* man/chfn.1.xml: Uses CHFN_AUTH, CHFN_RESTRICT, LOGIN_STRING.

* man/chgpasswd.8.xml: Uses ENCRYPT_METHOD, MAX_MEMBERS_PER_GROUP,
  MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS (SHA_CRYPT_MAX_ROUNDS).
* man/chpasswd.8.xml: Switch to using entities for ENCRYPT_METHOD,
  MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS (SHA_CRYPT_MAX_ROUNDS).
* man/chsh.1.xml: Uses CHSH_AUTH, LOGIN_STRING.
* man/expiry.1.xml: Does not use any login.defs parameter.
* man/gpasswd.1.xml: Uses ENCRYPT_METHOD, MAX_MEMBERS_PER_GROUP,
  MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS.
* man/login.defs.5.xml: Added CHSH_AUTH.
* man/login.defs.5.xml: Cross reference -> cross references.
* man/login.defs.5.xml: chfn only uses CHFN_AUTH when no_pam.
* man/login.defs.5.xml: chsh uses CHSH_AUTH, not CHFN_AUTH.
* man/login.defs.d/CHSH_AUTH.xml: Added.
* man/login.defs.5.xml: chsh uses parameters only when no_pam.
* man/login.defs.5.xml: expiry does not use CONSOLE_GROUPS, even
  if linked in the binary.
* man/newusers.8.xml: Uses ENCRYPT_METHOD, MAX_MEMBERS_PER_GROUP,
  MD5_CRYPT_ENAB, PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE,
  SHA_CRYPT_MIN_ROUNDS, UMASK.

ChangeLog

@@ -1,3 +1,26 @@
+2007-11-27  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* man/chfn.1.xml: Uses CHFN_AUTH, CHFN_RESTRICT, LOGIN_STRING.
+	* man/chgpasswd.8.xml: Uses ENCRYPT_METHOD, MAX_MEMBERS_PER_GROUP,
+	MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS (SHA_CRYPT_MAX_ROUNDS).
+	* man/chpasswd.8.xml: Switch to using entities for ENCRYPT_METHOD,
+	MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS (SHA_CRYPT_MAX_ROUNDS).
+	* man/chsh.1.xml: Uses CHSH_AUTH, LOGIN_STRING.
+	* man/expiry.1.xml: Does not use any login.defs parameter.
+	* man/gpasswd.1.xml: Uses ENCRYPT_METHOD, MAX_MEMBERS_PER_GROUP,
+	MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS.
+	* man/login.defs.5.xml: Added CHSH_AUTH.
+	* man/login.defs.5.xml: Cross reference -> cross references.
+	* man/login.defs.5.xml: chfn only uses CHFN_AUTH when no_pam.
+	* man/login.defs.5.xml: chsh uses CHSH_AUTH, not CHFN_AUTH.
+	* man/login.defs.d/CHSH_AUTH.xml: Added.
+	* man/login.defs.5.xml: chsh uses parameters only when no_pam.
+	* man/login.defs.5.xml: expiry does not use CONSOLE_GROUPS, even
+	if linked in the binary.
+	* man/newusers.8.xml: Uses ENCRYPT_METHOD, MAX_MEMBERS_PER_GROUP,
+	MD5_CRYPT_ENAB, PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE,
+	SHA_CRYPT_MIN_ROUNDS, UMASK.
+
 2007-11-26  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* man/generate_translations.mak, man/po/Makefile.in.in: Add

man/chfn.1.xml

@@ -1,4 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY CHFN_AUTH             SYSTEM "login.defs.d/CHFN_AUTH.xml">
+<!ENTITY CHFN_RESTRICT         SYSTEM "login.defs.d/CHFN_RESTRICT.xml">
+<!ENTITY LOGIN_STRING          SYSTEM "login.defs.d/LOGIN_STRING.xml">
+]>
+
 <refentry id='chfn.1'>
   <!-- $Id$ -->
   <refmeta>
@@ -56,6 +63,20 @@
     </para>
   </refsect1>
 
+  <refsect1 id='configuration'>
+    <title>CONFIGURATION</title>
+    <para>
+      The following configuration variables in
+      <filename>/etc/login.defs</filename> change the behavior of this
+      tool:
+    </para>
+    <variablelist>
+      &CHFN_AUTH;
+      &CHFN_RESTRICT;
+      &LOGIN_STRING;
+    </variablelist>
+  </refsect1>
+
   <refsect1 id='files'>
     <title>FILES</title>
     <variablelist>

man/chgpasswd.8.xml

@@ -1,4 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY ENCRYPT_METHOD        SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
+<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
+<!ENTITY MD5_CRYPT_ENAB        SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
+<!ENTITY SHA_CRYPT_MIN_ROUNDS  SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
+]>
+
 <refentry id='chgpasswd.8'>
   <!-- $Id$ -->
   <refmeta>
@@ -121,6 +129,21 @@
     </para>
   </refsect1>
 
+  <refsect1 id='configuration'>
+    <title>CONFIGURATION</title>
+    <para>
+      The following configuration variables in
+      <filename>/etc/login.defs</filename> change the behavior of this
+      tool:
+    </para>
+    <variablelist>
+      &ENCRYPT_METHOD;
+      &MAX_MEMBERS_PER_GROUP;
+      &MD5_CRYPT_ENAB;
+      &SHA_CRYPT_MIN_ROUNDS; <!--This also document SHA_CRYPT_MAX_ROUNDS-->
+    </variablelist>
+  </refsect1>
+
   <refsect1 id='files'>
     <title>FILES</title>
     <variablelist>

man/chpasswd.8.xml

@@ -1,4 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY ENCRYPT_METHOD        SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
+<!ENTITY MD5_CRYPT_ENAB        SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
+<!ENTITY SHA_CRYPT_MIN_ROUNDS  SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
+]>
+
 <refentry id='chpasswd.8'>
   <!-- $Id$ -->
   <refmeta>
@@ -135,112 +142,10 @@
       <filename>/etc/login.defs</filename> change the behavior of this
       tool:
     </para>
-    <!--********************************************************************
-      **                                                                  **
-      **             Definitions copied from login.def.5.xml              **
-      **                                                                  **
-      ********************************************************************-->
     <variablelist>
-      <varlistentry>
+      &ENCRYPT_METHOD;
-	<term><option>MD5_CRYPT_ENAB</option> (boolean)</term>
+      &MD5_CRYPT_ENAB;
-	<listitem>
+      &SHA_CRYPT_MIN_ROUNDS; <!--documents also SHA_CRYPT_MAX_ROUNDS-->
-	  <para>
-	    Indicate if passwords must be encrypted using the MD5-based
-	    algorithm. If set to <replaceable>yes</replaceable>, new
-	    passwords will be encrypted
-	    using the MD5-based algorithm compatible with the one used by
-	    recent releases of FreeBSD. It supports passwords of
-	    unlimited length and longer salt strings. Set to
-	    <replaceable>no</replaceable> if you
-	    need to copy encrypted passwords to other systems which don't
-	    understand the new algorithm. Default is
-	    <replaceable>no</replaceable>.
-	  </para>
-	  <para>
-	    This variable is superceded by the
-	    <option>ENCRYPT_METHOD</option> variable or by any command
-	    line option.
-	  </para>
-	  <para>
-	   This variable is deprecated. You should use
-	   <option>ENCRYPT_METHOD</option>.
-	  </para>
-	  <para>
-	    Note: if you use PAM, it is recommended to set this variable
-	    consistently with the PAM modules configuration.
-	  </para>
-	</listitem>
-      </varlistentry>
-      <varlistentry>
-	<term><option>ENCRYPT_METHOD</option> (string)</term>
-	<listitem>
-	  <para>
-	    This defines the system default encryption algorithm for
-	    encrypting passwords (if no algorithm are specified on the
-	    command line).
-	  </para>
-	  <para>
-	    It can take one of these values:
-	    <itemizedlist>
-	      <listitem>
-		<para><replaceable>DES</replaceable> (default)</para>
-	      </listitem>
-	      <listitem>
-		<para><replaceable>MD5</replaceable></para>
-	      </listitem>
-	      <listitem>
-		<para><replaceable>SHA256</replaceable></para>
-	      </listitem>
-	      <listitem>
-		<para><replaceable>SHA512</replaceable></para>
-	      </listitem>
-	    </itemizedlist>
-	  </para>
-	  <para>
-	    Note: this parameter overrides the
-	    <option>MD5_CRYPT_ENAB</option> variable.
-	  </para>
-	  <para>
-	    Note: if you use PAM, it is recommended to set this variable
-	    consistently with the PAM modules configuration.
-	  </para>
-	</listitem>
-      </varlistentry>
-      <varlistentry>
-	<term><option>SHA_CRYPT_MIN_ROUNDS</option> (number)</term>
-	<term><option>SHA_CRYPT_MAX_ROUNDS</option> (number)</term>
-	<listitem>
-	  <para>
-	    When <option>ENCRYPT_METHOD</option> is set to
-	    <replaceable>SHA256</replaceable> or
-	    <replaceable>SHA512</replaceable>, this defines the number of
-	    SHA rounds used by the encryption algorithm by default (when
-	    the number of rounds is not specified on the command line).
-	  </para>
-	  <para>
-	    With a lot of rounds, it is more difficult to brute forcing
-	    the password. But note also that more CPU resources will be
-	    needed to authenticate users.
-	  </para>
-	  <para>
-	    If not specified, the libc will choose the default number of
-	    rounds (5000).
-	  </para>
-	  <para>
-	    The values must be inside the 1000-999999999 range.
-	  </para>
-	  <para>
-	    If only one of the <option>SHA_CRYPT_MIN_ROUNDS</option> or
-	    <option>SHA_CRYPT_MAX_ROUNDS</option> values is set, then this
-	    value will be used.
-	  </para>
-	  <para>
-	    If <option>SHA_CRYPT_MIN_ROUNDS</option> &gt;
-	    <option>SHA_CRYPT_MAX_ROUNDS</option>, the highest value will
-	    be used.
-	  </para>
-	</listitem>
-      </varlistentry>
     </variablelist>
   </refsect1>
 

man/chsh.1.xml

@@ -1,4 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY CHSH_AUTH             SYSTEM "login.defs.d/CHSH_AUTH.xml">
+<!ENTITY LOGIN_STRING          SYSTEM "login.defs.d/LOGIN_STRING.xml">
+]>
+
 <refentry id='chsh.1'>
   <!-- $Id$ -->
   <refmeta>
@@ -81,6 +87,19 @@
     </para>
   </refsect1>
 
+  <refsect1 id='configuration' condition="no_pam">
+    <title>CONFIGURATION</title>
+    <para>
+      The following configuration variables in
+      <filename>/etc/login.defs</filename> change the behavior of this
+      tool:
+    </para>
+    <variablelist>
+      &CHSH_AUTH;
+      &LOGIN_STRING;
+    </variablelist>
+  </refsect1>
+
   <refsect1 id='files'>
     <title>FILES</title>
     <variablelist>

man/expiry.1.xml

@@ -1,4 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!--ENTITY CONSOLE_GROUPS        SYSTEM "login.defs.d/CONSOLE_GROUPS.xml"-->
+<!-- A call to CONSOLE_GROUPS is linked, but not used -->
+]>
+
 <refentry id='expiry.1'>
   <!-- $Id$ -->
   <refmeta>

man/gpasswd.1.xml

@@ -1,4 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY ENCRYPT_METHOD        SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
+<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
+<!ENTITY MD5_CRYPT_ENAB        SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
+<!ENTITY SHA_CRYPT_MIN_ROUNDS  SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
+]>
+
 <refentry id='gpasswd.1'>
   <!-- $Id$ -->
   <refmeta>
@@ -174,6 +182,21 @@
     </para>
   </refsect1>
 
+  <refsect1 id='configuration'>
+    <title>CONFIGURATION</title>
+    <para>
+      The following configuration variables in
+      <filename>/etc/login.defs</filename> change the behavior of this
+      tool:
+    </para>
+    <variablelist>
+      &ENCRYPT_METHOD;
+      &MAX_MEMBERS_PER_GROUP;
+      &MD5_CRYPT_ENAB;
+      &SHA_CRYPT_MIN_ROUNDS; <!--This also document SHA_CRYPT_MAX_ROUNDS-->
+    </variablelist>
+  </refsect1>
+
   <refsect1 id='files'>
     <title>FILES</title>
     <variablelist>

man/login.defs.5.xml

@@ -3,6 +3,7 @@
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 <!ENTITY CHFN_AUTH             SYSTEM "login.defs.d/CHFN_AUTH.xml">
 <!ENTITY CHFN_RESTRICT         SYSTEM "login.defs.d/CHFN_RESTRICT.xml">
+<!ENTITY CHSH_AUTH             SYSTEM "login.defs.d/CHSH_AUTH.xml">
 <!ENTITY ENCRYPT_METHOD        SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
 <!ENTITY GID_MAX               SYSTEM "login.defs.d/GID_MAX.xml">
 <!ENTITY LOGIN_STRING          SYSTEM "login.defs.d/LOGIN_STRING.xml">
@@ -67,6 +68,7 @@
     <variablelist remap='IP'>
       &CHFN_AUTH;
       &CHFN_RESTRICT;
+      &CHSH_AUTH;
       &ENCRYPT_METHOD;
       &GID_MAX; <!--document also GID_MIN-->
       &LOGIN_STRING;
@@ -91,10 +93,10 @@
     </variablelist>
   </refsect1>
 
-  <refsect1 id='cross_reference'>
+  <refsect1 id='cross_references'>
-    <title>CROSS REFERENCE</title>
+    <title>CROSS REFERENCES</title>
     <para>
-      The following cross reference shows which programs in the shadow
+      The following cross references show which programs in the shadow
       password suite use which parameters.
     </para>
     <!-- .na -->
@@ -104,7 +106,8 @@
 	<term>chfn</term>
 	<listitem>
 	  <para>
-	    CHFN_AUTH CHFN_RESTRICT
+	    <phrase condition="no_pam">CHFN_AUTH</phrase>
+	    CHFN_RESTRICT
 	    <phrase condition="no_pam">LOGIN_STRING</phrase>
 	  </para>
 	</listitem>
@@ -127,21 +130,15 @@
 	  </para>
 	</listitem>
       </varlistentry>
-      <varlistentry>
+      <varlistentry condition="no_pam">
 	<term>chsh</term>
 	<listitem>
 	  <para>
-	    CHFN_AUTH
+	    CHSH_AUTH LOGIN_STRING
-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
 	  </para>
 	</listitem>
       </varlistentry>
-      <varlistentry condition="no_pam">
+      <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
-	<term>expiry</term>
-	<listitem>
-	  <para>CONSOLE_GROUPS</para>
-	</listitem>
-      </varlistentry>
       <!-- faillog: no variables -->
       <varlistentry>
 	<term>gpasswd</term>

man/login.defs.d/CHFN_AUTH.xml

@@ -1,10 +1,10 @@
-<varlistentry>
+<varlistentry condition="no_pam">
   <term><option>CHFN_AUTH</option> (boolean)</term>
   <listitem>
     <para>
-      If <replaceable>yes</replaceable>, the <command>chfn</command> and
+      If <replaceable>yes</replaceable>, the <command>chfn</command>
-      <command>chsh</command> programs will require authentication before
+      program will require authentication before making any changes,
-      making any changes, unless run by the superuser.
+      unless run by the superuser.
     </para>
   </listitem>
 </varlistentry>

man/login.defs.d/CHSH_AUTH.xml

@@ -0,0 +1,10 @@
+<varlistentry condition="no_pam">
+  <term><option>CHSH_AUTH</option> (boolean)</term>
+  <listitem>
+    <para>
+      If <replaceable>yes</replaceable>, the <command>chsh</command>
+      program will require authentication before making any changes,
+      unless run by the superuser.
+    </para>
+  </listitem>
+</varlistentry>

man/newusers.8.xml

@@ -1,4 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY ENCRYPT_METHOD        SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
+<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
+<!ENTITY MD5_CRYPT_ENAB        SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
+<!ENTITY PASS_MAX_DAYS         SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
+<!ENTITY PASS_MIN_DAYS         SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
+<!ENTITY PASS_WARN_AGE         SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
+<!ENTITY SHA_CRYPT_MIN_ROUNDS  SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
+<!ENTITY UMASK                 SYSTEM "login.defs.d/UMASK.xml">
+]>
+
 <refentry id='newusers.8'>
   <!-- $Id$ -->
   <refmeta>
@@ -92,6 +104,25 @@
     </para>
   </refsect1>
 
+  <refsect1 id='configuration'>
+    <title>CONFIGURATION</title>
+    <para>
+      The following configuration variables in
+      <filename>/etc/login.defs</filename> change the behavior of this
+      tool:
+    </para>
+    <variablelist>
+      &ENCRYPT_METHOD;
+      &MAX_MEMBERS_PER_GROUP;
+      &MD5_CRYPT_ENAB;
+      &PASS_MAX_DAYS;
+      &PASS_MIN_DAYS;
+      &PASS_WARN_AGE;
+      &SHA_CRYPT_MIN_ROUNDS; <!--This also document SHA_CRYPT_MAX_ROUNDS-->
+      &UMASK;
+    </variablelist>
+  </refsect1>
+
   <refsect1 id='files'>
     <title>FILES</title>
     <variablelist>