask for this item if necessary.
+.PP
+The
+\fIpam_conversation\fR
+argument points to a
+\fIstruct pam_conv\fR
+describing the conversation function to use. An application must provide this for direct communication between a loaded module and the application.
+.PP
+Following a successful return (PAM_SUCCESS) the contents of
+\fIpamh\fR
+is a handle that contains the PAM context for successive calls to the PAM functions. In an error case is the content of
+\fIpamh\fR
+undefined.
+.PP
+The
+\fIpam_handle_t\fR
+is a blind structure and the application should not attempt to probe it directly for information. Instead the PAM library provides the functions
+\fBpam_set_item\fR(3)
 and
-.BR pam_chauthtok "(3)."
+\fBpam_get_item\fR(3). The PAM handle cannot be used for mulitiple authentications at the same time as long as
+\fBpam_end\fR
+was not called on it before.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_ABORT
+General failure.
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_SUCCESS
+Transaction was successful created.
+.TP 3n
+PAM_SYSTEM_ERR
+System error, for example a NULL pointer was submitted instead of a pointer to data.
+.SH "SEE ALSO"
+.PP
 
-Also, see the three
-.BR Linux-PAM
-Guides, for
-.BR "System administrators" ", "
-.BR "module developers" ", "
-and
-.BR "application developers" ". "
+\fBpam_get_data\fR(3),
+\fBpam_set_data\fR(3),
+\fBpam_end\fR(3),
+\fBpam_strerror\fR(3)
diff --git a/Linux-PAM/doc/man/pam_start.3.xml b/Linux-PAM/doc/man/pam_start.3.xml
new file mode 100644
index 00000000..9b370f52
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_start.3.xml
@@ -0,0 +1,147 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id='pam_start'>
+
+  <refmeta>
+    <refentrytitle>pam_start</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_start-name">
+    <refname>pam_start</refname>
+    <refpurpose>initialization of PAM transaction</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id="pam_start-synopsis">
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>int <function>pam_start</function></funcdef>
+        <paramdef>const char *<parameter>service_name</parameter></paramdef>
+        <paramdef>const char *<parameter>user</parameter></paramdef>
+        <paramdef>const struct pam_conv *<parameter>pam_conversation</parameter></paramdef>
+        <paramdef>pam_handle_t **<parameter>pamh</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id="pam_start-description">
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_start</function> function creates the PAM context
+      and initiates the PAM transaction. It is the first of the PAM
+      functions that needs to be called by an application. The transaction
+      state is contained entirely within the structure identified by this
+      handle, so it is possible to have multiple transactions in parallel.
+      But it is not possible to use the same handle for different
+      transactions, a new one is needed for every new context.
+    </para>
+
+    <para>
+      The <emphasis>service_name</emphasis> argument specifies the name
+      of the service to apply and will be stored as PAM_SERVICE item in
+      the new context. The policy for the service will be read from the
+      file <filename>/etc/pam.d/service_name</filename> or, if that file
+      does not exist, from <filename>/etc/pam.conf</filename>.
+    </para>
+
+    <para>
+       The <emphasis>user</emphasis> argument can specify the name
+       of the target user and will be stored as PAM_USER item. If
+       the argument is NULL, the module has to ask for this item if
+       necessary.
+    </para>
+
+    <para>
+       The <emphasis>pam_conversation</emphasis> argument points to
+       a <emphasis>struct pam_conv</emphasis> describing the
+       conversation function to use. An application must provide this
+       for direct communication between a loaded module and the
+       application.
+    </para>
+
+    <para>
+       Following a successful return (PAM_SUCCESS) the contents of
+       <emphasis>pamh</emphasis> is a handle that contains the PAM
+       context for successive calls to the PAM functions. In an error
+       case is the content of <emphasis>pamh</emphasis> undefined.
+    </para>
+
+    <para>
+      The <emphasis>pam_handle_t</emphasis> is a blind structure and
+      the application should not attempt to probe it directly for
+      information. Instead the PAM library provides the functions
+      <citerefentry>
+        <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> and
+      <citerefentry>
+        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+      The PAM handle cannot be used for mulitiple authentications at the
+      same time as long as <function>pam_end</function> was not called on
+      it before.
+    </para>
+  </refsect1>
+  <refsect1 id="pam_start-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_ABORT</term>
+        <listitem>
+           <para>
+              General failure.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+              Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             Transaction was successful created.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SYSTEM_ERR</term>
+        <listitem>
+           <para>
+              System error, for example a NULL pointer was submitted
+              instead of a pointer to data.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_start-see_also">
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_strerror.3 b/Linux-PAM/doc/man/pam_strerror.3
index b2318f28..2d1e8849 100644
--- a/Linux-PAM/doc/man/pam_strerror.3
+++ b/Linux-PAM/doc/man/pam_strerror.3
@@ -1,51 +1,36 @@
-.\" Hey Emacs! This file is -*- nroff -*- source.
-.\" ripped off from Rick Faith's getgroups man page
-.\" $Id: pam_strerror.3,v 1.1.1.1 2000/06/20 22:10:58 agmorgan Exp $
-.\" Copyright (c) Andrew G. Morgan 1996-7 <morgan@linux.kernel.org>
-.TH PAM_STRERROR 3 "1999 Oct 4" "Linux-PAM 0.70" "Programmers' Manual"
-.SH NAME
-
-pam_strerror \- return a textual description of a Linux-PAM error
-
-.SH SYNOPSIS
-.B #include <security/pam_appl.h>
-.br
-or,
-.br
-.B #include <security/pam_modules.h>
+.\"     Title: pam_strerror
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_STRERROR" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_strerror \- return string describing PAM error code
+.SH "SYNOPSIS"
 .sp
-.BI "const char * pam_strerror( pam_handle_t " "*pamh" ", int " pam_error ");"
-.sp 2
-.SH DESCRIPTION
-.B pam_strerror
-
-This function returns some text describing the
-.BR Linux-PAM
-error associated with the
-.B pam_error
-argument.
-
-.SH "RETURN VALUE"
-
-On success this function returns a description of the indicated
-error.  Should the function not recognize the error, ``Unknown
-Linux-PAM error'' is returned.
-
-.SH "CONFORMING TO"
-DCE-RFC 86.0, October 1995.
-
-.SH BUGS
-.sp 2
-This function should be internationalized.
-
+.ft B
+.nf
+#include <security/pam_appl.h>
+.fi
+.ft
+.HP 25
+.BI "const char *pam_strerror(pam_handle_t\ *" "pamh" ", int\ " "errnum" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_strerror\fR
+function returns a pointer to a string describing the error code passed in the argument
+\fIerrnum\fR, possibly using the LC_MESSAGES part of the current locale to select the appropriate language. This string must not be modified by the application. No library function will modify this string.
+.SH "RETURN VALUES"
+.PP
+This function returns always a pointer to a string.
 .SH "SEE ALSO"
+.PP
 
-.BR pam "(8). "
-
-Also, see the three
-.BR Linux-PAM
-Guides, for
-.BR "System administrators" ", "
-.BR "module developers" ", "
-and
-.BR "application developers" ". "
+\fBpam\fR(8)
diff --git a/Linux-PAM/doc/man/pam_strerror.3.xml b/Linux-PAM/doc/man/pam_strerror.3.xml
new file mode 100644
index 00000000..954e131d
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_strerror.3.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id='pam_strerror'>
+
+  <refmeta>
+    <refentrytitle>pam_strerror</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_strerror-name">
+    <refname>pam_strerror</refname>
+    <refpurpose>return string describing PAM error code</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id="pam_strerror-synopsis">
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>const char *<function>pam_strerror</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>errnum</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id="pam_strerror-description">
+    <title>DESCRIPTION</title>
+    <para>
+       The <function>pam_strerror</function> function returns a pointer to
+       a string describing the error code passed in the argument
+       <emphasis>errnum</emphasis>, possibly using the LC_MESSAGES part of
+       the current locale to select the appropriate language. This string
+       must not be modified by the application. No library function will
+       modify this string.
+    </para>
+  </refsect1>
+  <refsect1 id="pam_strerror-return_values">
+    <title>RETURN VALUES</title>
+    <para>
+       This function returns always a pointer to a string.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_strerror-see_also">
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_syslog.3 b/Linux-PAM/doc/man/pam_syslog.3
new file mode 100644
index 00000000..112066d9
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_syslog.3
@@ -0,0 +1,61 @@
+.\"     Title: pam_syslog
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/27/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_SYSLOG" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_syslog, pam_vsyslog \- send messages to the system logger
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <syslog.h>
+.fi
+.ft
+.sp
+.ft B
+.nf
+#include <security/pam_ext.h>
+.fi
+.ft
+.HP 16
+.BI "void pam_syslog(pam_handle_t\ *" "pamh" ", int\ " "priority" ", const\ char\ *" "fmt" ", " "..." ");"
+.HP 17
+.BI "void pam_vsyslog(pam_handle_t\ *" "pamh" ", int\ " "priority" ", const\ char\ *" "fmt" ", va_list\ " "args" ");"
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_syslog\fR
+function logs messages using
+\fBsyslog\fR(3)
+and is intended for internal use by Linux\-PAM and PAM service modules. The
+\fIpriority\fR
+argument is formed by ORing the facility and the level values as documented in the
+\fBsyslog\fR(3)
+manual page.
+.PP
+The
+\fBpam_vsyslog\fR
+function performs the same task as
+\fBpam_syslog()\fR
+with the difference that it takes a set of arguments which have been obtained using the
+\fBstdarg\fR(3)
+variable argument list macros.
+.SH "SEE ALSO"
+.PP
+
+\fBpam\fR(8)
+.SH "STANDARDS"
+.PP
+The
+\fBpam_syslog\fR
+and
+\fBpam_vsyslog\fR
+functions are Linux\-PAM extensions.
diff --git a/Linux-PAM/doc/man/pam_syslog.3.xml b/Linux-PAM/doc/man/pam_syslog.3.xml
new file mode 100644
index 00000000..7c5b166a
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_syslog.3.xml
@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id="pam_syslog">
+
+  <refmeta>
+    <refentrytitle>pam_syslog</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_syslog-name">
+    <refname>pam_syslog</refname>
+    <refname>pam_vsyslog</refname>
+    <refpurpose>send messages to the system logger</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv id="pam_syslog-synopsis">
+    <funcsynopsis>
+      <funcsynopsisinfo>#include &lt;syslog.h&gt;</funcsynopsisinfo>
+      <funcsynopsisinfo>#include &lt;security/pam_ext.h&gt;</funcsynopsisinfo>
+      <funcprototype>
+        <funcdef>void <function>pam_syslog</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>priority</parameter></paramdef>
+        <paramdef>const char *<parameter>fmt</parameter></paramdef>
+        <paramdef><parameter>...</parameter></paramdef>
+      </funcprototype>
+      <funcprototype>
+        <funcdef>void <function>pam_vsyslog</function></funcdef>
+        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
+        <paramdef>int <parameter>priority</parameter></paramdef>
+        <paramdef>const char *<parameter>fmt</parameter></paramdef>
+        <paramdef>va_list <parameter>args</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='pam_syslog-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_syslog</function> function logs messages using
+      <citerefentry>
+        <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> and is intended for internal use by Linux-PAM and
+      PAM service modules. The <emphasis>priority</emphasis> argument is
+      formed by ORing the facility and the level values as documented
+      in the <citerefentry>
+        <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> manual page.
+    </para>
+    <para>
+      The <function>pam_vsyslog</function> function performs the same
+      task as <function>pam_syslog()</function> with the difference
+      that it takes a set of arguments which have been obtained using
+      the <citerefentry>
+        <refentrytitle>stdarg</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> variable argument list macros.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_syslog-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_syslog-standards'>
+    <title>STANDARDS</title>
+    <para>
+      The <function>pam_syslog</function> and <function>pam_vsyslog</function>
+      functions are Linux-PAM extensions.
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/man/pam_verror.3 b/Linux-PAM/doc/man/pam_verror.3
new file mode 100644
index 00000000..6e052ef6
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_verror.3
@@ -0,0 +1 @@
+.so man3/pam_error.3
diff --git a/Linux-PAM/doc/man/pam_vinfo.3 b/Linux-PAM/doc/man/pam_vinfo.3
new file mode 100644
index 00000000..79f3a153
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_vinfo.3
@@ -0,0 +1 @@
+.so man3/pam_info.3
diff --git a/Linux-PAM/doc/man/pam_vprompt.3 b/Linux-PAM/doc/man/pam_vprompt.3
new file mode 100644
index 00000000..bba0b1d3
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_vprompt.3
@@ -0,0 +1 @@
+.so man3/pam_prompt.3
diff --git a/Linux-PAM/doc/man/pam_vsyslog.3 b/Linux-PAM/doc/man/pam_vsyslog.3
new file mode 100644
index 00000000..b987b067
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_vsyslog.3
@@ -0,0 +1 @@
+.so man3/pam_syslog.3
diff --git a/Linux-PAM/doc/man/template-man b/Linux-PAM/doc/man/template-man
deleted file mode 100644
index 11e7a061..00000000
--- a/Linux-PAM/doc/man/template-man
+++ /dev/null
@@ -1,52 +0,0 @@
-.\" Hey Emacs! This file is -*- nroff -*- source.
-.\" $Id: template-man,v 1.1.1.1 2000/06/20 22:10:58 agmorgan Exp $
-.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
-.TH PAM_???? 2 "1997 Jan 4" "Linux-PAM 0.55" "Application Programmers' Manual"
-.SH NAME
-
-function names \- brief summary of function
-
-.SH SYNOPSIS
-.B #include <security/pam_????.h>
-.sp
-.BI "int pam_???(pam_handle_t " pamh ", int  " flags);
-.sp 2
-.SH DESCRIPTION
-.TP
-.B pam_???
-Here goes the
-.I explanation
-it may be quite
-.IR long .
-.TP
-.SH "RETURN VALUE"
-.B pam_???
-On success...
-.BR PAM_SUCCESS
-is returned
-.TP
-.SH ERRORS
-May be translated to text with
-.BR pam_strerror "(2). "
-
-.SH "CONFORMING TO"
-.B pam_???
-DCE-RFC 86.0, October 1995.
-
-.SH BUGS
-.sp 2
-none known.
-
-.SH "SEE ALSO"
-
-.BR pam_??? "(2), "
-and
-.BR pam_??? "(2). "
-
-Also, see the three
-.BR Linux-PAM
-Guides, for
-.BR "System administrators" ", "
-.BR "module developers" ", "
-and
-.BR "application developers" ". "
diff --git a/Linux-PAM/doc/modules/README b/Linux-PAM/doc/modules/README
deleted file mode 100644
index 653448f3..00000000
--- a/Linux-PAM/doc/modules/README
+++ /dev/null
@@ -1,13 +0,0 @@
-$Id: README,v 1.2 2001/12/08 18:56:47 agmorgan Exp $
-
-This directory contains a number of sgml sub-files. One for each
-documented module. They contain a description of each module and give
-some indication of its reliability.
-
-Additionally, there is a 'module.sgml-template' file which should be
-used as a blank form for new module descriptions.
-
-Please feel free to submit amendments/comments etc. regarding these
-files to:
-
-	Andrew G. Morgan <morgan@kernel.org>
diff --git a/Linux-PAM/doc/modules/module.sgml-template b/Linux-PAM/doc/modules/module.sgml-template
deleted file mode 100644
index 3fffc754..00000000
--- a/Linux-PAM/doc/modules/module.sgml-template
+++ /dev/null
@@ -1,170 +0,0 @@
-<!--
-
-   $Id: module.sgml-template,v 1.2 2001/02/11 07:52:56 agmorgan Exp $
-   
-   This template file was written by Andrew G. Morgan
-					<morgan@kernel.org>
-
-[
-	Text that should be deleted/replaced, is enclosed within 
-		'[' .. ']'
-	marks. For example, this text should be deleted!
-]
-
--->
-
-<sect1> [*Familiar full name of module*, eg. The "allow all" module.]
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-[
-	insert the name of the module
-
-	Blank is not permitted.
-]
-
-<tag><bf>Author[s]:</bf></tag>
-
-[
-	Insert author names here
-
-	Blank is not permitted. If in doubt, put "unknown" if the
-	author wishes to remain anonymous, put "anonymous".
-]
-
-<tag><bf>Maintainer:</bf></tag>
-	
-[
-	Insert names and date-begun of most recent maintainer.
-]
-
-<tag><bf>Management groups provided:</bf></tag>
-
-[
-	list the subset of four management groups supported by the
-	module. Choose from: account; authentication; password;
-	session.
-
-	Blank entries are not permitted. Explicitly list all of the
-	management groups. In the future more may be added to libpam!
-]
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-[
-	Indicate whether this module contains code that can perform
-	reversible (strong) encryption. This field is primarily to
-	ensure that people redistributing it are not unwittingly
-	breaking laws...
-
-	Modules may also require the presence of some local library
-	that performs the necessary encryption via some standard API.
-	In this case "uses API" can be included in this field. The
-	library in question should be added to the system requirements
-	below.
-
-	Blank = no cryptography is used by module.
-]
-	
-<tag><bf>Security rating:</bf></tag>
-
-[
-	Initially, this field should be left blank. If someone takes
-	it upon themselves to test the strength of the module, it can
-	later be filled.
-
-	Blank = unknown.
-]
-
-<tag><bf>Clean code base:</bf></tag>
-
-[
-	This will probably be filled by the libpam maintainer.
-	It can be considered to be a public humiliation list. :*)
-
-	I am of the opinion that "gcc -with_all_those_flags" is
-	trying to tell us something about whether the program
-	works as intended. Since there is currently no Security
-	evaluation procedure for modules IMHO this is not a
-	completely unreasonable indication (a lower bound anyway)
-	of the reliability of a module.
-
-	This field would indicate the number and flavor of
-	warnings that gcc barfs up when trying to compile the
-	module as part of the tree. Is this too tyrannical?
-
-	Blank = Linux-PAM maintainer has not tested it :)
-]
-
-<tag><bf>System dependencies:</bf></tag>
-
-[
-	here we list config files, dynamic libraries needed, system
-	resources, kernel options.. etc.
-
-	Blank = nothing more than libc required.
-]
-
-<tag><bf>Network aware:</bf></tag>
-
-[
-	Does the module base its behavior on probing a network
-	connection? Does it expect to be protected by the
-	application?
-
-	Blank = Ignorance of network.
-]
-
-</descrip>
-
-<sect2>Overview of module
-
-[
-	some text describing the intended actions of the module
-	general comments mainly (specifics in sections
-	below).
-]
-
-[
-
-	[ now we have a <sect2> level subsection for each of the
-	  management groups. Include as many as there are groups
-	  listed above in the synopsis ]
-
-<sect2>[ Account | Authentication | Password | Session ] component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-[
-	List the supported arguments (leave their description for the
-	description below.
-
-	Blank = no arguments are read and nothing is logged to syslog
-		about any arguments that are passed. Note, this
-		behavior is contrary to the RFC!
-]
-
-<tag><bf>Description:</bf></tag>
-
-[
-	This component of the module performs the task of ...
-]
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-[
-	Here we list some doos and don'ts for this module.
-]
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_access.sgml b/Linux-PAM/doc/modules/pam_access.sgml
deleted file mode 100644
index 8a910d13..00000000
--- a/Linux-PAM/doc/modules/pam_access.sgml
+++ /dev/null
@@ -1,117 +0,0 @@
-<!--
-   
-   pam_access module docs added by Tim Berger <timb@transmeta.com>
-
--->
-
-<sect1> The access module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-
-<tt>pam_access</tt>
-
-
-<tag><bf>Author[s]:</bf></tag>
-
-Alexei Nogin &lt;alexei@nogin.dnttm.ru&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-	
-<tag><bf>Management groups provided:</bf></tag>
-
-account
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag> 
-Requires a configuration file. By default 
-<tt>/etc/security/access.conf</tt> is used but this can be overridden. 
-
-<tag><bf>Network aware:</bf></tag>
-
-Through <tt/PAM_TTY/ if set, otherwise attempts getting tty name of
-the stdin file descriptor with <tt/ttyname()/.  Standard
-gethostname(), <tt/yp_get_default_domain()/, <tt/gethostbyname()/
-calls.  <bf/NIS/ is used for netgroup support.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Provides logdaemon style login access control.
-
-<sect2> Account component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tt>accessfile=<it>/path/to/file.conf</it></tt>;
-<tt>fieldsep=<it>separators</it></tt>
-
-<tag><bf>Description:</bf></tag>
-
-This module provides logdaemon style login access control based on
-login names and on host (or domain) names, internet addresses (or
-network numbers), or on terminal line names in case of non-networked
-logins. Diagnostics are reported through <tt/syslog(3)/.  Wietse
-Venema's <tt/login_access.c/ from <em/logdaemon-5.6/ is used with
-several changes by A. Nogin.
-
-<p> 
-The behavior of this module can be modified with the following 
-arguments: 
-<itemize> 
- 
-<item><tt>accessfile=/path/to/file.conf</tt> - 
-indicate an alternative <em/access/ configuration file to override 
-the default. This can be useful when different services need different 
-access lists. 
-
-<item><tt>fieldsep=<it>separators</it></tt> -
-this option modifies the field separator character that
-<tt/pam_access/ will recognize when parsing the access configuration
-file. For example: <tt>fieldsep=|</tt> will cause the default `:'
-character to be treated as part of a field value and `|' becomes the
-field separator. Doing this is useful in conjuction with a system that
-wants to use pam_access with X based applications, since the
-<tt/PAM_TTY/ item is likely to be of the form "hostname:0" which
-includes a `:' character in its value.
-
-</itemize> 
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-Use of module is recommended, for example, on administrative machines
-such as <bf/NIS/ servers and mail servers where you need several accounts
-active but don't want them all to have login capability.
-
-For <tt>/etc/pam.d</tt> style configurations where your modules live
-in <tt>/lib/security</tt>, start by adding the following line to
-<tt>/etc/pam.d/login</tt>, <tt>/etc/pam.d/rlogin</tt>,
-<tt>/etc/pam.d/rsh</tt> and <tt>/etc/pam.d/ftp</tt>:
-
-<tscreen>
-<verb>
-account  required       /lib/security/pam_access.so
-</verb>
-</tscreen>
-
-Note that use of this module is not effective unless your system ignores
-<tt>.rhosts</tt> files.  See the the pam_rhosts_auth documentation.
-
-A sample <tt>access.conf</tt> configuration file is included with the
-distribution.
-
-</descrip>
diff --git a/Linux-PAM/doc/modules/pam_chroot.sgml b/Linux-PAM/doc/modules/pam_chroot.sgml
deleted file mode 100644
index 2366880e..00000000
--- a/Linux-PAM/doc/modules/pam_chroot.sgml
+++ /dev/null
@@ -1,86 +0,0 @@
-<!--
-   $Id: pam_chroot.sgml,v 1.1.1.1 2000/06/20 22:10:59 agmorgan Exp $
-   
-   This file was written by Bruce Campbell <brucec@humbug.org.au>
--->
-
-<sect1>Chroot
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_chroot/
-
-<tag><bf>Author:</bf></tag>
-Bruce Campbell &lt;brucec@humbug.org.au&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author; proposed on 20/11/96 - email for status
-
-<tag><bf>Management groups provided:</bf></tag>
-account; session; authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-Unwritten.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-Expects localhost.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is intended to provide a transparent wrapper around the
-average user, one that puts them in a fake file-system (eg, their
-'<tt>/</tt>' is really <tt>/some/where/else</tt>).
-
-<p>
-Useful if you have several classes of users, and are slightly paranoid
-about security.  Can be used to limit who else users can see on the
-system, and to limit the selection of programs they can run.
-
-<sect2>Account component:
-
-<p>
-<em/Need more info here./
-
-<sect2>Authentication component:
-
-<p>
-<em/Need more info here./
-
-<sect2>Session component:
-
-<p>
-<em/Need more info here./
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-Arguments and logging levels for the PAM version are being worked on.
-
-<tag><bf>Description:</bf></tag>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-Do provide a reasonable list of programs - just tossing 'cat', 'ls', 'rm',
-'cp' and 'ed' in there is a bit... 
-<p>
-Don't take it to extremes (eg, you can set up a separate environment for
-each user, but its a big waste of your disk space.)
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_cracklib.sgml b/Linux-PAM/doc/modules/pam_cracklib.sgml
deleted file mode 100644
index d6fc0c56..00000000
--- a/Linux-PAM/doc/modules/pam_cracklib.sgml
+++ /dev/null
@@ -1,304 +0,0 @@
-<!--
-   $Id: pam_cracklib.sgml,v 1.5 2001/12/08 18:56:47 agmorgan Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
-   long password amendments are from Philip W. Dalrymple III <pwd@mdtsoft.com>
--->
-
-<sect1>Cracklib pluggable password strength-checker
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-
-pam_cracklib
-
-<tag><bf>Author:</bf></tag>
-
-Cristian Gafton &lt;gafton@redhat.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-
-password
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag> 
-
-Requires the system library <tt/libcrack/ and a system dictionary:
-<tt>/usr/lib/cracklib_dict</tt>.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module can be plugged into the <tt/password/ stack of a given
-application to provide some plug-in strength-checking for passwords.
-
-<p>
-This module works in the following manner: it first calls the
-<em>Cracklib</em> routine to check the strength of the password; if
-crack likes the password, the module does an additional set of
-strength checks.  These checks are:
-<itemize>
-
-<item> <bf/Palindrome/ -
-
-Is the new password a palindrome of the old one?
-
-<item> <bf/Case Change Only/ -
-
-Is the new password the the old one with only a change of case?
-
-<item> <bf/Similar/ -
-
-Is the new password too much like the old one?  This is primarily
-controlled by one argument, <tt/difok/ which is a number of characters
-that if different between the old and new are enough to accept the new
-password, this defaults to 10 or 1/2 the size of the new password
-whichever is smaller.
-
-To avoid the lockup associated with trying to change a long and
-complicated password, <tt/difignore/ is available. This argument can
-be used to specify the minimum length a new password needs to be
-before the <tt/difok/ value is ignored. The default value for
-<tt/difignore/ is 23.
-
-
-<item> <bf/Simple/ -
-
-Is the new password too small?  This is controlled by 5 arguments
-<tt/minlen/, <tt/dcredit/, <tt/ucredit/, <tt/lcredit/, and
-<tt/ocredit/. See the section on the arguments for the details of how
-these work and there defaults.
-
-<item> <bf/Rotated/ -
-
-Is the new password a rotated version of the old password?
-
-<item> <bf/Already used/ -
-
-Was the password used in the past?  Previously used passwords are to
-be found in /etc/security/opasswd.
-
-</itemize>
-
-<p>
-This module with no arguments will work well for standard unix
-password encryption.  With md5 encryption, passwords can be longer
-than 8 characters and the default settings for this module can make it
-hard for the user to choose a satisfactory new password.  Notably, the
-requirement that the new password contain no more than 1/2 of the
-characters in the old password becomes a non-trivial constraint.  For
-example, an old password of the form "the quick brown fox jumped over
-the lazy dogs" would be difficult to change...  In addition, the
-default action is to allow passwords as small as 5 characters in
-length.  For a md5 systems it can be a good idea to increase the
-required minimum size of a password.  One can then allow more credit
-for different kinds of characters but accept that the new password may
-share most of these characters with the old password.
-
-<sect2>Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tt/debug/; <tt/type=XXX/; <tt/retry=N/; <tt/difok=N/; <tt/minlen=N/;
-<tt/dcredit=N/; <tt/ucredit=N/; <tt/lcredit=N/; <tt/ocredit=N/;
-<tt/use_authtok/;
-
-<tag><bf>Description:</bf></tag>
-
-The action of this module is to prompt the user for a password and
-check its strength against a system dictionary and a set of rules for
-identifying poor choices.
-
-<p>
-The default action is to prompt for a single password, check its
-strength and then, if it is considered strong, prompt for the password
-a second time (to verify that it was typed correctly on the first
-occasion). All being well, the password is passed on to subsequent
-modules to be installed as the new authentication token.
-
-<p>
-The default action may be modified in a number of ways using the
-arguments recognized by the module:
-<itemize>
-
-<item> <tt/debug/ -
-
-this option makes the module write information to syslog(3) indicating
-the behavior of the module (this option does <bf/not/ write password
-information to the log file).
-
-<item> <tt/type=XXX/ -
-
-the default action is for the module to use the following prompts when
-requesting passwords: ``New UNIX password: '' and ``Retype UNIX
-password: ''. Using this option you can replace the word UNIX with
-<tt/XXX/.
-
-<item> <tt/retry=N/ -
-
-the default number of times this module will request a new password
-(for strength-checking) from the user is 1. Using this argument this
-can be increased to <tt/N/.
-
-<item> <tt/difok=N/ -
-
-This argument will change the default of 10 for the number of
-characters in the new password that must not be present in the old
-password.  In addition, if 1/2 of the characters in the new password
-are different then the new password will be accepted anyway.
-
-<item> <tt/minlen=N/ -
-
-The minimum acceptable size for the new password (plus one if credits 
-are not disabled which is the default).
-In addition to the number of characters in the new password, credit (of
-+1 in length) is given for each different kind of character (<em>other,
-upper, lower</em> and <em/digit/).  The default for this parameter is
-9 which is good for a old style UNIX password all of the same type of
-character but may be too low to exploit the added security of a md5
-system.  Note that there is a pair of length limits in
-<em>Cracklib</em> itself, a "way too short" limit of 4 which is hard
-coded in and a defined limit (6) that will be checked without
-reference to <tt>minlen</tt>.  If you want to allow passwords as short
-as 5 characters you should either not use this module or recompile
-the crack library and then recompile this module.
-
-<item> <tt/dcredit=N/ -
-
-(N >= 0) This is the maximum credit for having digits in the new password. If
-you have less than or <tt/N/ digits, each digit will count +1 towards
-meeting the current <tt/minlen/ value.  The default for <tt/dcredit/
-is 1 which is the recommended value for <tt/minlen/ less than 10.
-(N < 0) This is the minimum number of digits that must be met for a new 
-password.
-
-<item> <tt/ucredit=N/ -
-
-(N >= 0) This is the maximum credit for having upper case letters in the new
-password.  If you have less than or <tt/N/ upper case letters each
-letter will count +1 towards meeting the current <tt/minlen/ value.
-The default for <tt/ucredit/ is 1 which is the recommended value for
-<tt/minlen/ less than 10. (N < 0) This is the minimum number of upper 
-case letters that must be met for a new password.
-
-<item> <tt/lcredit=N/ -
-
-(N >= 0) This is the maximum credit for having lower case letters in the new
-password.  If you have less than or <tt/N/ lower case letters, each
-letter will count +1 towards meeting the current <tt/minlen/ value.
-The default for <tt/lcredit/ is 1 which is the recommended value for
-<tt/minlen/ less than 10. (N < 0) This is the minimum number of lower 
-case letters that must be met for a new password.
-
-<item> <tt/ocredit=N/ -
-
-(N >= 0) This is the maximum credit for having other characters in the new
-password.  If you have less than or <tt/N/ other characters, each
-character will count +1 towards meeting the current <tt/minlen/ value.
-The default for <tt/ocredit/ is 1 which is the recommended value for
-<tt/minlen/ less than 10. (N < 0) This is the minimum number of other 
-characters that must be met for a new password.
-
-<item> <tt/use_authtok/ -
-
-This argument is used to <em/force/ the module to not prompt the user
-for a new password but use the one provided by the previously stacked
-<tt/password/ module.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-<p>
-For an example of the use of this module, we show how it may be
-stacked with the password component of <tt/pam_pwdb/:
-<tscreen>
-<verb>
-#
-# These lines stack two password type modules. In this example the
-# user is given 3 opportunities to enter a strong password. The
-# "use_authtok" argument ensures that the pam_pwdb module does not
-# prompt for a password, but instead uses the one provided by
-# pam_cracklib.
-#
-passwd	password required	pam_cracklib.so retry=3
-passwd	password required	pam_pwdb.so use_authtok
-</verb>
-</tscreen>
-
-<p>
-Another example (in the <tt>/etc/pam.d/passwd</tt> format) is for the
-case that you want to use md5 password encryption:
-<tscreen>
-<verb>
-#%PAM-1.0
-#
-# These lines allow a md5 systems to support passwords of at least 14
-# bytes with extra credit of 2 for digits and 2 for others the new
-# password must have at least three bytes that are not present in the
-# old password
-#
-password  required pam_cracklib.so \
-               difok=3 minlen=15 dcredit= 2 ocredit=2
-password  required pam_pwdb.so use_authtok nullok md5
-</verb>
-</tscreen>
-
-<p>
-And here is another example in case you don't want to use credits:
-<tscreen>
-<verb>
-#%PAM-1.0
-#
-# These lines require the user to select a password with a minimum
-# length of 8 and with at least 1 digit number, 1 upper case letter,
-# and 1 other character
-#
-password  required pam_cracklib.so \
-               dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
-password  required pam_pwdb.so use_authtok nullok md5
-</verb>
-</tscreen>
-
-<p>
-In this example we simply say that the password must have a minimum 
-length of 8:
-<tscreen>
-<verb>
-#%PAM-1.0
-#
-# These lines require the user to select a password with a mimimum
-# length of 8. He gets no credits and he is not forced to use
-# digit numbers, upper case letters etc.
-#
-password  required pam_cracklib.so \
-               dcredit=0 ucredit=0 ocredit=0 lcredit=0 minlen=8
-password  required pam_pwdb.so use_authtok nullok md5
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_deny.sgml b/Linux-PAM/doc/modules/pam_deny.sgml
deleted file mode 100644
index bf9dfd2b..00000000
--- a/Linux-PAM/doc/modules/pam_deny.sgml
+++ /dev/null
@@ -1,177 +0,0 @@
-<!--
-   $Id: pam_deny.sgml,v 1.3 2002/05/10 04:03:02 agmorgan Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
--->
-
-<sect1>The locking-out module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_deny
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@kernel.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-current <bf/Linux-PAM/ maintainer
-
-<tag><bf>Management groups provided:</bf></tag>
-account; authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-clean.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module can be used to deny access. It always indicates a failure
-to the application through the PAM framework. As is commented in the
-overview section <ref id="overview-section" name="above">, this module
-might be suitable for using for default (the <tt/OTHER/) entries.
-
-<sect2>Account component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This component does nothing other than return a failure. The
-failure type is <tt/PAM_ACCT_EXPIRED/.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-Stacking this module with type <tt/account/ will prevent the user from
-gaining access to the system via applications that refer to
-<bf/Linux-PAM/'s account management function <tt/pam_acct_mgmt()/.
-
-<p>
-The following example would make it impossible to login:
-<tscreen>
-<verb>
-#
-# add this line to your other login entries to disable all accounts
-#
-login	account	 required	pam_deny.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This component does nothing other than return a failure. The failure
-type is <tt/PAM_AUTH_ERR/ in the case that <tt/pam_authenticate()/ is
-called (when the application tries to authenticate the user), and is
-<tt/PAM_CRED_UNAVAIL/ when the application calls <tt/pam_setcred()/
-(to establish and set the credentials of the user -- it is unlikely
-that this function will ever be called in practice).
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-To deny access to default applications with this component of the
-<tt/pam_deny/ module, you might include the following line in your
-<bf/Linux-PAM/ configuration file:
-<tscreen>
-<verb>
-#
-# add this line to your existing OTHER entries to prevent
-# authentication succeeding with default applications.
-#
-OTHER	auth	 required	pam_deny.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This component of the module denies the user the opportunity to change
-their password. It always responds with <tt/PAM_AUTHTOK_ERR/ when
-invoked.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This module should be used to prevent an application from updating the
-applicant user's password. For example, to prevent <tt/login/ from
-automatically prompting for a new password when the old one has
-expired you should include the following line in your configuration
-file:
-<tscreen>
-<verb>
-#
-# add this line to your other login entries to prevent the login
-# application from being able to change the user's password.
-#
-login	password required	pam_deny.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This aspect of the module prevents an application from starting a
-session on the host computer.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-Together with another session module, that displays a message of the
-day perhaps (<tt/pam_motd/ for example), this module can be used to
-block a user from starting a shell. We might use the following entries
-in the configuration file to inform the user it is system time:
-<tscreen>
-<verb>
-#
-# An example to see how to configure login to refuse the user a
-# session (politely)
-#
-login	session	 required	pam_motd.so \
-			motd=/etc/system_time
-login	session	 required	pam_deny.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_env.sgml b/Linux-PAM/doc/modules/pam_env.sgml
deleted file mode 100644
index a6361cac..00000000
--- a/Linux-PAM/doc/modules/pam_env.sgml
+++ /dev/null
@@ -1,141 +0,0 @@
-<!--
-   $Id: pam_env.sgml,v 1.2 2001/03/19 01:46:41 agmorgan Exp $
-   
-   This file was written by Dave Kinchlea <kinch@kinch.ark.com>
-   Ed. AGM
--->
-
-<sect1>Set/unset environment variables
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_env/
-
-<tag><bf>Author:</bf></tag>
-Dave Kinchlea &lt;kinch@kinch.ark.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author
-
-<tag><bf>Management groups provided:</bf></tag>
-Authentication (setcred)
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-<tt>/etc/security/pam_env.conf</tt>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module allows the (un)setting of environment variables. Supported
-is the use of previously set environment variables as well as
-<em>PAM_ITEM</em>s such as <tt>PAM_RHOST</tt>.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/conffile=/<em/configuration-file-name/;
-<tt/envfile/=<em/env-file-name/; <tt/readenv/=<em/0|1/
-
-<tag><bf>Description:</bf></tag>
-This module allows you to (un)set arbitrary environment variables
-using fixed strings, the value of previously set environment variables
-and/or <em/PAM_ITEM/s.
-
-<p>
-All is controlled via a configuration file (by default,
-<tt>/etc/security/pam_env.conf</tt> but can be overriden with
-<tt>conffile</tt> argument).  Each line starts with the variable name,
-there are then two possible options for each variable <bf>DEFAULT</bf>
-and <bf>OVERRIDE</bf>.  <bf>DEFAULT</bf> allows an administrator to
-set the value of the variable to some default value, if none is
-supplied then the empty string is assumed.  The <bf>OVERRIDE</bf>
-option tells pam_env that it should enter in its value (overriding the
-default value) if there is one to use.  <bf>OVERRIDE</bf> is not used,
-<tt>""</tt> is assumed and no override will be done.
-
-<p>
-<tscreen>
-<verb>
-VARIABLE   [DEFAULT=[value]]  [OVERRIDE=[value]]
-</verb>
-</tscreen>
-
-<p>
-(Possibly non-existent) environment variables may be used in values
-using the <tt>&dollar;&lcub;string&rcub;</tt> syntax and (possibly
-non-existent) <em/PAM_ITEM/s may be used in values using the
-<tt>&commat;&lcub;string&rcub;</tt> syntax. Both the <tt>&dollar;</tt>
-and <tt>&commat;</tt> characters can be backslash-escaped to be used
-as literal values (as in <tt>&bsol;&dollar;</tt>.  Double quotes may
-be used in values (but not environment variable names) when white
-space is needed <bf>the full value must be delimited by the quotes and
-embedded or escaped quotes are not supported</bf>.
-
-<p>
-This module can also parse a file with simple <tt>KEY=VAL</tt> pairs
-on seperate lines (<tt>/etc/environment</tt> by default). You can
-change the default file to parse, with the <em/envfile/ flag and turn
-it on or off by setting the <em/readenv/ flag to 1 or 0 respectively.
-
-<p>
-The behavior of this module can be modified with one of the following
-flags:
-
-<p>
-<itemize>
-
-<item><tt/debug/
-- write more information to <tt/syslog(3)/.
-
-<item><tt/conffile=/<em/filename/
-- by default the file <tt>/etc/security/pam_env.conf</tt> is used as
-the configuration file. This option overrides the default. You must
-supply a complete path + file name.
-
-<item><tt/envfile=/<em/filename/
-- by default the file <tt>/etc/environment</tt> is used to load KEY=VAL
-pairs directly into the env. This option overrides the default. You must
-supply a complete path + file name.
-
-<item><tt/readenv=/<em/0|1/
-- turns on or off the reading of the file specified by envfile (0 is off,
-1 is on). By default this option is on.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-See sample <tt>pam_env.conf</tt> for more information and examples.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
-
-
-
-
-
-
-
-
-
-
diff --git a/Linux-PAM/doc/modules/pam_filter.sgml b/Linux-PAM/doc/modules/pam_filter.sgml
deleted file mode 100644
index e22ad9b6..00000000
--- a/Linux-PAM/doc/modules/pam_filter.sgml
+++ /dev/null
@@ -1,150 +0,0 @@
-<!--
-   $Id: pam_filter.sgml,v 1.3 2001/12/08 18:56:47 agmorgan Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
--->
-
-<sect1>The filter module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-
-pam_filter
-
-<tag><bf>Author:</bf></tag>
-
-Andrew G. Morgan &lt;morgan@kernel.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-	
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-
-account; authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-Not yet.
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-This module compiles cleanly on Linux based systems.
-
-<tag><bf>System dependencies:</bf></tag>
-
-To function it requires <em/filters/ to be installed on the system.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module was written to offer a plug-in alternative to programs
-like ttysnoop (XXX - need a reference). Since writing a filter that
-performs this function has not occurred, it is currently only a toy.
-The single filter provided with the module simply transposes upper and
-lower case letters in the input and output streams. (This can be very
-annoying and is not kind to termcap based editors).
-
-<sect2>Account+Authentication+Password+Session components
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tt/debug/; <tt/new_term/; <tt/non_term/; <tt/runX/
-
-<tag><bf>Description:</bf></tag>
-
-Each component of the module has the potential to invoke the desired
-filter.  The filter is always <tt/execv(2)/d with the privilege of the
-calling application and <bf/not/ that of the user. For this reason it
-cannot usually be killed by the user without closing their session.
-
-<p>
-The behavior of the module can be significantly altered by the
-arguments passed to it in the <bf/Linux-PAM/ configuration file:
-<itemize>
-<item><tt/debug/ -
-
-this option increases the amount of information logged to
-<tt/syslog(3)/ as the module is executed.
-
-<item><tt/new_term/ -
-
-the default action of the filter is to set the <tt/PAM_TTY/ item to
-indicate the terminal that the user is using to connect to the
-application. This argument indicates that the filter should set
-<tt/PAM_TTY/ to the filtered pseudo-terminal.
-
-<item><tt/non_term/ -
-don't try to set the <tt/PAM_TTY/ item.
-
-<item><tt/runX/ -
-
-in order that the module can invoke a filter it should know when to
-invoke it. This argument is required to tell the filter when to do
-this. The arguments that follow this one are respectively the full
-pathname of the filter to be run and any command line arguments that
-the filter might expect.
-
-<p>
-Permitted values for <tt/X/ are <tt/1/ and <tt/2/. These indicate the
-precise time that the filter is to be run. To understand this concept
-it will be useful to have read the Linux-PAM Module developer's
-guide. Basically, for each management group there are up to two ways
-of calling the module's functions.
-
-In the case of the <em/authentication/ and <em/session/ components
-there are actually two separate functions.  For the case of
-authentication, these functions are <tt/_authenticate/ and
-<tt/_setcred/ -- here <tt/run1/ means run the filter from the
-<tt/_authenticate/ function and <tt/run2/ means run the filter from
-<tt/_setcred/. In the case of the session modules, <tt/run1/ implies
-that the filter is invoked at the <tt/_open_session/ stage, and
-<tt/run2/ for <tt/_close_session/.
-
-<p>
-For the case of the account component. Either <tt/run1/ or <tt/run2/
-may be used.
-
-<p>
-For the case of the password component, <tt/run1/ is used to indicate
-that the filter is run on the first occasion <tt/_chauthtok/ is run
-(the <tt/PAM_PRELIM_CHECK/ phase) and <tt/run2/ is used to indicate
-that the filter is run on the second occasion (the
-<tt/PAM_UPDATE_AUTHTOK/ phase).
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-At the time of writing there is little real use to be made of this
-module. For fun you might try adding the following line to your
-login's configuration entries
-<tscreen>
-<verb>
-#
-# An example to see how to configure login to transpose upper and
-# lower case letters once the user has logged in(!)
-#
-login	session	 required	pam_filter.so \
-			run1 /usr/sbin/pam_filter/upperLOWER
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_ftp.sgml b/Linux-PAM/doc/modules/pam_ftp.sgml
deleted file mode 100644
index cb4c4f33..00000000
--- a/Linux-PAM/doc/modules/pam_ftp.sgml
+++ /dev/null
@@ -1,93 +0,0 @@
-<!--
-   $Id: pam_ftp.sgml,v 1.3 2001/12/08 18:56:47 agmorgan Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
--->
-
-<sect1>Anonymous access module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_ftp.so/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@kernel.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-prompts for email address of user; easily spoofed (XXX - needs work)
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-The purpose of this module is to provide a pluggable anonymous ftp
-mode of access.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/;
-<tt/users=XXX,YYY,.../;
-<tt/ignore/
-
-<tag><bf>Description:</bf></tag>
-
-This module intercepts the user's name and password. If the name is
-``<tt/ftp/'' or ``<tt/anonymous/'', the user's password is broken up
-at the `<tt/@/' delimiter into a <tt/PAM_RUSER/ and a <tt/PAM_RHOST/
-part; these pam-items being set accordingly. The username
-(<tt/PAM_USER/) is set to ``<tt/ftp/''.  In this case the module
-succeeds.  Alternatively, the module sets the <tt/PAM_AUTHTOK/ item
-with the entered password and fails.
-
-<p>
-The behavior of the module can be modified with the following flags:
-<itemize>
-<item><tt/debug/ -
-log more information to with <tt/syslog(3)/.
-
-<item><tt/users=XXX,YYY,.../ - 
-instead of ``<tt/ftp/'' or ``<tt/anonymous/'', provide anonymous login
-to the comma separated list of users; ``<tt/XXX,YYY,.../''. Should the
-applicant enter one of these usernames the returned username is set to
-the first in the list; ``<tt/XXX/''.
-
-<item><tt/ignore/ -
-pay no attention to the email address of the user (if supplied).
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-An example of the use of this module is provided in the configuration
-file section <ref id="configuration" name="above">. With care, this
-module could be used to provide new/temporary account anonymous
-login.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_group.sgml b/Linux-PAM/doc/modules/pam_group.sgml
deleted file mode 100644
index 2d767275..00000000
--- a/Linux-PAM/doc/modules/pam_group.sgml
+++ /dev/null
@@ -1,108 +0,0 @@
-<!--
-   $Id: pam_group.sgml,v 1.2 2001/12/08 18:56:47 agmorgan Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
--->
-
-<sect1>The group access module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_group/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@kernel.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-Sensitive to <em/setgid/ status of file-systems accessible to users.
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Requires an <tt>/etc/security/group.conf</tt> file. Can be compiled
-with or without <tt/libpwdb/.
-
-<tag><bf>Network aware:</bf></tag>
-Only through correctly set <tt/PAM_TTY/ item.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module provides group-settings based on the user's name and the
-terminal they are requesting a given service from. It takes note of
-the time of day.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This module does not authenticate the user, but instead it grants
-group memberships (in the credential setting phase of the
-authentication module) to the user.  Such memberships are based on the
-service they are applying for. The group memberships are listed in
-text form in the <tt>/etc/security/group.conf</tt> file.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-For this module to function correctly there must be a correctly
-formatted <tt>/etc/security/groups.conf</tt> file present. The format
-of this file is as follows. Group memberships are given based on the
-service application satisfying any combination of lines in the
-configuration file. Each line (barring comments which are preceded by
-`<tt/#/' marks) has the following
-syntax:
-<tscreen>
-<verb>
-services   ;   ttys   ;   users   ;   times   ;   groups
-</verb>
-</tscreen>
-Here the first four fields share the syntax of the <tt>pam_time</tt>
-configuration file; <tt>/etc/security/pam_time.conf</tt>, and the last
-field, the <tt/groups/ field, is a comma (or space) separated list of
-the text-names of a selection of groups. If the users application for
-service satisfies the first four fields, the user is granted membership
-of the listed groups.
-
-<p>
-As stated in above this module's usefulness relies on the file-systems
-accessible to the user.  The point being that once granted the
-membership of a group, the user may attempt to create a <em/setgid/
-binary with a restricted group ownership.  Later, when the user is not
-given membership to this group, they can recover group membership with
-the precompiled binary.  The reason that the file-systems that the user
-has access to are so significant, is the fact that when a system is
-mounted <em/nosuid/ the user is unable to create or execute such a
-binary file.  For this module to provide any level of security, all
-file-systems that the user has write access to should be mounted
-<em/nosuid/.
-
-<p>
-The <tt>pam_group</tt> module fuctions in parallel with the
-<tt>/etc/group</tt> file. If the user is granted any groups based on
-the behavior of this module, they are granted <em>in addition</em> to
-those entries <tt>/etc/group</tt> (or equivalent).
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_issue.sgml b/Linux-PAM/doc/modules/pam_issue.sgml
deleted file mode 100644
index 1f617e3b..00000000
--- a/Linux-PAM/doc/modules/pam_issue.sgml
+++ /dev/null
@@ -1,120 +0,0 @@
-<!--
-
-Ben Collins <bcollins@debian.org>
-
--->
-
-<sect1>Add issue file to user prompt
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_issue/
-
-<tag><bf>Author:</bf></tag>
-Ben Collins &lt;bcollins@debian.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author
-
-<tag><bf>Management groups provided:</bf></tag>
-Authentication (pam_sm_authenticate)
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module prepends the issue file (<em>/etc/issue</em> by default) when
-prompting for a username.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/issue=issue-file-name/; <tt/noesc/;
-
-<tag><bf>Description:</bf></tag>
-This module allows you to prepend an issue file to the username prompt. It
-also by default parses escape codes in the issue file similar to some
-common getty's (using &bsol;x format).
-<p>
-Recognized escapes:
-<itemize>
-
-<item><tt/d/
-- current date
-
-<item><tt/s/
-- operating system name
-
-<item><tt/l/
-- name of this tty
-
-<item><tt/m/
-- architecture of this system (i686, sparc, powerpc, ...)
-
-<item><tt/n/
-- hostname of this system
-
-<item><tt/o/
-- domainname of this system
-
-<item><tt/r/
-- release number of the operation system (eg. 2.2.12)
-
-<item><tt/t/
-- current time
-
-<item><tt/u/
-- number of users currently logged in
-
-<item><tt/U/
-- same as <tt/u/, except it is suffixed with "user" or "users" (eg. "1
-user" or "10 users"
-
-<item><tt/v/
-- version/build-date of the operating system (eg. "&num;3 Mon Aug 23 14:38:16
-EDT 1999" on Linux).
-
-</itemize>
-
-<p>
-The behavior of this module can be modified with one of the following
-flags:
-
-<p>
-<itemize>
-
-<item><tt/issue/
-- the file to output if not using the default
-
-<item><tt/noesc/
-- turns off escape code parsing
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-login  auth  pam_issue.so  issue=/etc/issue
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_krb4.sgml b/Linux-PAM/doc/modules/pam_krb4.sgml
deleted file mode 100644
index 51a46522..00000000
--- a/Linux-PAM/doc/modules/pam_krb4.sgml
+++ /dev/null
@@ -1,126 +0,0 @@
-<!--
-   $Id: pam_krb4.sgml,v 1.1.1.1 2000/06/20 22:11:01 agmorgan Exp $
-   
-   This file was written by Derrick J. Brashear <shadow@DEMENTIA.ORG>
--->
-
-<sect1>The Kerberos 4 module.
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_krb4/
-
-<tag><bf>Author:</bf></tag>
-Derrick J. Brashear &lt;shadow@dementia.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-uses API
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-libraries - <tt/libkrb/, <tt/libdes/, <tt/libcom_err/, <tt/libkadm/;
-and a set of Kerberos include files.
-
-<tag><bf>Network aware:</bf></tag>
-Gets Kerberos ticket granting ticket via a Kerberos key distribution
-center reached via the network.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module provides an interface for doing Kerberos verification of a
-user's password, getting the user a Kerberos ticket granting ticket
-for use with the Kerberos ticket granting service, destroying the
-user's tickets at logout time, and changing a Kerberos password.
-
-<sect2> Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This component of the module currently sets the user's <tt/KRBTKFILE/
-environment variable (although there is currently no way to export
-this), as well as deleting the user's ticket file upon logout (until
-<tt/PAM_CRED_DELETE/ is supported by <em/login/).
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This part of the module won't be terribly useful until we can change
-the environment from within a <tt/Linux-PAM/ module.
-
-</descrip>
-
-<sect2> Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/use_first_pass/; <tt/try_first_pass/
-
-<tag><bf>Description:</bf></tag>
-
-This component of the module changes a user's Kerberos password
-by first getting and using the user's old password to get
-a session key for the password changing service, then sending
-a new password to that service.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This should only be used with a real Kerberos v4 <tt/kadmind/. It
-cannot be used with an AFS kaserver unless special provisions are
-made. Contact the module author for more information.
-
-</descrip>
-
-<sect2> Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/use_first_pass/; <tt/try_first_pass/
-
-<tag><bf>Description:</bf></tag>
-
-This component of the module verifies a user's Kerberos password
-by requesting a ticket granting ticket from the Kerberos server
-and optionally using it to attempt to retrieve the local computer's
-host key and verifying using the key file on the local machine if 
-one exists.
-
-It also writes out a ticket file for the user to use later, and 
-deletes the ticket file upon logout (not until <tt/PAM_CRED_DELETE/
-is called from <em/login/).
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This module can be used with a real Kerberos server using MIT
-v4 Kerberos keys. The module or the system Kerberos libraries
-may be modified to support AFS style Kerberos keys. Currently
-this is not supported to avoid cryptography constraints.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_lastlog.sgml b/Linux-PAM/doc/modules/pam_lastlog.sgml
deleted file mode 100644
index 451bfaa2..00000000
--- a/Linux-PAM/doc/modules/pam_lastlog.sgml
+++ /dev/null
@@ -1,119 +0,0 @@
-<!--
-   $Id: pam_lastlog.sgml,v 1.2 2001/02/17 01:55:38 agmorgan Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
--->
-
-<sect1>The last login module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_lastlog/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@kernel.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author
-
-<tag><bf>Management groups provided:</bf></tag>
-auth
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-uses information contained in the <tt>/var/log/lastlog</tt> file.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This session module maintains the <tt>/var/log/lastlog</tt> file.  Adding
-an open entry when called via the <tt>pam_open_seesion()</tt> function
-and completing it when <tt>pam_close_session()</tt> is called.  This
-module can also display a line of information about the last login of
-the user.  If an application already performs these tasks, it is not
-necessary to use this module.
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/nodate/; <tt/noterm/; <tt/nohost/; <tt/silent/;
-<tt/never/
-
-<tag><bf>Description:</bf></tag>
-
-<p>
-This module can be used to provide a ``Last login on ...''
-message. when the user logs into the system from what ever application
-uses the PAM libraries.  In addition, the module maintains the
-<tt>/var/log/lastlog</tt> file.
-
-<p>
-The behavior of this module can be modified with one of the following
-flags:
-
-<p>
-<itemize>
-<item><tt/debug/
-- write more information to <tt/syslog(3)/.
-
-<item><tt/nodate/
-- neglect to give the date of the last login when displaying
-information about the last login on the system.
-
-<item><tt/noterm/ 
-- neglect to diplay the terminal name on which the last login was
-attempt.
-
-<item><tt/nohost/
-- neglect to indicate from which host the last login was attempted.
-
-<item><tt/silent/
-- neglect to inform the user about any previous login: just update
-the <tt>/var/log/lastlog</tt> file.
-
-<item><tt/never/
-- if the <tt>/var/log/lastlog</tt> file does not contain any old entries
-for the user, indicate that the user has never previously logged in
-with a ``welcome..." message.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This module can be used to indicate that the user has new mail when
-they <em/login/ to the system. Here is a sample entry for your
-<tt>/etc/pam.d/XXX</tt> file:
-<tscreen>
-<verb>
-#
-# When were we last here?
-#
-session	 optional	pam_lastlog.so
-</verb>
-</tscreen>
-
-<p>
-Note, some applications may perform this function themselves. In such
-cases, this module is not necessary.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_limits.sgml b/Linux-PAM/doc/modules/pam_limits.sgml
deleted file mode 100644
index 22674d42..00000000
--- a/Linux-PAM/doc/modules/pam_limits.sgml
+++ /dev/null
@@ -1,247 +0,0 @@
-<!--
-   $Id: pam_limits.sgml,v 1.7 2002/05/09 12:00:35 baggins Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
-   from information compiled by Cristian Gafton (author of module)
--->
-
-<sect1>The resource limits module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_limits/
-
-<tag><bf>Authors:</bf></tag>
-Cristian Gafton &lt;gafton@redhat.com&gt; <newline>
-Thanks are also due to Elliot Lee &lt;sopwith@redhat.com&gt;
-for his comments on improving this module.
-
-<tag><bf>Maintainer:</bf></tag>
-Cristian Gafton - 1996/11/20
-
-<tag><bf>Management groups provided:</bf></tag>
-session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-requires an <tt>/etc/security/limits.conf</tt> file and kernel support
-for resource limits. Also uses the library, <tt/libpwdb/.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module, through the <bf/Linux-PAM/ <em/open/-session hook, sets
-limits on the system resources that can be obtained in a
-user-session. Its actions are dictated more explicitly through the
-configuration file discussed below.
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt>conf=/path/to/file.conf</tt>; <tt>change_uid</tt>;
-<tt>utmp_early</tt>
-
-<tag><bf>Description:</bf></tag>
-
-Through the contents of the configuration file,
-<tt>/etc/security/limits.conf</tt>, resource limits are placed on
-users' sessions. Users of <tt/uid=0/ are not affected by this
-restriction.
-
-<p>
-The behavior of this module can be modified with the following
-arguments:
-<itemize>
-
-<item><tt/debug/ -
-verbose logging to <tt/syslog(3)/.
-
-<item><tt>conf=/path/to/file.conf</tt> -
-indicate an alternative <em/limits/ configuration file to the default.
-
-<item><tt/change_uid/ - 
-change real uid to the user for who the limits are set up.  Use this
-option if you have problems like login not forking a shell for user
-who has no processes. Be warned that something else may break when
-you do this.
-
-<item><tt/utmp_early/ - 
-some broken applications actually allocate a utmp entry for the user
-before the user is admitted to the system. If some of the services you
-are configuring PAM for do this, you can selectively use this module
-argument to compensate for this behavior and at the same time maintain
-system-wide consistency with a single limits.conf file.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-In order to use this module the system administrator must first create
-a <em/root-only-readable/ file (default is
-<tt>/etc/security/limits.conf</tt>).  This file describes the resource
-limits the superuser wishes to impose on users and groups. No limits
-are imposed on <tt/uid=0/ accounts.
-
-<p>
-Each line of the configuration file describes a limit for a user in
-the form:
-<tscreen>
-<verb>
-<domain>	<type>	<item>		<value>
-</verb>
-</tscreen>
-
-<p>
-The fields listed above should be filled as follows...<newline>
-<tt>&lt;domain&gt;</tt> can be:
-<itemize>
-<item> a username
-<item> a groupname, with <tt>@group</tt> syntax
-<item> the wild-card <tt/*/, for default entry
-<item> the wild-card <tt/%/, for maxlogins limit only,
-can also be used with <tt>%group</tt> syntax
-</itemize>
-
-<p>
-<tt>&lt;type&gt;</tt> can have the three values:
-<itemize>
-
-<item> <tt/hard/ for enforcing <em/hard/ resource limits. These limits
-are set by the superuser and enforced by the Linux Kernel. The user
-cannot raise his requirement of system resources above such values.
-
-<item> <tt/soft/ for enforcing <em/soft/ resource limits. These limits
-are ones that the user can move up or down within the permitted range
-by any pre-exisiting <em/hard/ limits. The values specified with this
-token can be thought of as <em/default/ values, for normal system
-usage.
-
-<item> <tt/-/ for enforcing both <em/soft/ and <em/hard/ limits
-together.
-
-</itemize>
-
-<p>
-<tt>&lt;item&gt;</tt> can be one of the following:
-<itemize>
-<item><tt/core/ - limits the core file size (KB)
-<item><tt/data/ - max data size (KB)
-<item><tt/fsize/ - maximum filesize (KB)
-<item><tt/memlock/ - max locked-in-memory address space (KB)
-<item><tt/nofile/ - max number of open files
-<item><tt/rss/ - max resident set size (KB)
-<item><tt/stack/ - max stack size (KB)
-<item><tt/cpu/ - max CPU time (MIN)
-<item><tt/nproc/ - max number of processes
-<item><tt/as/ - address space limit
-<item><tt/maxlogins/ - max number of logins for this user
-<item><tt/maxsyslogins/ - max number of logins on system
-<item><tt/priority/ - the priority to run user process with (negative
-values boost process priority)
-<item><tt/locks/ - max locked files (Linux 2.4 and higher)
-</itemize>
-
-<p>
-Note, if you specify a type of ``-'' but neglect to supply the
-<tt/item/ and <tt/value/ fields then the module will never enforce any
-limits on the corresponding user/group-members etc. . Note, the first
-entry of the form which applies to the authenticating user will
-override all other entries in the limits configuration file. In such
-cases, the <tt/pam_limits/ module will always return <tt/PAM_SUCCESS/.
-
-<p>
-In general, individual limits have priority over group limits, so if
-you impose no limits for <tt/admin/ group, but one of the members in
-this group have a limits line, the user will have its limits set
-according to this line.
-
-<p>
-Also, please note that all limit settings are set <em/per login/.
-They are not global, nor are they permanent; existing only for the
-duration of the session.
-
-<p>
-In the <em/limits/ configuration file, the ``<tt/#/'' character
-introduces a comment - after which the rest of the line is ignored.
-
-<p>
-The <tt/pam_limits/ module does its best to report configuration
-problems found in its configuration file via <tt/syslog(3)/.
-
-<p>
-The following is an example configuration file:
-<tscreen>
-<verb>
-# EXAMPLE /etc/security/limits.conf file:
-# =======================================
-# <domain>	<type>	<item>		<value>
-*               soft    core            0
-*               hard    rss             10000
-@student        hard    nproc           20
-@faculty        soft    nproc           20
-@faculty        hard    nproc           50
-ftp             hard    nproc           0
-@student        -       maxlogins       4
-</verb>
-</tscreen>
-Note, the use of <tt/soft/ and <tt/hard/ limits for the same resource
-(see <tt/@faculty/) -- this establishes the <em/default/ and permitted
-<em/extreme/ level of resources that the user can obtain in a given
-service-session.
-
-<p>
-Note, that wild-cards <tt/*/ and <tt/%/ have the following meaning when
-used for maxlogins limit
-<itemize>
-<item> <tt/*/ every user
-<item> <tt/%/ all users, or entire group when <tt>%group</tt> is specified 
-</itemize>
-See the following examples:
-<tscreen>
-<verb>
-# EXAMPLE /etc/security/limits.conf file:
-# <domain>	<type>	<item>		<value>
-*               -       maxlogins       2
-@faculty        -       maxlogins       4
-%               -       maxlogins       30
-%student        -       maxlogins       10
-</verb>
-</tscreen>
-Explanation: every user can login 2 times, members of the <tt/faculty/
-group can login 4 times, there can be only 30 logins, only 10 from
-<tt/students/ group.
-
-<p>
-For the services that need resources limits (login for example) put
-the following line in <tt>/etc/pam.conf</tt> as the last line for that
-service (usually after the pam_unix session line:
-<tscreen>
-<verb>
-#
-# Resource limits imposed on login sessions via pam_limits
-#
-login   session    required     pam_limits.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_listfile.sgml b/Linux-PAM/doc/modules/pam_listfile.sgml
deleted file mode 100644
index 1284d1b6..00000000
--- a/Linux-PAM/doc/modules/pam_listfile.sgml
+++ /dev/null
@@ -1,138 +0,0 @@
-<!--
-   $Id: pam_listfile.sgml,v 1.2 2001/03/19 01:46:41 agmorgan Exp $
-   
-   This file was written by Michael K. Johnson <johnsonm@redhat.com>
--->
-
-<sect1>The list-file module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_listfile/
-
-<tag><bf>Author:</bf></tag>
-Elliot Lee <tt>&lt;sopwith@cuc.edu&gt;</tt>
-
-<tag><bf>Maintainer:</bf></tag>
-Red Hat Software:<newline>
-Michael K. Johnson &lt;johnsonm@redhat.com&gt;  1996/11/18<newline>
-(if unavailable, contact Elliot Lee &lt;sopwith@cuc.edu&gt;).
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-clean
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-The list-file module provides a way to deny or allow services based on
-an arbitrary file.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tt>onerr=succeed|fail</tt>;
-<tt>sense=allow|deny</tt>;
-<tt>file=</tt><it>filename</it>;
-<tt>item=user|tty|rhost|ruser|group|shell</tt>
-<tt>apply=user|@group</tt>
-
-<tag><bf>Description:</bf></tag>
-
-The module gets the item of the type specified -- <tt>user</tt> specifies
-the username, <tt>PAM_USER</tt>; tty specifies the name of the terminal
-over which the request has been made, <tt>PAM_TTY</tt>; rhost specifies
-the name of the remote host (if any) from which the request was made,
-<tt>PAM_RHOST</tt>; and ruser specifies the name of the remote user
-(if available) who made the request, <tt>PAM_RUSER</tt> -- and looks for
-an instance of that item in the file <it>filename</it>.  <it>filename</it>
-contains one line per item listed.  If the item is found, then if
-<tt>sense=allow</tt>, <tt>PAM_SUCCESS</tt> is returned, causing the
-authorization request to succeed; else if <tt>sense=deny</tt>,
-<tt>PAM_AUTH_ERR</tt> is returned, causing the authorization
-request to fail.
-
-<p>
-If an error is encountered (for instance, if <it>filename</it>
-does not exist, or a poorly-constructed argument is encountered),
-then if <tt>onerr=succeed</tt>, <tt>PAM_SUCCESS</tt> is returned,
-otherwise if <tt>onerr=fail</tt>, <tt>PAM_AUTH_ERR</tt> or
-<tt>PAM_SERVICE_ERR</tt> (as appropriate) will be returned.
-
-<p>
-An additional argument, <tt>apply=</tt>, can be used to restrict the
-application of the above to a specific user
-(<tt>apply=</tt><em>username</em>) or a given group
-(<tt>apply=@</tt><em>groupname</em>).  This added restriction is only
-meaningful when used with the <tt/tty/, <tt/rhost/ and <tt/shell/
-<em/items/.
-
-<p>
-Besides this last one, all arguments should be specified; do not count
-on any default behavior, as it is subject to change.
-
-<p>
-No credentials are awarded by this module.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-Classic ``ftpusers'' authentication can be implemented with this entry
-in <tt>/etc/pam.conf</tt>:
-<tscreen>
-<verb>
-#
-# deny ftp-access to users listed in the /etc/ftpusers file
-#
-ftp	auth	 required	pam_listfile.so \
-	onerr=succeed item=user sense=deny file=/etc/ftpusers
-</verb>
-</tscreen>
-Note, users listed in <tt>/etc/ftpusers</tt> file are
-(counterintuitively) <bf/not/ allowed access to the ftp service.
-
-<p>
-To allow login access only for certain users, you can use a
-<tt/pam.conf/ entry like this:
-<tscreen>
-<verb>
-#
-# permit login to users listed in /etc/loginusers
-#
-login	auth	 required	pam_listfile.so \
-	onerr=fail item=user sense=allow file=/etc/loginusers
-</verb>
-</tscreen>
-
-<p>
-For this example to work, all users who are allowed to use the login
-service should be listed in the file <tt>/etc/loginusers</tt>.  Unless
-you are explicitly trying to lock out root, make sure that when you do
-this, you leave a way for root to log in, either by listing root in
-<tt>/etc/loginusers</tt>, or by listing a user who is able to <em/su/
-to the root account.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_mail.sgml b/Linux-PAM/doc/modules/pam_mail.sgml
deleted file mode 100644
index c157659a..00000000
--- a/Linux-PAM/doc/modules/pam_mail.sgml
+++ /dev/null
@@ -1,142 +0,0 @@
-<!--
-   $Id: pam_mail.sgml,v 1.4 2001/12/08 18:56:47 agmorgan Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
--->
-
-<sect1>The mail module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_mail/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@kernel.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author
-
-<tag><bf>Management groups provided:</bf></tag>
-Authentication (credential)
-Session (open)
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Default mail directory <tt>/var/spool/mail/</tt>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module looks at the user's mail directory and indicates
-whether the user has any mail in it.
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/dir=/<em/directory-name/; <tt/nopen/; <tt/close/;
-<tt/noenv/; <tt/empty/; <tt/hash=/<em/hashcount/; <tt/standard/;
-<tt/quiet/;
-
-<tag><bf>Description:</bf></tag>
-
-This module provides the ``you have new mail'' service to the user. It
-can be plugged into any application that has credential hooks. It gives a
-single message indicating the <em/newness/ of any mail it finds in the
-user's mail folder. This module also sets the <bf/Linux-PAM/
-environment variable, <tt/MAIL/, to the user's mail directory.
-
-<p>
-The behavior of this module can be modified with one of the following
-flags:
-
-<p>
-<itemize>
-<item><tt/debug/
-- write more information to <tt/syslog(3)/.
-
-<item><tt/dir=/<em/pathname/
-- look for the users' mail in an alternative directory given by
-<em/pathname/.  The default location for mail is
-<tt>/var/spool/mail</tt>. Note, if the supplied <em/pathname/ is
-prefixed by a `<tt/&tilde;/', the directory is interpreted as
-indicating a file in the user's home directory.
-
-<item><tt/nopen/
-- instruct the module to <em/not/ print any mail information when the
-user's credentials are acquired. This flag is useful to get the <tt/MAIL/
-environment variable set, but to not display any information about it.
-
-<item><tt/close/
-- instruct the module to indicate if the user has any mail at the as
-the user's credentials are revoked.
-
-<item><tt/noenv/
-- do not set the <tt/MAIL/ environment variable.
-
-<item><tt/empty/
-- indicate that the user's mail directory is empty if this is found to
-be the case.
-
-<item><tt/hash=/<em/hashcount/
-- mail directory hash depth.  For example, a <em/hashcount/ of 2 would
-make the mailfile be <tt>/var/spool/mail/u/s/user</tt>.
-
-<item><tt/standard/
-- old style "You have..." format which doesn't show the mail spool being used.
-  this also implies "empty"
-
-<item><tt/quiet/
-- only report when there is new mail.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This module can be used to indicate that the user has new mail when
-they <em/login/ to the system. Here is a sample entry for your
-<tt>/etc/pam.conf</tt> file:
-<tscreen>
-<verb>
-#
-# do we have any mail?
-#
-login	session	 optional	pam_mail.so
-</verb>
-</tscreen>
-
-<p>
-Note, if the mail spool file (be it <tt>/var/spool/mail/$USER</tt> or
-a pathname given with the <tt>dir=</tt> parameter) is a directory then
-<tt>pam_mail</tt> assumes it is in the <it>Qmail Maildir</it> format.
-
-<p>
-Note, some applications may perform this function themselves. In such
-cases, this module is not necessary.
-
-</descrip>
-
-<sect2>Authentication component
-
-<p>
-Then authentication companent works the same as the session component,
-except that everything is done during the <tt>pam_setcred()</tt> phase.
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_mkhomedir.sgml b/Linux-PAM/doc/modules/pam_mkhomedir.sgml
deleted file mode 100644
index 8428565d..00000000
--- a/Linux-PAM/doc/modules/pam_mkhomedir.sgml
+++ /dev/null
@@ -1,83 +0,0 @@
-<!--
-
-Ben Collins <bcollins@debian.org>
-
--->
-
-<sect1>Create home directories on initial login
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_mkhomedir/
-
-<tag><bf>Author:</bf></tag>
-Jason Gunthorpe &lt;jgg@ualberta.ca&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Ben Collins &lt;bcollins@debian.org&gt;
-
-<tag><bf>Management groups provided:</bf></tag>
-Session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Creates home directories on the fly for authenticated users.
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/skel=skeleton-dir/; <tt/umask=octal-umask/;
-
-<tag><bf>Description:</bf></tag>
-This module is useful for distributed systems where the user account is
-managed in a central database (such as NIS, NIS+, or LDAP) and accessed
-through miltiple systems. It frees the administrator from having to create
-a default home directory on each of the systems by creating it upon the
-first succesfully authenticated login of that user. The skeleton directory
-(usually /etc/skel/) is used to copy default files and also set's a umask
-for the creation.
-
-<p>
-The behavior of this module can be modified with one of the following
-flags:
-
-<p>
-<itemize>
-
-<item><tt/skel/
-- The skeleton directory for default files to copy to the new home directory.
-
-<item><tt/umask/
-- An octal for of the same format as you would pass to the shells umask command.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_motd.sgml b/Linux-PAM/doc/modules/pam_motd.sgml
deleted file mode 100644
index 8ddc6392..00000000
--- a/Linux-PAM/doc/modules/pam_motd.sgml
+++ /dev/null
@@ -1,77 +0,0 @@
-<!--
-
-Ben Collins <bcollins@debian.org>
-
--->
-
-<sect1>Output the motd file
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_motd/
-
-<tag><bf>Author:</bf></tag>
-Ben Collins &lt;bcollins@debian.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author
-
-<tag><bf>Management groups provided:</bf></tag>
-Session (open)
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module outputs the motd file (<em>/etc/motd</em> by default) upon
-successful login.
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/motd=motd-file-name/;
-
-<tag><bf>Description:</bf></tag>
-This module allows you to have arbitrary motd's (message of the day)
-output after a succesful login. By default this file is <em>/etc/motd</em>,
-but is configurable to any file.
-
-<p>
-The behavior of this module can be modified with one of the following
-flags:
-
-<p>
-<itemize>
-
-<item><tt/motd/
-- the file to output if not using the default.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-login  session  pam_motd.so  motd=/etc/motd
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_nologin.sgml b/Linux-PAM/doc/modules/pam_nologin.sgml
deleted file mode 100644
index 241c24f0..00000000
--- a/Linux-PAM/doc/modules/pam_nologin.sgml
+++ /dev/null
@@ -1,81 +0,0 @@
-<!--
-   $Id: pam_nologin.sgml,v 1.3 2002/06/27 05:43:28 agmorgan Exp $
-   
-   This file was written by Michael K. Johnson <johnsonm@redhat.com>
--->
-
-<sect1>The no-login module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_nologin/
-
-<tag><bf>Author:</bf></tag>
-Written by Michael K. Johnson &lt;johnsonm@redhat.com&gt;<newline>
-
-<tag><bf>Maintainer:</bf></tag>
-
-<tag><bf>Management groups provided:</bf></tag>
-account; authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Provides standard Unix <em/nologin/ authentication.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-successok, file=&lt;<em/filename/&gt;
-
-<tag><bf>Description:</bf></tag>
-
-Provides standard Unix <em/nologin/ authentication.  If the file
-<tt>/etc/nologin</tt> exists, only root is allowed to log in; other
-users are turned away with an error message (and the module returns
-<tt/PAM_AUTH_ERR/ or <tt/PAM_USER_UNKNOWN/).  All users (root or
-otherwise) are shown the contents of <tt>/etc/nologin</tt>.
-
-<p>
-If the file <tt>/etc/nologin</tt> does not exist, this module defaults
-to returning <tt/PAM_IGNORE/, but the <tt/successok/ module argument
-causes it to return <tt/PAM_SUCCESS/ in this case.
-
-<p>
-The administrator can override the default nologin file with the
-<tt/file=/<em/pathname/ module argument.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-In order to make this module effective, all login methods should be
-secured by it.  It should be used as a <tt>required</tt> method listed
-before any <tt>sufficient</tt> methods in order to get standard Unix
-nologin semantics. Note, the use of <tt/successok/ module argument
-causes the module to return <tt/PAM_SUCCESS/ and as such would break
-such a configuration - failing <tt/sufficient/ modules would lead to a
-successful login because the nologin module <em/succeeded/.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_permit.sgml b/Linux-PAM/doc/modules/pam_permit.sgml
deleted file mode 100644
index 1d6bbce4..00000000
--- a/Linux-PAM/doc/modules/pam_permit.sgml
+++ /dev/null
@@ -1,83 +0,0 @@
-<!--
-   $Id: pam_permit.sgml,v 1.2 2001/12/08 18:56:47 agmorgan Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
--->
-
-<sect1>The promiscuous module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_permit
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan, &lt;morgan@kernel.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Linux-PAM maintainer.
-
-<tag><bf>Management groups provided:</bf></tag>
-account; authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-VERY LOW. Use with extreme caution.
-
-<tag><bf>Clean code base:</bf></tag>
-Clean.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is very dangerous. It should be used with extreme
-caution. Its action is always to permit access. It does nothing else.
-
-<sect2>Account+Authentication+Password+Session components
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-No matter what management group, the action of this module is to
-simply return <tt/PAM_SUCCESS/ -- operation successful.
-
-<p>
-In the case of authentication, the user's name will be acquired. Many
-applications become confused if this name is unknown.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-It is seldom a good idea to use this module. However, it does have
-some legitimate uses.  For example, if the system-administrator wishes
-to turn off the account management on a workstation, and at the same
-time continue to allow logins, then she might use the following
-configuration file entry for login:
-<tscreen>
-<verb>
-#
-# add this line to your other login entries to disable account
-# management, but continue to permit users to log in...
-#
-login	account	 required	pam_permit.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_pwdb.sgml b/Linux-PAM/doc/modules/pam_pwdb.sgml
deleted file mode 100644
index 7b237d2e..00000000
--- a/Linux-PAM/doc/modules/pam_pwdb.sgml
+++ /dev/null
@@ -1,257 +0,0 @@
-<!--
-   $Id: pam_pwdb.sgml,v 1.4 2002/07/11 05:43:50 agmorgan Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
--->
-
-<sect1>The Password-Database module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_pwdb
-
-<tag><bf>Author:</bf></tag>
-Cristian Gafton &lt;gafton@redhat.com&gt; <newline>
-and Andrew G. Morgan &lt;morgan@kernel.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Red Hat.
-
-<tag><bf>Management groups provided:</bf></tag>
-account; authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Requires properly configured <tt/libpwdb/
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is a pluggable replacement for the <tt/pam_unix_../
-modules. It uses the generic interface of the <em/Password Database/
-library <tt>libpwdb</tt>.
-
-<sect2>Account component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/
-
-<tag><bf>Description:</bf></tag>
-
-The <tt/debug/ argument makes the accounting functions of this module
-<tt/syslog(3)/ more information on its actions. (Remaining arguments
-supported by the other functions of this module are silently ignored,
-but others are logged as errors through <tt/syslog(3)/).
-
-Based on the following <tt/pwdb_element/s:
-<tt/expire/;
-<tt/last_change/;
-<tt/max_change/;
-<tt/defer_change/;
-<tt/warn_change/,
-this module performs the task of establishing the status of the user's
-account and password. In the case of the latter, it may offer advice
-to the user on changing their password or, through the
-<tt/PAM_AUTHTOKEN_REQD/ return, delay giving service to the user until
-they have established a new password. The entries listed above are
-documented in the <em/Password Database Library Guide/ (see pointer
-above). Should the user's record not contain one or more of these
-entries, the corresponding <em/shadow/ check is not performed.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-In its accounting mode, this module can be inserted as follows:
-<tscreen>
-<verb>
-#
-# Ensure users account and password are still active
-#
-login	account	 required	pam_pwdb.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/;
-<tt/use_first_pass/;
-<tt/try_first_pass/;
-<tt/nullok/;
-<tt/nodelay/;
-<tt/likeauth/;
-<tt/noreap/
-
-<tag><bf>Description:</bf></tag>
-
-The <tt/debug/ argument makes the authentication functions of this
-module <tt/syslog(3)/ more information on its actions.
-
-<p>
-The default action of this module is to not permit the user access to
-a service if their <em/official/ password is blank. The <tt/nullok/
-argument overrides this default.
-
-<p>
-When given the argument <tt/try_first_pass/, before prompting the user
-for their password, the module first tries the previous stacked
-<tt/auth/-module's password in case that satisfies this module as
-well. The argument <tt/use_first_pass/ forces the module to use such a
-recalled password and will never prompt the user - if no password is
-available or the password is not appropriate, the user will be denied
-access.
-
-<p>
-The argument, <tt>nodelay</tt>, can be used to discourage the
-authentication component from requesting a delay should the
-authentication as a whole fail.  The default action is for the module
-to request a delay-on-failure of the order of one second.
-
-<p>
-Remaining arguments, supported by the other functions of this module,
-are silently ignored. Other arguments are logged as errors through
-<tt/syslog(3)/.
-
-<p>
-A helper binary, <tt>pwdb_chkpwd</tt>, is provided to check the user's
-password when it is stored in a read protected database.  This binary
-is very simple and will only check the password of the user invoking
-it.  It is called transparently on behalf of the user by the
-authenticating component of this module.  In this way it is possible
-for applications like <em>xlock</em> to work without being
-setuid-root. The module, by default, will temporarily turn off
-<tt/SIGCHLD/ handling for the duration of execution of the helper
-binary. This is generally the right thing to do, as many applications
-are not prepared to handle this signal from a child they didn't know
-was <tt/fork()/d. The <tt/noreap/ module argument can be used to
-suppress this temporary shielding and may be needed for use with
-certain applications.
-
-<p>
-The <tt>likeauth</tt> argument makes the module return the same value
-when called as a credential setting module and an authentication
-module.  This will help libpam take a sane path through the auth
-component of your configuration file.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-The correct functionality of this module is dictated by having an
-appropriate <tt>/etc/pwdb.conf</tt> file, the user
-databases specified there dictate the source of the authenticated
-user's record.
-
-</descrip>
-
-<sect2>Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/nullok/; <tt/not_set_pass/; <tt/use_authtok/;
-<tt/try_first_pass/; <tt/use_first_pass/; <tt/md5/; <tt/bigcrypt/;
-<tt/shadow/; <tt/radius/; <tt/unix/
-
-<tag><bf>Description:</bf></tag>
-
-This part of the <tt/pam_pwdb/ module performs the task of updating
-the user's password.  Thanks to the flexibility of <tt/libpwdb/ this
-module is able to move the user's password from one database to
-another, perhaps securing the user's database entry in a dynamic
-manner (<em/this is very ALPHA code at the moment!/) - this is the
-purpose of the <tt/shadow/, <tt/radius/ and <tt/unix/ arguments.
-
-<p>
-In the case of conventional unix databases (which store the password
-encrypted) the <tt/md5/ argument is used to do the encryption with the
-MD5 function as opposed to the <em/conventional/ <tt/crypt(3)/ call.
-As an alternative to this, the <tt/bigcrypt/ argument can be used to
-encrypt more than the first 8 characters of a password with DEC's
-(Digital Equipment Cooperation) `C2' extension to the standard UNIX
-<tt/crypt()/ algorithm.
-
-<p>
-The <tt/nullok/ module is used to permit the changing of a password
-<em/from/ an empty one. Without this argument, empty passwords are
-treated as account-locking ones.
-
-<p>
-The argument <tt/use_first_pass/ is used to lock the choice of old and
-new passwords to that dictated by the previously stacked <tt/password/
-module.  The <tt/try_first_pass/ argument is used to avoid the user
-having to re-enter an old password when <tt/pam_pwdb/ follows a module
-that possibly shared the user's old password - if this old password is
-not correct the user will be prompted for the correct one.  The
-argument <tt/use_authtok/ is used to <em/force/ this module to set the
-new password to the one provided by the previously stacked
-<tt/password/ module (this is used in an example of the stacking of
-the <em/Cracklib/ module documented above).
-
-<p>
-The <tt/not_set_pass/ argument is used to inform the module that it is
-not to pay attention to/make available the old or new passwords from/to
-other (stacked) password modules.
-
-<p>
-The <tt/debug/ argument makes the password functions of this module
-<tt/syslog(3)/ more information on its actions. Other arguments may be
-logged as erroneous to <tt/syslog(3)/.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-An example of the stacking of this module with respect to the
-pluggable password checking module, <tt/pam_cracklib/, is given in
-that modules section above.
-</descrip>
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-No arguments are recognized by this module component. Its action is
-simply to log the username and the service-type to
-<tt/syslog(3)/. Messages are logged at the beginning and end of the
-user's session.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-The use of the session modules is straightforward:
-<tscreen>
-<verb>
-#
-# pwdb - unix like session opening and closing
-#
-login	session	 required	pam_pwdb.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_radius.sgml b/Linux-PAM/doc/modules/pam_radius.sgml
deleted file mode 100644
index 8ebfa0a8..00000000
--- a/Linux-PAM/doc/modules/pam_radius.sgml
+++ /dev/null
@@ -1,117 +0,0 @@
-<!--
-   $Id: pam_radius.sgml,v 1.2 2001/03/19 01:46:41 agmorgan Exp $
-   
-   This file was written by Cristian Gafton <gafton@redhat.com>
--->
-
-<sect1>The RADIUS session module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_radius/
-
-<tag><bf>Author:</bf></tag>
-Cristian Gafton &lt;gafton@redhat.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-session
-
-<tag><bf>Cryptographically sensitive:</bf></tag> 
-This module does not deal with passwords
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-gcc reports 1 warning when compiling <tt>/usr/include/rpc/clnt.h</tt>.
-Hey, is not my fault !
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-yes; this is a network module (independent of application).
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is intended to provide the session service for users
-authenticated with a RADIUS server.  At the present stage, the only
-option supported is the use of the RADIUS server as an accounting
-server.
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tt/debug/ - verbose logging to <tt/syslog(3)/.
-
-<tag><bf>Description:</bf></tag>
-
-This module is intended to provide the session service for users
-authenticated with a RADIUS server. At the present stage, the only
-option supported is the use of the RADIUS server as an <em/accounting/
-server.  
-
-<p>
-(There are few things which needs to be cleared out first in
-the PAM project until one will be able to use this module and expect
-it to magically start pppd in response to a RADIUS server command to
-use PPP for this user, or to initiate a telnet connection to another
-host, or to hang and call back the user using parameters provided in
-the RADIUS server response. Most of these things are better suited for
-the radius login application. I hope to make available Real Soon (tm)
-patches for the login apps to make it work this way.)
-
-<p>
-When opening a session, this module sends an ``Accounting-Start''
-message to the RADIUS server, which will log/update/whatever a
-database for this user. On close, an ``Accounting-Stop'' message is
-sent to the RADIUS server.
-
-<p>
-This module has no other prerequisites for making it work.  One can
-install a RADIUS server just for fun and use it as a centralized
-accounting server and forget about wtmp/last/sac etc. .
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-For the services that need this module (<em/login/ for example) put
-the following line in <tt>/etc/pam.conf</tt> as the last line for that
-service (usually after the pam_unix session line):
-<tscreen>
-<verb>
-login	session	 required	pam_radius.so
-</verb>
-</tscreen>
-Replace <tt/login/ for each service you are using this module.
-
-<p>
-This module make extensive use of the API provided in libpwdb
-0.54preB or later. By default, it will read the radius server
-configuration (hostname and secret) from <tt>/etc/raddb/server</tt>.
-This is a default compiled into libpwdb, and curently there is no way to
-modify this default without recompiling libpwdb. I am working on
-extending the radius support from libpwdb to provide a possibility
-to make this runtime-configurable.
-
-Also please note that libpwdb will require also the RADIUS
-dictionary to be present (<tt>/etc/raddb/dictionary</tt>).
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
-
diff --git a/Linux-PAM/doc/modules/pam_rhosts.sgml b/Linux-PAM/doc/modules/pam_rhosts.sgml
deleted file mode 100644
index ded5697b..00000000
--- a/Linux-PAM/doc/modules/pam_rhosts.sgml
+++ /dev/null
@@ -1,164 +0,0 @@
-<!--
-   $Id: pam_rhosts.sgml,v 1.2 2001/12/08 18:56:47 agmorgan Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
--->
-
-<sect1>The rhosts module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_rhosts_auth/
-
-<tag><bf>Author:</bf></tag>
-Al Longyear &lt;longyear@netcom.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-Clean.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-Standard <tt/inet_addr()/, <tt/gethostbyname()/ function calls.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module performs the standard network authentication for services,
-as used by traditional implementations of <em/rlogin/ and <em/rsh/
-etc.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/no_hosts_equiv/; <tt/no_rhosts/; <tt/debug/; <tt/no_warn/;
-<tt/privategroup/; <tt/promiscuous/; <tt/suppress/
-
-<tag><bf>Description:</bf></tag>
-
-The authentication mechanism of this module is based on the contents
-of two files; <tt>/etc/hosts.equiv</tt> (or <tt/_PATH_HEQUIV/ in
-<tt>#include &lt;netdb.h&gt;</tt>) and <tt>~/.rhosts</tt>.  Firstly,
-hosts listed in the former file are treated as equivalent to the
-localhost. Secondly, entries in the user's own copy of the latter file
-is used to map "<tt/remote-host remote-user/" pairs to that user's
-account on the current host. Access is granted to the user if their
-host is present in <tt>/etc/hosts.equiv</tt> and their remote account
-is identical to their local one, or if their remote account has an
-entry in their personal configuration file.
-
-<p>
-Some restrictions are applied to the attributes of the user's personal
-configuration file: it must be a regular file (as defined by
-<tt/S_ISREG(x)/ of POSIX.1); it must be owned by the <em/superuser/ or
-the user; it must not be writable by any user besides its owner.
-
-<p>
-The module authenticates a remote user (internally specified by the
-item <tt/PAM_RUSER/) connecting from the remote host (internally
-specified by the item <tt/PAM_RHOST/).  Accordingly, for applications
-to be compatible this authentication module they must set these items
-prior to calling <tt/pam_authenticate()/.  The module is not capable
-of independently probing the network connection for such information.
-
-<p>
-In the case of <tt/root/-access, the <tt>/etc/host.equiv</tt> file is
-<em/ignored/ unless the <tt>hosts_equiv_rootok</tt> option
-should be used.  Instead, the superuser must have a correctly configured
-personal configuration file.
-
-<p>
-The behavior of the module is modified by flags:
-<itemize>
-<item>
-<tt/debug/ -
-log more information to <tt/syslog(3)/. (XXX - actually, this module
-does not do any logging currently, please volunteer to fix this!)
-
-<item>
-<tt/no_warn/ -
-do not give verbal warnings to the user about failures etc. (XXX -
-this module currently does not issue any warnings, please volunteer to
-fix this!)
-
-<item>
-<tt/no_hosts_equiv/ -
-ignore the contents of the <tt>/etc/hosts.equiv</tt> file.
-
-<item>
-<tt/hosts_equiv_rootok/ -
-allow the use of <tt>/etc/hosts.equiv</tt> for superuser.  Without this
-option <tt>/etc/hosts.equiv</tt> is not consulted for the superuser account.
-This option has no effect if the <tt>no_hosts_equiv</tt> option is used.
-
-<item>
-<tt/no_rhosts/ -
-ignore the contents of all user's personal configuration file
-<tt>~/.rhosts</tt>.
-
-<item>
-<tt/privategroup/ -
-normally, the <tt>~/.rhosts</tt> file must not be writable by anyone
-other than its owner.  This option overlooks group write access in the
-case that the group owner of this file has the same name as the
-user being authenticated.  To lessen the security problems associated
-with this option, the module also checks that the user is the only
-member of their private group.
-
-<item>
-<tt/promiscuous/ -
-A host entry of `+' will lead to all hosts being granted
-access. Without this option, '+' entries will be ignored. Note, that
-the <tt/debug/ option will syslog a warning in this latter case.
-
-<item>
-<tt/suppress/ -
-This will prevent the module from <tt/syslog(3)/ing a warning message
-when this authentication fails.  This option is mostly for keeping
-logs free of meaningless errors, in particular when the module is used
-with the <tt/sufficient/ control flag.
-
-</itemize>
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-To allow users to login from trusted remote machines, you should try
-adding the following line to your <tt>/etc/pam.conf</tt> file
-<em/before/ the line that would otherwise prompt the user for a
-password:
-<tscreen>
-<verb>
-#
-# No passwords required for users from hosts listed above.
-#
-login  auth  sufficient  pam_rhosts_auth.so no_rhosts
-</verb>
-</tscreen>
-Note, in this example, the system administrator has turned off all
-<em/personal/ <em/rhosts/ configuration files. Also note, that this module
-can be used to <em/only/ allow remote login from hosts specified in
-the <tt>/etc/host.equiv</tt> file, by replacing <tt/sufficient/ in the
-above example with <tt/required/.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_rootok.sgml b/Linux-PAM/doc/modules/pam_rootok.sgml
deleted file mode 100644
index b5ae6921..00000000
--- a/Linux-PAM/doc/modules/pam_rootok.sgml
+++ /dev/null
@@ -1,85 +0,0 @@
-<!--
-   $Id: pam_rootok.sgml,v 1.2 2001/12/08 18:56:47 agmorgan Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
--->
-
-<sect1>The root access module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_rootok
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@kernel.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-<bf>Linux-PAM</bf> maintainer
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-Clean.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is for use in situations where the superuser wishes
-to gain access to a service without having to enter a password.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/
-
-<tag><bf>Description:</bf></tag>
-
-This module authenticates the user if their <tt/uid/ is <tt/0/.
-Applications that are created <em/setuid/-root generally retain the
-<tt/uid/ of the user but run with the authority of an enhanced
-<em/effective-/<tt/uid/. It is the real <tt/uid/ that is checked.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-In the case of the <tt/su/ application the historical usage is to
-permit the superuser to adopt the identity of a lesser user without
-the use of a password. To obtain this behavior under <tt/Linux-PAM/
-the following pair of lines are needed for the corresponding entry in
-the configuration file:
-<tscreen>
-<verb>
-#
-# su authentication. Root is granted access by default.
-#
-su	auth	 sufficient	pam_rootok.so
-su	auth	 required	pam_unix_auth.so
-</verb>
-</tscreen>
-
-<p>
-Note. For programs that are run by the superuser (or started when the
-system boots) this module should not be used to authenticate users.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_securetty.sgml b/Linux-PAM/doc/modules/pam_securetty.sgml
deleted file mode 100644
index fc89af23..00000000
--- a/Linux-PAM/doc/modules/pam_securetty.sgml
+++ /dev/null
@@ -1,72 +0,0 @@
-<!--
-   $Id: pam_securetty.sgml,v 1.1.1.1 2000/06/20 22:11:04 agmorgan Exp $
-   
-   This file was written by Michael K. Johnson <johnsonm@redhat.com>
--->
-
-<sect1>The securetty module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_securetty/
-
-<tag><bf>Author[s]:</bf></tag>
-Elliot Lee &lt;sopwith@cuc.edu&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Red Hat Software:<newline>
-<em/currently/ Michael K. Johnson &lt;johnsonm@redhat.com&gt;<newline>
-(if unavailable, contact Elliot Lee &lt;sopwith@cuc.edu&gt;).
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-<tt>/etc/securetty</tt> file
-
-<tag><bf>Network aware:</bf></tag>
-
-Requires the application to fill in the <tt>PAM_TTY</tt> item
-correctly in order to act meaningfully.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Provides standard Unix securetty checking.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-Provides standard Unix securetty checking, which causes authentication
-for root to fail unless <tt>PAM_TTY</tt> is set to a string listed in
-the <tt>/etc/securetty</tt> file.  For all other users, it succeeds.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-For canonical usage, should be listed as a <tt>required</tt>
-authentication method before any <tt>sufficient</tt> authentication
-methods.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_tally.sgml b/Linux-PAM/doc/modules/pam_tally.sgml
deleted file mode 100644
index ee6fad46..00000000
--- a/Linux-PAM/doc/modules/pam_tally.sgml
+++ /dev/null
@@ -1,203 +0,0 @@
-<!--
-
-   $Id: pam_tally.sgml,v 1.3 2005/01/16 22:12:25 toady Exp $
-   
-   This template file was written by Andrew G. Morgan <morgan@kernel.org>
-   adapted from text provided by Tim Baverstock.
--->
-
-<sect1>The login counter (tallying) module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_tally
-
-<tag><bf>Author[s]:</bf></tag>
-Tim Baverstock
-Tomas Mraz
-
-<tag><bf>Maintainer:</bf></tag>
-
-<tag><bf>Management groups provided:</bf></tag>
-auth; account
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-A faillog file (default location /var/log/faillog)
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module maintains a count of attempted accesses, can reset count
-on success, can deny access if too many attempts fail.
-
-<p>
-pam_tally comes in two parts: <tt>pam_tally.so</tt> and
-<tt>pam_tally</tt>. The former is the PAM module and the latter, a
-stand-alone program. <tt>pam_tally</tt> is an (optional) application
-which can be used to interrogate and manipulate the counter file. It
-can display users' counts, set individual counts, or clear all
-counts. Setting artificially high counts may be useful for blocking
-users without changing their passwords. For example, one might find it
-useful to clear all counts every midnight from a cron job.
-
-<p>
-The counts file is organized as a binary-word array, indexed by
-uid. You can probably make sense of it with <tt>od</tt>, if you don't
-want to use the supplied appliction.
-
-<p>
-Note, there are some outstanding issues with this module:
-<tt>pam_tally</tt> is very dependant on <tt>getpw*()</tt> - a database
-of usernames would be much more flexible
-
-<sect3>Generic options accepted by both components
-<p>
-<itemize>
-<item> <tt>onerr=</tt>(<tt>succeed</tt>|<tt>fail</tt>):
-   if something weird happens, such as unable to open the file, how
-   should the module react?
-<item> <tt>file=</tt><em>/where/to/keep/counts</em>:
-   specify the file location for the counts.
-   The default location is <tt>/var/log/faillog</tt>.
-<item> <tt>audit</tt>:
-   display the username typed if the user is not found. It may be 
-   useful for scripts, but you should know users often type their
-   password instead making your system weaker. Activate it only if you
-   know what you are doing.
-</itemize>
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt>onerr=</tt>(<tt>succeed</tt>|<tt>fail</tt>);
-<tt>file=</tt>/where/to/keep/counts;
-<tt>deny=</tt><em>n</em>;
-<tt>lock_time=</tt><em>n</em>;
-<tt>unlock_time=</tt><em>n</em>;
-<tt>magic_root</tt>;
-<tt>even_deny_root_account</tt>;
-<tt>per_user</tt>;
-<tt>no_lock_time</tt>
-<tt>no_reset</tt>;
-
-<tag><bf>Description:</bf></tag>
-
-<p>
-The authentication component first checks if the user should be denied
-access and if not it increments attempted login counter.
-Then on call to <tt>pam_setcred</tt> it resets the attempts counter 
-if the user is NOT magic root.
-
-<p>
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-<p>
-The <tt>deny=</tt><em>n</em> option is used to deny access if tally
-for this user exceeds <em>n</em>.
-
-<p>
-The <tt>lock_time=</tt><em>n</em> option is used to always deny access
-for at least <em>n</em> seconds after a failed attempt.
-
-<p>
-The <tt>unlock_time=</tt><em>n</em> option is used to allow access after
-<em>n</em> seconds after the last failed attempt with exceeded tally.
-If this option is used the user will be locked out only for the specified
-amount of time after he exceeded his maximum allowed attempts. Otherwise
-the lock is removed only by a manual intervention of the system administrator.
-
-<p>
-The <tt>magic_root</tt> option is used to indicate that if
-the module is invoked by a user with uid=0, then the counter is not
-incremented. The sys-admin should use this for user launched services,
-like <tt>su</tt>, otherwise this argument should be omitted.
-
-<p>
-By way of more explanation, when a process already running as root
-tries to access some service, the access is <em>magic</em>, and
-bypasses <tt>pam_tally</tt>'s checks: this is handy for <tt>su</tt>ing
-from root into an account otherwise blocked. However, for services
-like <tt>telnet</tt> or <tt>login</tt>, which always effectively run
-from the root account, root (ie everyone) shouldn't be granted this
-magic status, and the flag `magic_root' should not be set in this
-situation, as noted in the summary above.
-
-<p>
-Normally, failed attempts to access root will <bf>NOT</bf> cause the
-root account to become blocked, to prevent denial-of-service: if your
-users aren't given shell accounts and root may only login via
-<tt>su</tt> or at the machine console (not
-<tt>telnet</tt>/<tt>rsh</tt>, etc), this is safe. If you really want
-root to be blocked for some given service, use
-<tt>even_deny_root_account</tt>.
-
-<p>
-If <tt>/var/log/faillog</tt> contains a non-zero <tt>.fail_max/.fail_locktime</tt>
-field for this user then the <tt>per_user</tt> module argument will
-ensure that the module uses this value and not the global
-<tt>deny/lock_time=</tt><em>n</em> parameter.
-
-<p>
-The <tt>no_lock_time</tt> option is for ensuring that the module does
-not use the <tt>.fail_locktime</tt> field in /var/log/faillog for this
-user.
-
-<p>
-The <tt>no_reset</tt> option is used to instruct the module to not reset
-the count on successful entry.
-
-</descrip>
-
-<sect2>Account component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt>onerr=</tt>(<tt>succeed</tt>|<tt>fail</tt>);
-<tt>file=</tt>/where/to/keep/counts;
-<tt>magic_root</tt>;
-<tt>no_reset</tt>;
-
-<tag><bf>Description:</bf></tag>
-
-<p>
-The account component resets attempts counter if the user is NOT 
-magic root. This phase can be used optionaly for services which don't call
-pam_setcred correctly or if the reset should be done regardless
-of the failure of the account phase of other modules.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-<p>
-The <tt>magic_root</tt> option is used to indicate that if
-the module is invoked by a user with uid=0, then the counter is not
-decremented/reset. The sys-admin should use this for user launched services,
-like <tt>su</tt>, otherwise this argument should be omitted.
-
-<p>
-The <tt>no_reset</tt> option is used to instruct the module to not reset
-the count on successful entry.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_time.sgml b/Linux-PAM/doc/modules/pam_time.sgml
deleted file mode 100644
index ef761223..00000000
--- a/Linux-PAM/doc/modules/pam_time.sgml
+++ /dev/null
@@ -1,166 +0,0 @@
-<!--
-   $Id: pam_time.sgml,v 1.4 2002/05/10 04:03:02 agmorgan Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
--->
-
-<sect1>Time control
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_time/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan <tt>&lt;morgan@kernel.org&gt;</tt>
-
-<tag><bf>Maintainer:</bf></tag>
-Author
-
-<tag><bf>Management groups provided:</bf></tag>
-account
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Requires a configuration file <tt>/etc/security/time.conf</tt>
-
-<tag><bf>Network aware:</bf></tag>
-Through the <tt/PAM_TTY/ item only
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Running a well regulated system occasionally involves restricting
-access to certain services in a selective manner.  This module offers
-some time control for access to services offered by a system.  Its
-actions are determined with a configuration file.  This module can be
-configured to deny access to (individual) users based on their name,
-the time of day, the day of week, the service they are applying for
-and their terminal from which they are making their request.
-
-<sect2>Account component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This module bases its actions on the rules listed in its configuration
-file: <tt>/etc/security/time.conf</tt>.  Each rule has the following
-form,
-<tscreen>
-<em/services/<tt/;/<em/ttys/<tt/;/<em/users/<tt/;/<em/times/
-</tscreen>
-In words, each rule occupies a line, terminated with a newline or the
-beginning of a comment; a `<tt/#/'.  It contains four fields separated
-with semicolons, `<tt/;/'. The fields are as follows:
-
-<p>
-<itemize>
-<item><em/services/ -
-a logic list of service names that are affected by this rule.
-
-<item><em/ttys/ -
-a logic list of terminal names indicating those terminals covered by
-the rule.
-
-<item><em/user/ -
-a logic list of usernames to which this rule applies
-
-<p>
-By a logic list we mean a sequence of tokens (associated with the
-appropriate <tt/PAM_/ item), containing no more than one wildcard
-character; `<tt/*/', and optionally prefixed with a negation operator;
-`<tt/!/'. Such a sequence is concatenated with one of two logical
-operators: <tt/&amp;/ (logical AND) and <tt/|/ (logical OR).  Two
-examples are: <tt>!morgan&amp;!root</tt>, indicating that this rule
-does not apply to the user <tt>morgan</tt> nor to <tt>root</tt>; and
-<tt>tty*&amp;!ttyp*</tt>, which indicates that the rule applies only
-to console terminals but not pseudoterminals.
-
-<item><em/times/ - a logic list of times at which this rule
-applies. The format of each element is a day/time-range. The days are
-specified by a sequence of two character entries.  For example,
-<tt/MoTuSa/, indicates Monday Tuesday and Saturday.  Note that
-repeated days are <em/unset/; <tt/MoTuMo/ indicates Tuesday, and
-<tt/MoWk/ means all weekdays bar Monday.  The two character
-combinations accepted are,
-<tscreen>
-<verb>
-Mo Tu We Th Fr Sa Su Wk Wd Al
-</verb>
-</tscreen>
-The last two of these being <em/weekend/ days and <em/all 7 days/ of
-the week respectively.
-
-<p>
-The time range part is a pair of 24-hour times, <em/HHMM/, separated
-by a hyphen -- indicating the start and finish time for the rule.  If
-the finsish time is smaller than the start time, it is assumed to
-apply on the following day. For an example, <tt/Mo1800-0300/ indicates
-that the permitted times are Monday night from 6pm to 3am the
-following morning.
-
-</itemize>
-
-<p>
-Note, that the given time restriction is only applied when the first
-three fields are satisfied by a user's application for service.
-
-<p>
-For convenience and readability a rule can be extended beyond a single
-line with a `<tt>&bsol;</tt><em/newline/'.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-The use of this module is initiated with an entry in the
-<bf/Linux-PAM/ configuration file of the following type:
-<tscreen>
-<verb>
-#
-# apply pam_time accounting to login requests
-#
-login	account	 required	pam_time.so
-</verb>
-</tscreen>
-where, here we are applying the module to the <em/login/ application.
-
-<p>
-Some examples of rules that can be placed in the
-<tt>/etc/security/time.conf</tt> configuration file are the following:
-<descrip>
-
-<tag><tt>login ; tty* &amp; !ttyp* ; !root ; !Al0000-2400</tt></tag>
-all users except for <tt/root/ are denied access to console-login at
-all times.
-
-<tag><tt>games ; * ; !waster ; Wd0000-2400 | Wk1800-0800</tt></tag>
-games (configured to use Linux-PAM) are only to be accessed out of
-working hours.  This rule does not apply to the user <tt/waster/.
-
-</descrip>
-
-<p>
-Note, currently there is no daemon enforcing the end of a session.
-This needs to be remedied.
-
-<p>
-Poorly formatted rules are logged as errors using <tt/syslog(3)/.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_unix.sgml b/Linux-PAM/doc/modules/pam_unix.sgml
deleted file mode 100644
index 86c584a8..00000000
--- a/Linux-PAM/doc/modules/pam_unix.sgml
+++ /dev/null
@@ -1,296 +0,0 @@
-<!--
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
-
-   Converted from the pam_pwdb.sgml file for pam_unix by Ben Collins <bcollins@debian.org>
--->
-
-<sect1>The Unix Password module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_unix
-
-<tag><bf>Author:</bf></tag>
-
-<tag><bf>Maintainer:</bf></tag>
-
-<tag><bf>Management groups provided:</bf></tag>
-account; authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This is the standard Unix authentication module. It uses standard calls
-from the system's libraries to retrieve and set account information as
-well as authentication. Usually this is obtained from the /etc/passwd
-and the /etc/shadow file as well if shadow is enabled.
-
-<sect2>Account component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/audit/
-
-<tag><bf>Description:</bf></tag>
-
-The <tt/debug/ argument makes the accounting functions of this module
-<tt/syslog(3)/ more information on its actions. (Remaining arguments
-supported by the other functions of this module are silently ignored,
-but others are logged as errors through <tt/syslog(3)/). The <tt/audit/
-argument causes even more logging.
-
-Based on the following <tt/shadow/ elements:
-<tt/expire/;
-<tt/last_change/;
-<tt/max_change/;
-<tt/min_change/;
-<tt/warn_change/,
-this module performs the task of establishing the status of the user's
-account and password. In the case of the latter, it may offer advice
-to the user on changing their password or, through the
-<tt/PAM_AUTHTOKEN_REQD/ return, delay giving service to the user until
-they have established a new password. The entries listed above are
-documented in the <em/GNU Libc/ info documents. Should the user's record
-not contain one or more of these entries, the corresponding <em/shadow/
-check is not performed.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-In its accounting mode, this module can be inserted as follows:
-<tscreen>
-<verb>
-#
-# Ensure users account and password are still active
-#
-login	account	 required	pam_unix.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/;
-<tt/audit/;
-<tt/use_first_pass/;
-<tt/try_first_pass/;
-<tt/nullok/;
-<tt/nodelay/;
-<tt/noreap/
-
-<tag><bf>Description:</bf></tag>
-
-The <tt/debug/ argument makes the authentication functions of this
-module <tt/syslog(3)/ more information on its actions. The <tt/audit/
-causes even more information to be logged.
-
-<p>
-The default action of this module is to not permit the user access to
-a service if their <em/official/ password is blank. The <tt/nullok/
-argument overrides this default.
-
-<p>
-When given the argument <tt/try_first_pass/, before prompting the user
-for their password, the module first tries the previous stacked
-<tt/auth/-module's password in case that satisfies this module as
-well. The argument <tt/use_first_pass/ forces the module to use such a
-recalled password and will never prompt the user - if no password is
-available or the password is not appropriate, the user will be denied
-access.
-
-<p>
-The argument, <tt>nodelay</tt>, can be used to discourage the
-authentication component from requesting a delay should the
-authentication as a whole fail.  The default action is for the module
-to request a delay-on-failure of the order of one second.
-
-<p>
-A helper binary, <tt>unix_chkpwd</tt>, is provided to check the user's
-password when it is stored in a read protected database.  This binary
-is very simple and will only check the password of the user invoking
-it.  It is called transparently on behalf of the user by the
-authenticating component of this module.  In this way it is possible
-for applications like <em>xlock</em> to work without being
-setuid-root. The module, by default, will temporarily turn off
-<tt/SIGCHLD/ handling for the duration of execution of the helper
-binary. This is generally the right thing to do, as many applications
-are not prepared to handle this signal from a child they didn't know
-was <tt/fork()/d. The <tt/noreap/ module argument can be used to
-suppress this temporary shielding and may be needed for use with
-certain applications.
-
-<p>
-Remaining arguments, supported by the other functions of this module,
-are silently ignored. Other arguments are logged as errors through
-<tt/syslog(3)/.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-The correct functionality of this module is dictated by having an
-appropriate <tt>/etc/nsswitch.conf</tt> file, the user
-databases specified there dictate the source of the authenticated
-user's record.
-<p>
-In its authentication mode, this module can be inserted as follows:
-<tscreen>
-<verb>
-#
-# Authenticate the user
-#
-login   auth  required       pam_unix.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/;
-<tt/audit/;
-<tt/nullok/;
-<tt/not_set_pass/;
-<tt/use_authtok/;
-<tt/try_first_pass/;
-<tt/use_first_pass/;
-<tt/md5/;
-<tt/bigcrypt/;
-<tt/shadow/;
-<tt/nis/;
-<tt/remember/
-
-<tag><bf>Description:</bf></tag>
-
-This part of the <tt/pam_unix/ module performs the task of updating
-the user's password.
-
-<p>
-In the case of conventional unix databases (which store the password
-encrypted) the <tt/md5/ argument is used to do the encryption with the
-MD5 function as opposed to the <em/conventional/ <tt/crypt(3)/ call.
-As an alternative to this, the <tt/bigcrypt/ argument can be used to
-encrypt more than the first 8 characters of a password with DEC's
-(Digital Equipment Cooperation) `C2' extension to the standard UNIX
-<tt/crypt()/ algorithm.
-
-<p>
-The <tt/nullok/ argument is used to permit the changing of a password
-<em/from/ an empty one. Without this argument, empty passwords are
-treated as account-locking ones.
-
-<p>
-The argument <tt/use_first_pass/ is used to lock the choice of old and
-new passwords to that dictated by the previously stacked <tt/password/
-module.  The <tt/try_first_pass/ argument is used to avoid the user
-having to re-enter an old password when <tt/pam_unix/ follows a module
-that possibly shared the user's old password - if this old password is
-not correct the user will be prompted for the correct one.  The
-argument <tt/use_authtok/ is used to <em/force/ this module to set the
-new password to the one provided by the previously stacked
-<tt/password/ module (this is used in an example of the stacking of
-the <em/Cracklib/ module documented above).
-
-<p>
-The <tt/not_set_pass/ argument is used to inform the module that it is
-not to pay attention to/make available the old or new passwords from/to
-other (stacked) password modules.
-
-<p>
-The <tt/debug/ argument makes the password functions of this module
-<tt/syslog(3)/ more information on its actions. Other arguments may be
-logged as erroneous to <tt/syslog(3)/. The <tt/audit/ argument causes
-even more information to be logged.
-
-<p>
-With the <tt/nis/ argument, <tt/pam_unix/ will attempt to use NIS RPC
-for setting new passwords.
-
-<p>
-The <tt/remember/ argument takes one value. This is the number of most
-recent passwords to save for each user. These are saved in
-<tt>/etc/security/opasswd</tt> in order to force password change history
-and keep the user from alternating between the same password too frequently.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-Standard usage:
-<tscreen>
-<verb>
-#
-# Change the users password
-#
-passwd   password   required   pam_unix.so
-</verb>
-</tscreen>
-
-<p>
-An example of the stacking of this module with respect to the
-pluggable password checking module, <tt/pam_cracklib/:
-<tscreen>
-<verb>
-#
-# Change the users password
-#
-passwd   password   required   pam_cracklib.so retry=3 minlen=6 difok=3
-passwd   password   required   pam_unix.so use_authtok nullok md5
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-No arguments are recognized by this module component. Its action is
-simply to log the username and the service-type to
-<tt/syslog(3)/. Messages are logged at the beginning and end of the
-user's session.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-The use of the session modules is straightforward:
-<tscreen>
-<verb>
-#
-# session opening and closing
-#
-login	session	 required	pam_unix.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_userdb.sgml b/Linux-PAM/doc/modules/pam_userdb.sgml
deleted file mode 100644
index 155a2668..00000000
--- a/Linux-PAM/doc/modules/pam_userdb.sgml
+++ /dev/null
@@ -1,126 +0,0 @@
-<!--
-   This file was written by Cristian Gafton <gafton@redhat.com>
--->
-
-<sect1>The userdb module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_userdb/
-
-<tag><bf>Author:</bf></tag>
-Cristian Gafton &lt;gafton@redhat.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Requires Berkeley DB.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Look up users in a .db database and verify their password against
-what is contained in that database.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/;
-<tt/icase/;
-<tt/dump/;
-<tt/db=XXXX/;
-<tt/use_authtok/;
-<tt/unknown_ok/;
-
-<tag><bf>Description:</bf></tag>
-
-This module is used to verify a username/password pair against values stored in
-a Berkeley DB database. The database is indexed by the username, and the data 
-fields corresponding to the username keys are the passwords, in unencrypted form,
-so caution must be exercised over the access rights to the DB database itself..
-
-The module will read the password from the user using the conversation mechanism. If
-you are using this module on top of another authentication module (like <tt/pam_pwdb/;)
-then you should tell that module to read the entered password from the PAM_AUTHTOK field, which is set by this module.
-
-<p>
-The action of the module may be modified from this default by one or
-more of the following flags in the <tt>/etc/pam.d/&lt;service&gt;</tt> file.
-<itemize>
-<item>
-<tt/debug/ -
-Supply more debugging information to <tt/syslog(3)/.
-
-<item>
-<tt/icase/ -
-Perform the password comparisons case insensitive.
-
-<item>
-<tt/dump/ -
-dump all the entries in the database to the log (eek,
-don't do this by default!)
-
-<item>
-<tt/db=XXXX/ - 
-use the database found on pathname XXXX. Note that Berkeley DB usually adds the 
-needed filename extension for you, so you should use something like <tt>/etc/foodata</tt>
-instead of <tt>/etc/foodata.db</tt>.
-
-<item> <tt/use_authtok/ - 
-use the authentication token previously obtained by another module that did the
-conversation with the application. If this token can not be obtained then
-the module will try to converse again. This option can be used for stacking
-different modules that need to deal with the authentication tokens.
-
-<item>
-<tt/unknown_ok/ -
-do not return error when checking for a user that is not in the database.
-This can be used to stack more than one pam_userdb module that will check a
-username/password pair in more than a database.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This is a normal ftp configuration file (usually placed as <tt>/etc/pam.d/ftp</tt> 
-on most systems) that will accept for login users whose username/password pairs are 
-provided in the <tt>/tmp/dbtest.db</tt> file:
-
-<tscreen>
-<verb>
-#%PAM-1.0
-auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
-auth       sufficient   pam_userdb.so icase db=/tmp/dbtest
-auth       required     pam_pwdb.so shadow nullok try_first_pass
-auth       required     pam_shells.so
-account    required     pam_pwdb.so
-session    required     pam_pwdb.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_warn.sgml b/Linux-PAM/doc/modules/pam_warn.sgml
deleted file mode 100644
index b015554d..00000000
--- a/Linux-PAM/doc/modules/pam_warn.sgml
+++ /dev/null
@@ -1,67 +0,0 @@
-<!--
-   $Id: pam_warn.sgml,v 1.2 2001/12/08 18:56:47 agmorgan Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
--->
-
-<sect1>Warning logger module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_warn/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@kernel.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication; password
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-logs information about the remote user and host (if pam-items are known)
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is principally for logging information about a
-proposed authentication or application to update a password.
-
-<sect2>Authentication+Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-Log the service, terminal, user, remote user and remote host to
-<tt/syslog(3)/. The items are not probed for, but instead obtained
-from the standard pam-items.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-an example is provided in the configuration file section <ref
-id="configuration" name="above">.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/modules/pam_wheel.sgml b/Linux-PAM/doc/modules/pam_wheel.sgml
deleted file mode 100644
index e4dc501a..00000000
--- a/Linux-PAM/doc/modules/pam_wheel.sgml
+++ /dev/null
@@ -1,131 +0,0 @@
-<!--
-   $Id: pam_wheel.sgml,v 1.3 2002/07/13 05:48:19 agmorgan Exp $
-   
-   This file was written by Andrew G. Morgan <morgan@kernel.org>
-	from notes provided by Cristian Gafton.
--->
-
-<sect1>The wheel module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_wheel/
-
-<tag><bf>Author:</bf></tag>
-Cristian Gafton &lt;gafton@redhat.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication; account
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-	
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Only permit root access to members of the wheel (<tt/gid=0/) group.
-
-<sect2>Authentication and Account components
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/;
-<tt/use_uid/;
-<tt/trust/;
-<tt/deny/;
-<tt/group=XXXX/
-
-<tag><bf>Description:</bf></tag>
-
-This module is used to enforce the so-called <em/wheel/ group.  By
-default, it permits root access to the system if the applicant user is
-a member of the <tt/wheel/ group (first, the module checks for the
-existence of a '<tt/wheel/' group. Otherwise the module defines the
-group with group-id <tt/0/ to be the <em/wheel/ group).
-
-<p>
-The module can be used as either an '<tt/auth/' or an '<tt/account/'
-module.
-
-<p>
-The action of the module may be modified from this default by one or
-more of the following flags in the <tt>/etc/pam.conf</tt> file.
-<itemize>
-<item>
-<tt/debug/ -
-Supply more debugging information to <tt/syslog(3)/.
-
-<item>
-<tt/use_uid/ -
-This option modifies the behavior of the module by using the current
-<tt/uid/ of the process and not the <tt/getlogin(3)/ name of the user.
-This option is useful for being able to jump from one account to
-another, for example with 'su'.
-
-<item>
-<tt/trust/ -
-This option instructs the module to return <tt/PAM_SUCCESS/ should it
-find the user applying for root privilege is a member of the wheel
-group. The default action is to return <tt/PAM_IGNORE/ in this
-situation. By using the <tt/trust/ option it is possible to arrange
-for <tt/wheel/-group members to become root without typing a
-password. <bf/USE WITH CARE/.
-
-<item>
-<tt/deny/ - 
-This is used to reverse the logic of the module's behavior.  If the
-user is trying to get <tt/uid=0/ access and is a member of the wheel
-group, deny access (for the wheel group, this is perhaps nonsense!):
-it is intended for use in conjunction with the <tt/group=/ argument...
-Conversely, if the user is not in the group, return <tt/PAM_IGNORE/
-(unless <tt/trust/ was also specified, in which case we return
-<tt/PAM_SUCCESS/).
-
-<item>
-<tt/group=XXXX/ -
-Instead of checking the <tt/gid=0/ group, use the user's <tt/XXXX/
-group membership for the authentication. Here, <tt/XXXX/ is the name
-of the group and <bf/not/ its numeric identifier.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-To restrict access to superuser status to the members of the
-<tt/wheel/ group, use the following entries in your configuration
-file:
-<tscreen>
-<verb>
-#
-# root gains access by default (rootok), only wheel members can 
-# become root (wheel) but Unix authenticate non-root applicants.
-#
-su	auth	 sufficient	pam_rootok.so
-su	auth	 required	pam_wheel.so
-su	auth	 required	pam_unix.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/Linux-PAM/doc/mwg/Linux-PAM_MWG.xml b/Linux-PAM/doc/mwg/Linux-PAM_MWG.xml
new file mode 100644
index 00000000..a7d97e4e
--- /dev/null
+++ b/Linux-PAM/doc/mwg/Linux-PAM_MWG.xml
@@ -0,0 +1,656 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+	"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<book id="mwg">
+  <bookinfo>
+    <title>The Linux-PAM Module Writers' Guide</title>
+    <authorgroup>
+      <author>
+        <firstname>Andrew G.</firstname>
+        <surname>Morgan</surname>
+        <email>morgan@kernel.org</email>
+      </author>
+      <author>
+        <firstname>Thorsten</firstname>
+        <surname>Kukuk</surname>
+        <email>kukuk@thkukuk.de</email>
+      </author>
+    </authorgroup>
+    <releaseinfo>Version 0.99.6.0, 5. August 2006</releaseinfo>
+    <abstract>
+      <para>
+        This manual documents what a programmer needs to know in order
+        to write a module that conforms to the
+        <emphasis remap='B'>Linux-PAM</emphasis> standard.It also
+        discusses some security issues from the point of view of the
+        module programmer.
+      </para>
+    </abstract>
+  </bookinfo>
+
+  <chapter id="mwg-introduction">
+    <title>Introduction</title>
+    <section id="mwg-introduction-description">
+      <title>Description</title>
+      <para>
+        <emphasis remap='B'>Linux-PAM</emphasis> (Pluggable Authentication
+        Modules for Linux) is a library that enables the local system
+        administrator to choose how individual applications authenticate
+        users. For an overview of the
+        <emphasis remap='B'>Linux-PAM</emphasis> library see the
+        <emphasis>Linux-PAM System Administrators' Guide</emphasis>.
+      </para>
+      <para>
+        A <emphasis remap='B'>Linux-PAM</emphasis> module is a single
+        executable binary file that can be loaded by the
+        <emphasis remap='B'>Linux-PAM</emphasis> interface library.
+        This PAM library is configured locally with a system file,
+        <filename>/etc/pam.conf</filename>, to authenticate a user
+        request via the locally available authentication modules. The
+        modules themselves will usually be located in the directory
+        <filename>/lib/security</filename> (or
+        <filename>/lib64/security</filename>, depending on the architecture)
+        and take the form of dynamically loadable object files (see
+        <citerefentry>
+          <refentrytitle>dlopen</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry>. Alternatively, the modules can be statically
+        linked into the <emphasis remap='B'>Linux-PAM</emphasis> library;
+        this is mostly to allow <emphasis remap='B'>Linux-PAM</emphasis> to
+        be used on platforms without dynamic linking available, but this is
+        a <emphasis>deprecated</emphasis> functionality. It is the
+        <emphasis remap='B'>Linux-PAM</emphasis> interface that is called
+        by an application and it is the responsibility of the library to
+        locate, load and call the appropriate functions in a
+        <emphasis remap='B'>Linux-PAM</emphasis>-module.
+      </para>
+      <para>
+        Except for the immediate purpose of interacting with the user
+        (entering a password etc..) the module should never call the
+        application directly. This exception requires a "conversation
+        mechanism" which is documented below.
+      </para>
+    </section>
+
+    <section id="mwg-introducton-synopsis">
+      <title>Synopsis</title>
+      <programlisting>
+#include &lt;security/pam_modules.h&gt;
+
+gcc -fPIC -c pam_module.c
+gcc -shared -o pam_module.so pam_module.o -lpam
+      </programlisting>
+    </section>
+  </chapter>
+
+  <chapter id="mwg-expected-by-module">
+    <title>What can be expected by the module</title>
+    <para>
+      Here we list the interface that the conventions that all
+      <emphasis remap='B'>Linux-PAM</emphasis> modules must adhere to.
+    </para>
+    <section id="mwg-expected-by-module-item">
+      <title>
+        Getting and setting <emphasis>PAM_ITEM</emphasis>s and
+        <emphasis>data</emphasis>
+      </title>
+      <para>
+        First, we cover what the module should expect from the
+        <emphasis remap='B'>Linux-PAM</emphasis> library and a
+        <emphasis remap='B'>Linux-PAM</emphasis> aware application.
+        Essesntially this is the <filename>libpam.*</filename> library.
+      </para>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_set_data.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_get_data.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_set_item.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_get_item.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_get_user.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_conv.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_putenv.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_getenv.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_getenvlist.xml"/>
+    </section>
+    <section id="mwg-expected-by-module-other">
+      <title>
+        Other functions provided by <filename>libpam</filename>
+      </title>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_strerror.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_fail_delay.xml"/>
+    </section>
+  </chapter>
+
+  <chapter id="mwg-expected-of-module">
+    <title>What is expected of a module</title>
+    <para>
+      The module must supply a sub-set of the six functions listed
+      below. Together they define the function of a
+      <emphasis remap='B'>Linux-PAM module</emphasis>. Module developers
+      are strongly urged to read the comments on security that follow
+      this list.
+    </para>
+    <section id="mwg-expected-of-module-overview">
+      <title>Overview</title>
+      <para>
+        The six module functions are grouped into four independent
+        management groups. These groups are as follows:
+        <emphasis>authentication</emphasis>, <emphasis>account</emphasis>,
+        <emphasis>session</emphasis> and <emphasis>password</emphasis>.
+        To be properly defined, a module must define all functions within
+        at least one of these groups. A single module may contain the
+        necessary functions for <emphasis>all</emphasis> four groups.
+      </para>
+      <section id="mwg-expected-of-module-overview-1">
+        <title>Functional independence</title>
+        <para>
+          The independence of the four groups of service a module can
+          offer means that the module should allow for the possibility
+          that any one of these four services may legitimately be called
+          in any order. Thus, the module writer should consider the
+          appropriateness of performing a service without the prior
+          success of some other part of the module.
+        </para>
+        <para>
+          As an informative example, consider the possibility that an
+          application applies to change a user's authentication token,
+          without having first requested that
+          <emphasis remap='B'>Linux-PAM</emphasis> authenticate the
+          user. In some cases this may be deemed appropriate: when
+          <command>root</command> wants to change the authentication
+          token of some lesser user. In other cases it may not be
+          appropriate: when <command>joe</command> maliciously wants
+          to reset <command>alice</command>'s password; or when anyone
+          other than the user themself wishes to reset their
+          <emphasis>KERBEROS</emphasis> authentication token. A policy
+          for this action should be defined by any reasonable
+          authentication scheme, the module writer should consider
+          this when implementing a given module.
+        </para>
+      </section>
+      <section id="mwg-expected-of-module-overview-2">
+        <title>Minimizing administration problems</title>
+        <para>
+          To avoid system administration problems and the poor
+          construction of a <filename>/etc/pam.conf</filename> file,
+          the module developer may define all six of the following
+          functions. For those functions that would not be called,
+          the module should return <errorname>PAM_SERVICE_ERR</errorname>
+          and write an appropriate message to the system log. When
+          this action is deemed inappropriate, the function would
+          simply return <errorname>PAM_IGNORE</errorname>.
+        </para>
+      </section>
+      <section id="mwg-expected-of-module-overview-3">
+        <title>Arguments supplied to the module</title>
+        <para>
+          The <parameter>flags</parameter> argument of each of
+          the following functions can be logically OR'd with
+          <parameter>PAM_SILENT</parameter>, which is used to inform the
+          module to not pass any <emphasis>text</emphasis> (errors or
+          warnings) application.
+        </para>
+        <para>
+          The <parameter>argc</parameter> and <parameter>argv</parameter>
+          arguments are taken from the line appropriate to this
+          module---that is, with the <emphasis>service_name</emphasis>
+          matching that of the application---in the configuration file
+          (see the <emphasis remap='B'>Linux-PAM</emphasis>
+          System Administrators' Guide). Together these two parameters
+          provide the number of arguments and an array of pointers to
+          the individual argument tokens. This will be familiar to C
+          programmers as the ubiquitous method of passing command arguments
+          to the function <function>main()</function>. Note, however, that
+          the first argument (<parameter>argv[0]</parameter>) is a true
+          argument and <emphasis>not</emphasis> the name of the module.
+        </para>
+      </section>
+    </section>
+    <section id="mwg-expected-of-module-auth">
+      <title>Authentication management</title>
+      <para>
+        To be correctly initialized, <parameter>PAM_SM_AUTH</parameter>
+        must be <command>#define</command>'d prior to including
+        <function>&lt;security/pam_modules.h&gt;</function>. This will
+        ensure that the prototypes for static modules are properly declared.
+      </para>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_sm_authenticate.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_sm_setcred.xml"/>
+    </section>
+    <section id="mwg-expected-of-module-acct">
+      <title>Account management</title>
+      <para>
+        To be correctly initialized, <parameter>PAM_SM_ACCOUNT</parameter>
+        must be <command>#define</command>'d prior to including
+        <function>&lt;security/pam_modules.h&gt;</function>. This will
+        ensure that the prototypes for static modules are properly declared.
+      </para>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_sm_acct_mgmt.xml"/>
+    </section>
+    <section id="mwg-expected-of-module-session">
+      <title>Session management</title>
+      <para>
+        To be correctly initialized, <parameter>PAM_SM_SESSION</parameter>
+        must be <command>#define</command>'d prior to including
+        <function>&lt;security/pam_modules.h&gt;</function>. This will
+        ensure that the prototypes for static modules are properly declared.
+      </para>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_sm_open_session.xml"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_sm_close_session.xml"/>
+    </section>
+    <section id="mwg-expected-of-module-chauthtok">
+      <title>Authentication token management</title>
+      <para>
+        To be correctly initialized, <parameter>PAM_SM_PASSWORD</parameter>
+        must be <command>#define</command>'d prior to including
+        <function>&lt;security/pam_modules.h&gt;</function>. This will
+        ensure that the prototypes for static modules are properly declared.
+      </para>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_sm_chauthtok.xml"/>
+    </section>
+  </chapter>
+
+  <chapter id="mwg-see-options">
+    <title>Generic optional arguments</title>
+    <para>
+      Here we list the generic arguments that all modules can expect to
+      be passed. They are not mandatory, and their absence should be
+      accepted without comment by the module.
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>debug</term>
+        <listitem>
+           <para>
+             Use the <citerefentry>
+             <refentrytitle>pam_syslog</refentrytitle><manvolnum>3</manvolnum>
+             </citerefentry> call to log debugging information to the system
+             log files.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>use_first_pass</term>
+        <listitem>
+           <para>
+             The module should not prompt the user for a password.
+             Instead, it should obtain the previously typed password
+             (by a call to <function>pam_get_item()</function> for the
+             <parameter>PAM_AUTHTOK</parameter> item), and use that. If
+             that doesn't work, then the user will not be authenticated.
+             (This option is intended for <command>auth</command> and
+             <command>passwd</command> modules only).
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </chapter>
+
+  <chapter id="mwg-see-programming">
+    <title>Programming notes</title>
+    <para>
+      Here we collect some pointers for the module writer to bear in mind
+      when writing/developing a <emphasis remap='B'>Linux-PAM</emphasis>
+      compatible module.
+    </para>
+
+    <section id="mwg-see-programming-sec">
+      <title>Security issues for module creation</title>
+      <section id="mwg-see-programming-sec-res">
+        <title>Sufficient resources</title>
+        <para>
+          Care should be taken to ensure that the proper execution
+          of a module is not compromised by a lack of system resources.
+          If a module is unable to open sufficient files to perform its
+          task, it should fail gracefully, or request additional resources.
+          Specifically, the quantities manipulated by the <citerefentry>
+          <refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum>
+          </citerefentry> family of commands should be taken into
+          consideration.
+        </para>
+      </section>
+      <section id="mwg-see-programming-sec-who">
+        <title>Who´s who?</title>
+        <para>
+          Generally, the module may wish to establish the identity of
+          the user requesting a service. This may not be the same as
+          the username returned by <function>pam_get_user()</function>.
+          Indeed, that is only going to be the name of the user under
+          whose identity the service will be given. This is not
+          necessarily the user that requests the service.
+        </para>
+        <para>
+          In other words, user X runs a program that is setuid-Y, it
+          grants the user to have the permissions of Z. A specific example
+          of this sort of service request is the <command>su</command>
+          program: user <command>joe</command> executes
+          <command>su</command> to become the user <command>jane</command>.
+          In this situation X=<command>joe</command>, Y=<command>root</command>
+          and Z=<command>jane</command>. Clearly, it is important that
+          the module does not confuse these different users and grant an
+          inappropriate level of privilege.
+        </para>
+        <para>
+          The following is the convention to be adhered to when juggling
+          user-identities.
+        </para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              X, the identity of the user invoking the service request.
+              This is the user identifier; returned by the function
+              <citerefentry>
+                <refentrytitle>getuid</refentrytitle><manvolnum>2</manvolnum>
+              </citerefentry>.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              Y, the privileged identity of the application used to
+              grant the requested service. This is the
+              <emphasis>effective</emphasis> user identifier;
+              returned by the function <citerefentry>
+              <refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum>
+              </citerefentry>.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              Z, the user under whose identity the service will be granted.
+              This is the username returned by
+              <function>pam_get_user()</function> and also stored in the
+              <emphasis remap='B'>Linux-PAM</emphasis> item,
+              <emphasis>PAM_USER</emphasis>.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <emphasis remap='B'>Linux-PAM</emphasis> has a place for
+              an additional user identity that a module may care to make
+              use of. This is the <emphasis>PAM_RUSER</emphasis> item.
+              Generally, network sensitive modules/applications may wish
+              to set/read this item to establish the identity of the user
+              requesting a service from a remote location.
+            </para>
+          </listitem>
+        </itemizedlist>
+        <para>
+          Note, if a module wishes to modify the identity of either the
+          <emphasis>uid</emphasis> or <emphasis>euid</emphasis> of the
+          running process, it should take care to restore the original
+          values prior to returning control to the
+          <emphasis remap='B'>Linux-PAM</emphasis> library.
+        </para>
+      </section>
+      <section id="mwg-see-programming-sec-conv">
+        <title>Using the conversation function</title>
+        <para>
+          Prior to calling the conversation function, the module should
+          reset the contents of the pointer that will return the applications
+          response. This is a good idea since the application may fail
+          to fill the pointer and the module should be in a position to
+          notice!
+        </para>
+        <para>
+          The module should be prepared for a failure from the
+          conversation. The generic error would be
+          <emphasis>PAM_CONV_ERR</emphasis>, but anything other than
+          <emphasis>PAM_SUCCESS</emphasis> should be treated as
+          indicating failure.
+        </para>
+      </section>
+      <section id="mwg-see-programming-sec-token">
+        <title>Authentication tokens</title>
+        <para>
+          To ensure that the authentication tokens are not left lying
+          around the items, <emphasis>PAM_AUTHTOK</emphasis> and
+          <emphasis>PAM_OLDAUTHTOK</emphasis>, are not available to
+          the application: they are defined in
+          <filename>&lt;security/pam_modules.h&gt;</filename>. This
+          is ostensibly for security reasons, but a maliciously
+          programmed application will always have access to all memory
+          of the process, so it is only superficially enforced. As a
+          general rule the module should overwrite authentication tokens
+          as soon as they are no longer needed. Especially before
+          <function>free()</function>'ing them. The
+          <emphasis remap='B'>Linux-PAM</emphasis> library is
+          required to do this when either of these authentication
+          token items are (re)set.
+        </para>
+        <para>
+          Not to dwell too little on this concern; should the module
+          store the authentication tokens either as (automatic) function
+          variables or using <function>pam_[gs]et_data()</function> the
+          associated memory should be over-written explicitly before it
+          is released. In the case of the latter storage mechanism, the
+          associated <function>cleanup()</function> function should
+          explicitly overwrite the <varname>*data</varname> before
+          <function>free()</function>'ing it: for example,
+          <programlisting>
+/*
+ * An example cleanup() function for releasing memory that was used to
+ * store a password.
+ */
+
+int cleanup(pam_handle_t *pamh, void *data, int error_status)
+{
+    char *xx;
+
+    if ((xx = data)) {
+        while (*xx)
+            *xx++ = '\0';
+        free(data);
+    }
+    return PAM_SUCCESS;
+}
+          </programlisting>
+        </para>
+      </section>
+    </section>
+    <section id="mwg-see-programming-syslog">
+      <title>Use of <citerefentry>
+        <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry></title>
+      <para>
+        Only rarely should error information be directed to the user.
+        Usually, this is to be limited to
+        <quote><emphasis>sorry you cannot login now</emphasis></quote>
+        type messages. Information concerning errors in the configuration
+        file, <filename>/etc/pam.conf</filename>, or due to some system
+        failure encountered by the module, should be written to
+        <citerefentry>
+        <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+        </citerefentry> with <emphasis>facility-type</emphasis>
+        <emphasis remap='B'>LOG_AUTHPRIV</emphasis>.
+      </para>
+      <para>
+        With a few exceptions, the level of logging is, at the discretion
+        of the module developer. Here is the recommended usage of different
+        logging levels:
+      </para>
+      <itemizedlist>
+        <listitem>
+          <para>
+            As a general rule, errors encountered by a module should be
+            logged at the <emphasis>LOG_ERR</emphasis> level. However,
+            information regarding an unrecognized argument, passed to a
+            module from an entry in the <filename>/etc/pam.conf</filename>
+            file, is <emphasis>required</emphasis> to be logged at the
+            <emphasis>LOG_ERR</emphasis> level.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            Debugging information, as activated by the
+            <command>debug</command> argument to the module in
+            <filename>/etc/pam.conf</filename>, should be logged
+            at the <emphasis>LOG_DEBUG</emphasis> level.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            If a module discovers that its personal configuration
+            file or some system file it uses for information is
+            corrupted or somehow unusable, it should indicate this
+            by logging messages at level, <emphasis>LOG_ALERT</emphasis>.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            Shortages of system resources, such as a failure to
+            manipulate a file or <function>malloc()</function> failures
+            should be logged at level <emphasis>LOG_CRIT</emphasis>.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            Authentication failures, associated with an incorrectly
+            typed password should be logged at level,
+            <emphasis>LOG_NOTICE</emphasis>.
+          </para>
+        </listitem>
+      </itemizedlist>
+    </section>
+    <section id="mwg-see-programming-libs">
+      <title>Modules that require system libraries</title>
+      <para>
+        Writing a module is much like writing an application. You
+        have to provide the "conventional hooks" for it to work
+        correctly, like <function>pam_sm_authenticate()</function>
+        etc., which would correspond to the <function>main()</function>
+        function in a normal function.
+      </para>
+      <para>
+        Typically, the author may want to link against some standard system
+        libraries. As when one compiles a normal program, this can be
+        done for modules too: you simply append the
+        <parameter>-l</parameter><emphasis>XXX</emphasis> arguments
+        for the desired libraries when you create the shared module object.
+        To make sure a module is linked to the
+        <command>libwhatever.so</command> library
+        when it is <function>dlopen()</function>ed, try:
+        <programlisting>
+% gcc -shared -o pam_module.so pam_module.o -lwhatever
+        </programlisting>
+      </para>
+    </section>
+  </chapter>
+
+  <chapter id="mwg-example">
+    <title>An example module</title>
+    <para>
+      At some point, we may include a fully commented example of a module in
+      this document. For now, please look at the modules directory of the
+      <emphasis remap='B'>Linux-PAM</emphasis> sources.
+    </para>
+  </chapter>
+
+  <chapter id="mwg-see-also">
+    <title>See also</title>
+    <itemizedlist>
+      <listitem>
+        <para>
+          The Linux-PAM System Administrators' Guide.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The Linux-PAM Application Developers' Guide.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The V. Samar and R. Schemers (SunSoft), ``UNIFIED LOGIN WITH
+          PLUGGABLE AUTHENTICATION MODULES'', Open Software Foundation
+          Request For Comments 86.0, October 1995.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </chapter>
+
+  <chapter id='mwg-author'>
+    <title>Author/acknowledgments</title>
+    <para>
+      This document was written by Andrew G. Morgan (morgan@kernel.org)
+      with many contributions from
+      Chris Adams, Peter Allgeyer, Tim Baverstock, Tim Berger, Craig S. Bell,
+      Derrick J. Brashear, Ben Buxton, Seth Chaiklin, Oliver Crow, Chris Dent,
+      Marc Ewing, Cristian Gafton, Emmanuel Galanos, Brad M. Garcia,
+      Eric Hester, Roger Hu, Eric Jacksch, Michael K. Johnson, David Kinchlea,
+      Olaf Kirch, Marcin Korzonek, Thorsten Kukuk, Stephen Langasek,
+      Nicolai Langfeldt, Elliot Lee, Luke Kenneth Casson Leighton,
+      Al Longyear, Ingo Luetkebohle, Marek Michalkiewicz, Robert Milkowski,
+      Aleph One, Martin Pool, Sean Reifschneider, Jan Rekorajski, Erik Troan,
+      Theodore Ts'o, Jeff Uphoff, Myles Uyema, Savochkin Andrey Vladimirovich,
+      Ronald Wahl, David Wood, John Wilmes, Joseph S. D. Yao
+      and Alex O. Yuriev.
+    </para>
+    <para>
+      Thanks are also due to Sun Microsystems, especially to Vipin Samar and
+      Charlie Lai for their advice. At an early stage in the development of
+      <emphasis remap='B'>Linux-PAM</emphasis>, Sun graciously made the
+      documentation for their implementation of PAM available. This act
+      greatly accelerated the development of
+      <emphasis remap='B'>Linux-PAM</emphasis>.
+    </para>
+  </chapter>
+
+  <chapter id='mwg-copyright'>
+    <title>Copyright information for this document</title>
+    <programlisting>
+Copyright (c) 2006 Thorsten Kukuk &lt;kukuk@thkukuk.de&gt;
+Copyright (c) 1996-2002 Andrew G. Morgan &lt;morgan@kernel.org&gt;
+    </programlisting>
+    <para>
+      Redistribution and use in source and binary forms, with or without
+      modification, are permitted provided that the following conditions are
+      met:
+    </para>
+    <programlisting>
+1. Redistributions of source code must retain the above copyright
+   notice, and the entire permission notice in its entirety,
+   including the disclaimer of warranties.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. The name of the author may not be used to endorse or promote
+   products derived from this software without specific prior
+   written permission.
+    </programlisting>
+    <para>
+      Alternatively, this product may be distributed under the terms of
+      the GNU General Public License (GPL), in which case the provisions
+      of the GNU GPL are required instead of the above restrictions.
+      (This clause is necessary due to a potential bad interaction between
+      the GNU GPL and the restrictions contained in a BSD-style copyright.)
+    </para>
+    <programlisting>
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+    </programlisting>
+  </chapter>
+</book>
diff --git a/Linux-PAM/doc/mwg/Makefile.am b/Linux-PAM/doc/mwg/Makefile.am
new file mode 100644
index 00000000..77296189
--- /dev/null
+++ b/Linux-PAM/doc/mwg/Makefile.am
@@ -0,0 +1,97 @@
+#
+# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
+#
+
+CLEANFILES = Linux-PAM_MWG.fo *~
+
+EXTRA_DIST = $(XMLS)
+
+XMLS = Linux-PAM_MWG.xml $(shell ls $(srcdir)/pam_*.xml)
+DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml)
+
+if ENABLE_REGENERATE_MAN
+MAINTAINERCLEANFILES = Linux-PAM_MWG.txt Linux-PAM_MWG.pdf html/*.html
+
+all: Linux-PAM_MWG.txt html/Linux-PAM_MWG.html Linux-PAM_MWG.pdf
+
+Linux-PAM_MWG.pdf: $(XMLS) $(DEP_XMLS)
+if ENABLE_GENERATE_PDF
+	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+	$(XSLTPROC) --stringparam generate.toc "book toc" \
+	  --stringparam section.autolabel 1 \
+	  --stringparam section.label.includes.component.label 1 \
+	  --stringparam toc.max.depth 3 --xinclude --nonet \
+	http://docbook.sourceforge.net/release/xsl/current/fo/docbook.xsl $< > Linux-PAM_MWG.fo
+	$(FO2PDF) Linux-PAM_MWG.fo $@
+else
+	echo "No fo2pdf processor installed, skip PDF generation"
+endif
+
+Linux-PAM_MWG.txt: $(XMLS) $(DEP_XMLS)
+	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+	$(XSLTPROC) --stringparam generate.toc "book toc" \
+	  --stringparam section.autolabel 1 \
+	  --stringparam section.label.includes.component.label 1 \
+	  --stringparam toc.max.depth 3 --xinclude --nonet \
+	  http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl $< | $(BROWSER) > $@
+
+html/Linux-PAM_MWG.html: $(XMLS) $(DEP_XMLS)
+	@test -d html || mkdir -p html
+	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+	$(XSLTPROC) --stringparam base.dir html/ \
+	  --stringparam root.filename Linux-PAM_MWG \
+	  --stringparam use.id.as.filename 1 \
+	  --stringparam chunk.first.sections 1 \
+	  --stringparam section.autolabel 1 \
+	  --stringparam section.label.includes.component.label 1 \
+	  --stringparam toc.max.depth 3 --xinclude --nonet \
+	  http://docbook.sourceforge.net/release/xsl/current/html/chunk.xsl $<
+
+distclean-local:
+	-rm -rf html Linux-PAM_MWG.txt Linux-PAM_MWG.pdf
+
+endif
+
+install-data-local:
+	$(mkinstalldirs) $(DESTDIR)$(docdir)
+	$(mkinstalldirs) $(DESTDIR)$(pdfdir)
+	$(mkinstalldirs) $(DESTDIR)$(htmldir)
+	test -f html/Linux-PAM_MWG.html || exit 0; \
+	    $(install_sh_DATA) html/Linux-PAM_MWG.html html/mwg-*.html \
+		$(DESTDIR)$(htmldir)/ || \
+	    $(install_sh_DATA) $(srcdir)/html/Linux-PAM_MWG.html \
+		$(srcdir)/html/sag-*.html \
+		$(DESTDIR)$(htmldir)/
+	test -f Linux-PAM_MWG.txt || exit 0; \
+	    $(install_sh_DATA) Linux-PAM_MWG.txt $(DESTDIR)$(docdir)/ || \
+	    $(install_sh_DATA) $(srcdir)/Linux-PAM_MWG.txt \
+		$(DESTDIR)$(docdir)/
+	test -f Linux-PAM_MWG.pdf || exit 0; \
+	    $(install_sh_DATA) Linux-PAM_MWG.pdf $(DESTDIR)$(pdfdir)/ || \
+	    $(install_sh_DATA) $(srcdir)/Linux-PAM_MWG.pdf \
+		$(DESTDIR)$(pdfdir)/
+
+uninstall-local:
+	-rm $(DESTDIR)$(htmldir)/Linux-PAM_MWG.html
+	-rm $(DESTDIR)$(htmldir)/mwg-*.html
+	-rm $(DESTDIR)$(docdir)/Linux-PAM_MWG.txt
+	-rm $(DESTDIR)$(pdfdir)/Linux-PAM_MWG.pdf
+
+releasedocs: all
+	$(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/html
+	test -f html/Linux-PAM_MWG.html || exit 0; \
+	    cp -ap html/Linux-PAM_MWG.html html/mwg-*.html \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/html/ || \
+	    cp -ap $(srcdir)/html/Linux-PAM_MWG.html \
+		$(srcdir)/html/mwg-*.html \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/html/
+	test -f Linux-PAM_MWG.txt || exit 0; \
+	    cp -p Linux-PAM_MWG.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/ || \
+	    cp -p $(srcdir)/Linux-PAM_MWG.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/
+	test -f Linux-PAM_MWG.pdf || exit 0; \
+	    cp -p Linux-PAM_MWG.pdf \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/ || \
+	    cp -p $(srcdir)/Linux-PAM_MWG.pdf \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/
diff --git a/Linux-PAM/doc/mwg/Makefile.in b/Linux-PAM/doc/mwg/Makefile.in
new file mode 100644
index 00000000..891768fc
--- /dev/null
+++ b/Linux-PAM/doc/mwg/Makefile.in
@@ -0,0 +1,470 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+#
+# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
+#
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = doc/mwg
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
+	$(top_srcdir)/m4/iconv.m4 \
+	$(top_srcdir)/m4/jh_path_xml_catalog.m4 \
+	$(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+SOURCES =
+DIST_SOURCES =
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BROWSER = @BROWSER@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+FO2PDF = @FO2PDF@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GREP = @GREP@
+HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBAUDIT = @LIBAUDIT@
+LIBCRACK = @LIBCRACK@
+LIBCRYPT = @LIBCRYPT@
+LIBDB = @LIBDB@
+LIBDL = @LIBDL@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBNSL = @LIBNSL@
+LIBOBJS = @LIBOBJS@
+LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@
+LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@
+LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@
+LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@
+LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@
+LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@
+LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@
+LIBS = @LIBS@
+LIBSELINUX = @LIBSELINUX@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+POSUB = @POSUB@
+RANLIB = @RANLIB@
+SCONFIGDIR = @SCONFIGDIR@
+SECUREDIR = @SECUREDIR@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_NLS = @USE_NLS@
+VERSION = @VERSION@
+WITH_DEBUG = @WITH_DEBUG@
+WITH_PAMLOCKING = @WITH_PAMLOCKING@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XMLCATALOG = @XMLCATALOG@
+XMLLINT = @XMLLINT@
+XML_CATALOG_FILE = @XML_CATALOG_FILE@
+XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libc_cv_fpie = @libc_cv_fpie@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pam_cv_ld_as_needed = @pam_cv_ld_as_needed@
+pam_xauth_path = @pam_xauth_path@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+CLEANFILES = Linux-PAM_MWG.fo *~
+EXTRA_DIST = $(XMLS)
+XMLS = Linux-PAM_MWG.xml $(shell ls $(srcdir)/pam_*.xml)
+DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml)
+@ENABLE_REGENERATE_MAN_TRUE@MAINTAINERCLEANFILES = Linux-PAM_MWG.txt Linux-PAM_MWG.pdf html/*.html
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  doc/mwg/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  doc/mwg/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+	-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
+@ENABLE_REGENERATE_MAN_FALSE@distclean-local:
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-local
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-data-local
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-local
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	distclean distclean-generic distclean-libtool distclean-local \
+	distdir dvi dvi-am html html-am info info-am install \
+	install-am install-data install-data-am install-data-local \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-html install-html-am install-info install-info-am \
+	install-man install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
+	ps ps-am uninstall uninstall-am uninstall-local
+
+
+@ENABLE_REGENERATE_MAN_TRUE@all: Linux-PAM_MWG.txt html/Linux-PAM_MWG.html Linux-PAM_MWG.pdf
+
+@ENABLE_REGENERATE_MAN_TRUE@Linux-PAM_MWG.pdf: $(XMLS) $(DEP_XMLS)
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	$(XSLTPROC) --stringparam generate.toc "book toc" \
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.autolabel 1 \
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.label.includes.component.label 1 \
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam toc.max.depth 3 --xinclude --nonet \
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	http://docbook.sourceforge.net/release/xsl/current/fo/docbook.xsl $< > Linux-PAM_MWG.fo
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	$(FO2PDF) Linux-PAM_MWG.fo $@
+@ENABLE_GENERATE_PDF_FALSE@@ENABLE_REGENERATE_MAN_TRUE@	echo "No fo2pdf processor installed, skip PDF generation"
+
+@ENABLE_REGENERATE_MAN_TRUE@Linux-PAM_MWG.txt: $(XMLS) $(DEP_XMLS)
+@ENABLE_REGENERATE_MAN_TRUE@	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+@ENABLE_REGENERATE_MAN_TRUE@	$(XSLTPROC) --stringparam generate.toc "book toc" \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.autolabel 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.label.includes.component.label 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam toc.max.depth 3 --xinclude --nonet \
+@ENABLE_REGENERATE_MAN_TRUE@	  http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl $< | $(BROWSER) > $@
+
+@ENABLE_REGENERATE_MAN_TRUE@html/Linux-PAM_MWG.html: $(XMLS) $(DEP_XMLS)
+@ENABLE_REGENERATE_MAN_TRUE@	@test -d html || mkdir -p html
+@ENABLE_REGENERATE_MAN_TRUE@	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+@ENABLE_REGENERATE_MAN_TRUE@	$(XSLTPROC) --stringparam base.dir html/ \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam root.filename Linux-PAM_MWG \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam use.id.as.filename 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam chunk.first.sections 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.autolabel 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.label.includes.component.label 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam toc.max.depth 3 --xinclude --nonet \
+@ENABLE_REGENERATE_MAN_TRUE@	  http://docbook.sourceforge.net/release/xsl/current/html/chunk.xsl $<
+
+@ENABLE_REGENERATE_MAN_TRUE@distclean-local:
+@ENABLE_REGENERATE_MAN_TRUE@	-rm -rf html Linux-PAM_MWG.txt Linux-PAM_MWG.pdf
+
+install-data-local:
+	$(mkinstalldirs) $(DESTDIR)$(docdir)
+	$(mkinstalldirs) $(DESTDIR)$(pdfdir)
+	$(mkinstalldirs) $(DESTDIR)$(htmldir)
+	test -f html/Linux-PAM_MWG.html || exit 0; \
+	    $(install_sh_DATA) html/Linux-PAM_MWG.html html/mwg-*.html \
+		$(DESTDIR)$(htmldir)/ || \
+	    $(install_sh_DATA) $(srcdir)/html/Linux-PAM_MWG.html \
+		$(srcdir)/html/sag-*.html \
+		$(DESTDIR)$(htmldir)/
+	test -f Linux-PAM_MWG.txt || exit 0; \
+	    $(install_sh_DATA) Linux-PAM_MWG.txt $(DESTDIR)$(docdir)/ || \
+	    $(install_sh_DATA) $(srcdir)/Linux-PAM_MWG.txt \
+		$(DESTDIR)$(docdir)/
+	test -f Linux-PAM_MWG.pdf || exit 0; \
+	    $(install_sh_DATA) Linux-PAM_MWG.pdf $(DESTDIR)$(pdfdir)/ || \
+	    $(install_sh_DATA) $(srcdir)/Linux-PAM_MWG.pdf \
+		$(DESTDIR)$(pdfdir)/
+
+uninstall-local:
+	-rm $(DESTDIR)$(htmldir)/Linux-PAM_MWG.html
+	-rm $(DESTDIR)$(htmldir)/mwg-*.html
+	-rm $(DESTDIR)$(docdir)/Linux-PAM_MWG.txt
+	-rm $(DESTDIR)$(pdfdir)/Linux-PAM_MWG.pdf
+
+releasedocs: all
+	$(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/html
+	test -f html/Linux-PAM_MWG.html || exit 0; \
+	    cp -ap html/Linux-PAM_MWG.html html/mwg-*.html \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/html/ || \
+	    cp -ap $(srcdir)/html/Linux-PAM_MWG.html \
+		$(srcdir)/html/mwg-*.html \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/html/
+	test -f Linux-PAM_MWG.txt || exit 0; \
+	    cp -p Linux-PAM_MWG.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/ || \
+	    cp -p $(srcdir)/Linux-PAM_MWG.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/
+	test -f Linux-PAM_MWG.pdf || exit 0; \
+	    cp -p Linux-PAM_MWG.pdf \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/ || \
+	    cp -p $(srcdir)/Linux-PAM_MWG.pdf \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/Linux-PAM/doc/mwg/pam_conv.xml b/Linux-PAM/doc/mwg/pam_conv.xml
new file mode 100644
index 00000000..a2b470af
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_conv.xml
@@ -0,0 +1,35 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='mwg-pam_conv'>
+  <title>The conversation function</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_conv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_conv-synopsis"]/*)'/>
+  </funcsynopsis>
+  <programlisting>
+struct pam_message {
+    int msg_style;
+    const char *msg;
+};
+
+struct pam_response {
+    char *resp;
+    int resp_retcode;
+};
+
+struct pam_conv {
+    int (*conv)(int num_msg, const struct pam_message **msg,
+                struct pam_response **resp, void *appdata_ptr);
+    void *appdata_ptr;
+};
+  </programlisting>
+  <section id='mwg-pam_conv-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_conv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_conv-description"]/*)'/>
+  </section>
+  <section id='mwg-pam_conv-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_conv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_conv-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_fail_delay.xml b/Linux-PAM/doc/mwg/pam_fail_delay.xml
new file mode 100644
index 00000000..589e1148
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_fail_delay.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_fail_delay'>
+  <title>Request a delay on failure</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_fail_delay.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_fail_delay-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_fail_delay-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_fail_delay.3.xml" xpointer='xpointer(//refsect1[@id = "pam_fail_delay-description"]/*)'/>
+  </section>
+  <section id='adg-pam_fail_delay-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_fail_delay.3.xml" xpointer='xpointer(//refsect1[@id = "pam_fail_delay-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_get_data.xml b/Linux-PAM/doc/mwg/pam_get_data.xml
new file mode 100644
index 00000000..b1afdb3f
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_get_data.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='mwg-pam_get_data'>
+  <title>Get module internal data</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_get_data.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_get_data-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='mwg-pam_get_data-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_get_data.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_data-description"]/*)'/>
+  </section>
+  <section id='mwg-pam_get_data-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_get_data.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_data-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_get_item.xml b/Linux-PAM/doc/mwg/pam_get_item.xml
new file mode 100644
index 00000000..370a10a1
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_get_item.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='mwg-pam_get_item'>
+  <title>Getting PAM items</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_get_item.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_get_item-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='mwg-pam_get_item-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_get_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_item-description"]/*)'/>
+  </section>
+  <section id='mwg-pam_get_item-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_get_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_item-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_get_user.xml b/Linux-PAM/doc/mwg/pam_get_user.xml
new file mode 100644
index 00000000..1cb7fdf3
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_get_user.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='mwg-pam_get_user'>
+  <title>Get user name</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_get_user.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_get_user-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='mwg-pam_get_user-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_get_user.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_user-description"]/*)'/>
+  </section>
+  <section id='mwg-pam_get_user-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_get_user.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_user-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_getenv.xml b/Linux-PAM/doc/mwg/pam_getenv.xml
new file mode 100644
index 00000000..61d69c33
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_getenv.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_getenv'>
+  <title>Get a PAM environment variable</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_getenv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_getenv-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_getenv-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_getenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenv-description"]/*)'/>
+  </section>
+  <section id='adg-pam_getenv-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_getenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenv-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_getenvlist.xml b/Linux-PAM/doc/mwg/pam_getenvlist.xml
new file mode 100644
index 00000000..d3c2fcd3
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_getenvlist.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_getenvlist'>
+  <title>Getting the PAM environment</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_getenvlist.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_getenvlist-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_getenvlist-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_getenvlist.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenvlist-description"]/*)'/>
+  </section>
+  <section id='adg-pam_getenvlist-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_getenvlist.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenvlist-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_putenv.xml b/Linux-PAM/doc/mwg/pam_putenv.xml
new file mode 100644
index 00000000..e55f1a42
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_putenv.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_putenv'>
+  <title>Set or change PAM environment variable</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_putenv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_putenv-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_putenv-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_putenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_putenv-description"]/*)'/>
+  </section>
+  <section id='adg-pam_putenv-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_putenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_putenv-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_set_data.xml b/Linux-PAM/doc/mwg/pam_set_data.xml
new file mode 100644
index 00000000..18b2711b
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_set_data.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='mwg-pam_set_data'>
+  <title>Set module internal data</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_set_data.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_set_data-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='mwg-pam_set_data-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_set_data.3.xml" xpointer='xpointer(//refsect1[@id = "pam_set_data-description"]/*)'/>
+  </section>
+  <section id='mwg-pam_set_data-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_set_data.3.xml" xpointer='xpointer(//refsect1[@id = "pam_set_data-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_set_item.xml b/Linux-PAM/doc/mwg/pam_set_item.xml
new file mode 100644
index 00000000..7d19925e
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_set_item.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='mwg-pam_set_item'>
+  <title>Setting PAM items</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_set_item.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_set_item-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='mwg-pam_set_item-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_set_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_set_item-description"]/*)'/>
+  </section>
+  <section id='mwg-pam_set_item-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_set_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_set_item-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_sm_acct_mgmt.xml b/Linux-PAM/doc/mwg/pam_sm_acct_mgmt.xml
new file mode 100644
index 00000000..10b3c9e9
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_sm_acct_mgmt.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='mwg-pam_sm_acct_mgmt'>
+  <title>Service function for account management</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_acct_mgmt.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_sm_acct_mgmt-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='mwg-pam_sm_acct_mgmt-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_acct_mgmt.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_acct_mgmt-description"]/*)'/>
+  </section>
+  <section id='mwg-pam_sm_acct_mgmt-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_acct_mgmt.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_acct_mgmt-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_sm_authenticate.xml b/Linux-PAM/doc/mwg/pam_sm_authenticate.xml
new file mode 100644
index 00000000..54c79af6
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_sm_authenticate.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='mwg-pam_sm_authenticate'>
+  <title>Service function for user authentication</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_authenticate.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_sm_authenticate-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='mwg-pam_sm_authenticate-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_authenticate.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_authenticate-description"]/*)'/>
+  </section>
+  <section id='mwg-pam_sm_authenticate-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_authenticate.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_authenticate-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_sm_chauthtok.xml b/Linux-PAM/doc/mwg/pam_sm_chauthtok.xml
new file mode 100644
index 00000000..a1364315
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_sm_chauthtok.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='mwg-pam_sm_chauthtok'>
+  <title>Service function to alter authentication token</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_chauthtok.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_sm_chauthtok-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='mwg-pam_sm_chauthtok-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_chauthtok.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_chauthtok-description"]/*)'/>
+  </section>
+  <section id='mwg-pam_sm_chauthtok-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_chauthtok.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_chauthtok-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_sm_close_session.xml b/Linux-PAM/doc/mwg/pam_sm_close_session.xml
new file mode 100644
index 00000000..9346c506
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_sm_close_session.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-close.org/docbook/xml/4.4/docbookx.dtd">
+<section id='mwg-pam_sm_close_session'>
+  <title>Service function to terminate session management</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_close_session.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_sm_close_session-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='mwg-pam_sm_close_session-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_close_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_close_session-description"]/*)'/>
+  </section>
+  <section id='mwg-pam_sm_close_session-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_close_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_close_session-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_sm_open_session.xml b/Linux-PAM/doc/mwg/pam_sm_open_session.xml
new file mode 100644
index 00000000..b8e3fa90
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_sm_open_session.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='mwg-pam_sm_open_session'>
+  <title>Service function to start session management</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_open_session.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_sm_open_session-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='mwg-pam_sm_open_session-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_open_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_open_session-description"]/*)'/>
+  </section>
+  <section id='mwg-pam_sm_open_session-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_open_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_open_session-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_sm_setcred.xml b/Linux-PAM/doc/mwg/pam_sm_setcred.xml
new file mode 100644
index 00000000..eee8e1d6
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_sm_setcred.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='mwg-pam_sm_setcred'>
+  <title>Service function to alter credentials</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_setcred.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_sm_setcred-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='mwg-pam_sm_setcred-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_setcred.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_setcred-description"]/*)'/>
+  </section>
+  <section id='mwg-pam_sm_setcred-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_sm_setcred.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_setcred-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/mwg/pam_strerror.xml b/Linux-PAM/doc/mwg/pam_strerror.xml
new file mode 100644
index 00000000..35b08a27
--- /dev/null
+++ b/Linux-PAM/doc/mwg/pam_strerror.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='adg-pam_strerror'>
+  <title>Strings describing PAM error codes</title>
+  <funcsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_strerror.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_strerror-synopsis"]/*)'/>
+  </funcsynopsis>
+  <section id='adg-pam_strerror-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_strerror.3.xml" xpointer='xpointer(//refsect1[@id = "pam_strerror-description"]/*)'/>
+  </section>
+  <section id='adg-pam_strerror-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam_strerror.3.xml" xpointer='xpointer(//refsect1[@id = "pam_strerror-return_values"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/pam_appl.sgml b/Linux-PAM/doc/pam_appl.sgml
deleted file mode 100644
index 33fdcba6..00000000
--- a/Linux-PAM/doc/pam_appl.sgml
+++ /dev/null
@@ -1,1777 +0,0 @@
-<!doctype linuxdoc system>
-
-<!--
-
- $Id: pam_appl.sgml,v 1.10 2004/09/22 09:37:47 kukuk Exp $
-
-    Copyright (C) Andrew G. Morgan 1996-2001.  All rights reserved.
-
-Redistribution and use in source (sgml) and binary (derived) forms,
-with or without modification, are permitted provided that the
-following conditions are met:
-
-1. Redistributions of source code must retain the above copyright
-   notice, and the entire permission notice in its entirety,
-   including the disclaimer of warranties.
-
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-3. The name of the author may not be used to endorse or promote
-   products derived from this software without specific prior
-   written permission.
-
-ALTERNATIVELY, this product may be distributed under the terms of the
-GNU General Public License, in which case the provisions of the GNU
-GPL are required INSTEAD OF the above restrictions.  (This clause is
-necessary due to a potential bad interaction between the GNU GPL and
-the restrictions contained in a BSD-style copyright.)
-
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
-OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
-TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
-DAMAGE.
-
- -->
-
-<article>
-
-<title>The Linux-PAM Application Developers' Guide
-<author>Andrew G. Morgan, <tt>morgan@kernel.org</tt>
-<date>DRAFT v0.76 2001/12/08
-<abstract>
-This manual documents what an application developer needs to know
-about the <bf>Linux-PAM</bf> library. It describes how an application
-might use the <bf>Linux-PAM</bf> library to authenticate users. In
-addition it contains a description of the funtions to be found in
-<tt/libpam_misc/ library, that can be used in general applications.
-Finally, it contains some comments on PAM related security issues for
-the application developer.
-</abstract>
-
-<toc>
-
-<sect>Introduction
-
-<sect1>Synopsis
-
-<p>
-For general applications that wish to use the services provided by
-<bf/Linux-PAM/ the following is a summary of the relevant linking
-information:
-<tscreen>
-<verb>
-#include <security/pam_appl.h>
-
-cc -o application .... -lpam -ldl
-</verb>
-</tscreen>
-
-<p>
-In addition to <tt/libpam/, there is a library of miscellaneous
-functions that make the job of writing <em/PAM-aware/ applications
-easier (this library is not covered in the DCE-RFC for PAM and is
-specific to the Linux-PAM distribution):
-<tscreen>
-<verb>
-...
-#include <security/pam_misc.h>
-
-cc -o application .... -lpam -lpam_misc -ldl
-</verb>
-</tscreen>
-
-<sect1> Description
-
-<p>
-<bf>Linux-PAM</bf> (Pluggable Authentication Modules for Linux) is a
-library that enables the local system administrator to choose how
-individual applications authenticate users.  For an overview of the
-<bf>Linux-PAM</bf> library see the <bf/Linux-PAM/ System
-Administrators' Guide.
-
-<p>
-It is the purpose of the <bf>Linux-PAM</bf> project to liberate the
-development of privilege granting software from the development of
-secure and appropriate authentication schemes.  This is accomplished
-by providing a documented library of functions that an application may
-use for all forms of user authentication management. This library
-dynamically loads locally configured authentication modules that
-actually perform the authentication tasks.
-
-<p>
-From the perspective of an application developer the information
-contained in the local configuration of the PAM library should not be
-important.  Indeed it is intended that an application treat the
-functions documented here as a ``black box'' that will deal with all
-aspects of user authentication. ``All aspects'' includes user
-verification, account management, session initialization/termination
-and also the resetting of passwords (<em/authentication tokens/).
-
-<sect>Overview
-
-<p>
-Most service-giving applications are restricted.  In other words,
-their service is not available to all and every prospective client.
-Instead, the applying client must jump through a number of hoops to
-convince the serving application that they are authorized to obtain
-service.
-
-The process of <em/authenticating/ a client is what PAM is designed to
-manage.  In addition to authentication, PAM provides account
-management, credential management, session management and
-authentication-token (password changing) management services.  It is
-important to realize when writing a PAM based application that these
-services are provided in a manner that is <bf>transparent</bf> to
-the application.  That is to say, when the application is written, no
-assumptions can be made about <em>how</em> the client will be
-authenticated.
-
-<p>
-The process of authentication is performed by the PAM library via a
-call to <tt>pam_authenticate()</tt>.  The return value of this
-function will indicate whether a named client (the <em>user</em>) has
-been authenticated.  If the PAM library needs to prompt the user for
-any information, such as their <em>name</em> or a <em>password</em>
-then it will do so.  If the PAM library is configured to authenticate
-the user using some silent protocol, it will do this too.  (This
-latter case might be via some hardware interface for example.)
-
-<p>
-It is important to note that the application must leave all decisions
-about when to prompt the user at the discretion of the PAM library.
-
-<p>
-The PAM library, however, must work equally well for different styles
-of application.  Some applications, like the familiar <tt>login</tt>
-and <tt>passwd</tt> are terminal based applications, exchanges of
-information with the client in these cases is as plain text messages.
-Graphically based applications, however, have a more sophisticated
-interface.  They generally interact with the user via specially
-constructed dialogue boxes.  Additionally, network based services
-require that text messages exchanged with the client are specially
-formatted for automated processing: one such example is <tt>ftpd</tt>
-which prefixes each exchanged message with a numeric identifier.
-
-<p>
-The presentation of simple requests to a client is thus something very
-dependent on the protocol that the serving application will use.  In
-spite of the fact that PAM demands that it drives the whole
-authentication process, it is not possible to leave such protocol
-subtleties up to the PAM library.  To overcome this potential problem,
-the application provides the PAM library with a <em>conversation</em>
-function.  This function is called from <bf>within</bf> the PAM
-library and enables the PAM to directly interact with the client.  The
-sorts of things that this conversation function must be able to do are
-prompt the user with text and/or obtain textual input from the user
-for processing by the PAM library.  The details of this function are
-provided in a later section.
-
-<p>
-For example, the conversation function may be called by the PAM library
-with a request to prompt the user for a password.  Its job is to
-reformat the prompt request into a form that the client will
-understand.  In the case of <tt>ftpd</tt>, this might involve prefixing
-the string with the number <tt>331</tt> and sending the request over
-the network to a connected client.  The conversation function will
-then obtain any reply and, after extracting the typed password, will
-return this string of text to the PAM library.  Similar concerns need
-to be addressed in the case of an X-based graphical server.
-
-<p>
-There are a number of issues that need to be addressed when one is
-porting an existing application to become PAM compliant.  A section
-below has been devoted to this: Porting legacy applications.
-
-<p>
-Besides authentication, PAM provides other forms of management.
-Session management is provided with calls to
-<tt>pam_open_session()</tt> and <tt>pam_close_session()</tt>.  What
-these functions actually do is up to the local administrator.  But
-typically, they could be used to log entry and exit from the system or
-for mounting and unmounting the user's home directory.  If an
-application provides continuous service for a period of time, it
-should probably call these functions, first open after the user is
-authenticated and then close when the service is terminated.
-
-<p>
-Account management is another area that an application developer
-should include with a call to <tt/pam_acct_mgmt()/.  This call will
-perform checks on the good health of the user's account (has it
-expired etc.). One of the things this function may check is whether
-the user's authentication token has expired - in such a case the
-application may choose to attempt to update it with a call to
-<tt/pam_chauthtok()/, although some applications are not suited to
-this task (<em>ftp</em> for example) and in this case the application
-should deny access to the user.
-
-<p>
-PAM is also capable of setting and deleting the users credentials with
-the call <tt>pam_setcred()</tt>.  This function should always be
-called after the user is authenticated and before service is offered
-to the user.  By convention, this should be the last call to the PAM
-library before the PAM session is opened.  What exactly a credential
-is, is not well defined.  However, some examples are given in the
-glossary below.
-
-<sect>The public interface to <bf>Linux-PAM</bf>
- 
-<p>
-Firstly, the relevant include file for the <bf>Linux-PAM</bf> library
-is <tt>&lt;security/pam_appl.h&gt;</tt>. It contains the definitions
-for a number of functions. After listing these functions, we collect
-some guiding remarks for programmers.
-
-<sect1>What can be expected by the application
-
-<p>
-Below we document those functions in the <bf/Linux-PAM/ library that
-may be called from an application.
-
-<sect2>Initialization of Linux-PAM
-<label id="pam-start-section">
-
-<p>
-<tscreen>
-<verb>
-extern int pam_start(const char *service_name, const char *user,
-		     const struct pam_conv *pam_conversation,
-		     pam_handle_t **pamh);
-</verb>
-</tscreen>
-
-<p>
-This is the first of the <bf>Linux-PAM</bf> functions that must be
-called by an application. It initializes the interface and reads the
-system configuration file, <tt>/etc/pam.conf</tt> (see the
-<bf/Linux-PAM/ System Administrators' Guide).  Following a successful
-return (<tt/PAM_SUCCESS/) the contents of <tt/*pamh/ is a handle that
-provides continuity for successive calls to the <bf/Linux-PAM/
-library.  The arguments expected by <tt/pam_start/ are as follows: the
-<tt/service_name/ of the program, the <tt/user/name of the individual
-to be authenticated, a pointer to an application-supplied
-<tt/pam_conv/ structure and a pointer to a <tt/pam_handle_t/
-<em/pointer/.
-
-<p>
-The <tt>pam_conv</tt> structure is discussed more fully in the section
-<ref id="the-conversation-function" name="below">.  The
-<tt>pam_handle_t</tt> is a <em>blind</em> structure and the
-application should not attempt to probe it directly for information.
-Instead the <bf>Linux-PAM</bf> library provides the functions
-<tt>pam_set_item</tt> and <tt>pam_get_item</tt>.  These functions are
-documented below.
-
-<sect2>Termination of the library
-<label id="pam-end-section">
-
-<p>
-<tscreen>
-<verb>
-extern int pam_end(pam_handle_t *pamh, int pam_status);
-</verb>
-</tscreen>
-
-<p>
-This function is the last function an application should call in the
-<bf>Linux-PAM</bf> library.  Upon return the handle <tt/pamh/ is no
-longer valid and all memory associated with it will be invalid (likely
-to cause a segmentation fault if accessed).
-
-<p>
-Under normal conditions the argument <tt/pam_status/ has the value
-PAM_SUCCESS, but in the event of an unsuccessful application for
-service the appropriate <bf/Linux-PAM/ error-return value should be
-used here. Note, <tt/pam_end()/ unconditionally shuts down the
-authentication stack associated with the <tt/pamh/ handle. The value
-taken by <tt/pam_status/ is used as an argument to the module specific
-callback functions, <tt/cleanup()/ (see the <bf/Linux-PAM/ <htmlurl
-url="pam_modules.html" name="Module Developers' Guide">). In this way,
-the module can be given notification of the pass/fail nature of the
-tear-down process, and perform any last minute tasks that are
-appropriate to the module before it is unlinked.
-
-<sect2>Setting PAM items
-<label id="pam-set-item-section">
-
-<p>
-<tscreen>
-<verb>
-extern int pam_set_item(pam_handle_t *pamh, int item_type,
-			const void *item);
-</verb>
-</tscreen>
-
-<p>This function is used to (re)set the value of one of the following
-<bf/item_type/s:
-
-<p><descrip>
-<tag><tt/PAM_SERVICE/</tag>
-
-     	The service name (which identifies that PAM stack that
-     	<tt/libpam/ will use to authenticate the program).
-
-<tag><tt/PAM_USER/</tag>
-
-	The username of the entity under who's identity service will
-	be given. That is, following authentication, <tt/PAM_USER/
-	identifies the local entity that gets to use the
-	service. Note, this value can be mapped from something (eg.,
-	"<tt/anonymous/") to something else (eg. "<tt/guest119/") by
-	any module in the PAM stack. As such an application should
-	consult the value of <tt/PAM_USER/ after each call to a
-	<tt/pam_*()/ function.
-
-<tag><tt/PAM_USER_PROMPT/</tag>
-
-	The string used when prompting for a user's name. The default
-        value for this string is ``Please enter username: ''.
-
-<tag><tt/PAM_TTY/</tag>
-
-	The terminal name: prefixed by <tt>/dev/</tt> if it is a
-        device file; for graphical, X-based, applications the value
-        for this item should be the <tt/&dollar;DISPLAY/ variable.
-
-<tag><tt/PAM_RUSER/</tag>
-
-        The requesting entity: user's username for a locally
-	requesting user or a remote requesting user - generally an
-	application or module will attempt to supply the value that is
-	most strongly authenticated (a local account before a remote
-	one. The level of trust in this value is embodied in the
-	actual authentication stack associated with the application,
-	so it is ultimately at the discretion of the system
-	administrator. It should generally match the current
-	<tt/PAM_RHOST/ value. That is, "<tt/PAM_RUSER@PAM_RHOST/"
-	should always identify the requesting user. In some cases,
-	<tt/PAM_RUSER/ may be NULL. In such situations, it is unclear
-	who the requesting entity is.
-
-<tag><tt/PAM_RHOST/</tag>
-
-	The requesting hostname (the hostname of the machine from
-	which the <tt/PAM_RUSER/ entity is requesting service). That
-	is "<tt/PAM_RUSER@PAM_RHOST/" does identify the requesting
-	user.  "<tt/luser@localhost/" or "<tt/evil@evilcom.com/" are
-	valid "<tt/PAM_RUSER@PAM_RHOST/" examples. In some
-	applications, <tt/PAM_RHOST/ may be NULL. In such situations,
-	it is unclear where the authentication request is originating
-	from.
-
-<tag><tt/PAM_CONV/</tag>
-
-	The conversation structure (see section <ref
-        id="the-conversation-function" name="below">).
-
-<tag><tt/PAM_FAIL_DELAY/</tag> A function pointer to redirect
-        centrally managed failure delays (see section <ref
-        id="the-failure-delay-function" name="below">).
-
-</descrip>
-
-<p>
-For all <tt/item_type/s, other than <tt/PAM_CONV/ and
-<tt/PAM_FAIL_DELAY/, <tt/item/ is a pointer to a <tt>&lt;NUL&gt;</tt>
-terminated character string.  In the case of <tt/PAM_CONV/, <tt/item/
-points to an initialized <tt/pam_conv/ structure (see section <ref
-id="the-conversation-function" name="below">). In the case of
-<tt/PAM_FAIL_DELAY/, <tt/item/ is a function pointer: <tt/void
-(*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr)/ (see
-section <ref id="the-failure-delay-function" name="below">).
-
-<p>
-A successful call to this function returns <tt/PAM_SUCCESS/.  However,
-the application should expect at least one the following errors:
-
-<p>
-<descrip>
-<tag><tt/PAM_SYSTEM_ERR/</tag>
-        The <tt/pam_handle_t/ passed as a first argument to this
-        function was invalid.
-<tag><tt/PAM_PERM_DENIED/</tag>
-	An attempt was made to replace the conversation structure with
-        a <tt/NULL/ value.
-<tag><tt/PAM_BUF_ERR/</tag>
-	The function ran out of memory making a copy of the item.
-<tag><tt/PAM_BAD_ITEM/</tag>
-	The application attempted to set an undefined or inaccessible
-	item.
-</descrip>
-
-<sect2>Getting PAM items
-<label id="pam-get-item-section">
-
-<p>
-<tscreen>
-<verb>
-extern int pam_get_item(const pam_handle_t *pamh, int item_type,
-			const void **item);
-</verb>
-</tscreen>
-
-<p>
-This function is used to obtain the value of the indicated
-<tt/item_type/.  Upon successful return, <tt/*item/ contains a pointer
-to the value of the corresponding item.  Note, this is a pointer to
-the <em/actual/ data and should <em/not/ be <tt/free()/'ed or
-over-written!
-
-<p>
-A successful call is signaled by a return value of <tt/PAM_SUCCESS/.
-However, the application should expect one of the following errors:
-
-<p>
-<descrip>
-<tag><tt/PAM_SYSTEM_ERR/</tag>
-        The <tt/pam_handle_t/ passed as a first argument to this
-        function was invalid.
-<tag><tt/PAM_PERM_DENIED/</tag>
-	The value of <tt/item/ was <tt/NULL/.
-<tag><tt/PAM_BAD_ITEM/</tag>
-	The application attempted to set an undefined or inaccessible
-	item.
-</descrip>
-
-<p>
-In the case of an error, the contents of <tt/item/ is set to <tt/NULL/.
-
-<sect2>Understanding errors
-<label id="pam-strerror-section">
-
-<p>
-<tscreen>
-<verb>
-extern const char *pam_strerror(pam_handle_t *pamh, int errnum);
-</verb>
-</tscreen>
-
-<p>
-This function returns some text describing the <bf>Linux-PAM</bf>
-error associated with the argument <tt/errnum/.  If the error is not
-recognized ``<tt/Unknown Linux-PAM error/'' is returned.
-
-<sect2>Planning for delays
-<label id="the-failure-delay-function">
-
-<p>
-<tscreen>
-<verb>
-extern int pam_fail_delay(pam_handle_t *pamh, unsigned int micro_sec);
-</verb>
-</tscreen>
-
-<p>
-This function is offered by <bf/Linux-PAM/ to facilitate time delays
-following a failed call to <tt/pam_authenticate()/ and before control
-is returned to the application. When using this function the
-application programmer should check if it is available with,
-<tscreen>
-<verb>
-#ifdef PAM_FAIL_DELAY
-    ....
-#endif /* PAM_FAIL_DELAY */
-</verb>
-</tscreen>
-
-
-<p>
-Generally, an application requests that a user is authenticated by
-<bf/Linux-PAM/ through a call to <tt/pam_authenticate()/ or
-<tt/pam_chauthtok()/.  These functions call each of the <em/stacked/
-authentication modules listed in the relevant <bf/Linux-PAM/
-configuration file.  As directed by this file, one of more of the
-modules may fail causing the <tt/pam_...()/ call to return an error.
-It is desirable for there to also be a pause before the application
-continues. The principal reason for such a delay is security: a delay
-acts to discourage <em/brute force/ dictionary attacks primarily, but
-also helps hinder <em/timed/ (covert channel) attacks.
-
-<p>
-The <tt/pam_fail_delay()/ function provides the mechanism by which an
-application or module can suggest a minimum delay (of <tt/micro_sec/
-<em/micro-seconds/). <bf/Linux-PAM/ keeps a record of the longest time
-requested with this function. Should <tt/pam_authenticate()/ fail,
-the failing return to the application is delayed by an amount of time
-randomly distributed (by up to 25%) about this longest value.
-
-<p>
-Independent of success, the delay time is reset to its zero default
-value when <bf/Linux-PAM/ returns control to the application.
-
-<p>
-For applications written with a single thread that are event driven in
-nature, <tt/libpam/ generating this delay may be undesirable. Instead,
-the application may want to register the delay in some other way. For
-example, in a single threaded server that serves multiple
-authentication requests from a single event loop, the application
-might want to simply mark a given connection as blocked until an
-application timer expires. For this reason, <bf/Linux-PAM/ supplies
-the <tt/PAM_FAIL_DELAY/ item. It can be queried and set with
-<tt/pam_get_item()/ and <tt/pam_set_item()/ respectively. The value
-used to set it should be a function pointer of the following
-prototype:
-
-<tscreen>
-<verb>
-void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr);
-</verb>
-</tscreen>
-
-The arguments being the <tt/retval/ return code of the module stack,
-the <tt/usec_delay/ micro-second delay that libpam is requesting and
-the <tt/appdata_ptr/ that the application has associated with the
-current <tt/pamh/ (<tt/pam_handle_t/). This last value was set by the
-application when it called <tt/pam_start/ or explicitly with
-<tt/pam_set_item(... , PAM_CONV, ...)/. Note, if <tt/PAM_FAIL_DELAY/
-is unset (or set to <tt/NULL/), then <tt/libpam/ will perform any
-delay.
-
-<sect2>Authenticating the user
-
-<p>
-<tscreen>
-<verb>
-extern int pam_authenticate(pam_handle_t *pamh, int flags);
-</verb>
-</tscreen>
-
-<p>
-This function serves as an interface to the authentication mechanisms
-of the loaded modules.  The single <em/optional/ flag, which may be
-logically OR'd with <tt/PAM_SILENT/, takes the following value,
-
-<p><descrip>
-
-<tag><tt/PAM_DISALLOW_NULL_AUTHTOK/</tag>
-	Instruct the authentication modules to return
-<tt/PAM_AUTH_ERR/ if the user does not have a registered
-authorization token---it is set to <tt/NULL/ in the system database.
-</descrip>
-
-<p>
-The value returned by this function is one of the following:
-
-<p><descrip>
-
-<tag><tt/PAM_AUTH_ERR/</tag>
-	The user was not authenticated
-<tag><tt/PAM_CRED_INSUFFICIENT/</tag>
-	For some reason the application does not have sufficient
-credentials to authenticate the user.
-<tag><tt/PAM_AUTHINFO_UNAVAIL/</tag>
-	The modules were not able to access the authentication
-information. This might be due to a network or hardware failure etc.
-<tag><tt/PAM_USER_UNKNOWN/</tag>
-	The supplied username is not known to the authentication
-service
-<tag><tt/PAM_MAXTRIES/</tag>
-	One or more of the authentication modules has reached its
-limit of tries authenticating the user. Do not try again.
-
-</descrip>
-
-<p>
-If one or more of the authentication modules fails to load, for
-whatever reason, this function will return <tt/PAM_ABORT/.
-
-<sect2>Setting user credentials
-<label id="pam-setcred-section">
-
-<p>
-<tscreen>
-<verb>
-extern int pam_setcred(pam_handle_t *pamh, int flags);
-</verb>
-</tscreen>
-
-<p>
-This function is used to set the module-specific credentials of the
-user.  It is usually called after the user has been authenticated,
-after the account management function has been called but before a
-session has been opened for the user.
-
-<p>
-A credential is something that the user possesses.  It is some
-property, such as a <em>Kerberos</em> ticket, or a supplementary group
-membership that make up the uniqueness of a given user.  On a Linux
-(or UN*X system) the user's <tt>UID</tt> and <tt>GID</tt>'s are
-credentials too.  However, it has been decided that these properties
-(along with the default supplementary groups of which the user is a
-member) are credentials that should be set directly by the application
-and not by PAM.
-
-<p>
-This function simply calls the <tt/pam_sm_setcred/ functions of each
-of the loaded modules.  Valid <tt/flags/, any one of which, may be
-logically OR'd with <tt/PAM_SILENT/, are:
-
-<p><descrip>
-<tag><tt/PAM_ESTABLISH_CRED/</tag>
-	Set the credentials for the authentication service,
-<tag><tt/PAM_DELETE_CRED/</tag>
-	Delete the credentials associated with the authentication service,
-<tag><tt/PAM_REINITIALIZE_CRED/</tag>
-	Reinitialize the user credentials, and
-<tag><tt/PAM_REFRESH_CRED/</tag>
-	Extend the lifetime of the user credentials.
-</descrip>
-
-<p>
-A successful return is signalled with <tt/PAM_SUCCESS/. Errors that
-are especially relevant to this function are the following:
-
-<p><descrip>
-<tag><tt/PAM_CRED_UNAVAIL/</tag>
-	A module cannot retrieve the user's credentials.
-<tag><tt/PAM_CRED_EXPIRED/</tag>
-	The user's credentials have expired.
-<tag><tt/PAM_USER_UNKNOWN/</tag>
-	The user is not known to an authentication module.
-<tag><tt/PAM_CRED_ERR/</tag>
-	A module was unable to set the credentials of the user.
-</descrip>
-
-<sect2>Account management
-
-<p>
-<tscreen>
-<verb>
-extern int pam_acct_mgmt(pam_handle_t *pamh, int flags);
-</verb>
-</tscreen>
-
-<p>
-This function is typically called after the user has been
-authenticated.  It establishes whether the user's account is healthy.
-That is to say, whether the user's account is still active and whether
-the user is permitted to gain access to the system at this time.
-Valid flags, any one of which, may be logically OR'd with
-<tt/PAM_SILENT/, and are the same as those applicable to the
-<tt/flags/ argument of <tt/pam_authenticate/.
-
-<p>
-This function simply calls the corresponding functions of each of the
-loaded modules, as instructed by the configuration file,
-<tt>/etc/pam.conf</tt>.
-
-<p>
-The normal response from this function is <tt/PAM_SUCCESS/, however,
-specific failures are indicated by the following error returns:
-
-<descrip>
-<tag><tt/PAM_AUTHTOKEN_REQD/</tag>
-The user <bf/is/ valid but their authentication token has
-<em/expired/.  The correct response to this return-value is to require
-that the user satisfies the <tt/pam_chauthtok()/ function before
-obtaining service.  It may not be possible for some applications to do
-this.  In such cases, the user should be denied access until such time
-as they can update their password.
-
-<tag><tt/PAM_ACCT_EXPIRED/</tag>
-	The user is no longer permitted to access the system.
-<tag><tt/PAM_AUTH_ERR/</tag>
-	There was an authentication error.
-
-<tag><tt/PAM_PERM_DENIED/</tag>
-	The user is not permitted to gain access at this time.
-<tag><tt/PAM_USER_UNKNOWN/</tag>
-	The user is not known to a module's account management
-component.
-
-</descrip>
-
-<sect2>Updating authentication tokens
-<label id="pam-chauthtok-section">
-
-<p>
-<tscreen>
-<verb>
-extern int pam_chauthtok(pam_handle_t *pamh, const int flags);
-</verb>
-</tscreen>
-
-<p>
-This function is used to change the authentication token for a given
-user (as indicated by the state associated with the handle,
-<tt/pamh/). The following is a valid but optional flag which may be
-logically OR'd with <tt/PAM_SILENT/,
-
-<descrip>
-<tag><tt/PAM_CHANGE_EXPIRED_AUTHTOK/</tag>
-	This argument indicates to the modules that the users
-authentication token (password) should only be changed if it has
-expired.
-</descrip>
-
-<p>
-Note, if this argument is not passed, the application requires that
-<em/all/ authentication tokens are to be changed.
-
-<p>
-<tt/PAM_SUCCESS/ is the only successful return value, valid
-error-returns are:
-
-<descrip>
-<tag><tt/PAM_AUTHTOK_ERR/</tag>
-	A module was unable to obtain the new authentication token.
-	
-<tag><tt/PAM_AUTHTOK_RECOVERY_ERR/</tag>
-	A module was unable to obtain the old authentication token.
-
-<tag><tt/PAM_AUTHTOK_LOCK_BUSY/</tag>
-	One or more of the modules was unable to change the
-authentication token since it is currently locked.
-	
-<tag><tt/PAM_AUTHTOK_DISABLE_AGING/</tag>
-	Authentication token aging has been disabled for at least one
-of the modules.
-
-<tag><tt/PAM_PERM_DENIED/</tag>
-	Permission denied.
-
-<tag><tt/PAM_TRY_AGAIN/</tag>
-	Not all of the modules were in a position to update the
-authentication token(s). In such a case none of the user's
-authentication tokens are updated.
-
-<tag><tt/PAM_USER_UNKNOWN/</tag>
-	The user is not known to the authentication token changing
-service.
-
-</descrip>
-
-<sect2>Session initialization
-<label id="pam-open-session-section">
-
-<p>
-<tscreen>
-<verb>
-extern int pam_open_session(pam_handle_t *pamh, int flags);
-</verb>
-</tscreen>
-
-<p>
-This function is used to indicate that an authenticated session has
-begun.  It is used to inform the modules that the user is currently in
-a session.  It should be possible for the <bf>Linux-PAM</bf> library
-to open a session and close the same session (see section <ref
-id="pam-close-session-section" name="below">) from different
-applications.
-
-<p>
-Currently, this function simply calls each of the corresponding
-functions of the loaded modules. The only valid flag is
-<tt/PAM_SILENT/ and this is, of course, <em/optional/.
-
-<p>
-If any of the <em/required/ loaded modules are unable to open a
-session for the user, this function will return <tt/PAM_SESSION_ERR/.
-
-<sect2>Terminating sessions
-<label id="pam-close-session-section">
-
-<p>
-<tscreen>
-<verb>
-extern int pam_close_session(pam_handle_t *pamh, int flags);
-</verb>
-</tscreen>
-
-<p>
-This function is used to indicate that an authenticated session has
-ended. It is used to inform the modules that the user is exiting a
-session. It should be possible for the <bf>Linux-PAM</bf> library to
-open a session and close the same session from different applications.
-
-<p>
-This function simply calls each of the corresponding functions of the
-loaded modules in the same order that they were invoked with
-<tt/pam_open_session()/.  The only valid flag is <tt/PAM_SILENT/ and
-this is, of course, <em/optional/.
-
-<p>
-If any of the <em/required/ loaded modules are unable to close a
-session for the user, this function will return <tt/PAM_SESSION_ERR/.
-
-<sect2>Setting PAM environment variables
-<label id="pam-putenv-section">
-
-<p>
-The <tt/libpam/ library associates with each PAM-handle (<tt/pamh/), a
-set of <it/PAM environment variables/. These variables are intended to
-hold the session environment variables that the user will inherit when
-the session is granted and the authenticated user obtains access to
-the requested service. For example, when <tt/login/ has finally given
-the user a shell, the environment (as viewed with the command
-<tt/env/) will be what <tt/libpam/ was maintaining as the PAM
-environment for that service application. Note, these variables are not
-the environment variables of the <tt/login/ application. This is
-principally for two reasons: <tt/login/ may want to have an
-environment that cannot be seen or manipulated by a user; and
-<tt/login/ (or whatever the serving application is) may be maintaining
-a number of parallel sessions, via different <tt/pamh/ values, at the
-same time and a single environment may not be appropriately shared
-between each of these. The PAM environment may contain variables
-seeded by the applicant user's client program, for example, and as
-such it is not appropriate for one applicant to interfere with the
-environment of another applicant.
-
-<p>
-<tscreen>
-<verb>
-extern int pam_putenv(pam_handle_t *pamh, const char *name_value);
-</verb>
-</tscreen>
-
-<p>
-This function attempts to (re)set a <bf/Linux-PAM/ environment
-variable. The <tt/name_value/ argument is a single <tt/NUL/ terminated
-string of one of the following forms:
-<descrip>
-<tag>``<tt/NAME=value of variable/''</tag>
-
-In this case the environment variable of the given <tt/NAME/ is set to
-the indicated value: ``<tt/value of variable/''.  If this variable is
-already known, it is overwritten. Otherwise it is added to the
-<bf/Linux-PAM/ environment.
-
-<tag>``<tt/NAME=/''</tag>
-
-This function sets the variable to an empty value. It is listed
-separately to indicate that this is the correct way to achieve such a
-setting.
-
-<tag>``<tt/NAME/''</tag>
-
-Without an `<tt/=/' the <tt/pam_putenv()/ function will delete the
-corresponding variable from the <bf/Linux-PAM/ environment.
-
-</descrip>
-
-<p>
-Success is indicated with a return value of <tt/PAM_SUCCESS/. Failure
-is indicated by one of the following returns:
-
-<descrip>
-<tag><tt/PAM_PERM_DENIED/</tag>
-	name given is a <tt/NULL/ pointer
-
-<tag><tt/PAM_BAD_ITEM/</tag>
-	variable requested (for deletion) is not currently set
-
-<tag><tt/PAM_ABORT/</tag>
-	the <bf/Linux-PAM/ handle, <tt/pamh/, is corrupt
-
-<tag><tt/PAM_BUF_ERR/</tag>
-	failed to allocate memory when attempting update
-
-</descrip>
-
-<sect2>Getting a PAM environment variable
-<label id="pam-getenv-section">
-
-<p>
-<tscreen>
-<verb>
-extern const char *pam_getenv(pam_handle_t *pamh, const char *name);
-</verb>
-</tscreen>
-
-<p>
-Obtain the value of the indicated <bf/Linux-PAM/ environment
-variable. On error, internal failure or the unavailability of the
-given variable (unspecified), this function simply returns <tt/NULL/.
-
-<sect2>Getting the PAM environment
-<label id="pam-getenvlist-section">
-
-<p>
-<tscreen>
-<verb>
-extern const char * const *pam_getenvlist(pam_handle_t *pamh);
-</verb>
-</tscreen>
-
-<p>
-The PAM environment variables (see section <ref
-id="pam-putenv-section" name="above">) are a complete set of enviroment
-variables that are associated with a PAM-handle (<tt/pamh/). They
-represent the contents of the <it/regular/ environment variables of
-the authenticated user when service is granted.
-
-<p>
-Th function, <tt>pam_getenvlist()</tt> returns a pointer to a complete,
-<tt/malloc()/'d, copy of the PAM environment.  It is a pointer to a
-duplicated list of environment variables.  It should be noted that
-this memory will never be <tt/free()'d/ by <tt/libpam/.  Once obtained
-by a call to <tt/pam_getenvlist()/, <bf>it is the responsibility of
-the calling application</bf> to <tt/free()/ this memory.
-
-<p>
-The format of the memory is a <tt/malloc()/'d array of <tt/char */
-pointers, the last element of which is set to <tt/NULL/. Each of the
-non-<tt/NULL/ entries in this array point to a <tt/NUL/ terminated and
-<tt/malloc()/'d <tt/char/ string of the form:
-<tt/"/<it/name/<tt/=/<it/value/<tt/"/.
-
-<p>
-It is by design, and not a coincidence, that the format and contents
-of the returned array matches that required for the third argument of
-the <tt/execle(3)/ function call.
-
-<sect1>What is expected of an application
-
-<sect2>The conversation function
-<label id="the-conversation-function">
-
-<p>
-An application must provide a ``conversation function''. It is used
-for direct communication between a loaded module and the application
-and will typically provide a means for the module to prompt the user
-for a password etc. . The structure, <tt/pam_conv/, is defined by
-including <tt>&lt;security/pam_appl.h&gt</tt>; to be,
-
-<p>
-<tscreen>
-<verb>
-struct pam_conv {
-    int (*conv)(int num_msg,
-        const struct pam_message **msg,
-        struct pam_response **resp,
-        void *appdata_ptr);
-    void *appdata_ptr;
-};
-</verb>
-</tscreen>
-
-<p>
-It is initialized by the application before it is passed to the
-library.  The <em/contents/ of this structure are attached to the
-<tt/*pamh/ handle.  The point of this argument is to provide a
-mechanism for any loaded module to interact directly with the
-application program. This is why it is called a <em/conversation/
-structure.
-
-<p>
-When a module calls the referenced <tt/conv()/ function, the argument
-<tt/*appdata_ptr/ is set to the second element of this structure.
-
-<p>
-The other arguments of a call to <tt/conv()/ concern the information
-exchanged by module and application. That is to say, <tt/num_msg/
-holds the length of the array of pointers, <tt/msg/. After a
-successful return, the pointer <tt/*resp/ points to an array of
-<tt/pam_response/ structures, holding the application supplied text.
-Note, <tt/*resp/ is an <tt/struct pam_response/ array and <em/not/ an
-array of pointers.
-
-<p>
-The message (from the module to the application) passing structure is
-defined by <tt>&lt;security/pam_appl.h&gt;</tt> as:
-
-<p>
-<tscreen>
-<verb>
-struct pam_message {
-    int msg_style;
-    const char *msg;
-};
-</verb>
-</tscreen>
-
-<p>
-Valid choices for <tt/msg_style/ are:
-
-<p><descrip>
-<tag><tt/PAM_PROMPT_ECHO_OFF/</tag>
-	Obtain a string without echoing any text
-<tag><tt/PAM_PROMPT_ECHO_ON/</tag>
-	Obtain a string whilst echoing text
-<tag><tt/PAM_ERROR_MSG/</tag>
-	Display an error
-<tag><tt/PAM_TEXT_INFO/</tag>
-	Display some text.
-</descrip>
-
-<p>
-The point of having an array of messages is that it becomes possible
-to pass a number of things to the application in a single call from
-the module. It can also be convenient for the application that related
-things come at once: a windows based application can then present a
-single form with many messages/prompts on at once.
-
-<p>
-In passing, it is worth noting that there is a descrepency between the
-way Linux-PAM handles the <tt/const struct pam_message **msg/
-conversation function argument from the way that Solaris' PAM (and
-derivitives, known to include HP/UX, <em/are there others?/)
-does. Linux-PAM interprets the <tt/msg/ argument as entirely
-equivalent to the following prototype <tt/const struct pam_message
-*msg[]/ (which, in spirit, is consistent with the commonly used
-prototypes for <tt/argv/ argument to the familiar <tt/main()/
-function: <tt/char **argv/; and <tt/char *argv[]/). Said another way
-Linux-PAM interprets the <tt/msg/ argument as a pointer to an array of
-<tt/num_meg/ read only 'struct pam_message' <em/pointers/.  Solaris'
-PAM implementation interprets this argument as a pointer to a pointer
-to an array of <tt/num_meg/ <tt/pam_message/ structures.  Fortunately,
-perhaps, for most module/application developers when <tt/num_msg/ has
-a value of one these two definitions are entirely
-equivalent. Unfortunately, casually raising this number to two has led
-to unanticipated compatibility problems.
-
-<p>
-For what its worth the two known module writer work-arounds for trying
-to maintain source level compatibility with both PAM implementations
-are:
-<itemize>
-<item> never call the conversation function with <tt/num_msg/ greater
-than one.
-<item> set up <tt/msg/ as doubly referenced so both types of
-conversation function can find the messages. That is, make
-<p><tscreen>
-<verb>
-msg[n] = & (( *msg )[n])
-</verb>
-</tscreen>
-</itemize>
-<p>
-The response (from the application to the module) passing structure is
-defined by including <tt>&lt;security/pam_appl.h&gt;</tt> as:
-
-<p><tscreen><verb>
-struct pam_response {
-    char *resp;
-    int resp_retcode;
-};
-</verb></tscreen>
-
-<p>
-Currently, there are no definitions for <tt/resp_retcode/ values; the
-normal value is <tt/0/.
-
-<p>
-Prior to the 0.59 release of Linux-PAM, the length of the returned
-<tt/pam_response/ array was equal to the number of <em/prompts/ (types
-<tt/PAM_PROMPT_ECHO_OFF/ and <tt/PAM_PROMPT_ECHO_ON/) in the
-<tt/pam_message/ array with which the conversation function was
-called.  This meant that it was not always necessary for the module to
-<tt/free(3)/ the responses if the conversation function was only used
-to display some text.
-
-<p>
-Post Linux-PAM-0.59.  The number of responses is always equal to the
-<tt/num_msg/ conversation function argument.  This is slightly easier
-to program but does require that the response array is <tt/free(3)/'d
-after every call to the conversation function.  The index of the
-responses corresponds directly to the prompt index in the
-<tt/pam_message/ array.
-
-<p>
-The maximum length of the <tt/pam_msg.msg/ and <tt/pam_response.resp/
-character strings is <tt/PAM_MAX_MSG_SIZE/.  (This is not enforced by
-Linux-PAM.)
-
-<p>
-<tt/PAM_SUCCESS/ is the expected return value of this
-function.  However, should an error occur the application should not
-set <tt/*resp/ but simply return <tt/PAM_CONV_ERR/.
-
-<p>
-Note, if an application wishes to use two conversation functions, it
-should activate the second with a call to <tt/pam_set_item()/.
-
-<p>
-<bf>Notes:</bf> New item types are being added to the conversation
-protocol.  Currently Linux-PAM supports: <tt>PAM_BINARY_PROMPT</tt>
-and <tt>PAM_BINARY_MSG</tt>.  These two are intended for server-client
-hidden information exchange and may be used as an interface for
-maching-machine authentication.
-
-<sect1>Programming notes
-
-<p>
-Note, all of the authentication service function calls accept the
-token <tt/PAM_SILENT/, which instructs the modules to not send
-messages to the application. This token can be logically OR'd with any
-one of the permitted tokens specific to the individual function calls.
-<tt/PAM_SILENT/ does not override the prompting of the user for
-passwords etc., it only stops informative messages from being
-generated.
-
-<sect>Security issues of <bf>Linux-PAM</bf>
-
-<p>
-PAM, from the perspective of an application, is a convenient API for
-authenticating users. PAM modules generally have no increased
-privilege over that possessed by the application that is making use of
-it. For this reason, the application must take ultimate responsibility
-for protecting the environment in which PAM operates.
-
-<p>
-A poorly (or maliciously) written application can defeat any
-<bf/Linux-PAM/ module's authentication mechanisms by simply ignoring
-it's return values.  It is the applications task and responsibility to
-grant privileges and access to services.  The <bf/Linux-PAM/ library
-simply assumes the responsibility of <em/authenticating/ the user;
-ascertaining that the user <em/is/ who they say they are.  Care should
-be taken to anticipate all of the documented behavior of the
-<bf/Linux-PAM/ library functions.  A failure to do this will most
-certainly lead to a future security breach.
-
-<sect1>Care about standard library calls
-
-<p>
-In general, writers of authorization-granting applications should
-assume that each module is likely to call any or <em/all/ `libc'
-functions.  For `libc' functions that return pointers to
-static/dynamically allocated structures (ie. the library allocates the
-memory and the user is not expected to `<tt/free()/' it) any module
-call to this function is likely to corrupt a pointer previously
-obtained by the application.  The application programmer should either
-re-call such a `libc' function after a call to the <bf/Linux-PAM/
-library, or copy the structure contents to some safe area of memory
-before passing control to the <bf/Linux-PAM/ library.
-
-<p>
-Two important function classes that fall into this category are
-<tt>getpwnam(3)</tt> and <tt>syslog(3)</tt>.
-
-<sect1>Choice of a service name
-
-<p>
-When picking the <em/service-name/ that corresponds to the first entry
-in the <bf/Linux-PAM/ configuration file, the application programmer
-should <bf/avoid/ the temptation of choosing something related to
-<tt/argv[0]/.  It is a trivial matter for any user to invoke any
-application on a system under a different name and this should not be
-permitted to cause a security breach.
-
-<p>
-In general, this is always the right advice if the program is setuid,
-or otherwise more privileged than the user that invokes it. In some
-cases, avoiding this advice is convenient, but as an author of such an
-application, you should consider well the ways in which your program
-will be installed and used. (Its often the case that programs are not
-intended to be setuid, but end up being installed that way for
-convenience. If your program falls into this category, don't fall into
-the trap of making this mistake.)
-
-<p>
-To invoke some <tt/target/ application by another name, the user may
-symbolically link the target application with the desired name.  To be
-precise all the user need do is,
-<tscreen>
-<verb>
-ln -s /target/application ./preferred_name
-</verb>
-</tscreen>
-and then <em/run/ <tt>./preferred_name</tt>
-
-<p>
-By studying the <bf/Linux-PAM/ configuration file(s), an attacker can
-choose the <tt/preferred_name/ to be that of a service enjoying
-minimal protection; for example a game which uses <bf/Linux-PAM/ to
-restrict access to certain hours of the day.  If the service-name were
-to be linked to the filename under which the service was invoked, it
-is clear that the user is effectively in the position of dictating
-which authentication scheme the service uses.  Needless to say, this
-is not a secure situation.
-
-<p>
-The conclusion is that the application developer should carefully
-define the service-name of an application. The safest thing is to make
-it a single hard-wired name.
-
-<sect1>The conversation function
-
-<p>
-Care should be taken to ensure that the <tt/conv()/ function is
-robust. Such a function is provided in the library <tt/libpam_misc/
-(see <ref id="libpam-misc-section" name="below">).
-
-<sect1>The identity of the user
-
-<p>
-The <bf/Linux-PAM/ modules will need to determine the identity of the
-user who requests a service, and the identity of the user who grants
-the service.  These two users will seldom be the same.  Indeed there
-is generally a third user identity to be considered, the new (assumed)
-identity of the user once the service is granted.
-
-<p>
-The need for keeping tabs on these identities is clearly an issue of
-security.  One convention that is actively used by some modules is
-that the identity of the user requesting a service should be the
-current <tt/uid/ (userid) of the running process; the identity of the
-privilege granting user is the <tt/euid/ (effective userid) of the
-running process; the identity of the user, under whose name the
-service will be executed, is given by the contents of the
-<tt/PAM_USER/ <tt/pam_get_item(3)/. Note, modules can change the
-values of <tt/PAM_USER/ and <tt/PAM_RUSER/ during any of the
-<tt/pam_*()/ library calls. For this reason, the application should
-take care to use the <tt/pam_get_item()/ every time it wishes to
-establish who the authenticated user is (or will currently be).
-
-<p>
-For network-serving databases and other applications that provide
-their own security model (independent of the OS kernel) the above
-scheme is insufficient to identify the requesting user.
-
-<p>
-A more portable solution to storing the identity of the requesting
-user is to use the <tt/PAM_RUSER/ <tt/pam_get_item(3)/. The
-application should supply this value before attempting to authenticate
-the user with <tt/pam_authenticate()/. How well this name can be
-trusted will ultimately be at the discretion of the local
-administrator (who configures PAM for your application) and a selected
-module may attempt to override the value where it can obtain more
-reliable data. If an application is unable to determine the identity
-of the requesting entity/user, it should not call <tt/pam_set_item(3)/
-to set <tt/PAM_RUSER/.
-
-<p>
-In addition to the <tt/PAM_RUSER/ item, the application should supply
-the <tt/PAM_RHOST/ (<em/requesting host/) item. As a general rule, the
-following convention for its value can be assumed: <tt/&lt;unset&gt;/
-= unknown; <tt/localhost/ = invoked directly from the local system;
-<em/other.place.xyz/ = some component of the user's connection
-originates from this remote/requesting host. At present, PAM has no
-established convention for indicating whether the application supports
-a trusted path to communication from this host.
-
-<sect1>Sufficient resources
-
-<p>
-Care should be taken to ensure that the proper execution of an
-application is not compromised by a lack of system resources.  If an
-application is unable to open sufficient files to perform its service,
-it should fail gracefully, or request additional resources.
-Specifically, the quantities manipulated by the <tt/setrlimit(2)/
-family of commands should be taken into consideration.
-
-<p>
-This is also true of conversation prompts. The application should not
-accept prompts of arbitrary length with out checking for resource
-allocation failure and dealing with such extreme conditions gracefully
-and in a mannor that preserves the PAM API. Such tolerance may be
-especially important when attempting to track a malicious adversary.
-
-<sect>A library of miscellaneous helper functions
-<label id="libpam-misc-section">
-
-<p>
-To aid the work of the application developer a library of
-miscellaneous functions is provided.  It is called <tt/libpam_misc/,
-and contains functions for allocating memory (securely), a text based
-conversation function, and routines for enhancing the standard
-PAM-environment variable support.
-
-<sect1>Requirements
-
-<p>
-The functions, structures and macros, made available by this library
-can be defined by including <tt>&lt;security/pam_misc.h&gt;</tt>.  It
-should be noted that this library is specific to <bf/Linux-PAM/ and is
-not referred to in the defining DCE-RFC (see <ref id="bibliography"
-name="the bibliography">) below.
-
-<sect1>Macros supplied
-
-<sect2>Safe duplication of strings
-
-<p>
-<tscreen>
-<verb>
-x_strdup(const char *s)
-</verb>
-</tscreen>
-
-<p>
-This macro is a replacement for the <tt/xstrdup()/ function that was
-present in earlier versions of the library and which clashed horribly
-with a number of applications. It returns a duplicate copy of the
-<tt/NUL/ terminated string, <tt/s/. <tt/NULL/ is returned if there is
-insufficient memory available for the duplicate or if <tt/s/ is
-<tt/NULL/ to begin with.
-
-<sect1>Functions supplied
-
-<sect2>A text based conversation function
-
-<p>
-<tscreen>
-<verb>
-extern int misc_conv(int num_msg, const struct pam_message **msgm,
-		     struct pam_response **response, void *appdata_ptr);
-</verb>
-</tscreen>
-
-<p>
-This is a function that will prompt the user with the appropriate
-comments and obtain the appropriate inputs as directed by
-authentication modules.
-
-<p>
-In addition to simply slotting into the appropriate <tt/struct
-pam_conv/, this function provides some time-out facilities.  The
-function exports five variables that can be used by an application
-programmer to limit the amount of time this conversation function will
-spend waiting for the user to type something.
-
-<p>
-The five variables are as follows:
-<descrip>
-<tag><tt>extern time_t pam_misc_conv_warn_time;</tt></tag>
-
-This variable contains the <em/time/ (as returned by <tt/time()/) that
-the user should be first warned that the clock is ticking. By default
-it has the value <tt/0/, which indicates that no such warning will be
-given. The application may set its value to sometime in the future,
-but this should be done prior to passing control to the <bf/Linux-PAM/
-library.
-
-<tag><tt>extern const char *pam_misc_conv_warn_line;</tt></tag>
-
-Used in conjuction with <tt/pam_misc_conv_warn_time/, this variable is
-a pointer to the string that will be displayed when it becomes time to
-warn the user that the timeout is approaching. Its default value is
-``..&bsol;a.Time is running out...&bsol;n'', but this can be changed
-by the application prior to passing control to <bf/Linux-PAM/.
-
-<tag><tt>extern time_t pam_misc_conv_die_time;</tt></tag>
-
-This variable contains the <em/time/ (as returned by <tt/time()/) that
-the conversation will time out. By default it has the value <tt/0/,
-which indicates that the conversation function will not timeout. The
-application may set its value to sometime in the future, this should
-be done prior to passing control to the <bf/Linux-PAM/ library.
-
-<tag><tt>extern const char *pam_misc_conv_die_line;</tt></tag>
-
-Used in conjuction with <tt/pam_misc_conv_die_time/, this variable is
-a pointer to the string that will be displayed when the conversation
-times out. Its default value is ``..&bsol;a.Sorry, your time is
-up!&bsol;n'', but this can be changed by the application prior to
-passing control to <bf/Linux-PAM/.
-
-<tag><tt>extern int pam_misc_conv_died;</tt></tag>
-
-Following a return from the <bf/Linux-PAM/ libraray, the value of this
-variable indicates whether the conversation has timed out. A value of
-<tt/1/ indicates the time-out occurred.
-
-</descrip>
-
-<p>
-The following two function pointers are available for supporting binary
-prompts in the conversation function. They are optimized for the
-current incarnation of the <tt/libpamc/ library and are subject to
-change.
-<descrip>
-<tag><tt>extern int (*pam_binary_handler_fn)(void *appdata, pamc_bp_t
-*prompt_p);</tt></tag>
-
-This function pointer is initialized to <tt/NULL/ but can be filled
-with a function that provides machine-machine (hidden) message
-exchange.  It is intended for use with hidden authentication protocols
-such as RSA or Diffie-Hellman key exchanges.  (This is still under
-development.)
-
-<tag><tt>extern int (*pam_binary_handler_free)(void *appdata,
-pamc_bp_t *delete_me);</tt></tag>
-
-This function pointer is initialized to <tt/PAM_BP_RENEW(delete_me, 0,
-0)/, but can be redefined as desired by the application.
-
-</descrip>
-
-<sect2>Transcribing an environment to that of Linux-PAM
-<p>
-<tscreen>
-<verb>
-extern int pam_misc_paste_env(pam_handle_t *pamh,
-			      const char * const * user_env);
-</verb>
-</tscreen>
-
-This function takes the supplied list of environment pointers and
-<em/uploads/ its contents to the <bf/Linux-PAM/ environment. Success
-is indicated by <tt/PAM_SUCCESS/.
-
-<sect2>Liberating a locally saved environment
-<p>
-<tscreen>
-<verb>
-extern char **pam_misc_drop_env(char **env);
-</verb>
-</tscreen>
-
-This function is defined to complement the <tt/pam_getenvlist()/
-function.  It liberates the memory associated with <tt/env/,
-<em/overwriting/ with <tt/0/ all memory before <tt/free()/ing it.
-
-<sect2>BSD like Linux-PAM environment variable setting
-<p>
-<tscreen>
-<verb>
-extern int pam_misc_setenv(pam_handle_t *pamh, const char *name,
-			   const char *value, int readonly);
-</verb>
-</tscreen>
-
-This function performs a task equivalent to <tt/pam_putenv()/, its
-syntax is, however, more like the BSD style function; <tt/setenv()/.
-The <tt/name/ and <tt/value/ are concatenated with an ``<tt/=/'' to
-form a <tt/name_value/ and passed to <tt/pam_putenv()/. If, however,
-the <bf/Linux-PAM/ variable is already set, the replacement will only
-be applied if the last argument, <tt/readonly/, is zero.
-
-<sect>Porting legacy applications
-
-<p>
-The following is extracted from an email.  I'll tidy it up later.
-
-<p>
-The point of PAM is that the application is not supposed to have any
-idea how the attached authentication modules will choose to
-authenticate the user.  So all they can do is provide a conversation
-function that will talk directly to the user(client) on the modules'
-behalf.
-
-<p>
-Consider the case that you plug a retinal scanner into the login
-program.  In this situation the user would be prompted: "please look
-into the scanner".  No username or password would be needed - all this
-information could be deduced from the scan and a database lookup.  The
-point is that the retinal scanner is an ideal task for a "module".
-
-<p>
-While it is true that a pop-daemon program is designed with the POP
-protocol in mind and no-one ever considered attaching a retinal
-scanner to it, it is also the case that the "clean" PAM'ification of
-such a daemon would allow for the possibility of a scanner module
-being be attached to it.  The point being that the "standard"
-pop-authentication protocol(s) [which will be needed to satisfy
-inflexible/legacy clients] would be supported by inserting an
-appropriate pam_qpopper module(s).  However, having rewritten popd
-once in this way any new protocols can be implemented in-situ.
-
-<p>
-One simple test of a ported application would be to insert the
-<tt/pam_permit/ module and see if the application demands you type a
-password...  In such a case, <tt/xlock/ would fail to lock the
-terminal - or would at best be a screen-saver, ftp would give password
-free access to all etc..  Neither of these is a very secure thing to
-do, but they do illustrate how much flexibility PAM puts in the hands
-of the local admin.
-
-<p>
-The key issue, in doing things correctly, is identifying what is part
-of the authentication procedure (how many passwords etc..) the
-exchange protocol (prefixes to prompts etc., numbers like 331 in the
-case of ftpd) and what is part of the service that the application
-delivers.  PAM really needs to have total control in the
-authentication "procedure", the conversation function should only
-deal with reformatting user prompts and extracting responses from raw
-input.
-
-<sect>Glossary of PAM related terms
-
-<p>
-The following are a list of terms used within this document.
-
-<p>
-<descrip>
-
-<tag>Authentication token</tag>
-Generally, this is a password.  However, a user can authenticate
-him/herself in a variety of ways.  Updating the user's authentication
-token thus corresponds to <em>refreshing</em> the object they use to
-authenticate themself with the system.  The word password is avoided
-to keep open the possibility that the authentication involves a
-retinal scan or other non-textual mode of challenge/response.
-
-<tag>Credentials</tag>
-Having successfully authenticated the user, PAM is able to establish
-certain characteristics/attributes of the user.  These are termed
-<em>credentials</em>.  Examples of which are group memberships to
-perform privileged tasks with, and <em>tickets</em> in the form of
-environment variables etc. .  Some user-credentials, such as the
-user's UID and GID (plus default group memberships) are not deemed to
-be PAM-credentials.  It is the responsibility of the application to
-grant these directly.
-
-</descrip>
-
-<sect>An example application
-
-<p>
-To get a flavor of the way a <tt/Linux-PAM/ application is written we
-include the following example. It prompts the user for their password
-and indicates whether their account is valid on the standard output,
-its return code also indicates the success (<tt/0/ for success; <tt/1/
-for failure).
-
-<p>
-<tscreen>
-<verb>
-/*
-  This program was contributed by Shane Watts
-  [modifications by AGM]
-
-  You need to add the following (or equivalent) to the /etc/pam.conf file.
-  # check authorization
-  check_user   auth       required     /usr/lib/security/pam_unix_auth.so
-  check_user   account    required     /usr/lib/security/pam_unix_acct.so
- */
-
-#include <security/pam_appl.h>
-#include <security/pam_misc.h>
-#include <stdio.h>
-
-static struct pam_conv conv = {
-    misc_conv,
-    NULL
-};
-
-int main(int argc, char *argv[])
-{
-    pam_handle_t *pamh=NULL;
-    int retval;
-    const char *user="nobody";
-
-    if(argc == 2) {
-	user = argv[1];
-    }
-
-    if(argc > 2) {
-	fprintf(stderr, "Usage: check_user [username]\n");
-	exit(1);
-    }
-
-    retval = pam_start("check_user", user, &ero;conv, &ero;pamh);
-	
-    if (retval == PAM_SUCCESS)
-        retval = pam_authenticate(pamh, 0);    /* is user really user? */
-
-    if (retval == PAM_SUCCESS)
-        retval = pam_acct_mgmt(pamh, 0);       /* permitted access? */
-
-    /* This is where we have been authorized or not. */
-
-    if (retval == PAM_SUCCESS) {
-	fprintf(stdout, "Authenticated\n");
-    } else {
-	fprintf(stdout, "Not Authenticated\n");
-    }
-
-    if (pam_end(pamh,retval) != PAM_SUCCESS) {     /* close Linux-PAM */
-	pamh = NULL;
-	fprintf(stderr, "check_user: failed to release authenticator\n");
-	exit(1);
-    }
-
-    return ( retval == PAM_SUCCESS ? 0:1 );       /* indicate success */
-}
-</verb>
-</tscreen>
-
-<sect>Files
-
-<p><descrip>
-
-<tag><tt>/usr/include/security/pam_appl.h</tt></tag>
-
-header file for <bf/Linux-PAM/ applications interface
-
-<tag><tt>/usr/include/security/pam_misc.h</tt></tag>
-
-header file for useful library functions for making applications
-easier to write
-
-<tag><tt>/usr/lib/libpam.so.*</tt></tag>
-
-the shared library providing applications with access to
-<bf/Linux-PAM/.
-
-<tag><tt>/etc/pam.conf</tt></tag>
-
-the <bf/Linux-PAM/ configuration file.
-
-<tag><tt>/usr/lib/security/pam_*.so</tt></tag>
-
-the primary location for <bf/Linux-PAM/ dynamically loadable object
-files; the modules.
-
-</descrip>
-
-<sect>See also
-<label id="bibliography">
-
-<p><itemize>
-
-<item>The <bf/Linux-PAM/
-<htmlurl url="pam.html" name="System Administrators' Guide">.
-
-<item>The <bf/Linux-PAM/
-<htmlurl url="pam_modules.html" name="Module Writers' Guide">.
-
-<item>The V. Samar and R. Schemers (SunSoft), ``UNIFIED LOGIN WITH
-PLUGGABLE AUTHENTICATION MODULES'', Open Software Foundation Request
-For Comments 86.0, October 1995.
-
-</itemize>
-
-<sect>Notes
-
-<p>
-I intend to put development comments here... like ``at the moment
-this isn't actually supported''. At release time what ever is in
-this section will be placed in the Bugs section below! :)
-
-<p>
-<itemize>
-
-<item> <tt/pam_strerror()/ should be internationalized....
-
-<item>
-Note, the <tt/resp_retcode/ of struct <tt/pam_message/, has no
-purpose at the moment. Ideas/suggestions welcome!
-
-<item> more security issues are required....
-
-</itemize>
-
-<sect>Author/acknowledgments
-
-<p>
-This document was written by Andrew G. Morgan
-(morgan@kernel.org) with many contributions from
-<!-- insert credits here -->
-<!--
- an sgml list of people to credit for their contributions to Linux-PAM
- $Id: pam_appl.sgml,v 1.10 2004/09/22 09:37:47 kukuk Exp $
-  -->
-Chris Adams,
-Peter Allgeyer,
-Tim Baverstock,
-Tim Berger,
-Craig S. Bell,
-Derrick J. Brashear,
-Ben Buxton,
-Seth Chaiklin,
-Oliver Crow,
-Chris Dent,
-Marc Ewing,
-Cristian Gafton,
-Emmanuel Galanos,
-Brad M. Garcia,
-Eric Hester,
-Roger Hu,
-Eric Jacksch,
-Michael K. Johnson,
-David Kinchlea,
-Olaf Kirch,
-Marcin Korzonek,
-Stephen Langasek,
-Nicolai Langfeldt,
-Elliot Lee,
-Luke Kenneth Casson Leighton,
-Al Longyear,
-Ingo Luetkebohle,
-Marek Michalkiewicz,
-Robert Milkowski,
-Aleph One,
-Martin Pool,
-Sean Reifschneider,
-Jan Rekorajski,
-Erik Troan,
-Theodore Ts'o,
-Jeff Uphoff,
-Myles Uyema,
-Savochkin Andrey Vladimirovich,
-Ronald Wahl,
-David Wood,
-John Wilmes,
-Joseph S. D. Yao
-and
-Alex O.  Yuriev.
-
-<p>
-Thanks are also due to Sun Microsystems, especially to Vipin Samar and
-Charlie Lai for their advice. At an early stage in the development of
-<bf/Linux-PAM/, Sun graciously made the documentation for their
-implementation of PAM available. This act greatly accelerated the
-development of <bf/Linux-PAM/.
-
-<sect>Bugs/omissions
-
-<p>
-This manual is hopelessly unfinished. Only a partial list of people is
-credited for all the good work they have done.
-
-<sect>Copyright information for this document
-
-<p>
-Copyright (c) Andrew G. Morgan 1996-9,2000-1.  All rights reserved.
-<newline>
-Email: <tt>&lt;morgan@kernel.org&gt;</tt>
-
-<p>
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-<p>
-<itemize>
-
-<item>
-1. Redistributions of source code must retain the above copyright
-   notice, and the entire permission notice in its entirety,
-   including the disclaimer of warranties.
-
-<item>
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-<item>
-3. The name of the author may not be used to endorse or promote
-   products derived from this software without specific prior
-   written permission.
-
-</itemize>
-
-<p>
-<bf/Alternatively/, this product may be distributed under the terms of
-the GNU General Public License (GPL), in which case the provisions of
-the GNU GPL are required <bf/instead of/ the above restrictions.
-(This clause is necessary due to a potential bad interaction between
-the GNU GPL and the restrictions contained in a BSD-style copyright.)
-
-<p>
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
-OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
-TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
-DAMAGE.
-
-<p>
-<tt>$Id: pam_appl.sgml,v 1.10 2004/09/22 09:37:47 kukuk Exp $</tt>
-
-</article>
diff --git a/Linux-PAM/doc/pam_modules.sgml b/Linux-PAM/doc/pam_modules.sgml
deleted file mode 100644
index 9d77b25f..00000000
--- a/Linux-PAM/doc/pam_modules.sgml
+++ /dev/null
@@ -1,1505 +0,0 @@
-<!doctype linuxdoc system>
-
-<!--
-
- $Id: pam_modules.sgml,v 1.9 2002/05/10 06:00:12 agmorgan Exp $
-
-    Copyright (c) Andrew G. Morgan 1996-2001.  All rights reserved.
-
-	** some sections, in this document, were contributed by other
-	** authors. They carry individual copyrights.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-1. Redistributions of source code must retain the above copyright
-   notice, and the entire permission notice in its entirety,
-   including the disclaimer of warranties.
-
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-3. The name of the author may not be used to endorse or promote
-   products derived from this software without specific prior
-   written permission.
-
-ALTERNATIVELY, this product may be distributed under the terms of the
-GNU General Public License, in which case the provisions of the GNU
-GPL are required INSTEAD OF the above restrictions.  (This clause is
-necessary due to a potential bad interaction between the GNU GPL and
-the restrictions contained in a BSD-style copyright.)
-
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
-OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
-TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
-DAMAGE.
-
- -->
-
-<article>
-
-<title>The Linux-PAM Module Writers' Guide
-<author>Andrew G. Morgan, <tt>morgan@kernel.org</tt>
-<date>DRAFT v0.76 2002/05/09
-<abstract>
-This manual documents what a programmer needs to know in order to
-write a module that conforms to the <bf/Linux-PAM/ standard. It also
-discusses some security issues from the point of view of the module
-programmer.
-</abstract>
-
-<toc>
-
-<sect>Introduction
-
-<sect1> Synopsis
-<p>
-<tscreen>
-<verb>
-#include <security/pam_modules.h>
-
-gcc -fPIC -c pam_module-name.c
-ld -x --shared -o pam_module-name.so pam_module-name.o
-</verb>
-</tscreen>
-
-<sect1> Description
-
-<p>
-<bf/Linux-PAM/ (Pluggable Authentication Modules for Linux) is a
-library that enables the local system administrator to choose how
-individual applications authenticate users.  For an overview of the
-<bf/Linux-PAM/ library see the <bf/Linux-PAM/ System Administrators'
-Guide.
-
-<p>
-A <bf/Linux-PAM/ module is a single executable binary file that can be
-loaded by the <bf/Linux-PAM/ interface library. This PAM library is
-configured locally with a system file, <tt>/etc/pam.conf</tt>, to
-authenticate a user request via the locally available authentication
-modules. The modules themselves will usually be located in the
-directory <tt>/usr/lib/security</tt> and take the form of dynamically
-loadable object files (see dlopen(3)). Alternatively, the modules can
-be statically linked into the <bf/Linux-PAM/ library; this is mostly to
-allow <bf/Linux-PAM/ to be used on platforms without dynamic linking
-available, but the two forms can be used together.  It is the
-<bf/Linux-PAM/ interface that is called by an application and it is
-the responsibility of the library to locate, load and call the
-appropriate functions in a <bf/Linux-PAM/-module.
-
-<p>
-Except for the immediate purpose of interacting with the user
-(entering a password etc..) the module should never call the
-application directly. This exception requires a "conversation
-mechanism" which is documented below.
-
-<sect>What can be expected by the module
-
-<p>
-Here we list the interface that the conventions that all
-<bf/Linux-PAM/ modules must adhere to.
-
-<sect1>Getting and setting <tt/PAM_ITEM/s and <em/data/
-
-<p>
-First, we cover what the module should expect from the <bf/Linux-PAM/
-library and a <bf/Linux-PAM/ <em/aware/ application. Essesntially this
-is the <tt/libpam.*/ library.
-
-<sect2>
-Setting data
-
-<p>
-Synopsis:
-<tscreen>
-<verb>
-extern int pam_set_data(pam_handle_t *pamh,
-                        const char *module_data_name,
-			void *data,
-			void (*cleanup)(pam_handle_t *pamh,
-			                void *data, int error_status) );
-</verb>
-</tscreen>
-
-<p>
-The modules may be dynamically loadable objects. In general such files
-should not contain <tt/static/ variables. This and the subsequent
-function provide a mechanism for a module to associate some data with
-the handle <tt/pamh/. Typically a module will call the
-<tt/pam_set_data()/ function to register some data under a (hopefully)
-unique <tt/module_data_name/. The data is available for use by other
-modules too but <em/not/ by an application.
-
-<p>
-The function <tt/cleanup()/ is associated with the <tt/data/ and, if
-non-<tt/NULL/, it is called when this data is over-written or
-following a call to <tt/pam_end()/ (see the Linux-PAM Application
-Developers' Guide).
-
-<p>
-The <tt/error_status/ argument is used to indicate to the module the
-sort of action it is to take in cleaning this data item. As an
-example, Kerberos creates a ticket file during the authentication
-phase, this file might be associated with a data item. When
-<tt/pam_end()/ is called by the module, the <tt/error_status/
-carries the return value of the <tt/pam_authenticate()/ or other
-<tt/libpam/ function as appropriate. Based on this value the Kerberos
-module may choose to delete the ticket file (<em/authentication
-failure/) or leave it in place.
-
-<p>
-The <tt/error_status/ may have been logically OR'd with either of the
-following two values:
-
-<p>
-<descrip>
-<tag><tt/PAM_DATA_REPLACE/</tag>
-	When a data item is being replaced (through a second call to
-<tt/pam_set_data()/) this mask is used. Otherwise, the call is assumed
-to be from <tt/pam_end()/.
-
-<tag><tt/PAM_DATA_SILENT/</tag>
-	Which indicates that the process would prefer to perform the
-<tt/cleanup()/ quietly. That is, discourages logging/messages to the
-user.
-
-</descrip>
-
-
-<sect2>
-Getting data
-
-<p>
-Synopsis:
-<tscreen>
-<verb>
-extern int pam_get_data(const pam_handle_t *pamh,
-			const char *module_data_name,
-			const void **data);
-</verb>
-</tscreen>
-
-<p>
-This function together with the previous one provides a method of
-associating module-specific data with the handle <tt/pamh/. A
-successful call to <tt/pam_get_data/ will result in <tt/*data/
-pointing to the data associated with the <tt/module_data_name/. Note,
-this data is <em/not/ a copy and should be treated as <em/constant/
-by the module.
-
-<p>
-Note, if there is an entry but it has the value <tt/NULL/, then this
-call returns <tt/PAM_NO_MODULE_DATA/.
-
-<sect2>
-Setting items
-
-<p>
-Synopsis:
-<tscreen>
-<verb>
-extern int pam_set_item(pam_handle_t *pamh,
-                        int item_type,
-			const void *item);
-</verb>
-</tscreen>
-
-<p>
-This function is used to (re)set the value of one of the
-<tt/item_type/s.  The reader is urged to read the entry for this
-function in the <bf/Linux-PAM/ application developers' manual.
-
-<p>
-In addition to the <tt/item/s listed there, the module can set the
-following two <tt/item_type/s:
-
-<p>
-<descrip>
-<tag><tt/PAM_AUTHTOK/</tag>
-
-The authentication token (often a password). This token should be
-ignored by all module functions besides <tt/pam_sm_authenticate()/ and
-<tt/pam_sm_chauthtok()/. In the former function it is used to pass the
-most recent authentication token from one stacked module to
-another. In the latter function the token is used for another
-purpose. It contains the currently active authentication token.
-
-<tag><tt/PAM_OLDAUTHTOK/</tag>
-
-The old authentication token. This token should be ignored by all
-module functions except <tt/pam_sm_chauthtok()/.
-
-</descrip>
-
-<p>
-Both of these items are reset before returning to the application.
-When resetting these items, the <bf/Linux-PAM/ library first writes
-<tt/0/'s to the current tokens and then <tt/free()/'s the associated
-memory.
-
-<p>
-The return values for this function are listed in the 
-<bf>Linux-PAM</bf> Application Developers' Guide.
-
-<sect2>
-Getting items
-
-<p>
-Synopsis:
-<tscreen>
-<verb>
-extern int pam_get_item(const pam_handle_t *pamh,
-			int item_type,
-			const void **item);
-</verb>
-</tscreen>
-
-<p>
-This function is used to obtain the value of the specified
-<tt/item_type/. It is better documented in the <bf/Linux-PAM/
-Application Developers' Guide. However, there are three things worth
-stressing here:
-<itemize>
-
-<item>
-Generally, if the module wishes to obtain the name of the user, it
-should not use this function, but instead perform a call to
-<tt/pam_get_user()/ (see section <ref id="pam-get-user"
-name="below">).
-
-<item>
-The module is additionally privileged to read the authentication
-tokens, <tt/PAM_AUTHTOK/ and <tt/PAM_OLDAUTHTOK/ (see the section
-above on <tt/pam_set_data()/).
-
-<item>
-The module should <em/not/ <tt/free()/ or alter the data pointed to by
-<tt/*item/ after a successful return from <tt/pam_get_item()/. This
-pointer points directly at the data contained within the <tt/*pamh/
-structure.  Should a module require that a change is made to the this
-<tt/ITEM/ it should make the appropriate call to <tt/pam_set_item()/.
-</itemize>
-
-<sect2>The <em/conversation/ mechanism
-
-<p>
-Following the call <tt>pam_get_item(pamh,PAM_CONV,&amp;item)</tt>, the
-pointer <tt/item/ points to a structure containing an a pointer to a
-<em/conversation/-function that provides limited but direct access to
-the application.  The purpose of this function is to allow the module
-to prompt the user for their password and pass other information in a
-manner consistent with the application. For example, an X-windows
-based program might pop up a dialog box to report a login
-failure. Just as the application should not be concerned with the
-method of authentication, so the module should not dictate the manner
-in which input (output) is obtained from (presented to) to the user.
-
-<p>
-<bf>The reader is strongly urged to read the more complete description of
-the <tt/pam_conv/ structure, written from the perspective of the
-application developer, in the <bf/Linux-PAM/ Application Developers'
-Guide.</bf>
-
-<p>
-The return values for this function are listed in the 
-<bf>Linux-PAM</bf> Application Developers' Guide.
-
-<p>
-The <tt/pam_response/ structure returned after a call to the
-<tt/pam_conv/ function must be <tt/free()/'d by the module. Since the
-call to the conversation function originates from the module, it is
-clear that this <tt/pam_response/ structure could be either statically
-or dynamically (using <tt/malloc()/ etc.) allocated within the
-application. Repeated calls to the conversation function would likely
-overwrite static memory, so it is required that for a successful
-return from the conversation function the memory for the response
-structure is dynamically allocated by the application with one of the
-<tt/malloc()/ family of commands and <em/must/ be <tt/free()/'d by the
-module.
-
-<p>
-If the <tt/pam_conv/ mechanism is used to enter authentication tokens,
-the module should either pass the result to the <tt/pam_set_item()/
-library function, or copy it itself. In such a case, once the token
-has been stored (by one of these methods or another one), the memory
-returned by the application should be overwritten with <tt/0/'s, and
-then <tt/free()/'d.
-
-There is a handy macro <tt/_pam_drop_reply()/ to be found in
-<tt>&lt;security/_pam_macros.h&gt;</tt> that can be used to
-conveniently cleanup a <tt/pam_response/ structure. (Note, this
-include file is specific to the Linux-PAM sources, and whilst it will
-work with Sun derived PAM implementations, it is not generally
-distributed by Sun.)
-
-<sect2>Getting the name of a user<label id="pam-get-user">
-
-<p>
-Synopsis:
-<tscreen>
-<verb>
-extern int pam_get_user(pam_handle_t *pamh, 
-                        const char **user,
-			const char *prompt);
-</verb>
-</tscreen>
-
-<p>
-This is a <bf/Linux-PAM/ library function that returns the
-(prospective) name of the user. To determine the username it does the
-following things, in this order:
-<itemize>
-
-<item> checks what <tt/pam_get_item(pamh, PAM_USER, ... );/ would have
-returned. If this is not <tt/NULL/ this is what it returns. Otherwise,
-
-<item> obtains a username from the application via the <tt/pam_conv/
-mechanism, it prompts the user with the first non-<tt/NULL/ string in
-the following list:
-<itemize>
-
-<item> The <tt/prompt/ argument passed to the function
-<item> What is returned by <tt/pam_get_item(pamh,PAM_USER_PROMPT, ... );/
-<item> The default prompt: ``Please enter username: ''
-
-</itemize>
-</itemize>
-
-<p>
-By whatever means the username is obtained, a pointer to it is
-returned as the contents of <tt/*user/. Note, this memory should
-<em/not/ be <tt/free()/'d by the module. Instead, it will be liberated
-on the next call to <tt/pam_get_user()/, or by <tt/pam_end()/ when the
-application ends its interaction with <bf/Linux-PAM/.
-
-<p>
-Also, in addition, it should be noted that this function sets the
-<tt/PAM_USER/ item that is associated with the <tt/pam_[gs]et_item()/
-function.
-
-<p>
-The return value of this function is one of the following:
-<itemize>
-
-<item> <tt/PAM_SUCCESS/ - username obtained.
-
-<item> <tt/PAM_CONV_AGAIN/ - converstation did not complete and the
-caller is required to return control to the application, until such
-time as the application has completed the conversation process. A
-module calling <tt/pam_get_user()/ that obtains this return code,
-should return <tt/PAM_INCOMPLETE/ and be prepared (when invoked the
-next time) to recall <tt/pam_get_user()/ to fill in the user's name,
-and then pick up where it left off as if nothing had happened. This
-procedure is needed to support an event-driven application programming
-model.
-
-<item> <tt/PAM_CONV_ERR/ - the conversation method supplied by the
-application failed to obtain the username.
-
-</itemize>
-
-<sect2>Setting a Linux-PAM environment variable
-
-<p>
-Synopsis:
-<tscreen>
-<verb>
-extern int pam_putenv(pam_handle_t *pamh, const char *name_value);
-</verb>
-</tscreen>
-
-<p>
-<bf/Linux-PAM/ comes equipped with a series of functions for
-maintaining a set of <em/environment/ variables. The environment is
-initialized by the call to <tt/pam_start()/ and is <bf/erased/ with a
-call to <tt/pam_end()/.  This <em/environment/ is associated with the
-<tt/pam_handle_t/ pointer returned by the former call.
-
-<p>
-The default environment is all but empty. It contains a single
-<tt/NULL/ pointer, which is always required to terminate the
-variable-list.  The <tt/pam_putenv()/ function can be used to add a
-new environment variable, replace an existing one, or delete an old
-one.
-
-<p>
-<itemize>
-<item>Adding/replacing a variable<newline>
-
-To add or overwrite a <bf/Linux-PAM/ environment variable the value of
-the argument <tt/name_value/, should be of the following form:
-<tscreen>
-<verb>
-name_value="VARIABLE=VALUE OF VARIABLE"
-</verb>
-</tscreen>
-Here, <tt/VARIABLE/ is the environment variable's name and what
-follows the `<tt/=/' is its (new) value. (Note, that <tt/"VARIABLE="/
-is a valid value for <tt/name_value/, indicating that the variable is
-set to <tt/""/.)
-
-<item> Deleting a variable<newline>
-
-To delete a <bf/Linux-PAM/ environment variable the value of
-the argument <tt/name_value/, should be of the following form:
-<tscreen>
-<verb>
-name_value="VARIABLE"
-</verb>
-</tscreen>
-Here, <tt/VARIABLE/ is the environment variable's name and the absence
-of an `<tt/=/' indicates that the variable should be removed.
-
-</itemize>
-
-<p>
-In all cases <tt/PAM_SUCCESS/ indicates success.
-
-<sect2>Getting a Linux-PAM environment variable
-
-<p>
-Synopsis:
-<tscreen>
-<verb>
-extern const char *pam_getenv(pam_handle_t *pamh, const char *name);
-</verb>
-</tscreen>
-
-<p>
-This function can be used to return the value of the given
-variable. If the returned value is <tt/NULL/, the variable is not
-known.
-
-<sect2>Listing the Linux-PAM environment
-
-<p>
-Synopsis:
-<tscreen>
-<verb>
-extern char * const *pam_getenvlist(pam_handle_t *pamh);
-</verb>
-</tscreen>
-
-<p>
-This function returns a pointer to the entire <bf/Linux-PAM/
-environment array.  At first sight the <em/type/ of the returned data
-may appear a little confusing.  It is basically a <em/read-only/ array
-of character pointers, that lists the <tt/NULL/ terminated list of
-environment variables set so far.
-
-<p>
-Although, this is not a concern for the module programmer, we mention
-here that an application should be careful to copy this entire array
-before executing <tt/pam_end()/ otherwise all the variable information
-will be lost. (There are functions in <tt/libpam_misc/ for this
-purpose: <tt/pam_misc_copy_env()/ and <tt/pam_misc_drop_env()/.)
-
-<sect1>Other functions provided by <tt/libpam/
-
-<sect2>Understanding errors
-
-<p>
-<itemize>
-
-<item>
-<tt>extern const char *pam_strerror(pam_handle_t *pamh, int errnum);</tt>
-
-<p>
-This function returns some text describing the <bf/Linux-PAM/ error
-associated with the argument <tt/errnum/.  If the error is not
-recognized <tt/``Unknown Linux-PAM error''/ is returned.
-
-</itemize>
-
-<sect2>Planning for delays
-
-<p>
-<itemize>
-
-<item>
-<tt>extern int pam_fail_delay(pam_handle_t *pamh, unsigned int
-micro_sec)</tt>
-
-<p>
-This function is offered by <bf/Linux-PAM/ to facilitate time delays
-following a failed call to <tt/pam_authenticate()/ and before control
-is returned to the application. When using this function the module
-programmer should check if it is available with,
-<tscreen>
-<verb>
-#ifdef PAM_FAIL_DELAY
-    ....
-#endif /* PAM_FAIL_DELAY */
-</verb>
-</tscreen>
-
-<p>
-Generally, an application requests that a user is authenticated by
-<bf/Linux-PAM/ through a call to <tt/pam_authenticate()/ or
-<tt/pam_chauthtok()/.  These functions call each of the <em/stacked/
-authentication modules listed in the <bf/Linux-PAM/ configuration
-file.  As directed by this file, one of more of the modules may fail
-causing the <tt/pam_...()/ call to return an error.  It is desirable
-for there to also be a pause before the application continues. The
-principal reason for such a delay is security: a delay acts to
-discourage <em/brute force/ dictionary attacks primarily, but also
-helps hinder <em/timed/ (cf. covert channel) attacks.
-
-<p>
-The <tt/pam_fail_delay()/ function provides the mechanism by which an
-application or module can suggest a minimum delay (of <tt/micro_sec/
-<em/micro-seconds/). <bf/Linux-PAM/ keeps a record of the longest time
-requested with this function. Should <tt/pam_authenticate()/ fail,
-the failing return to the application is delayed by an amount of time
-randomly distributed (by up to 25%) about this longest value.
-
-<p>
-Independent of success, the delay time is reset to its zero default
-value when <bf/Linux-PAM/ returns control to the application.
-
-</itemize>
-
-<sect>What is expected of a module
-
-<p>
-The module must supply a sub-set of the six functions listed
-below. Together they define the function of a <bf/Linux-PAM
-module/. Module developers are strongly urged to read the comments on
-security that follow this list.
-
-<sect1> Overview
-
-<p>
-The six module functions are grouped into four independent management
-groups. These groups are as follows: <em/authentication/,
-<em/account/, <em/session/ and <em/password/. To be properly defined,
-a module must define all functions within at least one of these
-groups. A single module may contain the necessary functions for
-<em/all/ four groups.
-
-<sect2> Functional independence
-
-<p>
-The independence of the four groups of service a module can offer
-means that the module should allow for the possibility that any one of
-these four services may legitimately be called in any order. Thus, the
-module writer should consider the appropriateness of performing a
-service without the prior success of some other part of the module.
-
-<p>
-As an informative example, consider the possibility that an
-application applies to change a user's authentication token, without
-having first requested that <bf/Linux-PAM/ authenticate the user. In
-some cases this may be deemed appropriate: when <tt/root/ wants to
-change the authentication token of some lesser user. In other cases it
-may not be appropriate: when <tt/joe/ maliciously wants to reset
-<tt/alice/'s password; or when anyone other than the user themself
-wishes to reset their <em/KERBEROS/ authentication token. A policy for
-this action should be defined by any reasonable authentication scheme,
-the module writer should consider this when implementing a given
-module.
-
-<sect2> Minimizing administration problems
-
-<p>
-To avoid system administration problems and the poor construction of a
-<tt>/etc/pam.conf</tt> file, the module developer may define all
-six of the following functions. For those functions that would not be
-called, the module should return <tt/PAM_SERVICE_ERR/ and write an
-appropriate message to the system log. When this action is deemed
-inappropriate, the function would simply return <tt/PAM_IGNORE/.
-
-<sect2> Arguments supplied to the module
-
-<p>
-The <tt/flags/ argument of each of the following functions can be
-logically OR'd with <tt/PAM_SILENT/, which is used to inform the
-module to not pass any <em/text/ (errors or warnings) to the
-application.
-
-<p>
-The <tt/argc/ and <tt/argv/ arguments are taken from the line
-appropriate to this module---that is, with the <em/service_name/
-matching that of the application---in the configuration file (see the
-<bf/Linux-PAM/ System Administrators' Guide). Together these two
-parameters provide the number of arguments and an array of pointers to
-the individual argument tokens. This will be familiar to C programmers
-as the ubiquitous method of passing command arguments to the function
-<tt/main()/. Note, however, that the first argument (<tt/argv[0]/) is
-a true argument and <bf/not/ the name of the module.
-
-<sect1> Authentication management
-
-<p>
-To be correctly initialized, <tt/PAM_SM_AUTH/ must be <tt/#define/'d
-prior to including <tt>&lt;security/pam_modules.h&gt;</tt>. This will
-ensure that the prototypes for static modules are properly declared.
-
-<p>
-<itemize>
-
-<item>
-<tt>PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
-int argc, const char **argv);</tt>
-
-<p>
-This function performs the task of authenticating the user. 
-
-<p>
-The <tt/flags/ argument can be a logically OR'd with <tt/PAM_SILENT/
-and optionally take the following value:
-
-<p><descrip>
-<tag><tt/PAM_DISALLOW_NULL_AUTHTOK/</tag>
-	return <tt/PAM_AUTH_ERR/ if the database of authentication
-tokens for this authentication mechanism has a <tt/NULL/ entry for the
-user. Without this flag, such a <tt/NULL/ token will lead to a success
-without the user being prompted.
-</descrip>
-
-<p>
-Besides <tt/PAM_SUCCESS/ return values that can be sent by this
-function are one of the following:
-
-<descrip>
-
-<tag><tt/PAM_AUTH_ERR/</tag>
-	The user was not authenticated
-<tag><tt/PAM_CRED_INSUFFICIENT/</tag>
-	For some reason the application does not have sufficient
-credentials to authenticate the user.
-<tag><tt/PAM_AUTHINFO_UNAVAIL/</tag>
-	The modules were not able to access the authentication
-information. This might be due to a network or hardware failure etc.
-<tag><tt/PAM_USER_UNKNOWN/</tag>
-	The supplied username is not known to the authentication
-service
-<tag><tt/PAM_MAXTRIES/</tag>
-	One or more of the authentication modules has reached its
-limit of tries authenticating the user. Do not try again.
-
-</descrip>
-
-<item>
-<tt>PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int
-argc, const char **argv);</tt>
-
-<p>
-This function performs the task of altering the credentials of the
-user with respect to the corresponding authorization
-scheme. Generally, an authentication module may have access to more
-information about a user than their authentication token. This
-function is used to make such information available to the
-application. It should only be called <em/after/ the user has been
-authenticated but before a session has been established.
-
-<p>
-Permitted flags, one of which, may be logically OR'd with
-<tt/PAM_SILENT/ are,
-
-<p><descrip>
-<tag><tt/PAM_ESTABLISH_CRED/</tag>
-	Set the credentials for the authentication service,
-<tag><tt/PAM_DELETE_CRED/</tag>
-	Delete the credentials associated with the authentication service,
-<tag><tt/PAM_REINITIALIZE_CRED/</tag>
-	Reinitialize the user credentials, and
-<tag><tt/PAM_REFRESH_CRED/</tag>
-	Extend the lifetime of the user credentials.
-</descrip>
-
-<p>
-Prior to <bf/Linux-PAM-0.75/, and due to a deficiency with the way the
-<tt/auth/ stack was handled in the case of the setcred stack being
-processed, the module was required to attempt to return the same error
-code as <tt/pam_sm_authenticate/ did.  This was necessary to preserve
-the logic followed by libpam as it executes the stack of
-<em/authentication/ modules, when the application called either
-<tt/pam_authenticate()/ or <tt/pam_setcred()/.  Failing to do this,
-led to confusion on the part of the System Administrator.
-
-<p>
-For <bf/Linux-PAM-0.75/ and later, libpam handles the credential stack
-much more sanely. The way the <tt/auth/ stack is navigated in order to
-evaluate the <tt/pam_setcred()/ function call, independent of the
-<tt/pam_sm_setcred()/ return codes, is exactly the same way that it
-was navigated when evaluating the <tt/pam_authenticate()/ library
-call. Typically, if a stack entry was ignored in evaluating
-<tt/pam_authenticate()/, it will be ignored when libpam evaluates the
-<tt/pam_setcred()/ function call. Otherwise, the return codes from
-each module specific <tt/pam_sm_setcred()/ call are treated as
-<tt/required/.
-
-<p>
-Besides <tt/PAM_SUCCESS/, the module may return one of the following
-errors:
-
-<p><descrip>
-<tag><tt/PAM_CRED_UNAVAIL/</tag>
-	This module cannot retrieve the user's credentials.
-<tag><tt/PAM_CRED_EXPIRED/</tag>
-	The user's credentials have expired.
-<tag><tt/PAM_USER_UNKNOWN/</tag>
-	The user is not known to this authentication module.
-<tag><tt/PAM_CRED_ERR/</tag>
-	This module was unable to set the credentials of the user.
-</descrip>
-
-<p>
-these, non-<tt/PAM_SUCCESS/, return values will typically lead to the
-credential stack <em/failing/. The first such error will dominate in
-the return value of <tt/pam_setcred()/.
-
-</itemize>
-
-<sect1> Account management
-
-<p>
-To be correctly initialized, <tt/PAM_SM_ACCOUNT/ must be
-<tt/#define/'d prior to including <tt>&lt;security/pam_modules.h&gt;</tt>.
-This will ensure that the prototype for a static module is properly
-declared.
-
-<p>
-<itemize>
-
-<item>
-<tt>PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int
-argc, const char **argv);</tt>
-
-<p>
-This function performs the task of establishing whether the user is
-permitted to gain access at this time. It should be understood that
-the user has previously been validated by an authentication
-module. This function checks for other things. Such things might be:
-the time of day or the date, the terminal line, remote
-hostname, etc. .
-
-<p>
-This function may also determine things like the expiration on
-passwords, and respond that the user change it before continuing.
-
-<p>
-Valid flags, which may be logically OR'd with <tt/PAM_SILENT/, are the
-same as those applicable to the <tt/flags/ argument of
-<tt/pam_sm_authenticate/.
-
-<p>
-This function may return one of the following errors,
-
-<descrip>
-
-<tag><tt/PAM_ACCT_EXPIRED/</tag>
-	The user is no longer permitted access to the system.
-<tag><tt/PAM_AUTH_ERR/</tag>
-	There was an authentication error.
-<tag><tt/PAM_AUTHTOKEN_REQD/</tag>
-	The user's authentication token has expired. Before calling
-this function again the application will arrange for a new one to be
-given. This will likely result in a call to <tt/pam_sm_chauthtok()/.
-<tag><tt/PAM_USER_UNKNOWN/</tag>
-	The user is not known to the module's account management
-component.
-	
-</descrip>
-
-</itemize>
-
-<sect1> Session management
-
-<p>
-To be correctly initialized, <tt/PAM_SM_SESSION/ must be
-<tt/#define/'d prior to including
-<tt>&lt;security/pam_modules.h&gt;</tt>.  This will ensure that the
-prototypes for static modules are properly declared.
-
-<p>
-The following two functions are defined to handle the
-initialization/termination of a session. For example, at the beginning
-of a session the module may wish to log a message with the system
-regarding the user. Similarly, at the end of the session the module
-would inform the system that the user's session has ended.
-
-<p>
-It should be possible for sessions to be opened by one application and
-closed by another. This either requires that the module uses only
-information obtained from <tt/pam_get_item()/, or that information
-regarding the session is stored in some way by the operating system
-(in a file for example).
-
-<p>
-<itemize>
-
-<item>
-<tt>PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int
-argc, const char **argv);</tt>
-
-<p>
-This function is called to commence a session. The only valid, but
-optional, flag is <tt/PAM_SILENT/.
-
-<p>
-As a return value, <tt/PAM_SUCCESS/ signals success and
-<tt/PAM_SESSION_ERR/ failure.
-
-<item>
-<tt>PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int
-argc, const char **argv);</tt>
-
-<p>
-This function is called to terminate a session. The only valid, but
-optional, flag is <tt/PAM_SILENT/.
-
-<p>
-As a return value, <tt/PAM_SUCCESS/ signals success and
-<tt/PAM_SESSION_ERR/ failure.
-
-</itemize>
-
-<sect1> Password management
-
-<p>
-To be correctly initialized, <tt/PAM_SM_PASSWORD/ must be
-<tt/#define/'d prior to including <tt>&lt;security/pam_modules.h&gt;</tt>.
-This will ensure that the prototype for a static module is properly
-declared.
-
-<p>
-<itemize>
-
-<item>
-<tt>PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int
-argc, const char **argv);</tt>
-
-<p>
-This function is used to (re-)set the authentication token of the
-user. A valid flag, which may be logically OR'd with <tt/PAM_SILENT/,
-can be built from the following list,
-
-<descrip>
-<tag><tt/PAM_CHANGE_EXPIRED_AUTHTOK/</tag>
-	This argument indicates to the module that the users
-authentication token (password) should only be changed if it has
-expired. This flag is optional and <em/must/ be combined with one of
-the following two flags. Note, however, the following two options are
-<em/mutually exclusive/.
-
-<tag><tt/PAM_PRELIM_CHECK/</tag>
-	This indicates that the modules are being probed as to their
-ready status for altering the user's authentication token. If the
-module requires access to another system over some network it should
-attempt to verify it can connect to this system on receiving this
-flag. If a module cannot establish it is ready to update the user's
-authentication token it should return <tt/PAM_TRY_AGAIN/, this
-information will be passed back to the application.
-
-<tag><tt/PAM_UPDATE_AUTHTOK/</tag>
-	This informs the module that this is the call it should change
-the authorization tokens. If the flag is logically OR'd with
-<tt/PAM_CHANGE_EXPIRED_AUTHTOK/, the token is only changed if it has
-actually expired.
-
-</descrip>
-
-<p>
-Note, the <bf/Linux-PAM/ library calls this function twice in
-succession. The first time with <tt/PAM_PRELIM_CHECK/ and then, if the
-module does not return <tt/PAM_TRY_AGAIN/, subsequently with
-<tt/PAM_UPDATE_AUTHTOK/. It is only on the second call that the
-authorization token is (possibly) changed.
-
-<p>
-<tt/PAM_SUCCESS/ is the only successful return value, valid
-error-returns are:
-
-<descrip>
-<tag><tt/PAM_AUTHTOK_ERR/</tag>
-	The module was unable to obtain the new authentication token.
-	
-<tag><tt/PAM_AUTHTOK_RECOVERY_ERR/</tag>
-	The module was unable to obtain the old authentication token.
-
-<tag><tt/PAM_AUTHTOK_LOCK_BUSY/</tag>
-	Cannot change the authentication token since it is currently
-locked.
-	
-<tag><tt/PAM_AUTHTOK_DISABLE_AGING/</tag>
-	Authentication token aging has been disabled.
-
-<tag><tt/PAM_PERM_DENIED/</tag>
-	Permission denied.
-
-<tag><tt/PAM_TRY_AGAIN/</tag>
-	Preliminary check was unsuccessful. Signals an immediate return
-to the application is desired.
-
-<tag><tt/PAM_USER_UNKNOWN/</tag>
-	The user is not known to the authentication token changing
-service.
-
-</descrip>
-
-</itemize>
-
-<sect>Generic optional arguments
-
-<p>
-Here we list the generic arguments that all modules can expect to
-be passed. They are not mandatory, and their absence should be
-accepted without comment by the module.
-
-<p>
-<descrip>
-<tag><tt/debug/</tag>
-
-Use the <tt/syslog(3)/ call to log debugging information to the system
-log files.
-
-<tag><tt/no_warn/</tag>
-
-Instruct module to not give warning messages to the application.
-
-<tag><tt/use_first_pass/</tag>
-
-The module should not prompt the user for a password. Instead, it
-should obtain the previously typed password (by a call to
-<tt/pam_get_item()/ for the <tt/PAM_AUTHTOK/ item), and use that. If
-that doesn't work, then the user will not be authenticated. (This
-option is intended for <tt/auth/ and <tt/passwd/ modules only).
-
-<tag><tt/try_first_pass/</tag>
-
-The module should attempt authentication with the previously typed
-password (by a call to <tt/pam_get_item()/ for the <tt/PAM_AUTHTOK/
-item). If that doesn't work, then the user is prompted for a
-password. (This option is intended for <tt/auth/ modules only).
-
-<tag><tt/use_mapped_pass/</tag>
-
-<bf/WARNING:/ coding this functionality may cause the module writer to
-break <em/local/ encryption laws. For example, in the U.S. there are
-restrictions on the export computer code that is capable of strong
-encryption.  It has not been established whether this option is
-affected by this law, but one might reasonably assume that it does
-until told otherwise.  For this reason, this option is not supported
-by any of the modules distributed with <bf/Linux-PAM/.
-
-The intended function of this argument, however, is that the module
-should take the existing authentication token from a previously
-invoked module and use it as a key to retrieve the authentication
-token for this module. For example, the module might create a strong
-hash of the <tt/PAM_AUTHTOK/ item (established by a previously
-executed module). Then, with logical-exclusive-or, use the result as a
-<em/key/ to safely store/retrieve the authentication token for this
-module in/from a local file <em/etc/. .
-
-<tag><tt/expose_account/</tag>
-
-<p>
-In general the leakage of some information about user accounts is not
-a secure policy for modules to adopt. Sometimes information such as
-users names or home directories, or preferred shell, can be used to
-attack a user's account. In some circumstances, however, this sort of
-information is not deemed a threat: displaying a user's full name when
-asking them for a password in a secured environment could also be
-called being 'friendly'. The <tt/expose_account/ argument is a
-standard module argument to encourage a module to be less discrete
-about account information as it is deemed appropriate by the local
-administrator.
-
-</descrip>
-
-<sect>Programming notes
-
-<p>
-Here we collect some pointers for the module writer to bear in mind
-when writing/developing a <bf/Linux-PAM/ compatible module.
-
-<sect1>Security issues for module creation
-
-<sect2>Sufficient resources
-
-<p>
-Care should be taken to ensure that the proper execution of a module
-is not compromised by a lack of system resources.  If a module is
-unable to open sufficient files to perform its task, it should fail
-gracefully, or request additional resources.  Specifically, the
-quantities manipulated by the <tt/setrlimit(2)/ family of commands
-should be taken into consideration.
-
-<sect2>Who's who?
-
-<p>
-Generally, the module may wish to establish the identity of the user
-requesting a service.  This may not be the same as the username
-returned by <tt/pam_get_user()/. Indeed, that is only going to be the
-name of the user under whose identity the service will be given.  This
-is not necessarily the user that requests the service.
-
-<p>
-In other words, user X runs a program that is setuid-Y, it grants the
-user to have the permissions of Z.  A specific example of this sort of
-service request is the <em/su/ program: user <tt/joe/ executes
-<em/su/ to become the user <em/jane/.  In this situation X=<tt/joe/,
-Y=<tt/root/ and Z=<tt/jane/.  Clearly, it is important that the module
-does not confuse these different users and grant an inappropriate
-level of privilege.
-
-<p>
-The following is the convention to be adhered to when juggling
-user-identities.
-
-<p>
-<itemize>
-<item>X, the identity of the user invoking the service request.
-This is the user identifier; returned by the function <tt/getuid(2)/.
-
-<item>Y, the privileged identity of the application used to grant the
-requested service.  This is the <em/effective/ user identifier;
-returned by the function <tt/geteuid(2)/.
-
-<item>Z, the user under whose identity the service will be granted.
-This is the username returned by <tt/pam_get_user(2)/ and also stored
-in the <bf/Linux-PAM/ item, <tt/PAM_USER/.
-
-<item><bf/Linux-PAM/ has a place for an additional user identity that
-a module may care to make use of. This is the <tt/PAM_RUSER/ item.
-Generally, network sensitive modules/applications may wish to set/read
-this item to establish the identity of the user requesting a service
-from a remote location.
-
-</itemize>
-
-<p>
-Note, if a module wishes to modify the identity of either the <tt/uid/
-or <tt/euid/ of the running process, it should take care to restore
-the original values prior to returning control to the <bf/Linux-PAM/
-library.
-
-<sect2>Using the conversation function
-<p>
-Prior to calling the conversation function, the module should reset
-the contents of the pointer that will return the applications
-response.  This is a good idea since the application may fail to fill
-the pointer and the module should be in a position to notice!
-
-<p>
-The module should be prepared for a failure from the conversation. The
-generic error would be <tt/PAM_CONV_ERR/, but anything other than
-<tt/PAM_SUCCESS/ should be treated as indicating failure.
-
-<sect2>Authentication tokens
-
-<p>
-To ensure that the authentication tokens are not left lying around the
-items, <tt/PAM_AUTHTOK/ and <tt/PAM_OLDAUTHTOK/, are not available to
-the application: they are defined in
-<tt>&lt;security/pam_modules.h&gt;</tt>. This is ostensibly for
-security reasons, but a maliciously programmed application will always
-have access to all memory of the process, so it is only superficially
-enforced.  As a general rule the module should overwrite
-authentication tokens as soon as they are no longer needed.
-Especially before <tt/free()/'ing them. The <bf/Linux-PAM/ library is
-required to do this when either of these authentication token items
-are (re)set.
-
-<p>
-Not to dwell too little on this concern; should the module store the
-authentication tokens either as (automatic) function variables or
-using <tt/pam_[gs]et_data()/ the associated memory should be
-over-written explicitly before it is released. In the case of the
-latter storage mechanism, the associated <tt/cleanup()/ function
-should explicitly overwrite the <tt/*data/ before <tt/free()/'ing it:
-for example,
-
-<tscreen>
-<verb>
-/*
- * An example cleanup() function for releasing memory that was used to
- * store a password. 
- */
-
-int cleanup(pam_handle_t *pamh, void *data, int error_status)
-{
-    char *xx;
-
-    if ((xx = data)) {
-        while (*xx)
-            *xx++ = '\0';
-        free(data);
-    }
-    return PAM_SUCCESS;
-}
-</verb>
-</tscreen>
-
-<sect1>Use of <tt/syslog(3)/
-
-<p>
-Only rarely should error information be directed to the user. Usually,
-this is to be limited to ``<em/sorry you cannot login now/'' type
-messages. Information concerning errors in the configuration file,
-<tt>/etc/pam.conf</tt>, or due to some system failure encountered by
-the module, should be written to <tt/syslog(3)/ with
-<em/facility-type/ <tt/LOG_AUTHPRIV/.
-
-<p>
-With a few exceptions, the level of logging is, at the discretion of
-the module developer. Here is the recommended usage of different
-logging levels:
-
-<p>
-<itemize>
-
-<item>
-As a general rule, errors encountered by a module should be logged at
-the <tt/LOG_ERR/ level. However, information regarding an unrecognized
-argument, passed to a module from an entry in the
-<tt>/etc/pam.conf</tt> file, is <bf/required/ to be logged at the
-<tt/LOG_ERR/ level.
-
-<item>
-Debugging information, as activated by the <tt/debug/ argument to the
-module in <tt>/etc/pam.conf</tt>, should be logged at the
-<tt/LOG_DEBUG/ level.
-
-<item>
-If a module discovers that its personal configuration file or some
-system file it uses for information is corrupted or somehow unusable,
-it should indicate this by logging messages at level, <tt/LOG_ALERT/.
-
-<item>
-Shortages of system resources, such as a failure to manipulate a file
-or <tt/malloc()/ failures should be logged at level <tt/LOG_CRIT/.
-
-<item>
-Authentication failures, associated with an incorrectly typed password
-should be logged at level, <tt/LOG_NOTICE/.
-
-</itemize>
-
-<sect1> Modules that require system libraries
-
-<p>
-Writing a module is much like writing an application. You have to
-provide the "conventional hooks" for it to work correctly, like
-<tt>pam_sm_authenticate()</tt> etc., which would correspond to the
-<tt/main()/ function in a normal function.
-
-<p>
-Typically, the author may want to link against some standard system
-libraries. As when one compiles a normal program, this can be done for
-modules too: you simply append the <tt>-l</tt><em>XXX</em> arguments
-for the desired libraries when you create the shared module object. To
-make sure a module is linked to the <tt>lib<em>whatever</em>.so</tt>
-library when it is <tt>dlopen()</tt>ed, try:
-<tscreen>
-<verb>
-% gcc -shared -Xlinker -x -o pam_module.so pam_module.o -lwhatever
-</verb>
-</tscreen>
-
-<sect1> Added requirements for <em/statically/ loaded modules.
-
-<!--
-	Copyright (C) Michael K. Johnson 1996.
-	Last modified:  AGM 1996/5/31.
- -->
-
-<p>
-Modules may be statically linked into libpam. This should be true of
-all the modules distributed with the basic <bf/Linux-PAM/
-distribution.  To be statically linked, a module needs to export
-information about the functions it contains in a manner that does not
-clash with other modules.
-
-The extra code necessary to build a static module should be delimited
-with <tt/#ifdef PAM_STATIC/ and <tt/#endif/. The static code should do
-the following:
-<itemize>
-<item> Define a single structure, <tt/struct pam_module/, called
-<tt>_pam_<it>modname</it>_modstruct</tt>, where
-<tt><it>modname</it></tt> is the name of the module <bf/as used in the
-filesystem/ but without the leading directory name (generally
-<tt>/usr/lib/security/</tt> or the suffix (generally <tt/.so/).
-
-</itemize>
-
-<p>
-As a simple example, consider the following module code which defines
-a module that can be compiled to be <em/static/ or <em/dynamic/:
-
-<p>
-<tscreen>
-<verb>
-#include <stdio.h>                                    /* for NULL define */
-
-#define PAM_SM_PASSWORD         /* the only pam_sm_... function declared */
-#include <security/pam_modules.h>
-
-PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
-                                int argc, const char **argv)
-{
-     return PAM_SUCCESS;
-}
-
-#ifdef PAM_STATIC             /* for the case that this module is static */
-
-struct pam_module _pam_modname_modstruct = {       /* static module data */
-     "pam_modname",
-     NULL,
-     NULL,
-     NULL,
-     NULL,
-     NULL,
-     pam_sm_chauthtok,
-};
-
-#endif                                                 /* end PAM_STATIC */
-</verb>
-</tscreen>
-
-<p>
-To be linked with <em/libpam/, staticly-linked modules must be built
-from within the <tt>Linux-PAM-X.YY/modules/</tt> subdirectory of the
-<bf/Linux-PAM/ source directory as part of a normal build of the
-<bf/Linux-PAM/ system.
-
-The <em/Makefile/, for the module in question, must execute the
-<tt/register_static/ shell script that is located in the
-<tt>Linux-PAM-X.YY/modules/</tt> subdirectory. This is to ensure that
-the module is properly registered with <em/libpam/.
-
-The <bf/two/ manditory arguments to <tt/register_static/ are the
-title, and the pathname of the object file containing the module's
-code. The pathname is specified relative to the
-<tt>Linux-PAM-X.YY/modules</tt> directory. The pathname may be an
-empty string---this is for the case that a single object file needs to
-register more than one <tt/struct pam_module/. In such a case, exactly
-one call to <tt/register_static/ must indicate the object file.
-
-<p>
-Here is an example; a line in the <em/Makefile/ might look like this:
-<tscreen>
-<verb>
-register:
-ifdef STATIC
-        (cd ..; ./register_static pam_modname pam_modname/pam_modname.o)
-endif
-</verb>
-</tscreen>
-
-For some further examples, see the <tt>modules</tt> subdirectory of
-the current <bf/Linux-PAM/ distribution.
-
-<sect>An example module file
-
-<p>
-At some point, we may include a fully commented example of a module in
-this document. For now, we point the reader to these two locations in
-the public CVS repository:
-<itemize>
-<item> A module that always succeeds: <tt><htmlurl
-url="http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pam/Linux-PAM/modules/pam_permit/"
-name="http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pam/Linux-PAM/modules/pam_permit/"
-></tt>
-<item> A module that always fails: <tt><htmlurl
-url="http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pam/Linux-PAM/modules/pam_deny/"
-name="http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pam/Linux-PAM/modules/pam_deny/"
-></tt>
-</itemize>
-
-<sect>Files
-
-<p><descrip>
-
-<tag><tt>/usr/lib/libpam.so.*</tt></tag>
-
-the shared library providing applications with access to
-<bf/Linux-PAM/.
-
-<tag><tt>/etc/pam.conf</tt></tag>
-
-the <bf/Linux-PAM/ configuration file.
-
-<tag><tt>/usr/lib/security/pam_*.so</tt></tag>
-
-the primary location for <bf/Linux-PAM/ dynamically loadable object
-files; the modules.
-
-</descrip>
-
-<sect>See also
-
-<p><itemize>
-<item>The <bf/Linux-PAM/ System Administrators' Guide.
-<item>The <bf/Linux-PAM/ Application Writers' Guide.
-<item>
-V. Samar and R. Schemers (SunSoft), ``UNIFIED LOGIN WITH PLUGGABLE
-AUTHENTICATION MODULES'', Open Software Foundation Request For
-Comments 86.0, October 1995.
-</itemize>
-
-<sect>Notes
-
-<p>
-I intend to put development comments here... like ``at the moment
-this isn't actually supported''. At release time what ever is in
-this section will be placed in the Bugs section below! :)
-
-<p>
-<itemize>
-<item>
-Perhaps we should keep a registry of data-names as used by
-<tt/pam_[gs]et_data()/ so there are no unintentional problems due to
-conflicts?
-
-<item>
-<tt/pam_strerror()/ should be internationalized....
-
-<item>
-There has been some debate about whether <tt/initgroups()/ should be
-in an application or in a module. It was settled by Sun who stated
-that initgroups is an action of the <em/application/. The modules are
-permitted to add additional groups, however.
-
-<item>
-Refinements/futher suggestions to <tt/syslog(3)/ usage by modules are
-needed.
-
-</itemize>
-
-<sect>Author/acknowledgments
-
-<p>
-This document was written by Andrew G. Morgan
-(<tt/morgan@kernel.org/) with many contributions from
-<!-- insert credits here -->
-<!--
- an sgml list of people to credit for their contributions to Linux-PAM
- $Id: pam_modules.sgml,v 1.9 2002/05/10 06:00:12 agmorgan Exp $
-  -->
-Chris Adams,
-Peter Allgeyer,
-Tim Baverstock,
-Tim Berger,
-Craig S. Bell,
-Derrick J. Brashear,
-Ben Buxton,
-Seth Chaiklin,
-Oliver Crow,
-Chris Dent,
-Marc Ewing,
-Cristian Gafton,
-Emmanuel Galanos,
-Brad M. Garcia,
-Eric Hester,
-Roger Hu,
-Eric Jacksch,
-Michael K. Johnson,
-David Kinchlea,
-Olaf Kirch,
-Marcin Korzonek,
-Stephen Langasek,
-Nicolai Langfeldt,
-Elliot Lee,
-Luke Kenneth Casson Leighton,
-Al Longyear,
-Ingo Luetkebohle,
-Marek Michalkiewicz,
-Robert Milkowski,
-Aleph One,
-Martin Pool,
-Sean Reifschneider,
-Jan Rekorajski,
-Erik Troan,
-Theodore Ts'o,
-Jeff Uphoff,
-Myles Uyema,
-Savochkin Andrey Vladimirovich,
-Ronald Wahl,
-David Wood,
-John Wilmes,
-Joseph S. D. Yao
-and
-Alex O.  Yuriev.
-
-<p>
-Thanks are also due to Sun Microsystems, especially to Vipin Samar and
-Charlie Lai for their advice. At an early stage in the development of
-<bf/Linux-PAM/, Sun graciously made the documentation for their
-implementation of PAM available. This act greatly accelerated the
-development of <bf/Linux-PAM/.
-
-<sect>Bugs/omissions
-
-<p>
-Few PAM modules currently exist. Few PAM-aware applications exist.
-This document is hopelessly unfinished. Only a partial list of people is
-credited for all the good work they have done.
-
-<sect>Copyright information for this document
-
-<p>
-Copyright (c) Andrew G. Morgan 1996-2002.  All rights reserved.
-<newline>
-Email: <tt>&lt;morgan@kernel.org&gt;</tt>
-
-<p>
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-<p>
-<itemize>
-
-<item>
-1. Redistributions of source code must retain the above copyright
-   notice, and the entire permission notice in its entirety,
-   including the disclaimer of warranties.
-
-<item>
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-<item>
-3. The name of the author may not be used to endorse or promote
-   products derived from this software without specific prior
-   written permission.
-
-</itemize>
-
-<p>
-<bf/Alternatively/, this product may be distributed under the terms of
-the GNU General Public License (GPL), in which case the provisions of
-the GNU GPL are required <bf/instead of/ the above restrictions.
-(This clause is necessary due to a potential bad interaction between
-the GNU GPL and the restrictions contained in a BSD-style copyright.)
-
-<p>
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
-OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
-TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
-DAMAGE.
-
-<p>
-<tt>$Id: pam_modules.sgml,v 1.9 2002/05/10 06:00:12 agmorgan Exp $</tt>
-
-</article>
diff --git a/Linux-PAM/doc/pam_source.sgml b/Linux-PAM/doc/pam_source.sgml
deleted file mode 100644
index 9ec0bbe6..00000000
--- a/Linux-PAM/doc/pam_source.sgml
+++ /dev/null
@@ -1,1166 +0,0 @@
-<!doctype linuxdoc system>
-
-<!--
-
- $Id: pam_source.sgml,v 1.13 2004/09/28 13:48:46 kukuk Exp $
-
-    Copyright (c) Andrew G. Morgan 1996-2002.  All rights reserved.
-
-Redistribution and use in source (sgml) and binary (derived) forms,
-with or without modification, are permitted provided that the
-following conditions are met:
-
-1. Redistributions of source code must retain the above copyright
-   notice, and the entire permission notice in its entirety,
-   including the disclaimer of warranties.
-
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-3. The name of the author may not be used to endorse or promote
-   products derived from this software without specific prior
-   written permission.
-
-ALTERNATIVELY, this product may be distributed under the terms of the
-GNU General Public License, in which case the provisions of the GNU
-GPL are required INSTEAD OF the above restrictions.  (This clause is
-necessary due to a potential bad interaction between the GNU GPL and
-the restrictions contained in a BSD-style copyright.)
-
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
-OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
-TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
-DAMAGE.
-
- -->
-
-<article>
-
-<title>The Linux-PAM System Administrators' Guide
-<author>Andrew G. Morgan, <tt>morgan@kernel.org</tt>
-<date>DRAFT v0.77 2002/07/10
-<abstract>
-This manual documents what a system-administrator needs to know about
-the <bf>Linux-PAM</bf> library. It covers the correct syntax of the
-PAM configuration file and discusses strategies for maintaining a
-secure system.
-</abstract>
-
-<!-- Table of contents -->
-<toc>
-
-<!-- Begin the document -->
-
-<sect>Introduction
-
-<p><bf/Linux-PAM/ (Pluggable Authentication Modules for Linux) is a
-suite of shared libraries that enable the local system administrator
-to choose how applications authenticate users.
-
-<p>In other words, without (rewriting and) recompiling a PAM-aware
-application, it is possible to switch between the authentication
-mechanism(s) it uses. Indeed, one may entirely upgrade the local
-authentication system without touching the applications themselves.
-
-<p>Historically an application that has required a given user to be
-authenticated, has had to be compiled to use a specific authentication
-mechanism.  For example, in the case of traditional UN*X systems, the
-identity of the user is verified by the user entering a correct
-password.  This password, after being prefixed by a two character
-``salt'', is encrypted (with crypt(3)). The user is then authenticated
-if this encrypted password is identical to the second field of the
-user's entry in the system password database (the <tt>/etc/passwd</tt>
-file).  On such systems, most if not all forms of privileges are
-granted based on this single authentication scheme. Privilege comes in
-the form of a personal user-identifier (<tt/uid/) and membership of
-various groups. Services and applications are available based on the
-personal and group identity of the user. Traditionally, group
-membership has been assigned based on entries in the
-<tt>/etc/group</tt> file.
-
-<p>
-Unfortunately, increases in the speed of computers and the
-widespread introduction of network based computing, have made once
-secure authentication mechanisms, such as this, vulnerable to
-attack. In the light of such realities, new methods of authentication
-are continuously being developed.
-
-<p>
-It is the purpose of the <bf/Linux-PAM/ project to separate the
-development of privilege granting software from the development of
-secure and appropriate authentication schemes.  This is accomplished
-by providing a library of functions that an application may use to
-request that a user be authenticated. This PAM library is configured
-locally with a system file, <tt>/etc/pam.conf</tt> (or a series of
-configuration files located in <tt>/etc/pam.d/</tt>) to authenticate a
-user request via the locally available authentication modules. The
-modules themselves will usually be located in the directory
-<tt>/lib/security</tt> and take the form of dynamically loadable
-object files (see <tt/dlopen(3)/).
-
-<sect>Some comments on the text<label id="text-conventions">
-
-<p>
-Before proceeding to read the rest of this document, it should be
-noted that the text assumes that certain files are placed in certain
-directories.  Where they have been specified, the conventions we adopt
-here for locating these files are those of the relevant RFC (RFC-86.0,
-see <ref id="see-also-sec" name="bibliography">).  If you are using a
-distribution of Linux (or some other operating system) that supports
-PAM but chooses to distribute these files in a diferent way you should
-be careful when copying examples directly from the text.
-
-<p>
-As an example of the above, where it is explicit, the text assumes
-that PAM loadable object files (the <em/modules/) are to be located in
-the following directory: <tt>/lib/security/</tt>. This is generally
-the location that seems to be compatible with the Linux File System
-Standard (the FSSTND). On Solaris, which has its own licensed version
-of PAM, and some other implementations of UN*X, these files can be
-found in <tt>/usr/lib/security</tt>. Please be careful to perform the
-necessary transcription when using the examples from the text.
-
-<sect>Overview<label id="overview-section">
-
-<p>
-For the uninitiated, we begin by considering an example.  We take an
-application that grants some service to users; <em/login/ is one such
-program. <em/Login/ does two things, it first establishes that the
-requesting user is whom they claim to be and second provides them with
-the requested service: in the case of <em/login/ the service is a
-command shell (<em>bash, tcsh, zsh, etc.</em>) running with the
-identity of the user.
-
-<p>
-Traditionally, the former step is achieved by the <em/login/
-application prompting the user for a password and then verifying that
-it agrees with that located on the system; hence verifying that
-as far as the system is concerned the user is who they claim to be.
-This is the task that is delegated to <bf/Linux-PAM/.
-
-<p>
-From the perspective of the application programmer (in this case the
-person that wrote the <em/login/ application), <bf/Linux-PAM/ takes
-care of this authentication task -- verifying the identity of the user.
-
-<p>
-The flexibility of <bf/Linux-PAM/ is that <em/you/, the system
-administrator, have the freedom to stipulate which authentication
-scheme is to be used.  You have the freedom to set the scheme for
-any/all PAM-aware applications on your Linux system.  That is, you can
-authenticate from anything as naive as <em/simple trust/
-(<tt/pam_permit/) to something as paranoid as a combination of a
-retinal scan, a voice print and a one-time password!
-
-<p>
-To illustrate the flexibility you face, consider the following
-situation: a system administrator (parent) wishes to improve the
-mathematical ability of her users (children). She can configure their
-favorite ``Shoot 'em up game'' (PAM-aware of course) to authenticate
-them with a request for the product of a couple of random numbers less
-than 12. It is clear that if the game is any good they will soon learn
-their <em/multiplication tables/.   As they mature, the authentication
-can be upgraded to include (long) division!
-
-<p>
-<bf/Linux-PAM/ deals with four separate types of (management)
-task. These are: <em/authentication management/; <em/account
-management/; <em/session management/; and <em/password management/.
-The association of the preferred management scheme with the behavior
-of an application is made with entries in the relevant <bf/Linux-PAM/
-configuration file.  The management functions are performed by
-<em/modules/ specified in the configuration file. The syntax for this
-file is discussed in the section <ref id="configuration"
-name="below">.
-
-<p>
-Here is a figure that describes the overall organization of
-<bf/Linux-PAM/.
-<tscreen>
-<verb>
-	 +----------------+
-	 | application: X |
-         +----------------+	  /  +----------+     +================+
-       	 | authentication-[---->--\--] Linux-   |--<--| PAM config file|
-	 |       +        [----<--/--] 	 PAM    |     |================|
-	 |[conversation()][--+    \  |          |     | X auth .. a.so |
-	 +----------------+  |    /  +-n--n-----+     | X auth .. b.so |
-	 |                |  |       __|  |           |           _____/
-	 |  service user  |  A      |  	  |           |____,-----' 
-	 |                |  |      V  	  A	        	   
-	 +----------------+  +------|-----|---------+ -----+------+
-	                        +---u-----u----+    |	   |	  |
-			        |   auth....   |--[ a ]--[ b ]--[ c ]
-				+--------------+
-				|   acct....   |--[ b ]--[ d ]
-				+--------------+
-				|   password   |--[ b ]--[ c ]
-				+--------------+
-				|   session    |--[ e ]--[ c ]
-				+--------------+
-</verb>
-</tscreen>
-By way of explanation, the left of the figure represents the
-application; application X.  Such an application interfaces with the
-<bf/Linux-PAM/ library and knows none of the specifics of its
-configured authentication method.  The <bf/Linux-PAM/ library (in the
-center) consults the contents of the PAM configuration file and loads
-the modules that are appropriate for application-X. These modules fall
-into one of four management groups (lower-center) and are stacked in
-the order they appear in the configuration file. These modules, when
-called by <bf/Linux-PAM/, perform the various authentication tasks for
-the application. Textual information, required from/or offered to the
-user, can be exchanged through the use of the application-supplied
-<em/conversation/ function.
-
-<sect1>Getting started
-
-<p>
-The following text was contributed by Seth Chaiklin:
-<tscreen>
-<verb>
-To this point, we have described how PAM should work in an
-ideal world, in which all applications are coded properly.
-However, at the present time (October 1998), this is far
-from the case.  Therefore, here are some practical considerations
-in trying to use PAM in your system.
-
-Why bother, is it really worth all the trouble?  
-
-If you running Linux as a single user system, or in an
-environment where all the users are trusted, then there 
-is no real advantage for using PAM.
-</verb>
-</tscreen>
-
-<p>
-<BF>Ed:</BF> there is actually an advantage since you can <em/dummy
-down/ the authentication to the point where you don't have
-any... Almost like Win95.
-<p>
-In a networked environment, it is clear that you need to think a
-little more about how users etc., are authenticated:]
-
-<p>
-<tscreen>
-<verb>
-If you are running Linux as a server, where several different
-services are being provided (e.g., WWW with areas restricted by
-password control, PPP), then there can be some real and interesting
-value for PAM.  In particular, through the use of modules, PAM can
-enable a program to search through several different password
-databases, even if that program is not explicitly coded for
-that particular database.  Here are some examples of the possibilities
-that this enables.
-
-   o  Apache has a module that provides PAM services.  Now
-   authentication
-      to use particular directories can be conducted by PAM, which
-      means that the range of modules that are available to PAM can
-      be used, including RADIUS, NIS, NCP (which means that Novell
-      password databases can be used).
-
-   o  pppd has a PAMified version (available from Red Hat)  Now it is
-      possible to use a series of databases to authenticate ppp users.
-      In addition to the normal Linux-based password databases (such
-      as /etc/passwd and /etc/shadow), you can use PAM modules to 
-      authenticate against Novell password databases or NT-based 
-      password databases. 
-
-   o  The preceding two examples can be combined.  Imagaine that the
-      persons in your office/department are already registered with a
-      username and password in a Novell or NT LAN.  If you wanted to
-      use this database on your Linux server (for PPP access, for 
-      web access, or even for normal shell access), you can use PAM
-      to authenticate against this existing database, rather than
-      maintain a separate database on both Linux and the LAN server.
-
-
-Can I use PAM for any program that requires authentication?
-
-Yes and no.   Yes, if you have access to the source code, and can
-add the appropriate PAM functions.  No, if you do not have access 
-to the source code, and the binary does not have the PAM functions
-included.
-
-In other words, if a program is going to use PAM, then it has to
-have PAM functions explicitly coded into the program.  If they
-are not, then it is not possible to use PAM. 
-
-How can I tell whether a program has PAM coded into it or not?
-
-A quick-and-dirty (but not always reliable) method is to ldd
-<programname>
-If libpam and libpam_misc are not among the libraries that the program
-uses, then it is not going to work with PAM.  However, it is possible
-that the libraries are included, but there are still problems, because
-the PAM coding in the program does not work as it should.  So a
-more reliable method is to make the follow tests.
-
-In the /etc/pam.d directory, one needs to make a configuration file
-for the program that one wants to run.  The exact name of the
-configuration
-file is hard-coded into the program.  Usually, it is the same name as
-the
-program, but not always.  For sake of illustration, let's assume that
-the program is named "pamprog" and the name of the configuration file
-is /etc/pam.d/pamprog.
-
-In the /etc/pam.d/pamprog but the following two lines:
-
-auth    required  pam_permit.so
-auth    required  pam_warn.so
-
-
-Now try to use pamprog.  The first line in the configuration file 
-says that all users are permitted.  The second line will write a
-warning to your syslog file (or whether you syslog is writing
-
-messages).  If this test succeeds, then you know that you have
-a program that can understand pam, and you can start the more
-interesting work of deciding how to stack modules in your
-/etc/pam.d/pamprog  file.
-</verb>
-</tscreen>
-
-<sect>The Linux-PAM configuration file
-<label id="configuration">
-
-<p>
-<bf/Linux-PAM/ is designed to provide the system administrator with a
-great deal of flexibility in configuring the privilege granting
-applications of their system. The local configuration of those aspects
-of system security controlled by <tt/Linux-PAM/ is contained in one of
-two places: either the single system file, <tt>/etc/pam.conf</tt>; or
-the <tt>/etc/pam.d/</tt> directory.  In this section we discuss the
-correct syntax of and generic options respected by entries to these
-files.
-
-<sect1>Configuration file syntax
-
-<p>
-The reader should note that the <bf/Linux-PAM/ specific tokens in this
-file are case <em/insensitive/. The module paths, however, are case
-sensitive since they indicate a file's <em/name/ and reflect the case
-dependence of typical Linux file-systems. The case-sensitivity of the
-arguments to any given module is defined for each module in turn.
-
-<p>
-In addition to the lines described below, there are two <em/special/
-characters provided for the convenience of the system administrator:
-comments are preceded by a `<tt/&num;/' and extend to the
-next end-of-line; also, module specification lines may be extended
-with a `<tt/&bsol;/' escaped newline.
-
-<p>
-A general configuration line of the <tt>/etc/pam.conf</tt> file has
-the following form:
-<tscreen>
-<verb>
-service-name   module-type   control-flag   module-path   args
-</verb>
-</tscreen>
-Below, we explain the meaning of each of these tokens. The second (and
-more recently adopted) way of configuring <bf/Linux-PAM/ is via the
-contents of the <tt>/etc/pam.d/</tt> directory. Once we have explained
-the meaning of the above tokens, we will describe this method.
-
-<p>
-<descrip>
-<tag><tt/service-name/</tag>
-The name of the service associated with this entry. Frequently the
-service name is the conventional name of the given application. For
-example, `<tt/ftpd/', `<tt/rlogind/' and `<tt/su/', <em/etc./ .
-
-<p>
-There is a special <tt/service-name/, reserved for defining a default
-authentication mechanism. It has the name `<tt/OTHER/' and may be
-specified in either lower or upper case characters. Note, when there
-is a module specified for a named service, the `<tt/OTHER/' entries
-are ignored.
-
-<tag><tt/module-type/</tag>
-One of (currently) four types of module. The four types are as
-follows:
-<itemize>
-<item> <tt/auth/; this module type provides two aspects of
-authenticating the user. Firstly, it establishes that the user is who
-they claim to be, by instructing the application to prompt the user
-for a password or other means of identification. Secondly, the module
-can grant <tt/group/ membership (independently of the
-<tt>/etc/groups</tt> file discussed above) or other privileges through
-its <em/credential/ granting properties.
-
-<item> <tt/account/; this module performs non-authentication based
-account management. It is typically used to restrict/permit access to
-a service based on the time of day, currently available system
-resources (maximum number of users) or perhaps the location of the
-applicant user---`<tt/root/' login only on the console.
-
-<item> <tt/session/; primarily, this module is associated with doing
-things that need to be done for the user before/after they can be
-given service.  Such things include the logging of information
-concerning the opening/closing of some data exchange with a user,
-mounting directories, etc. .
-
-<item> <tt/password/; this last module type is required for updating the
-authentication token associated with the user. Typically, there is one
-module for each `challenge/response' based authentication (<tt/auth/)
-module-type.
-
-</itemize>
-
-<tag><tt/control-flag/</tag>
-
-The control-flag is used to indicate how the PAM library will react to
-the success or failure of the module it is associated with.  Since
-modules can be <em/stacked/ (modules of the same type execute in
-series, one after another), the control-flags determine the relative
-importance of each module.  The application is not made aware of the
-individual success or failure of modules listed in the
-`<tt>/etc/pam.conf</tt>' file.  Instead, it receives a summary
-<em/success/ or <em/fail/ response from the <bf/Linux-PAM/ library.
-The order of execution of these modules is that of the entries in the
-<tt>/etc/pam.conf</tt> file; earlier entries are executed before later
-ones.  As of Linux-PAM v0.60, this <em/control-flag/ can be defined
-with one of two syntaxes.
-
-<p>
-The simpler (and historical) syntax for the control-flag is a single
-keyword defined to indicate the severity of concern associated with
-the success or failure of a specific module.  There are four such
-keywords: <tt/required/, <tt/requisite/, <tt/sufficient/,
-<tt/optional/ and <tt/include/.
-
-<p>
-The Linux-PAM library interprets these keywords in the following
-manner:
-
-<itemize>
-
-<item> <tt/required/; this indicates that the success of the module is
-required for the <tt/module-type/ facility to succeed. Failure of this
-module will not be apparent to the user until all of the remaining
-modules (of the same <tt/module-type/) have been executed.
-
-<item> <tt/requisite/; like <tt/required/, however, in the case that
-such a module returns a failure, control is directly returned to the
-application.  The return value is that associated with the <em/first/
-<tt/required/ or <tt/requisite/ module to fail.  Note, this flag can be
-used to protect against the possibility of a user getting the
-opportunity to enter a password over an unsafe medium.  It is
-conceivable that such behavior might inform an attacker of valid
-accounts on a system. This possibility should be weighed against the
-not insignificant concerns of exposing a sensitive password in a
-hostile environment.
-
-<item> <tt/sufficient/; the success of this module is deemed
-`<em/sufficient/' to satisfy the <bf/Linux-PAM/ library that this
-module-type has succeeded in its purpose. In the event that no
-previous <tt/required/ module has failed, no more `<em/stacked/'
-modules of this type are invoked. (Note, in this case subsequent
-<tt/required/ modules are <bf/not/ invoked.). A failure of this module
-is not deemed as fatal to satisfying the application that this
-<tt/module-type/ has succeeded.
-
-<item> <tt/optional/; as its name suggests, this <tt/control-flag/
-marks the module as not being critical to the success or failure of
-the user's application for service.  In general, <bf/Linux-PAM/
-ignores such a module when determining if the module stack will
-succeed or fail.  However, in the absence of any definite successes or
-failures of previous or subsequent stacked modules this module will
-determine the nature of the response to the application.  One example
-of this latter case, is when the other modules return something like
-<tt/PAM_IGNORE/.
-
-<item> <tt/include/; this tells PAM to include all lines of given type
-from the configuration file specified as an argument to this control.
-The whole idea is to create few "systemwide" pam configs and include
-parts of them in application pam configs.
-
-
-</itemize>
-
-<p>
-The more elaborate (newer) syntax is much more specific and gives the
-administrator a great deal of control over how the user is
-authenticated.  This form of the control flag is delimeted with square
-brackets and consists of a series of <tt/value=action/ tokens:
-<tscreen>
-<verb>
-    [value1=action1 value2=action2 ...]
-</verb>
-</tscreen>
-
-<p>
-Here, <tt/valueI/ is one of the following <em/return values/:
-<tt/success/; <tt/open_err/; <tt/symbol_err/; <tt/service_err/;
-<tt/system_err/; <tt/buf_err/; <tt/perm_denied/; <tt/auth_err/;
-<tt/cred_insufficient/; <tt/authinfo_unavail/; <tt/user_unknown/;
-<tt/maxtries/; <tt/new_authtok_reqd/; <tt/acct_expired/;
-<tt/session_err/; <tt/cred_unavail/; <tt/cred_expired/; <tt/cred_err/;
-<tt/no_module_data/; <tt/conv_err/; <tt/authtok_err/;
-<tt/authtok_recover_err/; <tt/authtok_lock_busy/;
-<tt/authtok_disable_aging/; <tt/try_again/; <tt/ignore/; <tt/abort/;
-<tt/authtok_expired/; <tt/module_unknown/; <tt/bad_item/; and
-<tt/default/.  The last of these (<tt/default/) can be used to set the
-action for those return values that are not explicitly defined.
-
-<p>
-The <tt/actionI/ can be a positive integer or one of the following
-tokens: <tt/ignore/; <tt/ok/; <tt/done/; <tt/bad/; <tt/die/; and
-<tt/reset/.  A positive integer, <tt/J/, when specified as the action,
-can be used to indicate that the next <em/J/ modules of the current
-module-type will be skipped.  In this way, the administrator can
-develop a moderately sophisticated stack of modules with a number of
-different paths of execution.  Which path is taken can be determined
-by the reactions of individual modules.
-
-<p>
-<itemize>
-<item><tt/ignore/ - when used with a stack of modules, the module's
-  return status will not contribute to the return code the application
-  obtains.
-<item><tt/bad/ - this action indicates that the return code should be
-  thought of as indicative of the module failing. If this module is
-  the first in the stack to fail, its status value will be used for
-  that of the whole stack.
-<item><tt/die/ - equivalent to <tt/bad/ with the side effect of
-  terminating the module stack and PAM immediately returning to the
-  application.
-<item><tt/ok/ - this tells <bf/PAM/ that the administrator thinks this
-  return code should contribute directly to the return code of the full
-  stack of modules. In other words, if the former state of the stack
-  would lead to a return of <tt/PAM_SUCCESS/, the module's return code
-  will override this value.  Note, if the former state of the stack
-  holds some value that is indicative of a modules failure, this 'ok'
-  value will not be used to override that value.
-<item><tt/done/ - equivalent to <tt/ok/ with the side effect of
-  terminating the module stack and PAM immediately returning to the
-  application.
-<item><tt/reset/ - clear all memory of the state of the module stack and
-  start again with the next stacked module.
-</itemize>
-
-<p>
-Each of the four keywords: <tt/required/; <tt/requisite/;
-<tt/sufficient/; and <tt/optional/, have an equivalent expression in
-terms of the <tt/[...]/ syntax. They are as follows:
-<itemize>
-<item><tt/required/ is equivalent to
-<tt/[success=ok new_authtok_reqd=ok ignore=ignore default=bad]/
-<item><tt/requisite/ is equivalent to
-<tt/[success=ok new_authtok_reqd=ok ignore=ignore default=die]/
-<item><tt/sufficient/ is equivalent to
-<tt/[success=done new_authtok_reqd=done default=ignore]/
-<item><tt/optional/ is equivalent to 
-<tt/[success=ok new_authtok_reqd=ok default=ignore]/
-</itemize>
-
-<p>
-Just to get a feel for the power of this new syntax, here is a taste
-of what you can do with it.  With <bf/Linux-PAM-0.63/, the notion of
-client plug-in agents was introduced.  This is something that makes it
-possible for PAM to support machine-machine authentication using the
-transport protocol inherent to the client/server application.  With
-the ``<tt/[ ... value=action ... ]/'' control syntax, it is possible
-for an application to be configured to support binary prompts with
-compliant clients, but to gracefully fall over into an alternative
-authentication mode for older, legacy, applications.
-
-<tag> <tt/module-path/</tag>
-
-The path-name of the dynamically loadable object file; <em/the
-pluggable module/ itself. If the first character of the module path is
-`<tt>/</tt>', it is assumed to be a complete path. If this is not the
-case, the given module path is appended to the default module path:
-<tt>/lib/security</tt> (but see the notes <ref id="text-conventions"
-name="above">).
-
-<tag> <tt/args/</tag>
-
-The <tt/args/ are a list of tokens that are passed to the module when
-it is invoked. Much like arguments to a typical Linux shell command.
-Generally, valid arguments are optional and are specific to any given
-module. Invalid arguments are ignored by a module, however, when
-encountering an invalid argument, the module is required to write an
-error to <tt/syslog(3)/. For a list of <em/generic/ options see the
-next section.
-
-Note, if you wish to include spaces in an argument, you should
-surround that argument with square brackets. For example:
-<tscreen>
-<verb>
-squid auth required pam_mysql.so user=passwd_query passwd=mada \
-        db=eminence [query=select user_name from internet_service where \
-                     user_name='%u' and password=PASSWORD('%p') and \
-                     service='web_proxy']
-</verb>
-</tscreen>
-Note, when using this convention, you can include `<tt/[/' characters
-inside the string, and if you wish to include a `<tt/]/' character
-inside the string that will survive the argument parsing, you should
-use `<tt/\[/'. In other words:
-<tscreen>
-<verb>
-[..[..\]..]    -->   ..[..]..
-</verb>
-</tscreen>
-
-</descrip>
-
-<p>
-Any line in (one of) the configuration file(s), that is not formatted
-correctly, will generally tend (erring on the side of caution) to make
-the authentication process fail.  A corresponding error is written to
-the system log files with a call to <tt/syslog(3)/.
-
-<sect1>Directory based configuration
-
-<p>
-More flexible than the single configuration file, as of version 0.56,
-it is possible to configure <tt>libpam</tt> via the contents of the
-<tt>/etc/pam.d/</tt> directory.  In this case the directory is filled
-with files each of which has a filename equal to a service-name (in
-lower-case): it is the personal configuration file for the named
-service.
-
-<p>
-<bf/Linux-PAM/ can be compiled in one of two modes.  The preferred
-mode uses either <tt>/etc/pam.d/</tt> or <tt>/etc/pam.conf</tt>
-configuration but not both.  That is to say, if there is a
-<tt>/etc/pam.d/</tt> directory then libpam only uses the files
-contained in this directory.  However, in the absence of the
-<tt>/etc/pam.d/</tt> directory the <tt>/etc/pam.conf</tt> file is used
-(this is likely to be the mode your preferred distribution uses).  The
-other mode is to use both <tt>/etc/pam.d/</tt> and
-<tt>/etc/pam.conf</tt> in sequence.  In this mode, entries in
-<tt>/etc/pam.d/</tt> override those of <tt>/etc/pam.conf</tt>.
-
-The syntax of each file in <tt>/etc/pam.d/</tt> is similar to that of
-the <tt>/etc/pam.conf</tt> file and is made up of lines of the
-following form:
-<tscreen>
-<verb>
-module-type   control-flag   module-path   arguments
-</verb>
-</tscreen>
-The only difference being that the <tt>service-name</tt> is not
-present.   The service-name is of course the name of the given
-configuration file.  For example, <tt>/etc/pam.d/login</tt> contains
-the configuration for the <em>login</em> service.
-
-<p>
-This method of configuration has a number of advantages over the
-single file approach. We list them here to assist the reader in
-deciding which scheme to adopt:
-
-<p>
-<itemize>
-
-<item>A lower chance of misconfiguring an application. There is one
-less field to mis-type when editing the configuration files by hand.
-
-<item>Easier to maintain. One application may be reconfigured without
-risk of interfering with other applications on the system.
-
-<item>It is possible to symbolically link different services
-configuration files to a single file. This makes it easier to keep the
-system policy for access consistent across different applications.
-(It should be noted, to conserve space, it is equally possible to
-<em>hard</em> link a number of configuration files.  However, care
-should be taken when administering this arrangement as editing a hard
-linked file is likely to break the link.)
-
-<item>A potential for quicker configuration file parsing. Only the
-relevant entries are parsed when a service gets bound to its modules.
-
-<item>It is possible to limit read access to individual <bf/Linux-PAM/
-configuration files using the file protections of the filesystem.
-
-<item>Package management becomes simpler.  Every time a new
-application is installed, it can be accompanied by an
-<tt>/etc/pam.d/</tt><em>xxxxxx</em> file.
-
-</itemize>
-
-<sect1>Generic optional arguments
-
-<p>
-The following are optional arguments which are likely to be understood
-by any module. Arguments (including these) are in general
-<em/optional/.
-
-<p>
-<descrip>
-<tag><tt/debug/</tag>
-
-Use the <tt/syslog(3)/ call to log debugging information to the system
-log files.
-
-<tag> <tt/no_warn/</tag>
-
-Instruct module to not give warning messages to the application.
-
-<tag> <tt/use_first_pass/</tag>
-
-The module should not prompt the user for a password. Instead, it
-should obtain the previously typed password (from the preceding
-<tt/auth/ module), and use that. If that doesn't work, then the user
-will not be authenticated. (This option is intended for <tt/auth/
-and <tt/password/ modules only).
-
-<tag> <tt/try_first_pass/</tag>
-
-The module should attempt authentication with the previously typed
-password (from the preceding <tt/auth/ module). If that doesn't work,
-then the user is prompted for a password. (This option is intended for
-<tt/auth/ modules only).
-
-<tag> <tt/use_mapped_pass/</tag>
-
-This argument is not currently supported by any of the modules in the
-<bf/Linux-PAM/ distribution because of possible consequences
-associated with U.S. encryption exporting restrictions. Within the
-U.S., module developers are, of course, free to implement it (as are
-developers in other countries). For compatibility reasons we describe
-its use as suggested in the <bf/DCE-RFC 86.0/, see section <ref
-id="see-also-sec" name="bibliography"> for a pointer to this document.
-
-<p>
-The <tt/use_mapped_pass/ argument instructs the module to take the
-clear text authentication token entered by a previous module (that
-requests such a token) and use it to generate an encryption/decryption
-key with which to safely store/retrieve the authentication token
-required for this module. In this way the user can enter a single
-authentication token and be quietly authenticated by a number of
-stacked modules.  Obviously a convenient feature that necessarily
-requires some reliably strong encryption to make it secure.
-This argument is intended for the <tt/auth/ and <tt/password/ module
-types only.
-
-<tag><tt/expose_account/</tag>
-
-<p>
-In general the leakage of some information about user accounts is not
-a secure policy for modules to adopt. Sometimes information such as
-users names or home directories, or preferred shell, can be used to
-attack a user's account. In some circumstances, however, this sort of
-information is not deemed a threat: displaying a user's full name when
-asking them for a password in a secured environment could also be
-called being 'friendly'. The <tt/expose_account/ argument is a
-standard module argument to encourage a module to be less discrete
-about account information as it is deemed appropriate by the local
-administrator.
-
-</descrip>
-
-<sect1>Example configuration file entries
-
-<p>
-In this section, we give some examples of entries that can be present
-in the <bf/Linux-PAM/ configuration file. As a first attempt at
-configuring your system you could do worse than to implement these.
-
-<sect2>Default policy
-
-<p>
-If a system is to be considered secure, it had better have a
-reasonably secure `<tt/OTHER/' entry. The following is a paranoid
-setting (which is not a bad place to start!):
-<tscreen>
-<verb>
-#
-# default; deny access
-#
-OTHER	auth	 required	pam_deny.so
-OTHER	account	 required	pam_deny.so
-OTHER	password required	pam_deny.so
-OTHER	session	 required	pam_deny.so
-</verb>
-</tscreen>
-Whilst fundamentally a secure default, this is not very sympathetic to
-a misconfigured system. For example, such a system is vulnerable to
-locking everyone out should the rest of the file become badly written.
-
-<p>
-The module <tt/pam_deny/ (documented in a later section) is not very
-sophisticated. For example, it logs no information when it is invoked
-so unless the users of a system contact the administrator when failing
-to execute a service application, the administrator may go for a long
-while in ignorance of the fact that his system is misconfigured.
-
-<p>
-The addition of the following line before those in the above example
-would provide a suitable warning to the administrator.
-<tscreen>
-<verb>
-#
-# default; wake up! This application is not configured
-#
-OTHER	auth	 required	pam_warn.so
-OTHER	password required	pam_warn.so
-</verb>
-</tscreen>
-Having two ``<tt/OTHER auth/'' lines is an example of stacking.
-
-<p>
-On a system that uses the <tt>/etc/pam.d/</tt> configuration, the
-corresponding default setup would be achieved with the following file:
-<tscreen>
-<verb>
-#
-# default configuration: /etc/pam.d/other
-#
-auth	 required	pam_warn.so
-auth	 required	pam_deny.so
-account	 required	pam_deny.so
-password required	pam_warn.so
-password required	pam_deny.so
-session	 required	pam_deny.so
-</verb>
-</tscreen>
-This is the only explicit example we give for an <tt>/etc/pam.d/</tt>
-file. In general, it should be clear how to transpose the remaining
-examples to this configuration scheme.
-
-<p>
-On a less sensitive computer, one on which the system administrator
-wishes to remain ignorant of much of the power of <tt/Linux-PAM/, the
-following selection of lines (in <tt>/etc/pam.conf</tt>) is likely to
-mimic the historically familiar Linux setup.
-<tscreen>
-<verb>
-#
-# default; standard UN*X access
-#
-OTHER	auth	 required	pam_unix.so
-OTHER	account	 required	pam_unix.so
-OTHER	password required	pam_unix.so
-OTHER	session	 required	pam_unix.so
-</verb>
-</tscreen>
-In general this will provide a starting place for most applications.
-Unfortunately, most is not all. One application that might require
-additional lines is <em/ftpd/ if you wish to enable
-<em/anonymous-ftp/.
-
-<p>
-To enable anonymous-ftp, the following lines might be used to replace
-the default (<tt/OTHER/) ones. (<bf/*WARNING*/ as of 1996/12/28 this
-does not work correctly with any ftpd. Consequently, this description
-may be subject to change or the application will be fixed.)
-<tscreen>
-<verb>
-#
-# ftpd; add ftp-specifics. These lines enable anonymous ftp over
-#       standard UN*X access (the listfile entry blocks access to
-#	users listed in /etc/ftpusers)
-#
-ftpd	auth	sufficient  pam_ftp.so
-ftpd	auth	required    pam_unix_auth.so use_first_pass
-ftpd	auth	required    pam_listfile.so \
-	onerr=succeed item=user sense=deny file=/etc/ftpusers
-</verb>
-</tscreen>
-Note, the second line is necessary since the default entries are
-ignored by a service application (here <em/ftpd/) if there are
-<em/any/ entries in <tt>/etc/pam.conf</tt> for that specified service.
-Again, this is an example of authentication module stacking.  Note the
-use of the <tt/sufficient/ control-flag. It says that ``if this module
-authenticates the user, ignore the subsequent <tt/auth/
-modules''. Also note the use of the ``<tt/use_first_pass/''
-module-argument, this instructs the UN*X authentication module that it
-is not to prompt for a password but rely on one already having been
-obtained by the <tt/pam_ftp/ module.
-
-<sect>Security issues of Linux-PAM
-
-<p>
-This section will discuss good practices for using PAM in a secure
-manner.  <em>It is currently sadly lacking...suggestions are
-welcome!</em>
-
-<sect1>If something goes wrong
-
-<p>
-<bf/Linux-PAM/ has the potential to seriously change the security of
-your system.  You can choose to have no security or absolute security
-(no access permitted).  In general, <bf/Linux-PAM/ errs towards the
-latter.  Any number of configuration errors can dissable access to
-your system partially, or completely.
-
-<p>
-The most dramatic problem that is likely to be encountered when
-configuring <bf/Linux-PAM/ is that of <em>deleting</em> the
-configuration file(s): <tt>/etc/pam.d/*</tt> and/or
-<tt>/etc/pam.conf</tt>.  This will lock you out of your own system!
-
-<p>
-To recover, your best bet is to reboot the system in single user mode
-and set about correcting things from there.  The following has been
-<em>adapted</em> from a life-saving email on the subject from David
-Wood:
-<verb>
-> What the hell do I do now?
-
-OK, don't panic. The first thing you have to realize is that
-this happens to 50% of users who ever do anything with PAM.
-It happened here, not once, not twice, but three times, all
-different, and in the end, the solution was the same every
-time.
-
-First, I hope you installed LILO with a delay. If you can,
-reboot, hit shift or tab or something and type:
-
-    LILO boot: linux single
-
-(Replace 'linux' with 'name-of-your-normal-linux-image').
-This will let you in without logging in.  Ever wondered how
-easy it is to break into a linux machine from the console?
-Now you know.
-
-If you can't do that, then get yourself a bootkernel floppy
-and a root disk a-la slackware's rescue.gz.  (Red Hat's
-installation disks can be used in this mode too.)
-
-In either case, the point is to get back your root prompt.
-
-Second, I'm going to assume that you haven't completely
-nuked your pam installation - just your configuration files.
-Here's how you make your configs nice again:
-
-    cd /etc
-    mv pam.conf pam.conf.orig
-    mv pam.d pam.d.orig
-    mkdir pam.d
-    cd pam.d
-
-and then use vi to create a file called "other" in this
-directory.  It should contain the following four lines:
-
-    auth     required       pam_unix.so
-    account  required       pam_unix.so
-    password required       pam_unix.so
-    session  required       pam_unix.so
-
-Now you have the simplest possible PAM configuration that
-will work the way you're used to.  Everything should
-magically start to work again.  Try it out by hitting ALT-F2
-and logging in on another virtual console.  If it doesn't
-work, you have bigger problems, or you've mistyped
-something.  One of the wonders of this system (seriously,
-perhaps) is that if you mistype anything in the conf files,
-you usually get no error reporting of any kind on the
-console - just some entries in the log file.  So look there!
-(Try 'tail /var/log/messages'.)
-
-From here you can go back and get a real configuration
-going, hopefully after you've tested it first on a machine
-you don't care about screwing up.  :/
-
-Some pointers (to make everything "right" with Red Hat...):
-
-    Install the newest pam, pamconfig, and pwdb from the
-    redhat current directory, and do it all on the same
-    command line with rpm...
-
-        rpm -Uvh [maybe --force too] pam-* pamconfig-* pwdb-*
-
-    Then make sure you install (or reinstall) the newest
-    version of libc, util-linux, wuftp, and NetKit. For
-    kicks you might try installing the newest versions of
-    the affected x apps, like xlock, but I haven't gotten
-    those to work at all yet.
-
-</verb>
-
-<sect1>Avoid having a weak `other' configuration
-
-<p>
-It is not a good thing to have a weak default (<tt/OTHER/) entry.
-This service is the default configuration for all PAM aware
-applications and if it is weak, your system is likely to be vulnerable
-to attack.
-
-<p>
-Here is a sample "other" configuration file. The <em/pam_deny/ module will
-deny access and the <em/pam_warn/ module will send a syslog message to
-<tt/auth.notice/:
-
-<p>
-<tscreen>
-<verb>
-#
-# The PAM configuration file for the `other' service 
-# 
-auth      required   pam_deny.so 
-auth      required   pam_warn.so 
-account   required   pam_deny.so 
-account   required   pam_warn.so 
-password  required   pam_deny.so 
-password  required   pam_warn.so 
-session   required   pam_deny.so 
-session   required   pam_warn.so
-</verb>
-</tscreen>
-
-<sect>A reference guide for available modules
-
-<p>
-Here, we collect together some descriptions of the various modules
-available for <bf/Linux-PAM/.  In general these modules should be
-freely available.  Where this is not the case, it will be indicated.
-
-<p>
-Also please note the comments contained in the section <ref 
-id="text-conventions" name="on text conventions above"> when copying
-the examples listed below.
-
-<!-- insert-file MODULES-SGML -->
-
-<sect>Files
-
-<p><descrip>
-
-<tag><tt>/lib/libpam.so.*</tt></tag>
-
-the shared library providing applications with access to
-<bf/Linux-PAM/.
-
-<tag><tt>/etc/pam.conf</tt></tag>
-
-the <bf/Linux-PAM/ configuration file.
-
-<tag><tt>/lib/security/pam_*.so</tt></tag>
-
-the primary location for <bf/Linux-PAM/ dynamically loadable object
-files; the modules.
-
-</descrip>
-
-<sect>See also<label id="see-also-sec">
-
-<p><itemize>
-
-<item>The <bf/Linux-PAM/ Application Writers' Guide.
-
-<item>The <bf/Linux-PAM/ Module Writers' Guide.
-
-<item>The V. Samar and R. Schemers (SunSoft), ``UNIFIED LOGIN WITH
-PLUGGABLE AUTHENTICATION MODULES'', Open Software Foundation Request
-For Comments 86.0, October 1995. See this url:
-<tt><htmlurl
-url="http://www.kernel.org/pub/linux/libs/pam/pre/doc/rfc86.0.txt.gz"
-name="http://www.kernel.org/pub/linux/libs/pam/pre/doc/rfc86.0.txt.gz"></tt>
-
-</itemize>
-
-<sect>Notes
-
-<p>
-I intend to put development comments here... like ``at the moment
-this isn't actually supported''. At release time what ever is in
-this section will be placed in the Bugs section below! :)
-
-<p>
-Are we going to be able to support the <tt/use_mapped_pass/ module
-argument? Anyone know a cheap (free) good lawyer?!
-
-<p>
-<itemize>
-<item>
-This issue may go away, as Sun have investigated adding a new
-management group for mappings. In this way, libpam would have mapping
-modules that could securely store passwords using strong cryptography
-and in such a way that they need not be distributed with Linux-PAM.
-</itemize>
-
-<sect>Author/acknowledgments
-
-<p>
-This document was written by Andrew G. Morgan (morgan@kernel.org)
-with many contributions from
-<!-- insert-file CREDITS -->
-
-<p>
-Thanks are also due to Sun Microsystems, especially to Vipin Samar and
-Charlie Lai for their advice. At an early stage in the development of
-<bf/Linux-PAM/, Sun graciously made the documentation for their
-implementation of PAM available. This act greatly accelerated the
-development of <bf/Linux-PAM/.
-
-<sect>Bugs/omissions
-
-<p>
-More PAM modules are being developed all the time. It is unlikely that
-this document will ever be truely up to date!
-
-<p>
-This manual is unfinished. Only a partial list of people is credited
-for all the good work they have done.
-
-<sect>Copyright information for this document
-
-<p>
-Copyright (c) Andrew G. Morgan 1996-2002.  All rights reserved.
-<newline>
-Email: <tt>&lt;morgan@kernel.org&gt;</tt>
-
-<p>
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-<p>
-<itemize>
-
-<item>
-1. Redistributions of source code must retain the above copyright
-   notice, and the entire permission notice in its entirety,
-   including the disclaimer of warranties.
-
-<item>
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-<item>
-3. The name of the author may not be used to endorse or promote
-   products derived from this software without specific prior
-   written permission.
-
-</itemize>
-
-<p>
-<bf/Alternatively/, this product may be distributed under the terms of
-the GNU General Public License (GPL), in which case the provisions of
-the GNU GPL are required <bf/instead of/ the above restrictions.
-(This clause is necessary due to a potential bad interaction between
-the GNU GPL and the restrictions contained in a BSD-style copyright.)
-
-<p>
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
-OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
-TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
-DAMAGE.
-
-<p>
-<tt>$Id: pam_source.sgml,v 1.13 2004/09/28 13:48:46 kukuk Exp $</tt>
-
-</article>
diff --git a/Linux-PAM/doc/pdf/README b/Linux-PAM/doc/pdf/README
deleted file mode 100644
index 5cae4e68..00000000
--- a/Linux-PAM/doc/pdf/README
+++ /dev/null
@@ -1,3 +0,0 @@
-$Id: README,v 1.1 2002/05/29 04:14:11 agmorgan Exp $
-
-a directory for PDF versions of the documentation
diff --git a/Linux-PAM/doc/ps/README b/Linux-PAM/doc/ps/README
deleted file mode 100644
index 18ab6329..00000000
--- a/Linux-PAM/doc/ps/README
+++ /dev/null
@@ -1,3 +0,0 @@
-$Id: README,v 1.2 2001/11/27 05:37:30 agmorgan Exp $
-
-this is the directory for the PostScript documentation
diff --git a/Linux-PAM/doc/sag/Linux-PAM_SAG.xml b/Linux-PAM/doc/sag/Linux-PAM_SAG.xml
new file mode 100644
index 00000000..84dece31
--- /dev/null
+++ b/Linux-PAM/doc/sag/Linux-PAM_SAG.xml
@@ -0,0 +1,570 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+	"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<book id="sag">
+  <bookinfo>
+    <title>The Linux-PAM System Administrators' Guide</title>
+    <authorgroup>
+      <author>
+        <firstname>Andrew G.</firstname>
+        <surname>Morgan</surname>
+        <email>morgan@kernel.org</email>
+      </author>
+      <author>
+        <firstname>Thorsten</firstname>
+        <surname>Kukuk</surname>
+        <email>kukuk@thkukuk.de</email>
+      </author>
+    </authorgroup>
+    <releaseinfo>Version 0.99.7.0, 16. January 2007</releaseinfo>
+    <abstract>
+      <para>
+        This manual documents what a system-administrator needs to know about
+        the <emphasis remap='B'>Linux-PAM</emphasis> library. It covers the
+        correct syntax of the PAM configuration file and discusses strategies
+        for maintaining a secure system.
+      </para>
+    </abstract>
+  </bookinfo>
+
+  <chapter id='sag-introductoin'>
+    <title>Introduction</title>
+    <para>
+      <emphasis remap='B'>Linux-PAM</emphasis> (Pluggable Authentication
+      Modules for Linux) is a suite of shared libraries that enable the
+      local system administrator to choose how applications authenticate users.
+    </para>
+    <para>
+      In other words, without (rewriting and) recompiling a PAM-aware
+      application, it is possible to switch between the authentication
+      mechanism(s) it uses. Indeed, one may entirely upgrade the local
+      authentication system without touching the applications themselves.
+    </para>
+    <para>
+      Historically an application that has required a given user to be
+      authenticated, has had to be compiled to use a specific authentication
+      mechanism.  For example, in the case of traditional UN*X systems, the
+      identity of the user is verified by the user entering a correct
+      password.  This password, after being prefixed by a two character
+      ``salt'', is encrypted (with crypt(3)). The user is then authenticated
+      if this encrypted password is identical to the second field of the
+      user's entry in the system password database (the
+      <filename>/etc/passwd</filename> file).  On such systems, most if
+      not all forms of privileges are granted based on this single
+      authentication scheme. Privilege comes in the form of a personal
+      user-identifier (UID) and membership of various groups. Services and
+      applications are available based on the personal and group identity
+      of the user. Traditionally, group membership has been assigned based
+      on entries in the <filename>/etc/group</filename> file.
+    </para>
+    <para>
+      It is the purpose of the <emphasis remap='B'>Linux-PAM</emphasis>
+      project to separate the development of privilege granting software
+      from the development of secure and appropriate authentication schemes.
+      This is accomplished by providing a library of functions that an
+      application may use to request that a user be authenticated. This
+      PAM library is configured locally with a system file,
+      <filename>/etc/pam.conf</filename> (or a series of configuration
+      files located in <filename>/etc/pam.d/</filename>) to authenticate a
+      user request via the locally available authentication modules. The
+      modules themselves will usually be located in the directory
+      <filename>/lib/security</filename> or
+      <filename>/lib64/security</filename> and take the form of dynamically
+      loadable object files (see <citerefentry>
+        <refentrytitle>dlopen</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>).
+    </para>
+  </chapter>
+
+  <chapter id="sag-text-conventions">
+    <title>Some comments on the text</title>
+    <para>
+      Before proceeding to read the rest of this document, it should be
+      noted that the text assumes that certain files are placed in certain
+      directories.  Where they have been specified, the conventions we adopt
+      here for locating these files are those of the relevant RFC (RFC-86.0,
+      see <link linkend="sag-see-also">bibliography"</link>). If you are
+      using a distribution of Linux (or some other operating system) that
+      supports PAM but chooses to distribute these files in a diferent way
+      you should be careful when copying examples directly from the text.
+    </para>
+    <para>
+      As an example of the above, where it is explicit, the text assumes
+      that PAM loadable object files (the
+      <emphasis remap='B'>modules</emphasis>) are to be located in
+      the following directory: <filename>/lib/security/</filename> or
+      <filename>/lib64/security</filename> depending on the architecture.
+      This is generally the location that seems to be compatible with the
+      Filesystem Hierarchy Standard (FHS). On Solaris, which has its own
+      licensed version of PAM, and some other implementations of UN*X,
+      these files can be found in <filename>/usr/lib/security</filename>.
+      Please be careful to perform the necessary transcription when using
+      the examples from the text.
+    </para>
+  </chapter>
+
+  <chapter id="sag-overview">
+    <title>Overview</title>
+    <para>
+      For the uninitiated, we begin by considering an example.  We take an
+      application that grants some service to users;
+      <command>login</command> is one such program.
+      <command>Login</command> does two things, it first establishes that
+      the requesting user is whom they claim to be and second provides
+      them with the requested service: in the case of
+      <command>login</command> the service is a command shell
+      (bash, tcsh, zsh, etc.) running with the identity of the user.
+    </para>
+    <para>
+      Traditionally, the former step is achieved by the
+      <command>login</command> application prompting the user for a
+      password and then verifying that it agrees with that located on
+      the system; hence verifying that as far as the system is concerned
+      the user is who they claim to be. This is the task that is delegated
+      to <emphasis remap='B'>Linux-PAM</emphasis>.
+    </para>
+    <para>
+      From the perspective of the application programmer (in this case
+      the person that wrote the <command>login</command> application),
+      <emphasis remap='B'>Linux-PAM</emphasis> takes care of this
+      authentication task -- verifying the identity of the user.
+    </para>
+    <para>
+      The flexibility of <emphasis remap='B'>Linux-PAM</emphasis> is
+      that <emphasis>you</emphasis>, the system administrator, have
+      the freedom to stipulate which authentication scheme is to be
+      used. You have the freedom to set the scheme for any/all
+      PAM-aware applications on your Linux system. That is, you can
+      authenticate from anything as naive as
+      <emphasis>simple trust</emphasis> (<command>pam_permit</command>)
+      to something as paranoid as a combination of a retinal scan, a
+      voice print and a one-time password!
+    </para>
+    <para>
+      To illustrate the flexibility you face, consider the following
+      situation: a system administrator (parent) wishes to improve the
+      mathematical ability of her users (children). She can configure
+      their favorite ``Shoot 'em up game'' (PAM-aware of course) to
+      authenticate them with a request for the product of a couple of
+      random numbers less than 12. It is clear that if the game is any
+      good they will soon learn their
+      <emphasis>multiplication tables</emphasis>. As they mature, the
+      authentication can be upgraded to include (long) division!
+    </para>
+    <para>
+      <emphasis remap='B'>Linux-PAM</emphasis> deals with four
+      separate types of (management) task. These are:
+      <emphasis>authentication management</emphasis>;
+      <emphasis>account management</emphasis>;
+      <emphasis>session management</emphasis>; and
+      <emphasis>password management</emphasis>.
+      The association of the preferred management scheme with the behavior
+      of an application is made with entries in the relevant
+      <emphasis remap='B'>Linux-PAM</emphasis> configuration file.
+      The management functions are performed by <emphasis>modules</emphasis>
+      specified in the configuration file. The syntax for this
+      file is discussed in the section
+      <link  linkend="sag-configuration">below</link>.
+    </para>
+    <para>
+      Here is a figure that describes the overall organization of
+      <emphasis remap='B'>Linux-PAM</emphasis>:
+      <programlisting>
+  +----------------+
+  | application: X |
+  +----------------+       /  +----------+     +================+
+  | authentication-[----&gt;--\--] Linux-   |--&lt;--| PAM config file|
+  |       +        [----&lt;--/--]   PAM    |     |================|
+  |[conversation()][--+    \  |          |     | X auth .. a.so |
+  +----------------+  |    /  +-n--n-----+     | X auth .. b.so |
+  |                |  |       __|  |           |           _____/
+  |  service user  |  A      |     |           |____,-----'
+  |                |  |      V     A
+  +----------------+  +------|-----|---------+ -----+------+
+                         +---u-----u----+    |      |      |
+                         |   auth....   |--[ a ]--[ b ]--[ c ]
+                         +--------------+
+                         |   acct....   |--[ b ]--[ d ]
+                         +--------------+
+                         |   password   |--[ b ]--[ c ]
+                         +--------------+
+                         |   session    |--[ e ]--[ c ]
+                         +--------------+
+      </programlisting>
+      By way of explanation, the left of the figure represents the
+      application; application X.  Such an application interfaces with the
+      <emphasis remap='B'>Linux-PAM</emphasis> library and knows none of
+      the specifics of its configured authentication method. The
+      <emphasis remap='B'>Linux-PAM</emphasis> library (in the center)
+      consults the contents of the PAM configuration file and loads the
+      modules that are appropriate for application-X. These modules fall
+      into one of four management groups (lower-center) and are stacked in
+      the order they appear in the configuration file. These modules, when
+      called by <emphasis remap='B'>Linux-PAM</emphasis>, perform the
+      various authentication tasks for the application. Textual information,
+      required from/or offered to the user, can be exchanged through the
+      use of the application-supplied <emphasis>conversation</emphasis>
+      function.
+    </para>
+    <para>
+      If a program is going to use PAM, then it has to have PAM
+      functions explicitly coded into the program. If you have
+      access to the source code you can add the appropriate PAM
+      functions. If you do not have accessto the source code, and
+      the binary does not have the PAM functions included, then
+      it is not possible to use PAM.
+    </para>
+  </chapter>
+
+  <chapter id="sag-configuration">
+    <title>The Linux-PAM configuration file</title>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../man/pam.conf-desc.xml"
+     xpointer='xpointer(//section[@id = "pam.conf-desc"]/*)' />
+     <section id='sag-configuration-file'>
+       <title>Configuration file syntax</title>
+       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+        href="../man/pam.conf-syntax.xml"
+        xpointer='xpointer(//section[@id = "pam.conf-syntax"]/*)' />
+     </section>
+     <section id='sag-configuratin-dirctory'>
+       <title>Directory based configuration</title>
+       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+        href="../man/pam.conf-dir.xml"
+        xpointer='xpointer(//section[@id = "pam.conf-dir"]/*)' />
+     </section>
+     <section id='sag-configuration-example'>
+       <title>Example configuration file entries</title>
+       <para>
+         In this section, we give some examples of entries that can
+         be present in the <emphasis remap='B'>Linux-PAM</emphasis>
+         configuration file. As a first attempt at configuring your
+         system you could do worse than to implement these.
+       </para>
+       <para>
+         If a system is to be considered secure, it had better have a
+         reasonably secure '<emphasis remap='B'>other</emphasis> entry.
+         The following is a paranoid setting (which is not a bad place
+         to start!):
+       </para>
+       <programlisting>
+#
+# default; deny access
+#
+other   auth     required       pam_deny.so
+other   account  required       pam_deny.so
+other   password required       pam_deny.so
+other   session  required       pam_deny.so
+       </programlisting>
+       <para>
+         Whilst fundamentally a secure default, this is not very
+         sympathetic to a misconfigured system. For example, such
+         a system is vulnerable to locking everyone out should the
+         rest of the file become badly written.
+       </para>
+       <para>
+         The module <command>pam_deny</command> (documented in a
+         <link linkend="sag-pam_deny">later section</link>) is not very
+         sophisticated. For example, it logs no information when it
+         is invoked so unless the users of a system contact the
+         administrator when failing to execute a service application,
+         the administrator may go for a long while in ignorance of the
+         fact that his system is misconfigured.
+       </para>
+       <para>
+         The addition of the following line before those in the above
+         example would provide a suitable warning to the administrator.
+       </para>
+       <programlisting>
+#
+# default; wake up! This application is not configured
+#
+other   auth     required       pam_warn.so
+other   password required       pam_warn.so
+       </programlisting>
+       <para>
+         Having two '<command>other auth</command>' lines is an
+         example of stacking.
+       </para>
+       <para>
+         On a system that uses the <filename>/etc/pam.d/</filename>
+         configuration, the corresponding default setup would be
+         achieved with the following file:
+       </para>
+       <programlisting>
+#
+# default configuration: /etc/pam.d/other
+#
+auth     required       pam_warn.so
+auth     required       pam_deny.so
+account  required       pam_deny.so
+password required       pam_warn.so
+password required       pam_deny.so
+session  required       pam_deny.so
+       </programlisting>
+       <para>
+         This is the only explicit example we give for an
+         <filename>/etc/pam.d/</filename> file. In general, it
+         should be clear how to transpose the remaining examples
+         to this configuration scheme.
+       </para>
+       <para>
+         On a less sensitive computer, one on which the system
+         administrator wishes to remain ignorant of much of the
+         power of <emphasis remap='B'>Linux-PAM</emphasis>, the
+         following selection of lines (in
+         <filename>/etc/pam.d/other</filename>) is likely to
+         mimic the historically familiar Linux setup.
+       </para>
+       <programlisting>
+#
+# default; standard UN*X access
+#
+auth     required       pam_unix.so
+account  required       pam_unix.so
+password required       pam_unix.so
+session  required       pam_unix.so
+       </programlisting>
+       <para>
+         In general this will provide a starting place for most applications.
+       </para>
+     </section>
+  </chapter>
+
+  <chapter id='sag-security-issues'>
+    <title>Security issues</title>
+    <section id='sag-scurity-issues-wrong'>
+      <title>If something goes wrong</title>
+      <para>
+        <emphasis remap='B'>Linux-PAM</emphasis> has the potential
+        to seriously change the security of your system. You can
+        choose to have no security or absolute security (no access
+        permitted). In general, <emphasis remap='B'>Linux-PAM</emphasis>
+        errs towards the latter. Any number of configuration errors
+        can dissable access to your system partially, or completely.
+      </para>
+      <para>
+        The most dramatic problem that is likely to be encountered when
+        configuring <emphasis remap='B'>Linux-PAM</emphasis> is that of
+        <emphasis>deleting</emphasis> the configuration file(s):
+        <filename>/etc/pam.d/*</filename> and/or
+        <filename>/etc/pam.conf</filename>. This will lock you out of
+        your own system!
+      </para>
+      <para>
+        To recover, your best bet is to restore the system from a
+        backup or boot the system into a rescue system and correct
+        things from there.
+      </para>
+    </section>
+    <section id='sag-security-issues-other'>
+      <title>Avoid having a weak `other' configuration</title>
+      <para>
+        It is not a good thing to have a weak default
+        (<emphasis remap='B'>other</emphasis>) entry.
+        This service is the default configuration for all PAM aware
+        applications and if it is weak, your system is likely to be
+        vulnerable to attack.
+      </para>
+      <para>
+        Here is a sample "other" configuration file. The
+        <command>pam_deny</command> module will deny access and the
+        <command>pam_warn</command> module will send a syslog message
+        to <emphasis>auth.notice</emphasis>:
+      </para>
+      <programlisting>
+#
+# The PAM configuration file for the `other' service
+#
+auth      required   pam_deny.so
+auth      required   pam_warn.so
+account   required   pam_deny.so
+account   required   pam_warn.so
+password  required   pam_deny.so
+password  required   pam_warn.so
+session   required   pam_deny.so
+session   required   pam_warn.so
+      </programlisting>
+    </section>
+  </chapter>
+
+  <chapter id='sag-module-reference'>
+    <title>A reference guide for available modules</title>
+    <para>
+      Here, we collect together the descriptions of the various modules
+      coming with Linux-PAM.
+    </para>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_access.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_cracklib.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_debug.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_deny.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_echo.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_env.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_exec.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_faildelay.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_filter.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_ftp.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_group.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_issue.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_keyinit.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_lastlog.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_limits.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_listfile.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_localuser.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_loginuid.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_mail.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_mkhomedir.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_motd.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_namespace.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_nologin.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_permit.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_rhosts.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_rootok.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_securetty.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_selinux.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_shells.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_succeed_if.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_tally.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_time.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_umask.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_unix.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_userdb.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_warn.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_wheel.xml"/>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="pam_xauth.xml"/>
+  </chapter>
+
+  <chapter id="sag-see-also">
+    <title>See also</title>
+    <itemizedlist>
+      <listitem>
+        <para>
+          The Linux-PAM Application Writers' Guide.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The Linux-PAM Module Writers' Guide.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The V. Samar and R. Schemers (SunSoft), ``UNIFIED LOGIN WITH
+          PLUGGABLE AUTHENTICATION MODULES'', Open Software Foundation
+          Request For Comments 86.0, October 1995.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </chapter>
+
+  <chapter id='sag-author'>
+    <title>Author/acknowledgments</title>
+    <para>
+      This document was written by Andrew G. Morgan (morgan@kernel.org)
+      with many contributions from
+      Chris Adams, Peter Allgeyer, Tim Baverstock, Tim Berger,
+      Craig S. Bell, Derrick J. Brashear, Ben Buxton, Seth Chaiklin,
+      Oliver Crow, Chris Dent, Marc Ewing, Cristian Gafton,
+      Emmanuel Galanos, Brad M. Garcia, Eric Hester, Michel D'Hooge,
+      Roger Hu, Eric Jacksch, Michael K. Johnson, David Kinchlea,
+      Olaf Kirch, Marcin Korzonek, Thorsten Kukuk, Stephen Langasek,
+      Nicolai Langfeldt, Elliot Lee, Luke Kenneth Casson Leighton,
+      Al Longyear, Ingo Luetkebohle, Marek Michalkiewicz,
+      Robert Milkowski, Aleph One, Martin Pool, Sean Reifschneider,
+      Jan Rekorajski, Erik Troan, Theodore Ts'o, Jeff Uphoff, Myles Uyema,
+      Savochkin Andrey Vladimirovich, Ronald Wahl, David Wood, John Wilmes,
+      Joseph S. D. Yao and Alex O. Yuriev.
+    </para>
+    <para>
+      Thanks are also due to Sun Microsystems, especially to Vipin Samar and
+      Charlie Lai for their advice. At an early stage in the development of
+      <emphasis remap='B'>Linux-PAM</emphasis>, Sun graciously made the
+      documentation for their implementation of PAM available. This act
+      greatly accelerated the development of
+      <emphasis remap='B'>Linux-PAM</emphasis>.
+    </para>
+  </chapter>
+
+  <chapter id='sag-copyright'>
+    <title>Copyright information for this document</title>
+    <programlisting>
+Copyright (c) 2006 Thorsten Kukuk &lt;kukuk@thkukuk.de&gt;
+Copyright (c) 1996-2002 Andrew G. Morgan &lt;morgan@kernel.org&gt;
+    </programlisting>
+    <para>
+      Redistribution and use in source and binary forms, with or without
+      modification, are permitted provided that the following conditions are
+      met:
+    </para>
+    <programlisting>
+1. Redistributions of source code must retain the above copyright
+   notice, and the entire permission notice in its entirety,
+   including the disclaimer of warranties.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. The name of the author may not be used to endorse or promote
+   products derived from this software without specific prior
+   written permission.
+    </programlisting>
+    <para>
+      Alternatively, this product may be distributed under the terms of
+      the GNU General Public License (GPL), in which case the provisions
+      of the GNU GPL are required instead of the above restrictions.
+      (This clause is necessary due to a potential bad interaction between
+      the GNU GPL and the restrictions contained in a BSD-style copyright.)
+    </para>
+    <programlisting>
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+    </programlisting>
+  </chapter>
+</book>
diff --git a/Linux-PAM/doc/sag/Makefile.am b/Linux-PAM/doc/sag/Makefile.am
new file mode 100644
index 00000000..26b5f5b8
--- /dev/null
+++ b/Linux-PAM/doc/sag/Makefile.am
@@ -0,0 +1,97 @@
+#
+# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
+#
+
+CLEANFILES = Linux-PAM_SAG.fo *~
+
+EXTRA_DIST = $(XMLS)
+
+XMLS = Linux-PAM_SAG.xml $(shell ls $(srcdir)/pam_*.xml)
+
+DEP_XMLS = $(shell ls $(top_srcdir)/modules/pam_*/pam_*.xml)
+
+if ENABLE_REGENERATE_MAN
+MAINTAINERCLEANFILES = Linux-PAM_SAG.txt Linux-PAM_SAG.pdf html/*.html
+
+all: Linux-PAM_SAG.txt html/Linux-PAM_SAG.html Linux-PAM_SAG.pdf
+
+Linux-PAM_SAG.pdf: $(XMLS) $(DEP_XMLS)
+if ENABLE_GENERATE_PDF
+	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+	$(XSLTPROC) --stringparam generate.toc "book toc" \
+	  --stringparam section.autolabel 1 \
+	  --stringparam section.label.includes.component.label 1 \
+	  --stringparam toc.max.depth 2 --xinclude --nonet \
+	http://docbook.sourceforge.net/release/xsl/current/fo/docbook.xsl $< > Linux-PAM_SAG.fo
+	$(FO2PDF) Linux-PAM_SAG.fo $@
+else
+	echo "No fo2pdf processor installed, skip PDF generation"
+endif
+
+Linux-PAM_SAG.txt: $(XMLS) $(DEP_XMLS)
+	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+	$(XSLTPROC) --stringparam generate.toc "book toc" \
+	  --stringparam section.autolabel 1 \
+	  --stringparam section.label.includes.component.label 1 \
+	  --stringparam toc.max.depth 2 --xinclude --nonet \
+	  http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl $< | $(BROWSER) > $@
+
+html/Linux-PAM_SAG.html: $(XMLS) $(DEP_XMLS)
+	@test -d html || mkdir -p html
+	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+	$(XSLTPROC) --stringparam base.dir html/ \
+	  --stringparam root.filename Linux-PAM_SAG \
+	  --stringparam use.id.as.filename 1 \
+	  --stringparam chunk.first.sections 1 \
+	  --stringparam section.autolabel 1 \
+	  --stringparam section.label.includes.component.label 1 \
+	  --stringparam toc.max.depth 2 --xinclude --nonet \
+	  http://docbook.sourceforge.net/release/xsl/current/html/chunk.xsl $<
+
+distclean-local:
+	-rm -rf html Linux-PAM_SAG.txt Linux-PAM_SAG.pdf
+endif
+
+install-data-local:
+	$(mkinstalldirs) $(DESTDIR)$(docdir)
+	$(mkinstalldirs) $(DESTDIR)$(pdfdir)
+	$(mkinstalldirs) $(DESTDIR)$(htmldir)
+	test -f html/Linux-PAM_SAG.html || exit 0; \
+	    $(install_sh_DATA) html/Linux-PAM_SAG.html html/sag-*.html \
+		$(DESTDIR)$(htmldir)/ || \
+	    $(install_sh_DATA) $(srcdir)/html/Linux-PAM_SAG.html \
+		$(srcdir)/html/sag-*.html \
+		$(DESTDIR)$(htmldir)/
+	test -f Linux-PAM_SAG.txt || exit 0; \
+	    $(install_sh_DATA) Linux-PAM_SAG.txt $(DESTDIR)$(docdir)/ || \
+	    $(install_sh_DATA) $(srcdir)/Linux-PAM_SAG.txt \
+		$(DESTDIR)$(docdir)/
+	test -f Linux-PAM_SAG.pdf || exit 0; \
+	    $(install_sh_DATA) Linux-PAM_SAG.pdf $(DESTDIR)$(pdfdir)/ || \
+	    $(install_sh_DATA) $(srcdir)/Linux-PAM_SAG.pdf \
+		$(DESTDIR)$(pdfdir)/
+
+uninstall-local:
+	-rm $(DESTDIR)$(htmldir)/Linux-PAM_SAG.html
+	-rm $(DESTDIR)$(htmldir)/sag-*.html
+	-rm $(DESTDIR)$(docdir)/Linux-PAM_SAG.txt
+	-rm $(DESTDIR)$(pdfdir)/Linux-PAM_SAG.pdf
+
+releasedocs: all
+	$(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/html
+	test -f html/Linux-PAM_SAG.html || exit 0; \
+	    cp -ap html/Linux-PAM_SAG.html html/sag-*.html \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/html/ || \
+	    cp -ap $(srcdir)/html/Linux-PAM_SAG.html \
+		$(srcdir)/html/sag-*.html \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/html/
+	test -f Linux-PAM_SAG.txt || exit 0; \
+	    cp -p Linux-PAM_SAG.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/ || \
+	    cp -p $(srcdir)/Linux-PAM_SAG.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/
+	test -f Linux-PAM_SAG.pdf || exit 0; \
+	    cp -p Linux-PAM_SAG.pdf \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/ || \
+	    cp -p $(srcdir)/Linux-PAM_SAG.pdf \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/
diff --git a/Linux-PAM/doc/sag/Makefile.in b/Linux-PAM/doc/sag/Makefile.in
new file mode 100644
index 00000000..007316a4
--- /dev/null
+++ b/Linux-PAM/doc/sag/Makefile.in
@@ -0,0 +1,470 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+#
+# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
+#
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = doc/sag
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
+	$(top_srcdir)/m4/iconv.m4 \
+	$(top_srcdir)/m4/jh_path_xml_catalog.m4 \
+	$(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+SOURCES =
+DIST_SOURCES =
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BROWSER = @BROWSER@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+FO2PDF = @FO2PDF@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GREP = @GREP@
+HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBAUDIT = @LIBAUDIT@
+LIBCRACK = @LIBCRACK@
+LIBCRYPT = @LIBCRYPT@
+LIBDB = @LIBDB@
+LIBDL = @LIBDL@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBNSL = @LIBNSL@
+LIBOBJS = @LIBOBJS@
+LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@
+LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@
+LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@
+LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@
+LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@
+LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@
+LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@
+LIBS = @LIBS@
+LIBSELINUX = @LIBSELINUX@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+POSUB = @POSUB@
+RANLIB = @RANLIB@
+SCONFIGDIR = @SCONFIGDIR@
+SECUREDIR = @SECUREDIR@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_NLS = @USE_NLS@
+VERSION = @VERSION@
+WITH_DEBUG = @WITH_DEBUG@
+WITH_PAMLOCKING = @WITH_PAMLOCKING@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XMLCATALOG = @XMLCATALOG@
+XMLLINT = @XMLLINT@
+XML_CATALOG_FILE = @XML_CATALOG_FILE@
+XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libc_cv_fpie = @libc_cv_fpie@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pam_cv_ld_as_needed = @pam_cv_ld_as_needed@
+pam_xauth_path = @pam_xauth_path@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+CLEANFILES = Linux-PAM_SAG.fo *~
+EXTRA_DIST = $(XMLS)
+XMLS = Linux-PAM_SAG.xml $(shell ls $(srcdir)/pam_*.xml)
+DEP_XMLS = $(shell ls $(top_srcdir)/modules/pam_*/pam_*.xml)
+@ENABLE_REGENERATE_MAN_TRUE@MAINTAINERCLEANFILES = Linux-PAM_SAG.txt Linux-PAM_SAG.pdf html/*.html
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  doc/sag/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  doc/sag/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+	-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
+@ENABLE_REGENERATE_MAN_FALSE@distclean-local:
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-local
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-data-local
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-local
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	distclean distclean-generic distclean-libtool distclean-local \
+	distdir dvi dvi-am html html-am info info-am install \
+	install-am install-data install-data-am install-data-local \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-html install-html-am install-info install-info-am \
+	install-man install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
+	ps ps-am uninstall uninstall-am uninstall-local
+
+
+@ENABLE_REGENERATE_MAN_TRUE@all: Linux-PAM_SAG.txt html/Linux-PAM_SAG.html Linux-PAM_SAG.pdf
+
+@ENABLE_REGENERATE_MAN_TRUE@Linux-PAM_SAG.pdf: $(XMLS) $(DEP_XMLS)
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	$(XSLTPROC) --stringparam generate.toc "book toc" \
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.autolabel 1 \
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.label.includes.component.label 1 \
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam toc.max.depth 2 --xinclude --nonet \
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	http://docbook.sourceforge.net/release/xsl/current/fo/docbook.xsl $< > Linux-PAM_SAG.fo
+@ENABLE_GENERATE_PDF_TRUE@@ENABLE_REGENERATE_MAN_TRUE@	$(FO2PDF) Linux-PAM_SAG.fo $@
+@ENABLE_GENERATE_PDF_FALSE@@ENABLE_REGENERATE_MAN_TRUE@	echo "No fo2pdf processor installed, skip PDF generation"
+
+@ENABLE_REGENERATE_MAN_TRUE@Linux-PAM_SAG.txt: $(XMLS) $(DEP_XMLS)
+@ENABLE_REGENERATE_MAN_TRUE@	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+@ENABLE_REGENERATE_MAN_TRUE@	$(XSLTPROC) --stringparam generate.toc "book toc" \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.autolabel 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.label.includes.component.label 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam toc.max.depth 2 --xinclude --nonet \
+@ENABLE_REGENERATE_MAN_TRUE@	  http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl $< | $(BROWSER) > $@
+
+@ENABLE_REGENERATE_MAN_TRUE@html/Linux-PAM_SAG.html: $(XMLS) $(DEP_XMLS)
+@ENABLE_REGENERATE_MAN_TRUE@	@test -d html || mkdir -p html
+@ENABLE_REGENERATE_MAN_TRUE@	$(XMLLINT) --nonet --xinclude --postvalid --noent --noout $<
+@ENABLE_REGENERATE_MAN_TRUE@	$(XSLTPROC) --stringparam base.dir html/ \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam root.filename Linux-PAM_SAG \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam use.id.as.filename 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam chunk.first.sections 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.autolabel 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam section.label.includes.component.label 1 \
+@ENABLE_REGENERATE_MAN_TRUE@	  --stringparam toc.max.depth 2 --xinclude --nonet \
+@ENABLE_REGENERATE_MAN_TRUE@	  http://docbook.sourceforge.net/release/xsl/current/html/chunk.xsl $<
+
+@ENABLE_REGENERATE_MAN_TRUE@distclean-local:
+@ENABLE_REGENERATE_MAN_TRUE@	-rm -rf html Linux-PAM_SAG.txt Linux-PAM_SAG.pdf
+
+install-data-local:
+	$(mkinstalldirs) $(DESTDIR)$(docdir)
+	$(mkinstalldirs) $(DESTDIR)$(pdfdir)
+	$(mkinstalldirs) $(DESTDIR)$(htmldir)
+	test -f html/Linux-PAM_SAG.html || exit 0; \
+	    $(install_sh_DATA) html/Linux-PAM_SAG.html html/sag-*.html \
+		$(DESTDIR)$(htmldir)/ || \
+	    $(install_sh_DATA) $(srcdir)/html/Linux-PAM_SAG.html \
+		$(srcdir)/html/sag-*.html \
+		$(DESTDIR)$(htmldir)/
+	test -f Linux-PAM_SAG.txt || exit 0; \
+	    $(install_sh_DATA) Linux-PAM_SAG.txt $(DESTDIR)$(docdir)/ || \
+	    $(install_sh_DATA) $(srcdir)/Linux-PAM_SAG.txt \
+		$(DESTDIR)$(docdir)/
+	test -f Linux-PAM_SAG.pdf || exit 0; \
+	    $(install_sh_DATA) Linux-PAM_SAG.pdf $(DESTDIR)$(pdfdir)/ || \
+	    $(install_sh_DATA) $(srcdir)/Linux-PAM_SAG.pdf \
+		$(DESTDIR)$(pdfdir)/
+
+uninstall-local:
+	-rm $(DESTDIR)$(htmldir)/Linux-PAM_SAG.html
+	-rm $(DESTDIR)$(htmldir)/sag-*.html
+	-rm $(DESTDIR)$(docdir)/Linux-PAM_SAG.txt
+	-rm $(DESTDIR)$(pdfdir)/Linux-PAM_SAG.pdf
+
+releasedocs: all
+	$(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/html
+	test -f html/Linux-PAM_SAG.html || exit 0; \
+	    cp -ap html/Linux-PAM_SAG.html html/sag-*.html \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/html/ || \
+	    cp -ap $(srcdir)/html/Linux-PAM_SAG.html \
+		$(srcdir)/html/sag-*.html \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/html/
+	test -f Linux-PAM_SAG.txt || exit 0; \
+	    cp -p Linux-PAM_SAG.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/ || \
+	    cp -p $(srcdir)/Linux-PAM_SAG.txt \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/
+	test -f Linux-PAM_SAG.pdf || exit 0; \
+	    cp -p Linux-PAM_SAG.pdf \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/ || \
+	    cp -p $(srcdir)/Linux-PAM_SAG.pdf \
+		$(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/Linux-PAM/doc/sag/pam_access.xml b/Linux-PAM/doc/sag/pam_access.xml
new file mode 100644
index 00000000..9e2837ca
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_access.xml
@@ -0,0 +1,42 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_access'>
+  <title>pam_access - logdaemon style login access control</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_access-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_access-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-description"]/*)'/>
+  </section>
+  <section id='sag-access.conf-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_access/access.conf.5.xml" xpointer='xpointer(//refsect1[@id = "access.conf-description"]/*)'/>
+  </section>
+  <section id='sag-pam_access-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-options"]/*)'/>
+  </section>
+  <section id='sag-pam_access-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-services"]/*)'/>
+  </section>
+  <section id='sag-pam_access-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_access-files'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-files"]/*)'/>
+  </section>
+  <section id='sag-access.conf-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_access/access.conf.5.xml" xpointer='xpointer(//refsect1[@id = "access.conf-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_access-authors'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-authors"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_cracklib.xml b/Linux-PAM/doc/sag/pam_cracklib.xml
new file mode 100644
index 00000000..58f0edb0
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_cracklib.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_cracklib'>
+  <title>pam_cracklib - checks the password against dictionary words</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_cracklib-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_cracklib-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-description"]/*)'/>
+  </section>
+  <section id='sag-pam_cracklib-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-options"]/*)'/>
+  </section>
+  <section id='sag-pam_cracklib-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-services"]/*)'/>
+  </section>
+  <section id='sag-pam_cracklib-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_cracklib-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_cracklib-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_debug.xml b/Linux-PAM/doc/sag/pam_debug.xml
new file mode 100644
index 00000000..6ec398b8
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_debug.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_debug'>
+  <title>pam_debug - debug the PAM stack</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_debug-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_debug-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-description"]/*)'/>
+  </section>
+  <section id='sag-pam_debug-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-options"]/*)'/>
+  </section>
+  <section id='sag-pam_debug-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-services"]/*)'/>
+  </section>
+  <section id='sag-pam_debug-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_debug-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_debug-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_deny.xml b/Linux-PAM/doc/sag/pam_deny.xml
new file mode 100644
index 00000000..eaaada3b
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_deny.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_deny'>
+  <title>pam_deny - locking-out PAM module</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_deny-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_deny-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-description"]/*)'/>
+  </section>
+  <section id='sag-pam_deny-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-options"]/*)'/>
+  </section>
+  <section id='sag-pam_deny-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-services"]/*)'/>
+  </section>
+  <section id='sag-pam_deny-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_deny-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_deny-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_echo.xml b/Linux-PAM/doc/sag/pam_echo.xml
new file mode 100644
index 00000000..95baa0aa
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_echo.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_echo'>
+  <title>pam_echo - print text messages</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_echo-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_echo-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-description"]/*)'/>
+  </section>
+  <section id='sag-pam_echo-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-options"]/*)'/>
+  </section>
+  <section id='sag-pam_echo-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-services"]/*)'/>
+  </section>
+  <section id='sag-pam_echo-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_echo-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_echo-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_env.xml b/Linux-PAM/doc/sag/pam_env.xml
new file mode 100644
index 00000000..d1c561e0
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_env.xml
@@ -0,0 +1,42 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_env'>
+  <title>pam_env - set/unset environment variables</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_env-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_env-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-description"]/*)'/>
+  </section>
+  <section id='sag-pam_env.conf-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_env/pam_env.conf.5.xml" xpointer='xpointer(//refsect1[@id = "pam_env.conf-description"]/*)'/>
+  </section>
+  <section id='sag-pam_env-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-options"]/*)'/>
+  </section>
+  <section id='sag-pam_env-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-services"]/*)'/>
+  </section>
+  <section id='sag-pam_env-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_env-files'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-files"]/*)'/>
+  </section>
+  <section id='sag-pam_env.conf-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_env/pam_env.conf.5.xml" xpointer='xpointer(//refsect1[@id = "pam_env.conf-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_env-authors'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-authors"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_exec.xml b/Linux-PAM/doc/sag/pam_exec.xml
new file mode 100644
index 00000000..38245ed8
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_exec.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_exec'>
+  <title>pam_exec - call an external command</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_exec-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_exec-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-description"]/*)'/>
+  </section>
+  <section id='sag-pam_exec-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-options"]/*)'/>
+  </section>
+  <section id='sag-pam_exec-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-services"]/*)'/>
+  </section>
+  <section id='sag-pam_exec-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_exec-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_exec-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_faildelay.xml b/Linux-PAM/doc/sag/pam_faildelay.xml
new file mode 100644
index 00000000..312fee8e
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_faildelay.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_faildelay'>
+  <title>pam_faildelay - change the delay on failure per-application</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faildelay-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_faildelay-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-description"]/*)'/>
+  </section>
+  <section id='sag-pam_faildelay-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-options"]/*)'/>
+  </section>
+  <section id='sag-pam_faildelay-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-services"]/*)'/>
+  </section>
+  <section id='sag-pam_faildelay-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_faildelay-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_faildelay-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_filter.xml b/Linux-PAM/doc/sag/pam_filter.xml
new file mode 100644
index 00000000..4248704d
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_filter.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_filter'>
+  <title>pam_filter - filter module</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_filter-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_filter-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-description"]/*)'/>
+  </section>
+  <section id='sag-pam_filter-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-options"]/*)'/>
+  </section>
+  <section id='sag-pam_filter-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-services"]/*)'/>
+  </section>
+  <section id='sag-pam_filter-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_filter-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_filter-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_ftp.xml b/Linux-PAM/doc/sag/pam_ftp.xml
new file mode 100644
index 00000000..c53139ca
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_ftp.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_ftp'>
+  <title>pam_ftp - module for anonymous access</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_ftp-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_ftp-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-description"]/*)'/>
+  </section>
+  <section id='sag-pam_ftp-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-options"]/*)'/>
+  </section>
+  <section id='sag-pam_ftp-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-services"]/*)'/>
+  </section>
+  <section id='sag-pam_ftp-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_ftp-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_ftp-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_group.xml b/Linux-PAM/doc/sag/pam_group.xml
new file mode 100644
index 00000000..f83ccc58
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_group.xml
@@ -0,0 +1,42 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_group'>
+  <title>pam_group - module to modify group access</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_group-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_group-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-description"]/*)'/>
+  </section>
+  <section id='sag-group.conf-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_group/group.conf.5.xml" xpointer='xpointer(//refsect1[@id = "group.conf-description"]/*)'/>
+  </section>
+  <section id='sag-pam_group-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-options"]/*)'/>
+  </section>
+  <section id='sag-pam_group-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-services"]/*)'/>
+  </section>
+  <section id='sag-pam_group-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_group-files'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-files"]/*)'/>
+  </section>
+  <section id='sag-group.conf-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_group/group.conf.5.xml" xpointer='xpointer(//refsect1[@id = "group.conf-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_group-authors'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-authors"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_issue.xml b/Linux-PAM/doc/sag/pam_issue.xml
new file mode 100644
index 00000000..f9283de6
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_issue.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_issue'>
+  <title>pam_issue - add issue file to user prompt</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_issue-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_issue-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-description"]/*)'/>
+  </section>
+  <section id='sag-pam_issue-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-options"]/*)'/>
+  </section>
+  <section id='sag-pam_issue-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-services"]/*)'/>
+  </section>
+  <section id='sag-pam_issue-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_issue-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_issue-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_keyinit.xml b/Linux-PAM/doc/sag/pam_keyinit.xml
new file mode 100644
index 00000000..4925900b
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_keyinit.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_keyinit'>
+  <title>pam_keyinit - display the keyinit file</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_keyinit-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_keyinit-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-description"]/*)'/>
+  </section>
+  <section id='sag-pam_keyinit-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-options"]/*)'/>
+  </section>
+  <section id='sag-pam_keyinit-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-services"]/*)'/>
+  </section>
+  <section id='sag-pam_keyinit-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_keyinit-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_keyinit-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_lastlog.xml b/Linux-PAM/doc/sag/pam_lastlog.xml
new file mode 100644
index 00000000..a8012b1c
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_lastlog.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_lastlog'>
+  <title>pam_lastlog - display date of last login</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_lastlog-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_lastlog-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-description"]/*)'/>
+  </section>
+  <section id='sag-pam_lastlog-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-options"]/*)'/>
+  </section>
+  <section id='sag-pam_lastlog-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-services"]/*)'/>
+  </section>
+  <section id='sag-pam_lastlog-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_lastlog-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_lastlog-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_limits.xml b/Linux-PAM/doc/sag/pam_limits.xml
new file mode 100644
index 00000000..25e14e1c
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_limits.xml
@@ -0,0 +1,42 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_limits'>
+  <title>pam_limits - limit resources</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_limits-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_limits-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-description"]/*)'/>
+  </section>
+  <section id='sag-limits.conf-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_limits/limits.conf.5.xml" xpointer='xpointer(//refsect1[@id = "limits.conf-description"]/*)'/>
+  </section>
+  <section id='sag-pam_limits-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-options"]/*)'/>
+  </section>
+  <section id='sag-pam_limits-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-services"]/*)'/>
+  </section>
+  <section id='sag-pam_limits-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_limits-files'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-files"]/*)'/>
+  </section>
+  <section id='sag-limits.conf-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_limits/limits.conf.5.xml" xpointer='xpointer(//refsect1[@id = "limits.conf-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_limits-authors'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-authors"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_listfile.xml b/Linux-PAM/doc/sag/pam_listfile.xml
new file mode 100644
index 00000000..fe3f6b0c
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_listfile.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_listfile'>
+  <title>pam_listfile - deny or allow services based on an arbitrary file</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_listfile-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_listfile-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-description"]/*)'/>
+  </section>
+  <section id='sag-pam_listfile-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-options"]/*)'/>
+  </section>
+  <section id='sag-pam_listfile-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-services"]/*)'/>
+  </section>
+  <section id='sag-pam_listfile-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_listfile-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_listfile-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_localuser.xml b/Linux-PAM/doc/sag/pam_localuser.xml
new file mode 100644
index 00000000..0f13d368
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_localuser.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_localuser'>
+  <title>pam_localuser - require users to be listed in /etc/passwd</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_localuser-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_localuser-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-description"]/*)'/>
+  </section>
+  <section id='sag-pam_localuser-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-options"]/*)'/>
+  </section>
+  <section id='sag-pam_localuser-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-services"]/*)'/>
+  </section>
+  <section id='sag-pam_localuser-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_localuser-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_localuser-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_loginuid.xml b/Linux-PAM/doc/sag/pam_loginuid.xml
new file mode 100644
index 00000000..6166d99f
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_loginuid.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_loginuid'>
+  <title>pam_loginuid - record user's login uid to the process attribute</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_loginuid-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_loginuid-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-description"]/*)'/>
+  </section>
+  <section id='sag-pam_loginuid-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-options"]/*)'/>
+  </section>
+  <section id='sag-pam_loginuid-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-services"]/*)'/>
+  </section>
+  <section id='sag-pam_loginuid-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_loginuid-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_loginuid-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_mail.xml b/Linux-PAM/doc/sag/pam_mail.xml
new file mode 100644
index 00000000..879c8940
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_mail.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_mail'>
+  <title>pam_mail - inform about available mail</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_mail-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_mail-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-description"]/*)'/>
+  </section>
+  <section id='sag-pam_mail-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-options"]/*)'/>
+  </section>
+  <section id='sag-pam_mail-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-services"]/*)'/>
+  </section>
+  <section id='sag-pam_mail-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_mail-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_mail-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_mkhomedir.xml b/Linux-PAM/doc/sag/pam_mkhomedir.xml
new file mode 100644
index 00000000..a1465439
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_mkhomedir.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_mkhomedir'>
+  <title>pam_mkhomedir - create users home directory</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_mkhomedir-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_mkhomedir-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-description"]/*)'/>
+  </section>
+  <section id='sag-pam_mkhomedir-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-options"]/*)'/>
+  </section>
+  <section id='sag-pam_mkhomedir-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-services"]/*)'/>
+  </section>
+  <section id='sag-pam_mkhomedir-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_mkhomedir-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_mkhomedir-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_motd.xml b/Linux-PAM/doc/sag/pam_motd.xml
new file mode 100644
index 00000000..847a047c
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_motd.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_motd'>
+  <title>pam_motd - display the motd file</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_motd-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_motd-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-description"]/*)'/>
+  </section>
+  <section id='sag-pam_motd-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-options"]/*)'/>
+  </section>
+  <section id='sag-pam_motd-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-services"]/*)'/>
+  </section>
+  <section id='sag-pam_motd-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_motd-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_motd-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_namespace.xml b/Linux-PAM/doc/sag/pam_namespace.xml
new file mode 100644
index 00000000..6a4f59e7
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_namespace.xml
@@ -0,0 +1,42 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_namespace'>
+  <title>pam_namespace - setup a private namespace</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_namespace-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_namespace-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-description"]/*)'/>
+  </section>
+  <section id='sag-namespace.conf-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_namespace/namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-description"]/*)'/>
+  </section>
+  <section id='sag-pam_namespace-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-options"]/*)'/>
+  </section>
+  <section id='sag-pam_namespace-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-services"]/*)'/>
+  </section>
+  <section id='sag-pam_namespace-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_namespace-files'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-files"]/*)'/>
+  </section>
+  <section id='sag-namespace.conf-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_namespace/namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_namespace-authors'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-authors"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_nologin.xml b/Linux-PAM/doc/sag/pam_nologin.xml
new file mode 100644
index 00000000..b05652f5
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_nologin.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_nologin'>
+  <title>pam_nologin - prevent non-root users from login</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_nologin-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_nologin-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-description"]/*)'/>
+  </section>
+  <section id='sag-pam_nologin-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-options"]/*)'/>
+  </section>
+  <section id='sag-pam_nologin-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-services"]/*)'/>
+  </section>
+  <section id='sag-pam_nologin-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_nologin-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_nologin-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_permit.xml b/Linux-PAM/doc/sag/pam_permit.xml
new file mode 100644
index 00000000..82febe01
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_permit.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_permit'>
+  <title>pam_permit - the promiscuous module</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_permit-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_permit-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-description"]/*)'/>
+  </section>
+  <section id='sag-pam_permit-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-options"]/*)'/>
+  </section>
+  <section id='sag-pam_permit-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-services"]/*)'/>
+  </section>
+  <section id='sag-pam_permit-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_permit-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_permit-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_rhosts.xml b/Linux-PAM/doc/sag/pam_rhosts.xml
new file mode 100644
index 00000000..10ae9361
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_rhosts.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_rhosts'>
+  <title>pam_rhosts - grant access using .rhosts file</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_rhosts-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_rhosts-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-description"]/*)'/>
+  </section>
+  <section id='sag-pam_rhosts-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-options"]/*)'/>
+  </section>
+  <section id='sag-pam_rhosts-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-services"]/*)'/>
+  </section>
+  <section id='sag-pam_rhosts-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_rhosts-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_rhosts-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_rootok.xml b/Linux-PAM/doc/sag/pam_rootok.xml
new file mode 100644
index 00000000..6907bd89
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_rootok.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_rootok'>
+  <title>pam_rootok - gain only root access</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_rootok-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_rootok-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-description"]/*)'/>
+  </section>
+  <section id='sag-pam_rootok-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-options"]/*)'/>
+  </section>
+  <section id='sag-pam_rootok-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-services"]/*)'/>
+  </section>
+  <section id='sag-pam_rootok-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_rootok-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_rootok-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_securetty.xml b/Linux-PAM/doc/sag/pam_securetty.xml
new file mode 100644
index 00000000..061546cc
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_securetty.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_securetty'>
+  <title>pam_securetty - limit root login to special devices</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_securetty-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_securetty-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-description"]/*)'/>
+  </section>
+  <section id='sag-pam_securetty-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-options"]/*)'/>
+  </section>
+  <section id='sag-pam_securetty-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-services"]/*)'/>
+  </section>
+  <section id='sag-pam_securetty-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_securetty-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_securetty-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_selinux.xml b/Linux-PAM/doc/sag/pam_selinux.xml
new file mode 100644
index 00000000..a0fb293b
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_selinux.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_selinux'>
+  <title>pam_selinux - set the default security context</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_selinux/pam_selinux.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_selinux-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_selinux-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_selinux/pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-description"]/*)'/>
+  </section>
+  <section id='sag-pam_selinux-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_selinux/pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-options"]/*)'/>
+  </section>
+  <section id='sag-pam_selinux-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_selinux/pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-services"]/*)'/>
+  </section>
+  <section id='sag-pam_selinux-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_selinux/pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_selinux-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_selinux/pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_selinux-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_selinux/pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_shells.xml b/Linux-PAM/doc/sag/pam_shells.xml
new file mode 100644
index 00000000..87bc6fdb
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_shells.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_shells'>
+  <title>pam_shells - check for valid login shell</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_shells-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_shells-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-description"]/*)'/>
+  </section>
+  <section id='sag-pam_shells-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-options"]/*)'/>
+  </section>
+  <section id='sag-pam_shells-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-services"]/*)'/>
+  </section>
+  <section id='sag-pam_shells-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_shells-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_shells-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_succeed_if.xml b/Linux-PAM/doc/sag/pam_succeed_if.xml
new file mode 100644
index 00000000..0d7304a4
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_succeed_if.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_succeed_if'>
+  <title>pam_succeed_if - test account characteristics</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_succeed_if-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_succeed_if-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-description"]/*)'/>
+  </section>
+  <section id='sag-pam_succeed_if-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-options"]/*)'/>
+  </section>
+  <section id='sag-pam_succeed_if-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-services"]/*)'/>
+  </section>
+  <section id='sag-pam_succeed_if-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_succeed_if-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_succeed_if-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_tally.xml b/Linux-PAM/doc/sag/pam_tally.xml
new file mode 100644
index 00000000..df34a511
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_tally.xml
@@ -0,0 +1,38 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_tally'>
+  <title>pam_tally - login counter (tallying) module</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_tally-cmdsynopsis1"]/*)'/>
+  </cmdsynopsis>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_tally-cmdsynopsis2"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_tally-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-description"]/*)'/>
+  </section>
+  <section id='sag-pam_tally-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-options"]/*)'/>
+  </section>
+  <section id='sag-pam_tally-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-services"]/*)'/>
+  </section>
+  <section id='sag-pam_tally-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_tally-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_tally-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_time.xml b/Linux-PAM/doc/sag/pam_time.xml
new file mode 100644
index 00000000..c53ebcab
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_time.xml
@@ -0,0 +1,42 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_time'>
+  <title>pam_time - time controled access</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_time-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_time-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-description"]/*)'/>
+  </section>
+  <section id='sag-time.conf-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_time/time.conf.5.xml" xpointer='xpointer(//refsect1[@id = "time.conf-description"]/*)'/>
+  </section>
+  <section id='sag-pam_time-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-options"]/*)'/>
+  </section>
+  <section id='sag-pam_time-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-services"]/*)'/>
+  </section>
+  <section id='sag-pam_time-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_time-files'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-files"]/*)'/>
+  </section>
+  <section id='sag-time.conf-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_time/time.conf.5.xml" xpointer='xpointer(//refsect1[@id = "time.conf-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_time-authors'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-authors"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_umask.xml b/Linux-PAM/doc/sag/pam_umask.xml
new file mode 100644
index 00000000..af68f647
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_umask.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_umask'>
+  <title>pam_umask - set the file mode creation mask</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_umask-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_umask-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-description"]/*)'/>
+  </section>
+  <section id='sag-pam_umask-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-options"]/*)'/>
+  </section>
+  <section id='sag-pam_umask-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-services"]/*)'/>
+  </section>
+  <section id='sag-pam_umask-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_umask-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_umask-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_unix.xml b/Linux-PAM/doc/sag/pam_unix.xml
new file mode 100644
index 00000000..57b2f9d2
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_unix.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_unix'>
+  <title>pam_unix - traditional password authentication</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_unix-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_unix-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-description"]/*)'/>
+  </section>
+  <section id='sag-pam_unix-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-options"]/*)'/>
+  </section>
+  <section id='sag-pam_unix-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-services"]/*)'/>
+  </section>
+  <section id='sag-pam_unix-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_unix-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_unix-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_userdb.xml b/Linux-PAM/doc/sag/pam_userdb.xml
new file mode 100644
index 00000000..ae934cf6
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_userdb.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_userdb'>
+  <title>pam_userdb - authenticate against a db database</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_userdb-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_userdb-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-description"]/*)'/>
+  </section>
+  <section id='sag-pam_userdb-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-options"]/*)'/>
+  </section>
+  <section id='sag-pam_userdb-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-services"]/*)'/>
+  </section>
+  <section id='sag-pam_userdb-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_userdb-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_userdb-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_warn.xml b/Linux-PAM/doc/sag/pam_warn.xml
new file mode 100644
index 00000000..3d42a757
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_warn.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_warn'>
+  <title>pam_warn - logs all PAM items</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_warn-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_warn-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-description"]/*)'/>
+  </section>
+  <section id='sag-pam_warn-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-options"]/*)'/>
+  </section>
+  <section id='sag-pam_warn-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-services"]/*)'/>
+  </section>
+  <section id='sag-pam_warn-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_warn-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_warn-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_wheel.xml b/Linux-PAM/doc/sag/pam_wheel.xml
new file mode 100644
index 00000000..69175124
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_wheel.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_wheel'>
+  <title>pam_wheel - only permit root access to members of group wheel</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_wheel-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_wheel-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-description"]/*)'/>
+  </section>
+  <section id='sag-pam_wheel-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-options"]/*)'/>
+  </section>
+  <section id='sag-pam_wheel-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-services"]/*)'/>
+  </section>
+  <section id='sag-pam_wheel-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_wheel-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_wheel-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_xauth.xml b/Linux-PAM/doc/sag/pam_xauth.xml
new file mode 100644
index 00000000..84ca5ddb
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_xauth.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_xauth'>
+  <title>pam_xauth - forward xauth keys between users</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_xauth-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_xauth-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-description"]/*)'/>
+  </section>
+  <section id='sag-pam_xauth-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-options"]/*)'/>
+  </section>
+  <section id='sag-pam_xauth-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-services"]/*)'/>
+  </section>
+  <section id='sag-pam_xauth-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_xauth-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_xauth-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/specs/Makefile.am b/Linux-PAM/doc/specs/Makefile.am
new file mode 100644
index 00000000..595c09bf
--- /dev/null
+++ b/Linux-PAM/doc/specs/Makefile.am
@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
+#
+
+CLEANFILES = draft-morgan-pam-current.txt *~
+
+EXTRA_DIST = draft-morgan-pam.raw std-agent-id.raw rfc86.0.txt
+
+draft-morgan-pam-current.txt: padout draft-morgan-pam.raw
+	./padout < $(srcdir)/draft-morgan-pam.raw > draft-morgan-pam-current.txt
+
+AM_YFLAGS = -d
+
+BUILT_SOURCES = parse_y.h
+
+noinst_PROGRAMS = padout
+
+padout_SOURCES = parse_l.l parse_y.y
+
+padout_LDADD = @LEXLIB@
+
+doc_DATA = draft-morgan-pam-current.txt rfc86.0.txt
diff --git a/Linux-PAM/doc/specs/Makefile.in b/Linux-PAM/doc/specs/Makefile.in
new file mode 100644
index 00000000..7e6617a5
--- /dev/null
+++ b/Linux-PAM/doc/specs/Makefile.in
@@ -0,0 +1,560 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+#
+# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
+#
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+noinst_PROGRAMS = padout$(EXEEXT)
+subdir = doc/specs
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in parse_l.c \
+	parse_y.c parse_y.h
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
+	$(top_srcdir)/m4/iconv.m4 \
+	$(top_srcdir)/m4/jh_path_xml_catalog.m4 \
+	$(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+PROGRAMS = $(noinst_PROGRAMS)
+am_padout_OBJECTS = parse_l.$(OBJEXT) parse_y.$(OBJEXT)
+padout_OBJECTS = $(am_padout_OBJECTS)
+padout_DEPENDENCIES =
+DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS)
+LTLEXCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
+YLWRAP = $(top_srcdir)/ylwrap
+YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS)
+LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS)
+SOURCES = $(padout_SOURCES)
+DIST_SOURCES = $(padout_SOURCES)
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(docdir)"
+docDATA_INSTALL = $(INSTALL_DATA)
+DATA = $(doc_DATA)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BROWSER = @BROWSER@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+FO2PDF = @FO2PDF@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GREP = @GREP@
+HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBAUDIT = @LIBAUDIT@
+LIBCRACK = @LIBCRACK@
+LIBCRYPT = @LIBCRYPT@
+LIBDB = @LIBDB@
+LIBDL = @LIBDL@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBNSL = @LIBNSL@
+LIBOBJS = @LIBOBJS@
+LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@
+LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@
+LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@
+LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@
+LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@
+LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@
+LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@
+LIBS = @LIBS@
+LIBSELINUX = @LIBSELINUX@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+POSUB = @POSUB@
+RANLIB = @RANLIB@
+SCONFIGDIR = @SCONFIGDIR@
+SECUREDIR = @SECUREDIR@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_NLS = @USE_NLS@
+VERSION = @VERSION@
+WITH_DEBUG = @WITH_DEBUG@
+WITH_PAMLOCKING = @WITH_PAMLOCKING@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XMLCATALOG = @XMLCATALOG@
+XMLLINT = @XMLLINT@
+XML_CATALOG_FILE = @XML_CATALOG_FILE@
+XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libc_cv_fpie = @libc_cv_fpie@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pam_cv_ld_as_needed = @pam_cv_ld_as_needed@
+pam_xauth_path = @pam_xauth_path@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+CLEANFILES = draft-morgan-pam-current.txt *~
+EXTRA_DIST = draft-morgan-pam.raw std-agent-id.raw rfc86.0.txt
+AM_YFLAGS = -d
+BUILT_SOURCES = parse_y.h
+padout_SOURCES = parse_l.l parse_y.y
+padout_LDADD = @LEXLIB@
+doc_DATA = draft-morgan-pam-current.txt rfc86.0.txt
+all: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .l .lo .o .obj .y
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  doc/specs/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  doc/specs/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+clean-noinstPROGRAMS:
+	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+parse_y.h: parse_y.c
+	@if test ! -f $@; then \
+	  rm -f parse_y.c; \
+	  $(MAKE) $(AM_MAKEFLAGS) parse_y.c; \
+	else :; fi
+padout$(EXEEXT): $(padout_OBJECTS) $(padout_DEPENDENCIES) 
+	@rm -f padout$(EXEEXT)
+	$(LINK) $(padout_OBJECTS) $(padout_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parse_l.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parse_y.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+.l.c:
+	$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
+
+.y.c:
+	$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-docDATA: $(doc_DATA)
+	@$(NORMAL_INSTALL)
+	test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
+	@list='$(doc_DATA)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(docDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(docdir)/$$f'"; \
+	  $(docDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(docdir)/$$f"; \
+	done
+
+uninstall-docDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(doc_DATA)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(docdir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(docdir)/$$f"; \
+	done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) check-am
+all-am: Makefile $(PROGRAMS) $(DATA)
+installdirs:
+	for dir in "$(DESTDIR)$(docdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+	-rm -f parse_l.c
+	-rm -f parse_y.c
+	-rm -f parse_y.h
+	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-docDATA
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-docDATA
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstPROGRAMS ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am \
+	install-docDATA install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-docDATA
+
+
+draft-morgan-pam-current.txt: padout draft-morgan-pam.raw
+	./padout < $(srcdir)/draft-morgan-pam.raw > draft-morgan-pam-current.txt
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/Linux-PAM/doc/specs/formatter/Makefile b/Linux-PAM/doc/specs/formatter/Makefile
deleted file mode 100644
index d73258d7..00000000
--- a/Linux-PAM/doc/specs/formatter/Makefile
+++ /dev/null
@@ -1,16 +0,0 @@
-LIBS=-lfl
-
-padout: parse.tab.o
-	$(CC) -o padout parse.tab.o $(LIBS)
-
-parse.tab.o: parse.tab.c lex.yy.c
-	$(CC) -c parse.tab.c
-
-parse.tab.c: parse.y
-	bison parse.y
-
-lex.yy.c: parse.lex
-	flex parse.lex
-
-clean:
-	rm -f parse.tab.o parse.tab.c lex.yy.c padout *~ core
diff --git a/Linux-PAM/doc/specs/parse_l.c b/Linux-PAM/doc/specs/parse_l.c
new file mode 100644
index 00000000..6cf1e56e
--- /dev/null
+++ b/Linux-PAM/doc/specs/parse_l.c
@@ -0,0 +1,1675 @@
+
+#line 3 "parse_l.c"
+
+#define  YY_INT_ALIGNED short int
+
+/* A lexical scanner generated by flex */
+
+#define FLEX_SCANNER
+#define YY_FLEX_MAJOR_VERSION 2
+#define YY_FLEX_MINOR_VERSION 5
+#define YY_FLEX_SUBMINOR_VERSION 31
+#if YY_FLEX_SUBMINOR_VERSION > 0
+#define FLEX_BETA
+#endif
+
+/* First, we deal with  platform-specific or compiler-specific issues. */
+
+/* begin standard C headers. */
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+
+/* end standard C headers. */
+
+/* flex integer type definitions */
+
+#ifndef FLEXINT_H
+#define FLEXINT_H
+
+/* C99 systems have <inttypes.h>. Non-C99 systems may or may not. */
+
+#if defined __STDC_VERSION__ && __STDC_VERSION__ >= 199901L
+#include <inttypes.h>
+typedef int8_t flex_int8_t;
+typedef uint8_t flex_uint8_t;
+typedef int16_t flex_int16_t;
+typedef uint16_t flex_uint16_t;
+typedef int32_t flex_int32_t;
+typedef uint32_t flex_uint32_t;
+#else
+typedef signed char flex_int8_t;
+typedef short int flex_int16_t;
+typedef int flex_int32_t;
+typedef unsigned char flex_uint8_t; 
+typedef unsigned short int flex_uint16_t;
+typedef unsigned int flex_uint32_t;
+#endif /* ! C99 */
+
+/* Limits of integral types. */
+#ifndef INT8_MIN
+#define INT8_MIN               (-128)
+#endif
+#ifndef INT16_MIN
+#define INT16_MIN              (-32767-1)
+#endif
+#ifndef INT32_MIN
+#define INT32_MIN              (-2147483647-1)
+#endif
+#ifndef INT8_MAX
+#define INT8_MAX               (127)
+#endif
+#ifndef INT16_MAX
+#define INT16_MAX              (32767)
+#endif
+#ifndef INT32_MAX
+#define INT32_MAX              (2147483647)
+#endif
+#ifndef UINT8_MAX
+#define UINT8_MAX              (255U)
+#endif
+#ifndef UINT16_MAX
+#define UINT16_MAX             (65535U)
+#endif
+#ifndef UINT32_MAX
+#define UINT32_MAX             (4294967295U)
+#endif
+
+#endif /* ! FLEXINT_H */
+
+#ifdef __cplusplus
+
+/* The "const" storage-class-modifier is valid. */
+#define YY_USE_CONST
+
+#else	/* ! __cplusplus */
+
+#if __STDC__
+
+#define YY_USE_CONST
+
+#endif	/* __STDC__ */
+#endif	/* ! __cplusplus */
+
+#ifdef YY_USE_CONST
+#define yyconst const
+#else
+#define yyconst
+#endif
+
+/* Returned upon end-of-file. */
+#define YY_NULL 0
+
+/* Promotes a possibly negative, possibly signed char to an unsigned
+ * integer for use as an array index.  If the signed char is negative,
+ * we want to instead treat it as an 8-bit unsigned char, hence the
+ * double cast.
+ */
+#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
+
+/* Enter a start condition.  This macro really ought to take a parameter,
+ * but we do it the disgusting crufty way forced on us by the ()-less
+ * definition of BEGIN.
+ */
+#define BEGIN (yy_start) = 1 + 2 *
+
+/* Translate the current start state into a value that can be later handed
+ * to BEGIN to return to the state.  The YYSTATE alias is for lex
+ * compatibility.
+ */
+#define YY_START (((yy_start) - 1) / 2)
+#define YYSTATE YY_START
+
+/* Action number for EOF rule of a given start state. */
+#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
+
+/* Special action meaning "start processing a new file". */
+#define YY_NEW_FILE yyrestart(yyin  )
+
+#define YY_END_OF_BUFFER_CHAR 0
+
+/* Size of default input buffer. */
+#ifndef YY_BUF_SIZE
+#define YY_BUF_SIZE 16384
+#endif
+
+/* The state buf must be large enough to hold one state per character in the main buffer.
+ */
+#define YY_STATE_BUF_SIZE   ((YY_BUF_SIZE + 2) * sizeof(yy_state_type))
+
+#ifndef YY_TYPEDEF_YY_BUFFER_STATE
+#define YY_TYPEDEF_YY_BUFFER_STATE
+typedef struct yy_buffer_state *YY_BUFFER_STATE;
+#endif
+
+extern int yyleng;
+
+extern FILE *yyin, *yyout;
+
+#define EOB_ACT_CONTINUE_SCAN 0
+#define EOB_ACT_END_OF_FILE 1
+#define EOB_ACT_LAST_MATCH 2
+
+    #define YY_LESS_LINENO(n)
+    
+/* Return all but the first "n" matched characters back to the input stream. */
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+        int yyless_macro_arg = (n); \
+        YY_LESS_LINENO(yyless_macro_arg);\
+		*yy_cp = (yy_hold_char); \
+		YY_RESTORE_YY_MORE_OFFSET \
+		(yy_c_buf_p) = yy_cp = yy_bp + yyless_macro_arg - YY_MORE_ADJ; \
+		YY_DO_BEFORE_ACTION; /* set up yytext again */ \
+		} \
+	while ( 0 )
+
+#define unput(c) yyunput( c, (yytext_ptr)  )
+
+/* The following is because we cannot portably get our hands on size_t
+ * (without autoconf's help, which isn't available because we want
+ * flex-generated scanners to compile on their own).
+ */
+
+#ifndef YY_TYPEDEF_YY_SIZE_T
+#define YY_TYPEDEF_YY_SIZE_T
+typedef unsigned int yy_size_t;
+#endif
+
+#ifndef YY_STRUCT_YY_BUFFER_STATE
+#define YY_STRUCT_YY_BUFFER_STATE
+struct yy_buffer_state
+	{
+	FILE *yy_input_file;
+
+	char *yy_ch_buf;		/* input buffer */
+	char *yy_buf_pos;		/* current position in input buffer */
+
+	/* Size of input buffer in bytes, not including room for EOB
+	 * characters.
+	 */
+	yy_size_t yy_buf_size;
+
+	/* Number of characters read into yy_ch_buf, not including EOB
+	 * characters.
+	 */
+	int yy_n_chars;
+
+	/* Whether we "own" the buffer - i.e., we know we created it,
+	 * and can realloc() it to grow it, and should free() it to
+	 * delete it.
+	 */
+	int yy_is_our_buffer;
+
+	/* Whether this is an "interactive" input source; if so, and
+	 * if we're using stdio for input, then we want to use getc()
+	 * instead of fread(), to make sure we stop fetching input after
+	 * each newline.
+	 */
+	int yy_is_interactive;
+
+	/* Whether we're considered to be at the beginning of a line.
+	 * If so, '^' rules will be active on the next match, otherwise
+	 * not.
+	 */
+	int yy_at_bol;
+
+    int yy_bs_lineno; /**< The line count. */
+    int yy_bs_column; /**< The column count. */
+    
+	/* Whether to try to fill the input buffer when we reach the
+	 * end of it.
+	 */
+	int yy_fill_buffer;
+
+	int yy_buffer_status;
+
+#define YY_BUFFER_NEW 0
+#define YY_BUFFER_NORMAL 1
+	/* When an EOF's been seen but there's still some text to process
+	 * then we mark the buffer as YY_EOF_PENDING, to indicate that we
+	 * shouldn't try reading from the input source any more.  We might
+	 * still have a bunch of tokens to match, though, because of
+	 * possible backing-up.
+	 *
+	 * When we actually see the EOF, we change the status to "new"
+	 * (via yyrestart()), so that the user can continue scanning by
+	 * just pointing yyin at a new input file.
+	 */
+#define YY_BUFFER_EOF_PENDING 2
+
+	};
+#endif /* !YY_STRUCT_YY_BUFFER_STATE */
+
+/* Stack of input buffers. */
+static size_t yy_buffer_stack_top = 0; /**< index of top of stack. */
+static size_t yy_buffer_stack_max = 0; /**< capacity of stack. */
+static YY_BUFFER_STATE * yy_buffer_stack = 0; /**< Stack as an array. */
+
+/* We provide macros for accessing buffer states in case in the
+ * future we want to put the buffer states in a more general
+ * "scanner state".
+ *
+ * Returns the top of the stack, or NULL.
+ */
+#define YY_CURRENT_BUFFER ( (yy_buffer_stack) \
+                          ? (yy_buffer_stack)[(yy_buffer_stack_top)] \
+                          : NULL)
+
+/* Same as previous macro, but useful when we know that the buffer stack is not
+ * NULL or when we need an lvalue. For internal use only.
+ */
+#define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)]
+
+/* yy_hold_char holds the character lost when yytext is formed. */
+static char yy_hold_char;
+static int yy_n_chars;		/* number of characters read into yy_ch_buf */
+int yyleng;
+
+/* Points to current character in buffer. */
+static char *yy_c_buf_p = (char *) 0;
+static int yy_init = 1;		/* whether we need to initialize */
+static int yy_start = 0;	/* start state number */
+
+/* Flag which is used to allow yywrap()'s to do buffer switches
+ * instead of setting up a fresh yyin.  A bit of a hack ...
+ */
+static int yy_did_buffer_switch_on_eof;
+
+void yyrestart (FILE *input_file  );
+void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer  );
+YY_BUFFER_STATE yy_create_buffer (FILE *file,int size  );
+void yy_delete_buffer (YY_BUFFER_STATE b  );
+void yy_flush_buffer (YY_BUFFER_STATE b  );
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer  );
+void yypop_buffer_state (void );
+
+static void yyensure_buffer_stack (void );
+static void yy_load_buffer_state (void );
+static void yy_init_buffer (YY_BUFFER_STATE b,FILE *file  );
+
+#define YY_FLUSH_BUFFER yy_flush_buffer(YY_CURRENT_BUFFER )
+
+YY_BUFFER_STATE yy_scan_buffer (char *base,yy_size_t size  );
+YY_BUFFER_STATE yy_scan_string (yyconst char *yy_str  );
+YY_BUFFER_STATE yy_scan_bytes (yyconst char *bytes,int len  );
+
+void *yyalloc (yy_size_t  );
+void *yyrealloc (void *,yy_size_t  );
+void yyfree (void *  );
+
+#define yy_new_buffer yy_create_buffer
+
+#define yy_set_interactive(is_interactive) \
+	{ \
+	if ( ! YY_CURRENT_BUFFER ){ \
+        yyensure_buffer_stack (); \
+		YY_CURRENT_BUFFER_LVALUE =    \
+            yy_create_buffer(yyin,YY_BUF_SIZE ); \
+	} \
+	YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \
+	}
+
+#define yy_set_bol(at_bol) \
+	{ \
+	if ( ! YY_CURRENT_BUFFER ){\
+        yyensure_buffer_stack (); \
+		YY_CURRENT_BUFFER_LVALUE =    \
+            yy_create_buffer(yyin,YY_BUF_SIZE ); \
+	} \
+	YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \
+	}
+
+#define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol)
+
+/* Begin user sect3 */
+
+typedef unsigned char YY_CHAR;
+
+FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
+
+typedef int yy_state_type;
+
+extern int yylineno;
+extern char *yytext;
+#define yytext_ptr yytext
+
+static yy_state_type yy_get_previous_state (void );
+static yy_state_type yy_try_NUL_trans (yy_state_type current_state  );
+static int yy_get_next_buffer (void );
+static void yy_fatal_error (yyconst char msg[]  );
+
+/* Done after the current pattern has been matched and before the
+ * corresponding action - sets up yytext.
+ */
+#define YY_DO_BEFORE_ACTION \
+	(yytext_ptr) = yy_bp; \
+	yyleng = (size_t) (yy_cp - yy_bp); \
+	(yy_hold_char) = *yy_cp; \
+	*yy_cp = '\0'; \
+	(yy_c_buf_p) = yy_cp;
+
+#define YY_NUM_RULES 8
+#define YY_END_OF_BUFFER 9
+/* This struct is not used in this scanner,
+   but its presence is necessary. */
+struct yy_trans_info
+	{
+	flex_int32_t yy_verify;
+	flex_int32_t yy_nxt;
+	};
+static yyconst flex_int16_t yy_accept[19] =
+    {   0,
+        0,    0,    9,    6,    7,    3,    6,    4,    1,    0,
+        5,    0,    1,    0,    1,    0,    2,    0
+    } ;
+
+static yyconst flex_int32_t yy_ec[256] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    2,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    3,    4,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    5,    5,    5,
+        5,    5,    5,    5,    5,    5,    5,    1,    1,    1,
+        6,    1,    1,    1,    7,    7,    7,    7,    7,    7,
+        7,    7,    7,    7,    7,    7,    7,    7,    7,    7,
+        7,    7,    7,    7,    7,    7,    7,    7,    7,    7,
+        1,    8,    1,    1,    9,    1,    7,    7,    7,    7,
+
+        7,    7,    7,    7,    7,    7,    7,    7,    7,    7,
+        7,    7,    7,    7,    7,    7,    7,    7,    7,    7,
+        7,    7,   10,    1,   11,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1
+    } ;
+
+static yyconst flex_int32_t yy_meta[12] =
+    {   0,
+        1,    1,    1,    1,    2,    1,    2,    1,    2,    1,
+        2
+    } ;
+
+static yyconst flex_int16_t yy_base[21] =
+    {   0,
+        0,    7,   21,   30,   30,   13,   17,   30,   20,   12,
+       30,   13,   10,    2,    7,    0,   30,   30,   27,    2
+    } ;
+
+static yyconst flex_int16_t yy_def[21] =
+    {   0,
+       19,   19,   18,   18,   18,   18,   18,   18,   18,   18,
+       18,   18,    9,   20,   18,   20,   18,    0,   18,   18
+    } ;
+
+static yyconst flex_int16_t yy_nxt[42] =
+    {   0,
+       18,    5,    6,   16,   18,   18,   18,    7,    5,    6,
+       17,   15,   17,   18,    7,    8,    9,   15,   14,   11,
+       18,   18,   10,    9,   18,   12,   13,    4,    4,    3,
+       18,   18,   18,   18,   18,   18,   18,   18,   18,   18,
+       18
+    } ;
+
+static yyconst flex_int16_t yy_chk[42] =
+    {   0,
+        0,    1,    1,   20,    0,    0,    0,    1,    2,    2,
+       16,   15,   14,   13,    2,    6,    6,   12,   10,    7,
+        3,    0,    6,    9,    0,    9,    9,   19,   19,   18,
+       18,   18,   18,   18,   18,   18,   18,   18,   18,   18,
+       18
+    } ;
+
+static yy_state_type yy_last_accepting_state;
+static char *yy_last_accepting_cpos;
+
+extern int yy_flex_debug;
+int yy_flex_debug = 0;
+
+/* The intent behind this definition is that it'll catch
+ * any uses of REJECT which flex missed.
+ */
+#define REJECT reject_used_but_not_detected
+#define yymore() yymore_used_but_not_detected
+#define YY_MORE_ADJ 0
+#define YY_RESTORE_YY_MORE_OFFSET
+char *yytext;
+#line 1 "parse_l.l"
+#line 2 "parse_l.l"
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif
+
+#include <stdio.h>
+
+#include "parse_y.h"
+#line 462 "parse_l.c"
+
+#define INITIAL 0
+
+/* Special case for "unistd.h", since it is non-ANSI. We include it way
+ * down here because we want the user's section 1 to have been scanned first.
+ * The user has a chance to override it with an option.
+ */
+#include <unistd.h>
+
+#ifndef YY_EXTRA_TYPE
+#define YY_EXTRA_TYPE void *
+#endif
+
+/* Macros after this point can all be overridden by user definitions in
+ * section 1.
+ */
+
+#ifndef YY_SKIP_YYWRAP
+#ifdef __cplusplus
+extern "C" int yywrap (void );
+#else
+extern int yywrap (void );
+#endif
+#endif
+
+    static void yyunput (int c,char *buf_ptr  );
+    
+#ifndef yytext_ptr
+static void yy_flex_strncpy (char *,yyconst char *,int );
+#endif
+
+#ifdef YY_NEED_STRLEN
+static int yy_flex_strlen (yyconst char * );
+#endif
+
+#ifndef YY_NO_INPUT
+
+#ifdef __cplusplus
+static int yyinput (void );
+#else
+static int input (void );
+#endif
+
+#endif
+
+/* Amount of stuff to slurp up with each read. */
+#ifndef YY_READ_BUF_SIZE
+#define YY_READ_BUF_SIZE 8192
+#endif
+
+/* Copy whatever the last rule matched to the standard output. */
+#ifndef ECHO
+/* This used to be an fputs(), but since the string might contain NUL's,
+ * we now use fwrite().
+ */
+#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
+#endif
+
+/* Gets input and stuffs it into "buf".  number of characters read, or YY_NULL,
+ * is returned in "result".
+ */
+#ifndef YY_INPUT
+#define YY_INPUT(buf,result,max_size) \
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
+		{ \
+		int c = '*'; \
+		size_t n; \
+		for ( n = 0; n < max_size && \
+			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
+			buf[n] = (char) c; \
+		if ( c == '\n' ) \
+			buf[n++] = (char) c; \
+		if ( c == EOF && ferror( yyin ) ) \
+			YY_FATAL_ERROR( "input in flex scanner failed" ); \
+		result = n; \
+		} \
+	else \
+		{ \
+		errno=0; \
+		while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \
+			{ \
+			if( errno != EINTR) \
+				{ \
+				YY_FATAL_ERROR( "input in flex scanner failed" ); \
+				break; \
+				} \
+			errno=0; \
+			clearerr(yyin); \
+			} \
+		}\
+\
+
+#endif
+
+/* No semi-colon after return; correct usage is to write "yyterminate();" -
+ * we don't want an extra ';' after the "return" because that will cause
+ * some compilers to complain about unreachable statements.
+ */
+#ifndef yyterminate
+#define yyterminate() return YY_NULL
+#endif
+
+/* Number of entries by which start-condition stack grows. */
+#ifndef YY_START_STACK_INCR
+#define YY_START_STACK_INCR 25
+#endif
+
+/* Report a fatal error. */
+#ifndef YY_FATAL_ERROR
+#define YY_FATAL_ERROR(msg) yy_fatal_error( msg )
+#endif
+
+/* end tables serialization structures and prototypes */
+
+/* Default declaration of generated scanner - a define so the user can
+ * easily add parameters.
+ */
+#ifndef YY_DECL
+#define YY_DECL_IS_OURS 1
+
+extern int yylex (void);
+
+#define YY_DECL int yylex (void)
+#endif /* !YY_DECL */
+
+/* Code executed at the beginning of each rule, after yytext and yyleng
+ * have been set up.
+ */
+#ifndef YY_USER_ACTION
+#define YY_USER_ACTION
+#endif
+
+/* Code executed at the end of each rule. */
+#ifndef YY_BREAK
+#define YY_BREAK break;
+#endif
+
+#define YY_RULE_SETUP \
+	YY_USER_ACTION
+
+/** The main scanner function which does all the work.
+ */
+YY_DECL
+{
+	register yy_state_type yy_current_state;
+	register char *yy_cp, *yy_bp;
+	register int yy_act;
+    
+#line 11 "parse_l.l"
+
+
+#line 614 "parse_l.c"
+
+	if ( (yy_init) )
+		{
+		(yy_init) = 0;
+
+#ifdef YY_USER_INIT
+		YY_USER_INIT;
+#endif
+
+		if ( ! (yy_start) )
+			(yy_start) = 1;	/* first start state */
+
+		if ( ! yyin )
+			yyin = stdin;
+
+		if ( ! yyout )
+			yyout = stdout;
+
+		if ( ! YY_CURRENT_BUFFER ) {
+			yyensure_buffer_stack ();
+			YY_CURRENT_BUFFER_LVALUE =
+				yy_create_buffer(yyin,YY_BUF_SIZE );
+		}
+
+		yy_load_buffer_state( );
+		}
+
+	while ( 1 )		/* loops until end-of-file is reached */
+		{
+		yy_cp = (yy_c_buf_p);
+
+		/* Support of yytext. */
+		*yy_cp = (yy_hold_char);
+
+		/* yy_bp points to the position in yy_ch_buf of the start of
+		 * the current run.
+		 */
+		yy_bp = yy_cp;
+
+		yy_current_state = (yy_start);
+yy_match:
+		do
+			{
+			register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)];
+			if ( yy_accept[yy_current_state] )
+				{
+				(yy_last_accepting_state) = yy_current_state;
+				(yy_last_accepting_cpos) = yy_cp;
+				}
+			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+				{
+				yy_current_state = (int) yy_def[yy_current_state];
+				if ( yy_current_state >= 19 )
+					yy_c = yy_meta[(unsigned int) yy_c];
+				}
+			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+			++yy_cp;
+			}
+		while ( yy_base[yy_current_state] != 30 );
+
+yy_find_action:
+		yy_act = yy_accept[yy_current_state];
+		if ( yy_act == 0 )
+			{ /* have to back up */
+			yy_cp = (yy_last_accepting_cpos);
+			yy_current_state = (yy_last_accepting_state);
+			yy_act = yy_accept[yy_current_state];
+			}
+
+		YY_DO_BEFORE_ACTION;
+
+do_action:	/* This label is used only to access EOF actions. */
+
+		switch ( yy_act )
+	{ /* beginning of action switch */
+			case 0: /* must back up */
+			/* undo the effects of YY_DO_BEFORE_ACTION */
+			*yy_cp = (yy_hold_char);
+			yy_cp = (yy_last_accepting_cpos);
+			yy_current_state = (yy_last_accepting_state);
+			goto yy_find_action;
+
+case 1:
+YY_RULE_SETUP
+#line 13 "parse_l.l"
+return NEW_COUNTER;
+	YY_BREAK
+case 2:
+YY_RULE_SETUP
+#line 14 "parse_l.l"
+return LABEL;
+	YY_BREAK
+case 3:
+YY_RULE_SETUP
+#line 15 "parse_l.l"
+return NO_INDENT;
+	YY_BREAK
+case 4:
+YY_RULE_SETUP
+#line 16 "parse_l.l"
+return RIGHT;
+	YY_BREAK
+case 5:
+YY_RULE_SETUP
+#line 17 "parse_l.l"
+return HASH;
+	YY_BREAK
+case 6:
+YY_RULE_SETUP
+#line 18 "parse_l.l"
+return CHAR;
+	YY_BREAK
+case 7:
+/* rule 7 can match eol */
+YY_RULE_SETUP
+#line 19 "parse_l.l"
+return NEWLINE;
+	YY_BREAK
+case 8:
+YY_RULE_SETUP
+#line 21 "parse_l.l"
+ECHO;
+	YY_BREAK
+#line 738 "parse_l.c"
+case YY_STATE_EOF(INITIAL):
+	yyterminate();
+
+	case YY_END_OF_BUFFER:
+		{
+		/* Amount of text matched not including the EOB char. */
+		int yy_amount_of_matched_text = (int) (yy_cp - (yytext_ptr)) - 1;
+
+		/* Undo the effects of YY_DO_BEFORE_ACTION. */
+		*yy_cp = (yy_hold_char);
+		YY_RESTORE_YY_MORE_OFFSET
+
+		if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_NEW )
+			{
+			/* We're scanning a new file or input source.  It's
+			 * possible that this happened because the user
+			 * just pointed yyin at a new source and called
+			 * yylex().  If so, then we have to assure
+			 * consistency between YY_CURRENT_BUFFER and our
+			 * globals.  Here is the right place to do so, because
+			 * this is the first action (other than possibly a
+			 * back-up) that will match for the new input source.
+			 */
+			(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
+			YY_CURRENT_BUFFER_LVALUE->yy_input_file = yyin;
+			YY_CURRENT_BUFFER_LVALUE->yy_buffer_status = YY_BUFFER_NORMAL;
+			}
+
+		/* Note that here we test for yy_c_buf_p "<=" to the position
+		 * of the first EOB in the buffer, since yy_c_buf_p will
+		 * already have been incremented past the NUL character
+		 * (since all states make transitions on EOB to the
+		 * end-of-buffer state).  Contrast this with the test
+		 * in input().
+		 */
+		if ( (yy_c_buf_p) <= &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
+			{ /* This was really a NUL. */
+			yy_state_type yy_next_state;
+
+			(yy_c_buf_p) = (yytext_ptr) + yy_amount_of_matched_text;
+
+			yy_current_state = yy_get_previous_state(  );
+
+			/* Okay, we're now positioned to make the NUL
+			 * transition.  We couldn't have
+			 * yy_get_previous_state() go ahead and do it
+			 * for us because it doesn't know how to deal
+			 * with the possibility of jamming (and we don't
+			 * want to build jamming into it because then it
+			 * will run more slowly).
+			 */
+
+			yy_next_state = yy_try_NUL_trans( yy_current_state );
+
+			yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+
+			if ( yy_next_state )
+				{
+				/* Consume the NUL. */
+				yy_cp = ++(yy_c_buf_p);
+				yy_current_state = yy_next_state;
+				goto yy_match;
+				}
+
+			else
+				{
+				yy_cp = (yy_c_buf_p);
+				goto yy_find_action;
+				}
+			}
+
+		else switch ( yy_get_next_buffer(  ) )
+			{
+			case EOB_ACT_END_OF_FILE:
+				{
+				(yy_did_buffer_switch_on_eof) = 0;
+
+				if ( yywrap( ) )
+					{
+					/* Note: because we've taken care in
+					 * yy_get_next_buffer() to have set up
+					 * yytext, we can now set up
+					 * yy_c_buf_p so that if some total
+					 * hoser (like flex itself) wants to
+					 * call the scanner after we return the
+					 * YY_NULL, it'll still work - another
+					 * YY_NULL will get returned.
+					 */
+					(yy_c_buf_p) = (yytext_ptr) + YY_MORE_ADJ;
+
+					yy_act = YY_STATE_EOF(YY_START);
+					goto do_action;
+					}
+
+				else
+					{
+					if ( ! (yy_did_buffer_switch_on_eof) )
+						YY_NEW_FILE;
+					}
+				break;
+				}
+
+			case EOB_ACT_CONTINUE_SCAN:
+				(yy_c_buf_p) =
+					(yytext_ptr) + yy_amount_of_matched_text;
+
+				yy_current_state = yy_get_previous_state(  );
+
+				yy_cp = (yy_c_buf_p);
+				yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+				goto yy_match;
+
+			case EOB_ACT_LAST_MATCH:
+				(yy_c_buf_p) =
+				&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)];
+
+				yy_current_state = yy_get_previous_state(  );
+
+				yy_cp = (yy_c_buf_p);
+				yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+				goto yy_find_action;
+			}
+		break;
+		}
+
+	default:
+		YY_FATAL_ERROR(
+			"fatal flex scanner internal error--no action found" );
+	} /* end of action switch */
+		} /* end of scanning one token */
+} /* end of yylex */
+
+/* yy_get_next_buffer - try to read in a new buffer
+ *
+ * Returns a code representing an action:
+ *	EOB_ACT_LAST_MATCH -
+ *	EOB_ACT_CONTINUE_SCAN - continue scanning from current position
+ *	EOB_ACT_END_OF_FILE - end of file
+ */
+static int yy_get_next_buffer (void)
+{
+    	register char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf;
+	register char *source = (yytext_ptr);
+	register int number_to_move, i;
+	int ret_val;
+
+	if ( (yy_c_buf_p) > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] )
+		YY_FATAL_ERROR(
+		"fatal flex scanner internal error--end of buffer missed" );
+
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_fill_buffer == 0 )
+		{ /* Don't try to fill the buffer, so this is an EOF. */
+		if ( (yy_c_buf_p) - (yytext_ptr) - YY_MORE_ADJ == 1 )
+			{
+			/* We matched a single character, the EOB, so
+			 * treat this as a final EOF.
+			 */
+			return EOB_ACT_END_OF_FILE;
+			}
+
+		else
+			{
+			/* We matched some text prior to the EOB, first
+			 * process it.
+			 */
+			return EOB_ACT_LAST_MATCH;
+			}
+		}
+
+	/* Try to read more data. */
+
+	/* First move last chars to start of buffer. */
+	number_to_move = (int) ((yy_c_buf_p) - (yytext_ptr)) - 1;
+
+	for ( i = 0; i < number_to_move; ++i )
+		*(dest++) = *(source++);
+
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+		/* don't do the read, it's not guaranteed to return an EOF,
+		 * just force an EOF
+		 */
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars) = 0;
+
+	else
+		{
+			size_t num_to_read =
+			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+
+		while ( num_to_read <= 0 )
+			{ /* Not enough room in the buffer - grow it. */
+
+			/* just a shorter name for the current buffer */
+			YY_BUFFER_STATE b = YY_CURRENT_BUFFER;
+
+			int yy_c_buf_p_offset =
+				(int) ((yy_c_buf_p) - b->yy_ch_buf);
+
+			if ( b->yy_is_our_buffer )
+				{
+				int new_size = b->yy_buf_size * 2;
+
+				if ( new_size <= 0 )
+					b->yy_buf_size += b->yy_buf_size / 8;
+				else
+					b->yy_buf_size *= 2;
+
+				b->yy_ch_buf = (char *)
+					/* Include room in for 2 EOB chars. */
+					yyrealloc((void *) b->yy_ch_buf,b->yy_buf_size + 2  );
+				}
+			else
+				/* Can't grow it, we don't own it. */
+				b->yy_ch_buf = 0;
+
+			if ( ! b->yy_ch_buf )
+				YY_FATAL_ERROR(
+				"fatal error - scanner input buffer overflow" );
+
+			(yy_c_buf_p) = &b->yy_ch_buf[yy_c_buf_p_offset];
+
+			num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size -
+						number_to_move - 1;
+
+			}
+
+		if ( num_to_read > YY_READ_BUF_SIZE )
+			num_to_read = YY_READ_BUF_SIZE;
+
+		/* Read in more data. */
+		YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
+			(yy_n_chars), num_to_read );
+
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	if ( (yy_n_chars) == 0 )
+		{
+		if ( number_to_move == YY_MORE_ADJ )
+			{
+			ret_val = EOB_ACT_END_OF_FILE;
+			yyrestart(yyin  );
+			}
+
+		else
+			{
+			ret_val = EOB_ACT_LAST_MATCH;
+			YY_CURRENT_BUFFER_LVALUE->yy_buffer_status =
+				YY_BUFFER_EOF_PENDING;
+			}
+		}
+
+	else
+		ret_val = EOB_ACT_CONTINUE_SCAN;
+
+	(yy_n_chars) += number_to_move;
+	YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] = YY_END_OF_BUFFER_CHAR;
+	YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] = YY_END_OF_BUFFER_CHAR;
+
+	(yytext_ptr) = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[0];
+
+	return ret_val;
+}
+
+/* yy_get_previous_state - get the state just before the EOB char was reached */
+
+    static yy_state_type yy_get_previous_state (void)
+{
+	register yy_state_type yy_current_state;
+	register char *yy_cp;
+    
+	yy_current_state = (yy_start);
+
+	for ( yy_cp = (yytext_ptr) + YY_MORE_ADJ; yy_cp < (yy_c_buf_p); ++yy_cp )
+		{
+		register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
+		if ( yy_accept[yy_current_state] )
+			{
+			(yy_last_accepting_state) = yy_current_state;
+			(yy_last_accepting_cpos) = yy_cp;
+			}
+		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+			{
+			yy_current_state = (int) yy_def[yy_current_state];
+			if ( yy_current_state >= 19 )
+				yy_c = yy_meta[(unsigned int) yy_c];
+			}
+		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+		}
+
+	return yy_current_state;
+}
+
+/* yy_try_NUL_trans - try to make a transition on the NUL character
+ *
+ * synopsis
+ *	next_state = yy_try_NUL_trans( current_state );
+ */
+    static yy_state_type yy_try_NUL_trans  (yy_state_type yy_current_state )
+{
+	register int yy_is_jam;
+    	register char *yy_cp = (yy_c_buf_p);
+
+	register YY_CHAR yy_c = 1;
+	if ( yy_accept[yy_current_state] )
+		{
+		(yy_last_accepting_state) = yy_current_state;
+		(yy_last_accepting_cpos) = yy_cp;
+		}
+	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+		{
+		yy_current_state = (int) yy_def[yy_current_state];
+		if ( yy_current_state >= 19 )
+			yy_c = yy_meta[(unsigned int) yy_c];
+		}
+	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+	yy_is_jam = (yy_current_state == 18);
+
+	return yy_is_jam ? 0 : yy_current_state;
+}
+
+    static void yyunput (int c, register char * yy_bp )
+{
+	register char *yy_cp;
+    
+    yy_cp = (yy_c_buf_p);
+
+	/* undo effects of setting up yytext */
+	*yy_cp = (yy_hold_char);
+
+	if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
+		{ /* need to shift things up to make room */
+		/* +2 for EOB chars. */
+		register int number_to_move = (yy_n_chars) + 2;
+		register char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[
+					YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2];
+		register char *source =
+				&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move];
+
+		while ( source > YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
+			*--dest = *--source;
+
+		yy_cp += (int) (dest - source);
+		yy_bp += (int) (dest - source);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars =
+			(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
+
+		if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
+			YY_FATAL_ERROR( "flex scanner push-back overflow" );
+		}
+
+	*--yy_cp = (char) c;
+
+	(yytext_ptr) = yy_bp;
+	(yy_hold_char) = *yy_cp;
+	(yy_c_buf_p) = yy_cp;
+}
+
+#ifndef YY_NO_INPUT
+#ifdef __cplusplus
+    static int yyinput (void)
+#else
+    static int input  (void)
+#endif
+
+{
+	int c;
+    
+	*(yy_c_buf_p) = (yy_hold_char);
+
+	if ( *(yy_c_buf_p) == YY_END_OF_BUFFER_CHAR )
+		{
+		/* yy_c_buf_p now points to the character we want to return.
+		 * If this occurs *before* the EOB characters, then it's a
+		 * valid NUL; if not, then we've hit the end of the buffer.
+		 */
+		if ( (yy_c_buf_p) < &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
+			/* This was really a NUL. */
+			*(yy_c_buf_p) = '\0';
+
+		else
+			{ /* need more input */
+			int offset = (yy_c_buf_p) - (yytext_ptr);
+			++(yy_c_buf_p);
+
+			switch ( yy_get_next_buffer(  ) )
+				{
+				case EOB_ACT_LAST_MATCH:
+					/* This happens because yy_g_n_b()
+					 * sees that we've accumulated a
+					 * token and flags that we need to
+					 * try matching the token before
+					 * proceeding.  But for input(),
+					 * there's no matching to consider.
+					 * So convert the EOB_ACT_LAST_MATCH
+					 * to EOB_ACT_END_OF_FILE.
+					 */
+
+					/* Reset buffer status. */
+					yyrestart(yyin );
+
+					/*FALLTHROUGH*/
+
+				case EOB_ACT_END_OF_FILE:
+					{
+					if ( yywrap( ) )
+						return EOF;
+
+					if ( ! (yy_did_buffer_switch_on_eof) )
+						YY_NEW_FILE;
+#ifdef __cplusplus
+					return yyinput();
+#else
+					return input();
+#endif
+					}
+
+				case EOB_ACT_CONTINUE_SCAN:
+					(yy_c_buf_p) = (yytext_ptr) + offset;
+					break;
+				}
+			}
+		}
+
+	c = *(unsigned char *) (yy_c_buf_p);	/* cast for 8-bit char's */
+	*(yy_c_buf_p) = '\0';	/* preserve yytext */
+	(yy_hold_char) = *++(yy_c_buf_p);
+
+	return c;
+}
+#endif	/* ifndef YY_NO_INPUT */
+
+/** Immediately switch to a different input stream.
+ * @param input_file A readable stream.
+ * 
+ * @note This function does not reset the start condition to @c INITIAL .
+ */
+    void yyrestart  (FILE * input_file )
+{
+    
+	if ( ! YY_CURRENT_BUFFER ){
+        yyensure_buffer_stack ();
+		YY_CURRENT_BUFFER_LVALUE =
+            yy_create_buffer(yyin,YY_BUF_SIZE );
+	}
+
+	yy_init_buffer(YY_CURRENT_BUFFER,input_file );
+	yy_load_buffer_state( );
+}
+
+/** Switch to a different input buffer.
+ * @param new_buffer The new input buffer.
+ * 
+ */
+    void yy_switch_to_buffer  (YY_BUFFER_STATE  new_buffer )
+{
+    
+	/* TODO. We should be able to replace this entire function body
+	 * with
+	 *		yypop_buffer_state();
+	 *		yypush_buffer_state(new_buffer);
+     */
+	yyensure_buffer_stack ();
+	if ( YY_CURRENT_BUFFER == new_buffer )
+		return;
+
+	if ( YY_CURRENT_BUFFER )
+		{
+		/* Flush out information for old buffer. */
+		*(yy_c_buf_p) = (yy_hold_char);
+		YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	YY_CURRENT_BUFFER_LVALUE = new_buffer;
+	yy_load_buffer_state( );
+
+	/* We don't actually know whether we did this switch during
+	 * EOF (yywrap()) processing, but the only time this flag
+	 * is looked at is after yywrap() is called, so it's safe
+	 * to go ahead and always set it.
+	 */
+	(yy_did_buffer_switch_on_eof) = 1;
+}
+
+static void yy_load_buffer_state  (void)
+{
+    	(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
+	(yytext_ptr) = (yy_c_buf_p) = YY_CURRENT_BUFFER_LVALUE->yy_buf_pos;
+	yyin = YY_CURRENT_BUFFER_LVALUE->yy_input_file;
+	(yy_hold_char) = *(yy_c_buf_p);
+}
+
+/** Allocate and initialize an input buffer state.
+ * @param file A readable stream.
+ * @param size The character buffer size in bytes. When in doubt, use @c YY_BUF_SIZE.
+ * 
+ * @return the allocated buffer state.
+ */
+    YY_BUFFER_STATE yy_create_buffer  (FILE * file, int  size )
+{
+	YY_BUFFER_STATE b;
+    
+	b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state )  );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_buf_size = size;
+
+	/* yy_ch_buf has to be 2 characters longer than the size given because
+	 * we need to put in 2 end-of-buffer characters.
+	 */
+	b->yy_ch_buf = (char *) yyalloc(b->yy_buf_size + 2  );
+	if ( ! b->yy_ch_buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_is_our_buffer = 1;
+
+	yy_init_buffer(b,file );
+
+	return b;
+}
+
+/** Destroy the buffer.
+ * @param b a buffer created with yy_create_buffer()
+ * 
+ */
+    void yy_delete_buffer (YY_BUFFER_STATE  b )
+{
+    
+	if ( ! b )
+		return;
+
+	if ( b == YY_CURRENT_BUFFER ) /* Not sure if we should pop here. */
+		YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0;
+
+	if ( b->yy_is_our_buffer )
+		yyfree((void *) b->yy_ch_buf  );
+
+	yyfree((void *) b  );
+}
+
+#ifndef __cplusplus
+extern int isatty (int );
+#endif /* __cplusplus */
+    
+/* Initializes or reinitializes a buffer.
+ * This function is sometimes called more than once on the same buffer,
+ * such as during a yyrestart() or at EOF.
+ */
+    static void yy_init_buffer  (YY_BUFFER_STATE  b, FILE * file )
+
+{
+	int oerrno = errno;
+    
+	yy_flush_buffer(b );
+
+	b->yy_input_file = file;
+	b->yy_fill_buffer = 1;
+
+    /* If b is the current buffer, then yy_init_buffer was _probably_
+     * called from yyrestart() or through yy_get_next_buffer.
+     * In that case, we don't want to reset the lineno or column.
+     */
+    if (b != YY_CURRENT_BUFFER){
+        b->yy_bs_lineno = 1;
+        b->yy_bs_column = 0;
+    }
+
+        b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
+    
+	errno = oerrno;
+}
+
+/** Discard all buffered characters. On the next scan, YY_INPUT will be called.
+ * @param b the buffer state to be flushed, usually @c YY_CURRENT_BUFFER.
+ * 
+ */
+    void yy_flush_buffer (YY_BUFFER_STATE  b )
+{
+    	if ( ! b )
+		return;
+
+	b->yy_n_chars = 0;
+
+	/* We always need two end-of-buffer characters.  The first causes
+	 * a transition to the end-of-buffer state.  The second causes
+	 * a jam in that state.
+	 */
+	b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR;
+	b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR;
+
+	b->yy_buf_pos = &b->yy_ch_buf[0];
+
+	b->yy_at_bol = 1;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	if ( b == YY_CURRENT_BUFFER )
+		yy_load_buffer_state( );
+}
+
+/** Pushes the new state onto the stack. The new state becomes
+ *  the current state. This function will allocate the stack
+ *  if necessary.
+ *  @param new_buffer The new state.
+ *  
+ */
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer )
+{
+    	if (new_buffer == NULL)
+		return;
+
+	yyensure_buffer_stack();
+
+	/* This block is copied from yy_switch_to_buffer. */
+	if ( YY_CURRENT_BUFFER )
+		{
+		/* Flush out information for old buffer. */
+		*(yy_c_buf_p) = (yy_hold_char);
+		YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	/* Only push if top exists. Otherwise, replace top. */
+	if (YY_CURRENT_BUFFER)
+		(yy_buffer_stack_top)++;
+	YY_CURRENT_BUFFER_LVALUE = new_buffer;
+
+	/* copied from yy_switch_to_buffer. */
+	yy_load_buffer_state( );
+	(yy_did_buffer_switch_on_eof) = 1;
+}
+
+/** Removes and deletes the top of the stack, if present.
+ *  The next element becomes the new top.
+ *  
+ */
+void yypop_buffer_state (void)
+{
+    	if (!YY_CURRENT_BUFFER)
+		return;
+
+	yy_delete_buffer(YY_CURRENT_BUFFER );
+	YY_CURRENT_BUFFER_LVALUE = NULL;
+	if ((yy_buffer_stack_top) > 0)
+		--(yy_buffer_stack_top);
+
+	if (YY_CURRENT_BUFFER) {
+		yy_load_buffer_state( );
+		(yy_did_buffer_switch_on_eof) = 1;
+	}
+}
+
+/* Allocates the stack if it does not exist.
+ *  Guarantees space for at least one push.
+ */
+static void yyensure_buffer_stack (void)
+{
+	int num_to_alloc;
+    
+	if (!(yy_buffer_stack)) {
+
+		/* First allocation is just for 2 elements, since we don't know if this
+		 * scanner will even need a stack. We use 2 instead of 1 to avoid an
+		 * immediate realloc on the next call.
+         */
+		num_to_alloc = 1;
+		(yy_buffer_stack) = (struct yy_buffer_state**)yyalloc
+								(num_to_alloc * sizeof(struct yy_buffer_state*)
+								);
+		
+		memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*));
+				
+		(yy_buffer_stack_max) = num_to_alloc;
+		(yy_buffer_stack_top) = 0;
+		return;
+	}
+
+	if ((yy_buffer_stack_top) >= ((yy_buffer_stack_max)) - 1){
+
+		/* Increase the buffer to prepare for a possible push. */
+		int grow_size = 8 /* arbitrary grow size */;
+
+		num_to_alloc = (yy_buffer_stack_max) + grow_size;
+		(yy_buffer_stack) = (struct yy_buffer_state**)yyrealloc
+								((yy_buffer_stack),
+								num_to_alloc * sizeof(struct yy_buffer_state*)
+								);
+
+		/* zero only the new slots.*/
+		memset((yy_buffer_stack) + (yy_buffer_stack_max), 0, grow_size * sizeof(struct yy_buffer_state*));
+		(yy_buffer_stack_max) = num_to_alloc;
+	}
+}
+
+/** Setup the input buffer state to scan directly from a user-specified character buffer.
+ * @param base the character buffer
+ * @param size the size in bytes of the character buffer
+ * 
+ * @return the newly allocated buffer state object. 
+ */
+YY_BUFFER_STATE yy_scan_buffer  (char * base, yy_size_t  size )
+{
+	YY_BUFFER_STATE b;
+    
+	if ( size < 2 ||
+	     base[size-2] != YY_END_OF_BUFFER_CHAR ||
+	     base[size-1] != YY_END_OF_BUFFER_CHAR )
+		/* They forgot to leave room for the EOB's. */
+		return 0;
+
+	b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state )  );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
+
+	b->yy_buf_size = size - 2;	/* "- 2" to take care of EOB's */
+	b->yy_buf_pos = b->yy_ch_buf = base;
+	b->yy_is_our_buffer = 0;
+	b->yy_input_file = 0;
+	b->yy_n_chars = b->yy_buf_size;
+	b->yy_is_interactive = 0;
+	b->yy_at_bol = 1;
+	b->yy_fill_buffer = 0;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	yy_switch_to_buffer(b  );
+
+	return b;
+}
+
+/** Setup the input buffer state to scan a string. The next call to yylex() will
+ * scan from a @e copy of @a str.
+ * @param str a NUL-terminated string to scan
+ * 
+ * @return the newly allocated buffer state object.
+ * @note If you want to scan bytes that may contain NUL values, then use
+ *       yy_scan_bytes() instead.
+ */
+YY_BUFFER_STATE yy_scan_string (yyconst char * str )
+{
+    
+	return yy_scan_bytes(str,strlen(str) );
+}
+
+/** Setup the input buffer state to scan the given bytes. The next call to yylex() will
+ * scan from a @e copy of @a bytes.
+ * @param bytes the byte buffer to scan
+ * @param len the number of bytes in the buffer pointed to by @a bytes.
+ * 
+ * @return the newly allocated buffer state object.
+ */
+YY_BUFFER_STATE yy_scan_bytes  (yyconst char * bytes, int  len )
+{
+	YY_BUFFER_STATE b;
+	char *buf;
+	yy_size_t n;
+	int i;
+    
+	/* Get memory for full buffer, including space for trailing EOB's. */
+	n = len + 2;
+	buf = (char *) yyalloc(n  );
+	if ( ! buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
+
+	for ( i = 0; i < len; ++i )
+		buf[i] = bytes[i];
+
+	buf[len] = buf[len+1] = YY_END_OF_BUFFER_CHAR;
+
+	b = yy_scan_buffer(buf,n );
+	if ( ! b )
+		YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
+
+	/* It's okay to grow etc. this buffer, and we should throw it
+	 * away when we're done.
+	 */
+	b->yy_is_our_buffer = 1;
+
+	return b;
+}
+
+#ifndef YY_EXIT_FAILURE
+#define YY_EXIT_FAILURE 2
+#endif
+
+static void yy_fatal_error (yyconst char* msg )
+{
+    	(void) fprintf( stderr, "%s\n", msg );
+	exit( YY_EXIT_FAILURE );
+}
+
+/* Redefine yyless() so it works in section 3 code. */
+
+#undef yyless
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+        int yyless_macro_arg = (n); \
+        YY_LESS_LINENO(yyless_macro_arg);\
+		yytext[yyleng] = (yy_hold_char); \
+		(yy_c_buf_p) = yytext + yyless_macro_arg; \
+		(yy_hold_char) = *(yy_c_buf_p); \
+		*(yy_c_buf_p) = '\0'; \
+		yyleng = yyless_macro_arg; \
+		} \
+	while ( 0 )
+
+/* Accessor  methods (get/set functions) to struct members. */
+
+/** Get the input stream.
+ * 
+ */
+FILE *yyget_in  (void)
+{
+        return yyin;
+}
+
+/** Get the output stream.
+ * 
+ */
+FILE *yyget_out  (void)
+{
+        return yyout;
+}
+
+/** Get the length of the current token.
+ * 
+ */
+int yyget_leng  (void)
+{
+        return yyleng;
+}
+
+/** Get the current token.
+ * 
+ */
+
+char *yyget_text  (void)
+{
+        return yytext;
+}
+
+/** Set the input stream. This does not discard the current
+ * input buffer.
+ * @param in_str A readable stream.
+ * 
+ * @see yy_switch_to_buffer
+ */
+void yyset_in (FILE *  in_str )
+{
+        yyin = in_str ;
+}
+
+void yyset_out (FILE *  out_str )
+{
+        yyout = out_str ;
+}
+
+int yyget_debug  (void)
+{
+        return yy_flex_debug;
+}
+
+void yyset_debug (int  bdebug )
+{
+        yy_flex_debug = bdebug ;
+}
+
+/* yylex_destroy is for both reentrant and non-reentrant scanners. */
+int yylex_destroy  (void)
+{
+    
+    /* Pop the buffer stack, destroying each element. */
+	while(YY_CURRENT_BUFFER){
+		yy_delete_buffer(YY_CURRENT_BUFFER  );
+		YY_CURRENT_BUFFER_LVALUE = NULL;
+		yypop_buffer_state();
+	}
+
+	/* Destroy the stack itself. */
+	yyfree((yy_buffer_stack) );
+	(yy_buffer_stack) = NULL;
+
+    return 0;
+}
+
+/*
+ * Internal utility routines.
+ */
+
+#ifndef yytext_ptr
+static void yy_flex_strncpy (char* s1, yyconst char * s2, int n )
+{
+	register int i;
+    	for ( i = 0; i < n; ++i )
+		s1[i] = s2[i];
+}
+#endif
+
+#ifdef YY_NEED_STRLEN
+static int yy_flex_strlen (yyconst char * s )
+{
+	register int n;
+    	for ( n = 0; s[n]; ++n )
+		;
+
+	return n;
+}
+#endif
+
+void *yyalloc (yy_size_t  size )
+{
+	return (void *) malloc( size );
+}
+
+void *yyrealloc  (void * ptr, yy_size_t  size )
+{
+	/* The cast to (char *) in the following accommodates both
+	 * implementations that use char* generic pointers, and those
+	 * that use void* generic pointers.  It works with the latter
+	 * because both ANSI C and C++ allow castless assignment from
+	 * any pointer type to void*, and deal with argument conversions
+	 * as though doing an assignment.
+	 */
+	return (void *) realloc( (char *) ptr, size );
+}
+
+void yyfree (void * ptr )
+{
+	free( (char *) ptr );	/* see yyrealloc() for (char *) cast */
+}
+
+#define YYTABLES_NAME "yytables"
+
+#line 21 "parse_l.l"
+
+
+
diff --git a/Linux-PAM/doc/specs/formatter/parse.lex b/Linux-PAM/doc/specs/parse_l.l
index 1d5c898e..7cab424c 100644
--- a/Linux-PAM/doc/specs/formatter/parse.lex
+++ b/Linux-PAM/doc/specs/parse_l.l
@@ -1,3 +1,13 @@
+%{
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif
+
+#include <stdio.h>
+
+#include "parse_y.h"
+%}
+
 %%
 
 \#[\$]+[a-zA-Z]*(\=[0-9]+)?          return NEW_COUNTER;
diff --git a/Linux-PAM/doc/specs/parse_y.c b/Linux-PAM/doc/specs/parse_y.c
new file mode 100644
index 00000000..f62d41c9
--- /dev/null
+++ b/Linux-PAM/doc/specs/parse_y.c
@@ -0,0 +1,1706 @@
+/* A Bison parser, made by GNU Bison 2.1.  */
+
+/* Skeleton parser for Yacc-like parsing with Bison,
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
+
+/* As a special exception, when this file is copied by Bison into a
+   Bison output file, you may use that output file without restriction.
+   This special exception was added by the Free Software Foundation
+   in version 1.24 of Bison.  */
+
+/* Written by Richard Stallman by simplifying the original so called
+   ``semantic'' parser.  */
+
+/* All symbols defined below should begin with yy or YY, to avoid
+   infringing on user name space.  This should be done even for local
+   variables, as they might otherwise be expanded by user macros.
+   There are some unavoidable exceptions within include files to
+   define necessary library symbols; they are noted "INFRINGES ON
+   USER NAME SPACE" below.  */
+
+/* Identify Bison output.  */
+#define YYBISON 1
+
+/* Bison version.  */
+#define YYBISON_VERSION "2.1"
+
+/* Skeleton name.  */
+#define YYSKELETON_NAME "yacc.c"
+
+/* Pure parsers.  */
+#define YYPURE 0
+
+/* Using locations.  */
+#define YYLSP_NEEDED 0
+
+
+
+/* Tokens.  */
+#ifndef YYTOKENTYPE
+# define YYTOKENTYPE
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
+      know about them.  */
+   enum yytokentype {
+     NEW_COUNTER = 258,
+     LABEL = 259,
+     HASH = 260,
+     CHAR = 261,
+     NEWLINE = 262,
+     NO_INDENT = 263,
+     RIGHT = 264
+   };
+#endif
+/* Tokens.  */
+#define NEW_COUNTER 258
+#define LABEL 259
+#define HASH 260
+#define CHAR 261
+#define NEWLINE 262
+#define NO_INDENT 263
+#define RIGHT 264
+
+
+
+
+/* Copy the first part of user declarations.  */
+#line 2 "parse_y.y"
+
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+    
+#define MAXLINE  1000
+#define INDENT_STRING "  "
+#define PAPER_WIDTH   74
+
+    int indent=0;
+    int line=1;
+    char *last_label=NULL;
+
+    extern int yylex(void);
+    extern char *yytext;
+    extern void yyerror(const char *x);
+    extern char *get_label(const char *label);
+    extern void set_label(const char *label, const char *target);
+    char *new_counter(const char *key);
+
+
+/* Enabling traces.  */
+#ifndef YYDEBUG
+# define YYDEBUG 0
+#endif
+
+/* Enabling verbose error messages.  */
+#ifdef YYERROR_VERBOSE
+# undef YYERROR_VERBOSE
+# define YYERROR_VERBOSE 1
+#else
+# define YYERROR_VERBOSE 0
+#endif
+
+/* Enabling the token table.  */
+#ifndef YYTOKEN_TABLE
+# define YYTOKEN_TABLE 0
+#endif
+
+#if ! defined (YYSTYPE) && ! defined (YYSTYPE_IS_DECLARED)
+#line 27 "parse_y.y"
+typedef union YYSTYPE {
+    int def;
+    char *string;
+} YYSTYPE;
+/* Line 196 of yacc.c.  */
+#line 133 "parse_y.c"
+# define yystype YYSTYPE /* obsolescent; will be withdrawn */
+# define YYSTYPE_IS_DECLARED 1
+# define YYSTYPE_IS_TRIVIAL 1
+#endif
+
+
+
+/* Copy the second part of user declarations.  */
+
+
+/* Line 219 of yacc.c.  */
+#line 145 "parse_y.c"
+
+#if ! defined (YYSIZE_T) && defined (__SIZE_TYPE__)
+# define YYSIZE_T __SIZE_TYPE__
+#endif
+#if ! defined (YYSIZE_T) && defined (size_t)
+# define YYSIZE_T size_t
+#endif
+#if ! defined (YYSIZE_T) && (defined (__STDC__) || defined (__cplusplus))
+# include <stddef.h> /* INFRINGES ON USER NAME SPACE */
+# define YYSIZE_T size_t
+#endif
+#if ! defined (YYSIZE_T)
+# define YYSIZE_T unsigned int
+#endif
+
+#ifndef YY_
+# if YYENABLE_NLS
+#  if ENABLE_NLS
+#   include <libintl.h> /* INFRINGES ON USER NAME SPACE */
+#   define YY_(msgid) dgettext ("bison-runtime", msgid)
+#  endif
+# endif
+# ifndef YY_
+#  define YY_(msgid) msgid
+# endif
+#endif
+
+#if ! defined (yyoverflow) || YYERROR_VERBOSE
+
+/* The parser invokes alloca or malloc; define the necessary symbols.  */
+
+# ifdef YYSTACK_USE_ALLOCA
+#  if YYSTACK_USE_ALLOCA
+#   ifdef __GNUC__
+#    define YYSTACK_ALLOC __builtin_alloca
+#   else
+#    define YYSTACK_ALLOC alloca
+#    if defined (__STDC__) || defined (__cplusplus)
+#     include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
+#     define YYINCLUDED_STDLIB_H
+#    endif
+#   endif
+#  endif
+# endif
+
+# ifdef YYSTACK_ALLOC
+   /* Pacify GCC's `empty if-body' warning. */
+#  define YYSTACK_FREE(Ptr) do { /* empty */; } while (0)
+#  ifndef YYSTACK_ALLOC_MAXIMUM
+    /* The OS might guarantee only one guard page at the bottom of the stack,
+       and a page size can be as small as 4096 bytes.  So we cannot safely
+       invoke alloca (N) if N exceeds 4096.  Use a slightly smaller number
+       to allow for a few compiler-allocated temporary stack slots.  */
+#   define YYSTACK_ALLOC_MAXIMUM 4032 /* reasonable circa 2005 */
+#  endif
+# else
+#  define YYSTACK_ALLOC YYMALLOC
+#  define YYSTACK_FREE YYFREE
+#  ifndef YYSTACK_ALLOC_MAXIMUM
+#   define YYSTACK_ALLOC_MAXIMUM ((YYSIZE_T) -1)
+#  endif
+#  ifdef __cplusplus
+extern "C" {
+#  endif
+#  ifndef YYMALLOC
+#   define YYMALLOC malloc
+#   if (! defined (malloc) && ! defined (YYINCLUDED_STDLIB_H) \
+	&& (defined (__STDC__) || defined (__cplusplus)))
+void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
+#   endif
+#  endif
+#  ifndef YYFREE
+#   define YYFREE free
+#   if (! defined (free) && ! defined (YYINCLUDED_STDLIB_H) \
+	&& (defined (__STDC__) || defined (__cplusplus)))
+void free (void *); /* INFRINGES ON USER NAME SPACE */
+#   endif
+#  endif
+#  ifdef __cplusplus
+}
+#  endif
+# endif
+#endif /* ! defined (yyoverflow) || YYERROR_VERBOSE */
+
+
+#if (! defined (yyoverflow) \
+     && (! defined (__cplusplus) \
+	 || (defined (YYSTYPE_IS_TRIVIAL) && YYSTYPE_IS_TRIVIAL)))
+
+/* A type that is properly aligned for any stack member.  */
+union yyalloc
+{
+  short int yyss;
+  YYSTYPE yyvs;
+  };
+
+/* The size of the maximum gap between one aligned stack and the next.  */
+# define YYSTACK_GAP_MAXIMUM (sizeof (union yyalloc) - 1)
+
+/* The size of an array large to enough to hold all stacks, each with
+   N elements.  */
+# define YYSTACK_BYTES(N) \
+     ((N) * (sizeof (short int) + sizeof (YYSTYPE))			\
+      + YYSTACK_GAP_MAXIMUM)
+
+/* Copy COUNT objects from FROM to TO.  The source and destination do
+   not overlap.  */
+# ifndef YYCOPY
+#  if defined (__GNUC__) && 1 < __GNUC__
+#   define YYCOPY(To, From, Count) \
+      __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
+#  else
+#   define YYCOPY(To, From, Count)		\
+      do					\
+	{					\
+	  YYSIZE_T yyi;				\
+	  for (yyi = 0; yyi < (Count); yyi++)	\
+	    (To)[yyi] = (From)[yyi];		\
+	}					\
+      while (0)
+#  endif
+# endif
+
+/* Relocate STACK from its old location to the new one.  The
+   local variables YYSIZE and YYSTACKSIZE give the old and new number of
+   elements in the stack, and YYPTR gives the new location of the
+   stack.  Advance YYPTR to a properly aligned location for the next
+   stack.  */
+# define YYSTACK_RELOCATE(Stack)					\
+    do									\
+      {									\
+	YYSIZE_T yynewbytes;						\
+	YYCOPY (&yyptr->Stack, Stack, yysize);				\
+	Stack = &yyptr->Stack;						\
+	yynewbytes = yystacksize * sizeof (*Stack) + YYSTACK_GAP_MAXIMUM; \
+	yyptr += yynewbytes / sizeof (*yyptr);				\
+      }									\
+    while (0)
+
+#endif
+
+#if defined (__STDC__) || defined (__cplusplus)
+   typedef signed char yysigned_char;
+#else
+   typedef short int yysigned_char;
+#endif
+
+/* YYFINAL -- State number of the termination state. */
+#define YYFINAL  2
+/* YYLAST -- Last index in YYTABLE.  */
+#define YYLAST   27
+
+/* YYNTOKENS -- Number of terminals. */
+#define YYNTOKENS  10
+/* YYNNTS -- Number of nonterminals. */
+#define YYNNTS  4
+/* YYNRULES -- Number of rules. */
+#define YYNRULES  15
+/* YYNRULES -- Number of states. */
+#define YYNSTATES  19
+
+/* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX.  */
+#define YYUNDEFTOK  2
+#define YYMAXUTOK   264
+
+#define YYTRANSLATE(YYX)						\
+  ((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
+
+/* YYTRANSLATE[YYLEX] -- Bison symbol number corresponding to YYLEX.  */
+static const unsigned char yytranslate[] =
+{
+       0,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     1,     2,     3,     4,
+       5,     6,     7,     8,     9
+};
+
+#if YYDEBUG
+/* YYPRHS[YYN] -- Index of the first RHS symbol of rule number YYN in
+   YYRHS.  */
+static const unsigned char yyprhs[] =
+{
+       0,     0,     3,     4,     7,    11,    17,    25,    33,    34,
+      37,    39,    42,    44,    46,    48
+};
+
+/* YYRHS -- A `-1'-separated list of the rules' RHS. */
+static const yysigned_char yyrhs[] =
+{
+      11,     0,    -1,    -1,    11,     7,    -1,    11,    12,     7,
+      -1,    11,    12,     9,    12,     7,    -1,    11,    12,     9,
+      12,     9,    12,     7,    -1,    11,    12,     9,    12,     9,
+      12,     7,    -1,    -1,    12,    13,    -1,     6,    -1,    13,
+       6,    -1,     8,    -1,     5,    -1,     4,    -1,     3,    -1
+};
+
+/* YYRLINE[YYN] -- source line where rule number YYN was defined.  */
+static const unsigned char yyrline[] =
+{
+       0,    39,    39,    40,    44,    53,    72,    99,   128,   131,
+     139,   142,   147,   151,   154,   160
+};
+#endif
+
+#if YYDEBUG || YYERROR_VERBOSE || YYTOKEN_TABLE
+/* YYTNAME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM.
+   First, the terminals, then, starting at YYNTOKENS, nonterminals. */
+static const char *const yytname[] =
+{
+  "$end", "error", "$undefined", "NEW_COUNTER", "LABEL", "HASH", "CHAR",
+  "NEWLINE", "NO_INDENT", "RIGHT", "$accept", "doc", "stuff", "text", 0
+};
+#endif
+
+# ifdef YYPRINT
+/* YYTOKNUM[YYLEX-NUM] -- Internal token number corresponding to
+   token YYLEX-NUM.  */
+static const unsigned short int yytoknum[] =
+{
+       0,   256,   257,   258,   259,   260,   261,   262,   263,   264
+};
+# endif
+
+/* YYR1[YYN] -- Symbol number of symbol that rule YYN derives.  */
+static const unsigned char yyr1[] =
+{
+       0,    10,    11,    11,    11,    11,    11,    11,    12,    12,
+      13,    13,    13,    13,    13,    13
+};
+
+/* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN.  */
+static const unsigned char yyr2[] =
+{
+       0,     2,     0,     2,     3,     5,     7,     7,     0,     2,
+       1,     2,     1,     1,     1,     1
+};
+
+/* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state
+   STATE-NUM when YYTABLE doesn't specify something else to do.  Zero
+   means the default is an error.  */
+static const unsigned char yydefact[] =
+{
+       2,     8,     1,     3,     0,    15,    14,    13,    10,     4,
+      12,     8,     9,     0,    11,     5,     8,     0,     6
+};
+
+/* YYDEFGOTO[NTERM-NUM]. */
+static const yysigned_char yydefgoto[] =
+{
+      -1,     1,     4,    12
+};
+
+/* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
+   STATE-NUM.  */
+#define YYPACT_NINF -3
+static const yysigned_char yypact[] =
+{
+      -3,     0,    -3,    -3,     5,    -3,    -3,    -3,    -3,    -3,
+      -3,    -3,    17,    12,    -3,    -3,    -3,    -2,    -3
+};
+
+/* YYPGOTO[NTERM-NUM].  */
+static const yysigned_char yypgoto[] =
+{
+      -3,    -3,    11,    -3
+};
+
+/* YYTABLE[YYPACT[STATE-NUM]].  What to do in state STATE-NUM.  If
+   positive, shift that token.  If negative, reduce the rule which
+   number is the opposite.  If zero, do what YYDEFACT says.
+   If YYTABLE_NINF, syntax error.  */
+#define YYTABLE_NINF -1
+static const unsigned char yytable[] =
+{
+       2,     5,     6,     7,     8,    18,    10,     3,     5,     6,
+       7,     8,     9,    10,    11,     5,     6,     7,     8,    15,
+      10,    16,    13,    14,     0,     0,     0,    17
+};
+
+static const yysigned_char yycheck[] =
+{
+       0,     3,     4,     5,     6,     7,     8,     7,     3,     4,
+       5,     6,     7,     8,     9,     3,     4,     5,     6,     7,
+       8,     9,    11,     6,    -1,    -1,    -1,    16
+};
+
+/* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
+   symbol of state STATE-NUM.  */
+static const unsigned char yystos[] =
+{
+       0,    11,     0,     7,    12,     3,     4,     5,     6,     7,
+       8,     9,    13,    12,     6,     7,     9,    12,     7
+};
+
+#define yyerrok		(yyerrstatus = 0)
+#define yyclearin	(yychar = YYEMPTY)
+#define YYEMPTY		(-2)
+#define YYEOF		0
+
+#define YYACCEPT	goto yyacceptlab
+#define YYABORT		goto yyabortlab
+#define YYERROR		goto yyerrorlab
+
+
+/* Like YYERROR except do call yyerror.  This remains here temporarily
+   to ease the transition to the new meaning of YYERROR, for GCC.
+   Once GCC version 2 has supplanted version 1, this can go.  */
+
+#define YYFAIL		goto yyerrlab
+
+#define YYRECOVERING()  (!!yyerrstatus)
+
+#define YYBACKUP(Token, Value)					\
+do								\
+  if (yychar == YYEMPTY && yylen == 1)				\
+    {								\
+      yychar = (Token);						\
+      yylval = (Value);						\
+      yytoken = YYTRANSLATE (yychar);				\
+      YYPOPSTACK;						\
+      goto yybackup;						\
+    }								\
+  else								\
+    {								\
+      yyerror (YY_("syntax error: cannot back up")); \
+      YYERROR;							\
+    }								\
+while (0)
+
+
+#define YYTERROR	1
+#define YYERRCODE	256
+
+
+/* YYLLOC_DEFAULT -- Set CURRENT to span from RHS[1] to RHS[N].
+   If N is 0, then set CURRENT to the empty location which ends
+   the previous symbol: RHS[0] (always defined).  */
+
+#define YYRHSLOC(Rhs, K) ((Rhs)[K])
+#ifndef YYLLOC_DEFAULT
+# define YYLLOC_DEFAULT(Current, Rhs, N)				\
+    do									\
+      if (N)								\
+	{								\
+	  (Current).first_line   = YYRHSLOC (Rhs, 1).first_line;	\
+	  (Current).first_column = YYRHSLOC (Rhs, 1).first_column;	\
+	  (Current).last_line    = YYRHSLOC (Rhs, N).last_line;		\
+	  (Current).last_column  = YYRHSLOC (Rhs, N).last_column;	\
+	}								\
+      else								\
+	{								\
+	  (Current).first_line   = (Current).last_line   =		\
+	    YYRHSLOC (Rhs, 0).last_line;				\
+	  (Current).first_column = (Current).last_column =		\
+	    YYRHSLOC (Rhs, 0).last_column;				\
+	}								\
+    while (0)
+#endif
+
+
+/* YY_LOCATION_PRINT -- Print the location on the stream.
+   This macro was not mandated originally: define only if we know
+   we won't break user code: when these are the locations we know.  */
+
+#ifndef YY_LOCATION_PRINT
+# if YYLTYPE_IS_TRIVIAL
+#  define YY_LOCATION_PRINT(File, Loc)			\
+     fprintf (File, "%d.%d-%d.%d",			\
+              (Loc).first_line, (Loc).first_column,	\
+              (Loc).last_line,  (Loc).last_column)
+# else
+#  define YY_LOCATION_PRINT(File, Loc) ((void) 0)
+# endif
+#endif
+
+
+/* YYLEX -- calling `yylex' with the right arguments.  */
+
+#ifdef YYLEX_PARAM
+# define YYLEX yylex (YYLEX_PARAM)
+#else
+# define YYLEX yylex ()
+#endif
+
+/* Enable debugging if requested.  */
+#if YYDEBUG
+
+# ifndef YYFPRINTF
+#  include <stdio.h> /* INFRINGES ON USER NAME SPACE */
+#  define YYFPRINTF fprintf
+# endif
+
+# define YYDPRINTF(Args)			\
+do {						\
+  if (yydebug)					\
+    YYFPRINTF Args;				\
+} while (0)
+
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)		\
+do {								\
+  if (yydebug)							\
+    {								\
+      YYFPRINTF (stderr, "%s ", Title);				\
+      yysymprint (stderr,					\
+                  Type, Value);	\
+      YYFPRINTF (stderr, "\n");					\
+    }								\
+} while (0)
+
+/*------------------------------------------------------------------.
+| yy_stack_print -- Print the state stack from its BOTTOM up to its |
+| TOP (included).                                                   |
+`------------------------------------------------------------------*/
+
+#if defined (__STDC__) || defined (__cplusplus)
+static void
+yy_stack_print (short int *bottom, short int *top)
+#else
+static void
+yy_stack_print (bottom, top)
+    short int *bottom;
+    short int *top;
+#endif
+{
+  YYFPRINTF (stderr, "Stack now");
+  for (/* Nothing. */; bottom <= top; ++bottom)
+    YYFPRINTF (stderr, " %d", *bottom);
+  YYFPRINTF (stderr, "\n");
+}
+
+# define YY_STACK_PRINT(Bottom, Top)				\
+do {								\
+  if (yydebug)							\
+    yy_stack_print ((Bottom), (Top));				\
+} while (0)
+
+
+/*------------------------------------------------.
+| Report that the YYRULE is going to be reduced.  |
+`------------------------------------------------*/
+
+#if defined (__STDC__) || defined (__cplusplus)
+static void
+yy_reduce_print (int yyrule)
+#else
+static void
+yy_reduce_print (yyrule)
+    int yyrule;
+#endif
+{
+  int yyi;
+  unsigned long int yylno = yyrline[yyrule];
+  YYFPRINTF (stderr, "Reducing stack by rule %d (line %lu), ",
+             yyrule - 1, yylno);
+  /* Print the symbols being reduced, and their result.  */
+  for (yyi = yyprhs[yyrule]; 0 <= yyrhs[yyi]; yyi++)
+    YYFPRINTF (stderr, "%s ", yytname[yyrhs[yyi]]);
+  YYFPRINTF (stderr, "-> %s\n", yytname[yyr1[yyrule]]);
+}
+
+# define YY_REDUCE_PRINT(Rule)		\
+do {					\
+  if (yydebug)				\
+    yy_reduce_print (Rule);		\
+} while (0)
+
+/* Nonzero means print parse trace.  It is left uninitialized so that
+   multiple parsers can coexist.  */
+int yydebug;
+#else /* !YYDEBUG */
+# define YYDPRINTF(Args)
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)
+# define YY_STACK_PRINT(Bottom, Top)
+# define YY_REDUCE_PRINT(Rule)
+#endif /* !YYDEBUG */
+
+
+/* YYINITDEPTH -- initial size of the parser's stacks.  */
+#ifndef	YYINITDEPTH
+# define YYINITDEPTH 200
+#endif
+
+/* YYMAXDEPTH -- maximum size the stacks can grow to (effective only
+   if the built-in stack extension method is used).
+
+   Do not make this value too large; the results are undefined if
+   YYSTACK_ALLOC_MAXIMUM < YYSTACK_BYTES (YYMAXDEPTH)
+   evaluated with infinite-precision integer arithmetic.  */
+
+#ifndef YYMAXDEPTH
+# define YYMAXDEPTH 10000
+#endif
+
+
+
+#if YYERROR_VERBOSE
+
+# ifndef yystrlen
+#  if defined (__GLIBC__) && defined (_STRING_H)
+#   define yystrlen strlen
+#  else
+/* Return the length of YYSTR.  */
+static YYSIZE_T
+#   if defined (__STDC__) || defined (__cplusplus)
+yystrlen (const char *yystr)
+#   else
+yystrlen (yystr)
+     const char *yystr;
+#   endif
+{
+  const char *yys = yystr;
+
+  while (*yys++ != '\0')
+    continue;
+
+  return yys - yystr - 1;
+}
+#  endif
+# endif
+
+# ifndef yystpcpy
+#  if defined (__GLIBC__) && defined (_STRING_H) && defined (_GNU_SOURCE)
+#   define yystpcpy stpcpy
+#  else
+/* Copy YYSRC to YYDEST, returning the address of the terminating '\0' in
+   YYDEST.  */
+static char *
+#   if defined (__STDC__) || defined (__cplusplus)
+yystpcpy (char *yydest, const char *yysrc)
+#   else
+yystpcpy (yydest, yysrc)
+     char *yydest;
+     const char *yysrc;
+#   endif
+{
+  char *yyd = yydest;
+  const char *yys = yysrc;
+
+  while ((*yyd++ = *yys++) != '\0')
+    continue;
+
+  return yyd - 1;
+}
+#  endif
+# endif
+
+# ifndef yytnamerr
+/* Copy to YYRES the contents of YYSTR after stripping away unnecessary
+   quotes and backslashes, so that it's suitable for yyerror.  The
+   heuristic is that double-quoting is unnecessary unless the string
+   contains an apostrophe, a comma, or backslash (other than
+   backslash-backslash).  YYSTR is taken from yytname.  If YYRES is
+   null, do not copy; instead, return the length of what the result
+   would have been.  */
+static YYSIZE_T
+yytnamerr (char *yyres, const char *yystr)
+{
+  if (*yystr == '"')
+    {
+      size_t yyn = 0;
+      char const *yyp = yystr;
+
+      for (;;)
+	switch (*++yyp)
+	  {
+	  case '\'':
+	  case ',':
+	    goto do_not_strip_quotes;
+
+	  case '\\':
+	    if (*++yyp != '\\')
+	      goto do_not_strip_quotes;
+	    /* Fall through.  */
+	  default:
+	    if (yyres)
+	      yyres[yyn] = *yyp;
+	    yyn++;
+	    break;
+
+	  case '"':
+	    if (yyres)
+	      yyres[yyn] = '\0';
+	    return yyn;
+	  }
+    do_not_strip_quotes: ;
+    }
+
+  if (! yyres)
+    return yystrlen (yystr);
+
+  return yystpcpy (yyres, yystr) - yyres;
+}
+# endif
+
+#endif /* YYERROR_VERBOSE */
+
+
+
+#if YYDEBUG
+/*--------------------------------.
+| Print this symbol on YYOUTPUT.  |
+`--------------------------------*/
+
+#if defined (__STDC__) || defined (__cplusplus)
+static void
+yysymprint (FILE *yyoutput, int yytype, YYSTYPE *yyvaluep)
+#else
+static void
+yysymprint (yyoutput, yytype, yyvaluep)
+    FILE *yyoutput;
+    int yytype;
+    YYSTYPE *yyvaluep;
+#endif
+{
+  /* Pacify ``unused variable'' warnings.  */
+  (void) yyvaluep;
+
+  if (yytype < YYNTOKENS)
+    YYFPRINTF (yyoutput, "token %s (", yytname[yytype]);
+  else
+    YYFPRINTF (yyoutput, "nterm %s (", yytname[yytype]);
+
+
+# ifdef YYPRINT
+  if (yytype < YYNTOKENS)
+    YYPRINT (yyoutput, yytoknum[yytype], *yyvaluep);
+# endif
+  switch (yytype)
+    {
+      default:
+        break;
+    }
+  YYFPRINTF (yyoutput, ")");
+}
+
+#endif /* ! YYDEBUG */
+/*-----------------------------------------------.
+| Release the memory associated to this symbol.  |
+`-----------------------------------------------*/
+
+#if defined (__STDC__) || defined (__cplusplus)
+static void
+yydestruct (const char *yymsg, int yytype, YYSTYPE *yyvaluep)
+#else
+static void
+yydestruct (yymsg, yytype, yyvaluep)
+    const char *yymsg;
+    int yytype;
+    YYSTYPE *yyvaluep;
+#endif
+{
+  /* Pacify ``unused variable'' warnings.  */
+  (void) yyvaluep;
+
+  if (!yymsg)
+    yymsg = "Deleting";
+  YY_SYMBOL_PRINT (yymsg, yytype, yyvaluep, yylocationp);
+
+  switch (yytype)
+    {
+
+      default:
+        break;
+    }
+}
+
+
+/* Prevent warnings from -Wmissing-prototypes.  */
+
+#ifdef YYPARSE_PARAM
+# if defined (__STDC__) || defined (__cplusplus)
+int yyparse (void *YYPARSE_PARAM);
+# else
+int yyparse ();
+# endif
+#else /* ! YYPARSE_PARAM */
+#if defined (__STDC__) || defined (__cplusplus)
+int yyparse (void);
+#else
+int yyparse ();
+#endif
+#endif /* ! YYPARSE_PARAM */
+
+
+
+/* The look-ahead symbol.  */
+int yychar;
+
+/* The semantic value of the look-ahead symbol.  */
+YYSTYPE yylval;
+
+/* Number of syntax errors so far.  */
+int yynerrs;
+
+
+
+/*----------.
+| yyparse.  |
+`----------*/
+
+#ifdef YYPARSE_PARAM
+# if defined (__STDC__) || defined (__cplusplus)
+int yyparse (void *YYPARSE_PARAM)
+# else
+int yyparse (YYPARSE_PARAM)
+  void *YYPARSE_PARAM;
+# endif
+#else /* ! YYPARSE_PARAM */
+#if defined (__STDC__) || defined (__cplusplus)
+int
+yyparse (void)
+#else
+int
+yyparse ()
+    ;
+#endif
+#endif
+{
+  
+  int yystate;
+  int yyn;
+  int yyresult;
+  /* Number of tokens to shift before error messages enabled.  */
+  int yyerrstatus;
+  /* Look-ahead token as an internal (translated) token number.  */
+  int yytoken = 0;
+
+  /* Three stacks and their tools:
+     `yyss': related to states,
+     `yyvs': related to semantic values,
+     `yyls': related to locations.
+
+     Refer to the stacks thru separate pointers, to allow yyoverflow
+     to reallocate them elsewhere.  */
+
+  /* The state stack.  */
+  short int yyssa[YYINITDEPTH];
+  short int *yyss = yyssa;
+  short int *yyssp;
+
+  /* The semantic value stack.  */
+  YYSTYPE yyvsa[YYINITDEPTH];
+  YYSTYPE *yyvs = yyvsa;
+  YYSTYPE *yyvsp;
+
+
+
+#define YYPOPSTACK   (yyvsp--, yyssp--)
+
+  YYSIZE_T yystacksize = YYINITDEPTH;
+
+  /* The variables used to return semantic value and location from the
+     action routines.  */
+  YYSTYPE yyval;
+
+
+  /* When reducing, the number of symbols on the RHS of the reduced
+     rule.  */
+  int yylen;
+
+  YYDPRINTF ((stderr, "Starting parse\n"));
+
+  yystate = 0;
+  yyerrstatus = 0;
+  yynerrs = 0;
+  yychar = YYEMPTY;		/* Cause a token to be read.  */
+
+  /* Initialize stack pointers.
+     Waste one element of value and location stack
+     so that they stay on the same level as the state stack.
+     The wasted elements are never initialized.  */
+
+  yyssp = yyss;
+  yyvsp = yyvs;
+
+  goto yysetstate;
+
+/*------------------------------------------------------------.
+| yynewstate -- Push a new state, which is found in yystate.  |
+`------------------------------------------------------------*/
+ yynewstate:
+  /* In all cases, when you get here, the value and location stacks
+     have just been pushed. so pushing a state here evens the stacks.
+     */
+  yyssp++;
+
+ yysetstate:
+  *yyssp = yystate;
+
+  if (yyss + yystacksize - 1 <= yyssp)
+    {
+      /* Get the current used size of the three stacks, in elements.  */
+      YYSIZE_T yysize = yyssp - yyss + 1;
+
+#ifdef yyoverflow
+      {
+	/* Give user a chance to reallocate the stack. Use copies of
+	   these so that the &'s don't force the real ones into
+	   memory.  */
+	YYSTYPE *yyvs1 = yyvs;
+	short int *yyss1 = yyss;
+
+
+	/* Each stack pointer address is followed by the size of the
+	   data in use in that stack, in bytes.  This used to be a
+	   conditional around just the two extra args, but that might
+	   be undefined if yyoverflow is a macro.  */
+	yyoverflow (YY_("memory exhausted"),
+		    &yyss1, yysize * sizeof (*yyssp),
+		    &yyvs1, yysize * sizeof (*yyvsp),
+
+		    &yystacksize);
+
+	yyss = yyss1;
+	yyvs = yyvs1;
+      }
+#else /* no yyoverflow */
+# ifndef YYSTACK_RELOCATE
+      goto yyexhaustedlab;
+# else
+      /* Extend the stack our own way.  */
+      if (YYMAXDEPTH <= yystacksize)
+	goto yyexhaustedlab;
+      yystacksize *= 2;
+      if (YYMAXDEPTH < yystacksize)
+	yystacksize = YYMAXDEPTH;
+
+      {
+	short int *yyss1 = yyss;
+	union yyalloc *yyptr =
+	  (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
+	if (! yyptr)
+	  goto yyexhaustedlab;
+	YYSTACK_RELOCATE (yyss);
+	YYSTACK_RELOCATE (yyvs);
+
+#  undef YYSTACK_RELOCATE
+	if (yyss1 != yyssa)
+	  YYSTACK_FREE (yyss1);
+      }
+# endif
+#endif /* no yyoverflow */
+
+      yyssp = yyss + yysize - 1;
+      yyvsp = yyvs + yysize - 1;
+
+
+      YYDPRINTF ((stderr, "Stack size increased to %lu\n",
+		  (unsigned long int) yystacksize));
+
+      if (yyss + yystacksize - 1 <= yyssp)
+	YYABORT;
+    }
+
+  YYDPRINTF ((stderr, "Entering state %d\n", yystate));
+
+  goto yybackup;
+
+/*-----------.
+| yybackup.  |
+`-----------*/
+yybackup:
+
+/* Do appropriate processing given the current state.  */
+/* Read a look-ahead token if we need one and don't already have one.  */
+/* yyresume: */
+
+  /* First try to decide what to do without reference to look-ahead token.  */
+
+  yyn = yypact[yystate];
+  if (yyn == YYPACT_NINF)
+    goto yydefault;
+
+  /* Not known => get a look-ahead token if don't already have one.  */
+
+  /* YYCHAR is either YYEMPTY or YYEOF or a valid look-ahead symbol.  */
+  if (yychar == YYEMPTY)
+    {
+      YYDPRINTF ((stderr, "Reading a token: "));
+      yychar = YYLEX;
+    }
+
+  if (yychar <= YYEOF)
+    {
+      yychar = yytoken = YYEOF;
+      YYDPRINTF ((stderr, "Now at end of input.\n"));
+    }
+  else
+    {
+      yytoken = YYTRANSLATE (yychar);
+      YY_SYMBOL_PRINT ("Next token is", yytoken, &yylval, &yylloc);
+    }
+
+  /* If the proper action on seeing token YYTOKEN is to reduce or to
+     detect an error, take that action.  */
+  yyn += yytoken;
+  if (yyn < 0 || YYLAST < yyn || yycheck[yyn] != yytoken)
+    goto yydefault;
+  yyn = yytable[yyn];
+  if (yyn <= 0)
+    {
+      if (yyn == 0 || yyn == YYTABLE_NINF)
+	goto yyerrlab;
+      yyn = -yyn;
+      goto yyreduce;
+    }
+
+  if (yyn == YYFINAL)
+    YYACCEPT;
+
+  /* Shift the look-ahead token.  */
+  YY_SYMBOL_PRINT ("Shifting", yytoken, &yylval, &yylloc);
+
+  /* Discard the token being shifted unless it is eof.  */
+  if (yychar != YYEOF)
+    yychar = YYEMPTY;
+
+  *++yyvsp = yylval;
+
+
+  /* Count tokens shifted since error; after three, turn off error
+     status.  */
+  if (yyerrstatus)
+    yyerrstatus--;
+
+  yystate = yyn;
+  goto yynewstate;
+
+
+/*-----------------------------------------------------------.
+| yydefault -- do the default action for the current state.  |
+`-----------------------------------------------------------*/
+yydefault:
+  yyn = yydefact[yystate];
+  if (yyn == 0)
+    goto yyerrlab;
+  goto yyreduce;
+
+
+/*-----------------------------.
+| yyreduce -- Do a reduction.  |
+`-----------------------------*/
+yyreduce:
+  /* yyn is the number of a rule to reduce with.  */
+  yylen = yyr2[yyn];
+
+  /* If YYLEN is nonzero, implement the default value of the action:
+     `$$ = $1'.
+
+     Otherwise, the following line sets YYVAL to garbage.
+     This behavior is undocumented and Bison
+     users should not rely upon it.  Assigning to YYVAL
+     unconditionally makes the parser a bit smaller, and it avoids a
+     GCC warning that YYVAL may be used uninitialized.  */
+  yyval = yyvsp[1-yylen];
+
+
+  YY_REDUCE_PRINT (yyn);
+  switch (yyn)
+    {
+        case 3:
+#line 40 "parse_y.y"
+    {
+    printf("\n");
+    ++line;
+}
+    break;
+
+  case 4:
+#line 44 "parse_y.y"
+    {
+    if (strlen((yyvsp[-1].string)) > (PAPER_WIDTH-(indent ? strlen(INDENT_STRING):0))) {
+	yyerror("line too long");
+    }
+    printf("%s%s\n", indent ? INDENT_STRING:"", (yyvsp[-1].string));
+    free((yyvsp[-1].string));
+    indent = 1;
+    ++line;
+}
+    break;
+
+  case 5:
+#line 53 "parse_y.y"
+    {
+    char fixed[PAPER_WIDTH+1];
+    int len;
+
+    len = PAPER_WIDTH-(strlen((yyvsp[-3].string))+strlen((yyvsp[-1].string)));
+
+    if (len >= 0) {
+	memset(fixed, ' ', len);
+	fixed[len] = '\0';
+    } else {
+	yyerror("line too wide");
+	fixed[0] = '\0';
+    }
+    printf("%s%s%s\n", (yyvsp[-3].string), fixed, (yyvsp[-1].string));
+    free((yyvsp[-3].string));
+    free((yyvsp[-1].string));
+    indent = 1;
+    ++line;
+}
+    break;
+
+  case 6:
+#line 72 "parse_y.y"
+    {
+    char fixed[PAPER_WIDTH+1];
+    int len, l;
+
+    len = PAPER_WIDTH-(strlen((yyvsp[-5].string))+strlen((yyvsp[-3].string)));
+
+    if (len < 0) {
+	len = 0;
+	yyerror("line too wide");
+    }
+
+    l = len/2;
+    memset(fixed, ' ', l);
+    fixed[l] = '\0';
+    printf("%s%s%s", (yyvsp[-5].string), fixed, (yyvsp[-3].string));
+    free((yyvsp[-5].string));
+    free((yyvsp[-3].string));
+    
+    l = (len+1)/2;
+    memset(fixed, ' ', l);
+    fixed[l] = '\0';
+    printf("%s%s\n", fixed, (yyvsp[-1].string));
+    free((yyvsp[-1].string));
+
+    indent = 1;
+    ++line;
+}
+    break;
+
+  case 7:
+#line 99 "parse_y.y"
+    {
+    char fixed[PAPER_WIDTH+1];
+    int len, l;
+
+    len = PAPER_WIDTH-(strlen((yyvsp[-5].string))+strlen((yyvsp[-3].string)));
+
+    if (len < 0) {
+	len = 0;
+	yyerror("line too wide");
+    }
+
+    l = len/2;
+    memset(fixed, ' ', l);
+    fixed[l] = '\0';
+    printf("%s%s%s", (yyvsp[-5].string), fixed, (yyvsp[-3].string));
+    free((yyvsp[-5].string));
+    free((yyvsp[-3].string));
+    
+    l = (len+1)/2;
+    memset(fixed, ' ', l);
+    fixed[l] = '\0';
+    printf("%s%s\n", fixed, (yyvsp[-1].string));
+    free((yyvsp[-1].string));
+
+    indent = 1;
+    ++line;
+}
+    break;
+
+  case 8:
+#line 128 "parse_y.y"
+    {
+    (yyval.string) = strdup("");
+}
+    break;
+
+  case 9:
+#line 131 "parse_y.y"
+    {
+    (yyval.string) = malloc(strlen((yyvsp[-1].string))+strlen((yyvsp[0].string))+1);
+    sprintf((yyval.string),"%s%s", (yyvsp[-1].string), (yyvsp[0].string));
+    free((yyvsp[-1].string));
+    free((yyvsp[0].string));
+}
+    break;
+
+  case 10:
+#line 139 "parse_y.y"
+    {
+    (yyval.string) = strdup(yytext);
+}
+    break;
+
+  case 11:
+#line 142 "parse_y.y"
+    {
+    (yyval.string) = malloc(strlen((yyvsp[-1].string))+2);
+    sprintf((yyval.string),"%s%s", (yyvsp[-1].string), yytext);
+    free((yyvsp[-1].string));
+}
+    break;
+
+  case 12:
+#line 147 "parse_y.y"
+    {
+    (yyval.string) = strdup("");
+    indent = 0;
+}
+    break;
+
+  case 13:
+#line 151 "parse_y.y"
+    {
+    (yyval.string) = strdup("#");
+}
+    break;
+
+  case 14:
+#line 154 "parse_y.y"
+    {
+    if (((yyval.string) = get_label(yytext)) == NULL) {
+	set_label(yytext, last_label);
+	(yyval.string) = strdup("");
+    }
+}
+    break;
+
+  case 15:
+#line 160 "parse_y.y"
+    {
+    (yyval.string) = new_counter(yytext);
+}
+    break;
+
+
+      default: break;
+    }
+
+/* Line 1126 of yacc.c.  */
+#line 1305 "parse_y.c"
+
+  yyvsp -= yylen;
+  yyssp -= yylen;
+
+
+  YY_STACK_PRINT (yyss, yyssp);
+
+  *++yyvsp = yyval;
+
+
+  /* Now `shift' the result of the reduction.  Determine what state
+     that goes to, based on the state we popped back to and the rule
+     number reduced by.  */
+
+  yyn = yyr1[yyn];
+
+  yystate = yypgoto[yyn - YYNTOKENS] + *yyssp;
+  if (0 <= yystate && yystate <= YYLAST && yycheck[yystate] == *yyssp)
+    yystate = yytable[yystate];
+  else
+    yystate = yydefgoto[yyn - YYNTOKENS];
+
+  goto yynewstate;
+
+
+/*------------------------------------.
+| yyerrlab -- here on detecting error |
+`------------------------------------*/
+yyerrlab:
+  /* If not already recovering from an error, report this error.  */
+  if (!yyerrstatus)
+    {
+      ++yynerrs;
+#if YYERROR_VERBOSE
+      yyn = yypact[yystate];
+
+      if (YYPACT_NINF < yyn && yyn < YYLAST)
+	{
+	  int yytype = YYTRANSLATE (yychar);
+	  YYSIZE_T yysize0 = yytnamerr (0, yytname[yytype]);
+	  YYSIZE_T yysize = yysize0;
+	  YYSIZE_T yysize1;
+	  int yysize_overflow = 0;
+	  char *yymsg = 0;
+#	  define YYERROR_VERBOSE_ARGS_MAXIMUM 5
+	  char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
+	  int yyx;
+
+#if 0
+	  /* This is so xgettext sees the translatable formats that are
+	     constructed on the fly.  */
+	  YY_("syntax error, unexpected %s");
+	  YY_("syntax error, unexpected %s, expecting %s");
+	  YY_("syntax error, unexpected %s, expecting %s or %s");
+	  YY_("syntax error, unexpected %s, expecting %s or %s or %s");
+	  YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s");
+#endif
+	  char *yyfmt;
+	  char const *yyf;
+	  static char const yyunexpected[] = "syntax error, unexpected %s";
+	  static char const yyexpecting[] = ", expecting %s";
+	  static char const yyor[] = " or %s";
+	  char yyformat[sizeof yyunexpected
+			+ sizeof yyexpecting - 1
+			+ ((YYERROR_VERBOSE_ARGS_MAXIMUM - 2)
+			   * (sizeof yyor - 1))];
+	  char const *yyprefix = yyexpecting;
+
+	  /* Start YYX at -YYN if negative to avoid negative indexes in
+	     YYCHECK.  */
+	  int yyxbegin = yyn < 0 ? -yyn : 0;
+
+	  /* Stay within bounds of both yycheck and yytname.  */
+	  int yychecklim = YYLAST - yyn;
+	  int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
+	  int yycount = 1;
+
+	  yyarg[0] = yytname[yytype];
+	  yyfmt = yystpcpy (yyformat, yyunexpected);
+
+	  for (yyx = yyxbegin; yyx < yyxend; ++yyx)
+	    if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR)
+	      {
+		if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
+		  {
+		    yycount = 1;
+		    yysize = yysize0;
+		    yyformat[sizeof yyunexpected - 1] = '\0';
+		    break;
+		  }
+		yyarg[yycount++] = yytname[yyx];
+		yysize1 = yysize + yytnamerr (0, yytname[yyx]);
+		yysize_overflow |= yysize1 < yysize;
+		yysize = yysize1;
+		yyfmt = yystpcpy (yyfmt, yyprefix);
+		yyprefix = yyor;
+	      }
+
+	  yyf = YY_(yyformat);
+	  yysize1 = yysize + yystrlen (yyf);
+	  yysize_overflow |= yysize1 < yysize;
+	  yysize = yysize1;
+
+	  if (!yysize_overflow && yysize <= YYSTACK_ALLOC_MAXIMUM)
+	    yymsg = (char *) YYSTACK_ALLOC (yysize);
+	  if (yymsg)
+	    {
+	      /* Avoid sprintf, as that infringes on the user's name space.
+		 Don't have undefined behavior even if the translation
+		 produced a string with the wrong number of "%s"s.  */
+	      char *yyp = yymsg;
+	      int yyi = 0;
+	      while ((*yyp = *yyf))
+		{
+		  if (*yyp == '%' && yyf[1] == 's' && yyi < yycount)
+		    {
+		      yyp += yytnamerr (yyp, yyarg[yyi++]);
+		      yyf += 2;
+		    }
+		  else
+		    {
+		      yyp++;
+		      yyf++;
+		    }
+		}
+	      yyerror (yymsg);
+	      YYSTACK_FREE (yymsg);
+	    }
+	  else
+	    {
+	      yyerror (YY_("syntax error"));
+	      goto yyexhaustedlab;
+	    }
+	}
+      else
+#endif /* YYERROR_VERBOSE */
+	yyerror (YY_("syntax error"));
+    }
+
+
+
+  if (yyerrstatus == 3)
+    {
+      /* If just tried and failed to reuse look-ahead token after an
+	 error, discard it.  */
+
+      if (yychar <= YYEOF)
+        {
+	  /* Return failure if at end of input.  */
+	  if (yychar == YYEOF)
+	    YYABORT;
+        }
+      else
+	{
+	  yydestruct ("Error: discarding", yytoken, &yylval);
+	  yychar = YYEMPTY;
+	}
+    }
+
+  /* Else will try to reuse look-ahead token after shifting the error
+     token.  */
+  goto yyerrlab1;
+
+
+/*---------------------------------------------------.
+| yyerrorlab -- error raised explicitly by YYERROR.  |
+`---------------------------------------------------*/
+yyerrorlab:
+
+  /* Pacify compilers like GCC when the user code never invokes
+     YYERROR and the label yyerrorlab therefore never appears in user
+     code.  */
+  if (0)
+     goto yyerrorlab;
+
+yyvsp -= yylen;
+  yyssp -= yylen;
+  yystate = *yyssp;
+  goto yyerrlab1;
+
+
+/*-------------------------------------------------------------.
+| yyerrlab1 -- common code for both syntax error and YYERROR.  |
+`-------------------------------------------------------------*/
+yyerrlab1:
+  yyerrstatus = 3;	/* Each real token shifted decrements this.  */
+
+  for (;;)
+    {
+      yyn = yypact[yystate];
+      if (yyn != YYPACT_NINF)
+	{
+	  yyn += YYTERROR;
+	  if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
+	    {
+	      yyn = yytable[yyn];
+	      if (0 < yyn)
+		break;
+	    }
+	}
+
+      /* Pop the current state because it cannot handle the error token.  */
+      if (yyssp == yyss)
+	YYABORT;
+
+
+      yydestruct ("Error: popping", yystos[yystate], yyvsp);
+      YYPOPSTACK;
+      yystate = *yyssp;
+      YY_STACK_PRINT (yyss, yyssp);
+    }
+
+  if (yyn == YYFINAL)
+    YYACCEPT;
+
+  *++yyvsp = yylval;
+
+
+  /* Shift the error token. */
+  YY_SYMBOL_PRINT ("Shifting", yystos[yyn], yyvsp, yylsp);
+
+  yystate = yyn;
+  goto yynewstate;
+
+
+/*-------------------------------------.
+| yyacceptlab -- YYACCEPT comes here.  |
+`-------------------------------------*/
+yyacceptlab:
+  yyresult = 0;
+  goto yyreturn;
+
+/*-----------------------------------.
+| yyabortlab -- YYABORT comes here.  |
+`-----------------------------------*/
+yyabortlab:
+  yyresult = 1;
+  goto yyreturn;
+
+#ifndef yyoverflow
+/*-------------------------------------------------.
+| yyexhaustedlab -- memory exhaustion comes here.  |
+`-------------------------------------------------*/
+yyexhaustedlab:
+  yyerror (YY_("memory exhausted"));
+  yyresult = 2;
+  /* Fall through.  */
+#endif
+
+yyreturn:
+  if (yychar != YYEOF && yychar != YYEMPTY)
+     yydestruct ("Cleanup: discarding lookahead",
+		 yytoken, &yylval);
+  while (yyssp != yyss)
+    {
+      yydestruct ("Cleanup: popping",
+		  yystos[*yyssp], yyvsp);
+      YYPOPSTACK;
+    }
+#ifndef yyoverflow
+  if (yyss != yyssa)
+    YYSTACK_FREE (yyss);
+#endif
+  return yyresult;
+}
+
+
+#line 165 "parse_y.y"
+
+
+typedef struct node_s {
+    struct node_s *left, *right;
+    const char *key;
+    char *value;
+} *node_t;
+
+node_t label_root = NULL;
+node_t counter_root = NULL;
+
+static const char *find_key(node_t root, const char *key)
+{
+    while (root) {
+	int cmp = strcmp(key, root->key);
+
+	if (cmp > 0) {
+	    root = root->right;
+	} else if (cmp) {
+	    root = root->left;
+	} else {
+	    return root->value;
+	}
+    }
+    return NULL;
+}
+
+static node_t set_key(node_t root, const char *key, const char *value)
+{
+    if (root) {
+	int cmp = strcmp(key, root->key);
+	if (cmp > 0) {
+	    root->right = set_key(root->right, key, value);
+	} else if (cmp) {
+	    root->left = set_key(root->left, key, value);
+	} else {
+	    free(root->value);
+	    root->value = strdup(value);
+	}
+    } else {
+	root = malloc(sizeof(struct node_s));
+	root->right = root->left = NULL;
+	root->key = strdup(key);
+	root->value = strdup(value);
+    }
+    return root;
+}
+
+void yyerror(const char *x)
+{
+    fprintf(stderr, "line %d: %s\n", line, x);
+}
+
+char *get_label(const char *label)
+{
+    const char *found = find_key(label_root, label);
+
+    if (found) {
+	return strdup(found);
+    }
+    return NULL;
+}
+
+void set_label(const char *label, const char *target)
+{
+    if (target == NULL) {
+	yyerror("no hanging value for label");
+	target = "<??>";
+    }
+    label_root = set_key(label_root, label, target);
+}
+
+char *new_counter(const char *key)
+{
+    int i=0, j, ndollars = 0;
+    const char *old;
+    char *new;
+
+    if (key[i++] != '#') {
+	yyerror("bad index");
+	return strdup("<???>");
+    }
+
+    while (key[i] == '$') {
+	++ndollars;
+	++i;
+    }
+
+    key += i;
+    old = find_key(counter_root, key);
+    new = malloc(20*ndollars);
+
+    if (old) {
+	for (j=0; ndollars > 1 && old[j]; ) {
+	    if (old[j++] == '.' && --ndollars <= 0) {
+		break;
+	    }
+	}
+	if (j) {
+	    strncpy(new, old, j);
+	}
+	if (old[j]) {
+	    i = atoi(old+j);
+	} else {
+	    new[j++] = '.';
+	    i = 0;
+	}
+    } else {
+	j=0;
+	while (--ndollars > 0) {
+	    new[j++] = '0';
+	    new[j++] = '.';
+	}
+	i = 0;
+    }
+    new[j] = '\0';
+    sprintf(new+j, "%d", ++i);
+
+    counter_root = set_key(counter_root, key, new);
+    
+    if (last_label) {
+	free(last_label);
+    }
+    last_label = strdup(new);
+
+    return new;
+}
+
+int
+main(void)
+{
+    return yyparse();
+}
+
diff --git a/Linux-PAM/doc/specs/parse_y.h b/Linux-PAM/doc/specs/parse_y.h
new file mode 100644
index 00000000..e96d7c76
--- /dev/null
+++ b/Linux-PAM/doc/specs/parse_y.h
@@ -0,0 +1,69 @@
+/* A Bison parser, made by GNU Bison 2.1.  */
+
+/* Skeleton parser for Yacc-like parsing with Bison,
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
+
+/* As a special exception, when this file is copied by Bison into a
+   Bison output file, you may use that output file without restriction.
+   This special exception was added by the Free Software Foundation
+   in version 1.24 of Bison.  */
+
+/* Tokens.  */
+#ifndef YYTOKENTYPE
+# define YYTOKENTYPE
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
+      know about them.  */
+   enum yytokentype {
+     NEW_COUNTER = 258,
+     LABEL = 259,
+     HASH = 260,
+     CHAR = 261,
+     NEWLINE = 262,
+     NO_INDENT = 263,
+     RIGHT = 264
+   };
+#endif
+/* Tokens.  */
+#define NEW_COUNTER 258
+#define LABEL 259
+#define HASH 260
+#define CHAR 261
+#define NEWLINE 262
+#define NO_INDENT 263
+#define RIGHT 264
+
+
+
+
+#if ! defined (YYSTYPE) && ! defined (YYSTYPE_IS_DECLARED)
+#line 27 "parse_y.y"
+typedef union YYSTYPE {
+    int def;
+    char *string;
+} YYSTYPE;
+/* Line 1447 of yacc.c.  */
+#line 61 "parse_y.h"
+# define yystype YYSTYPE /* obsolescent; will be withdrawn */
+# define YYSTYPE_IS_DECLARED 1
+# define YYSTYPE_IS_TRIVIAL 1
+#endif
+
+extern YYSTYPE yylval;
+
+
+
diff --git a/Linux-PAM/doc/specs/formatter/parse.y b/Linux-PAM/doc/specs/parse_y.y
index 6da47d17..9ea51654 100644
--- a/Linux-PAM/doc/specs/formatter/parse.y
+++ b/Linux-PAM/doc/specs/parse_y.y
@@ -1,5 +1,9 @@
 
 %{
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -12,13 +16,12 @@
     int line=1;
     char *last_label=NULL;
 
+    extern int yylex(void);
+    extern char *yytext;
     extern void yyerror(const char *x);
     extern char *get_label(const char *label);
     extern void set_label(const char *label, const char *target);
     char *new_counter(const char *key);
-
-#include "lex.yy.c"
-
 %}
 
 %union {
@@ -170,7 +173,7 @@ typedef struct node_s {
 node_t label_root = NULL;
 node_t counter_root = NULL;
 
-const char *find_key(node_t root, const char *key)
+static const char *find_key(node_t root, const char *key)
 {
     while (root) {
 	int cmp = strcmp(key, root->key);
@@ -186,7 +189,7 @@ const char *find_key(node_t root, const char *key)
     return NULL;
 }
 
-node_t set_key(node_t root, const char *key, const char *value)
+static node_t set_key(node_t root, const char *key, const char *value)
 {
     if (root) {
 	int cmp = strcmp(key, root->key);
@@ -287,7 +290,8 @@ char *new_counter(const char *key)
     return new;
 }
 
-main()
+int
+main(void)
 {
-    yyparse();
+    return yyparse();
 }
diff --git a/Linux-PAM/doc/txts/README b/Linux-PAM/doc/txts/README
deleted file mode 100644
index f63820cf..00000000
--- a/Linux-PAM/doc/txts/README
+++ /dev/null
@@ -1,3 +0,0 @@
-$Id: README,v 1.1.1.1 2000/06/20 22:11:12 agmorgan Exp $
-
-This is a directory for text versions of the pam documentation