Copy stable/10@r272459 to releng/10.1 as part of
the 10.1-RELEASE process.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Switch the default password hash from md5 to sha512.

MFC after: 1 week

Document that we also support sha256 and sha512.

MFC after: 1 week

General mdoc(7) and typo fixes.

PR: 167804
Submitted by: Nobuyuki Koganemaru (kogane!jp.freebsd.org)
MFC after: 3 days

mdoc: terminate quoted strings.

mandoc complains loudly when <TAB>s are misused in columnated lists. Fix
this syntax violation and while I'm here also convert <TAB> to Ta and adjust
quotation marks in order to prevent this problem in the future.

This string should be quoted.

Noticed by: brueffer

mdoc: terminate quoted strings.

Reviewed by: brueffer

Add missing "swapuse" resource limit.

Integrate the new MPSAFE TTY layer to the FreeBSD operating system.

The last half year I've been working on a replacement TTY layer for the
FreeBSD kernel. The new TTY layer was designed to improve the following:

- Improved driver model:

The old TTY layer has a driver model that is not abstract enough to
make it friendly to use. A good example is the output path, where the
device drivers directly access the output buffers. This means that an
in-kernel PPP implementation must always convert network buffers into
TTY buffers.

If a PPP implementation would be built on top of the new TTY layer
(still needs a hooks layer, though), it would allow the PPP
implementation to directly hand the data to the TTY driver.

- Improved hotplugging:

With the old TTY layer, it isn't entirely safe to destroy TTY's from
the system. This implementation has a two-step destructing design,
where the driver first abandons the TTY. After all threads have left
the TTY, the TTY layer calls a routine in the driver, which can be
used to free resources (unit numbers, etc).

The pts(4) driver also implements this feature, which means
posix_openpt() will now return PTY's that are created on the fly.

- Improved performance:

One of the major improvements is the per-TTY mutex, which is expected
to improve scalability when compared to the old Giant locking.
Another change is the unbuffered copying to userspace, which is both
used on TTY device nodes and PTY masters.

Upgrading should be quite straightforward. Unlike previous versions,
existing kernel configuration files do not need to be changed, except
when they reference device drivers that are listed in UPDATING.

Obtained from: //depot/projects/mpsafetty/...
Approved by: philip (ex-mentor)
Discussed: on the lists, at BSDCan, at the DevSummit
Sponsored by: Snow B.V., the Netherlands
dcons(4) fixed by: kan

Add support for a new login capability, cpumask which allows login
sessions to be pinned to cpus by login class.

Fix markup in previous revision.

Add information on how to escape a literal colon in a value or name.

PR: 101262

Recognize the existence of `auth' and `auth-type'
capabilities but tell they do nothing in the base system.

This is a late responce to
http://docs.freebsd.org/cgi/mid.cgi?ED759F1DC5ADD74592DD063B1EDEDAF803ACD2B5
.

Obtained from: OpenBSD (wording; with minor corrections)

Document how the backoff delay is calculated.

Submitted by: markus
MFC after: 3 days

Fix grammatical issue.

Submitted by: ceri

Use ~/.login_conf when discussing a user's local file.

Suggested by: ru

Reword previous commit to be a bit more correct and provide more information.

Inspiried by: ru

Make it more obvious that cap_mkdb(1) is required to rebuild the database.

PR: 76981
Submitted by: Lowell Gilbert <freebsd-bugs-local@be-well.ilk.org>

Spell FTP correctly - in this case, it is used as the name of the protocol,
not the program. Also, bump the document date.

Reminded by: our resident mdoc guard (ru)

Add Giorgos's description of the ftp-chroot login.conf option.

Reported by: Bill Moran <wmoran@potentialtech.com>
Submitted by: keramida
MFC after: 2 weeks

Mechanically kill hard sentence breaks.

Backout last commit. It is redundant in -CURRENT.

Pointed out by: David Schultz

Note that the idletime setting is not enforced.

PR: docs/40952
MFC After: 3 days

Document the login-backoff and login-retries capabilities.

PR: docs/51397
MFC After: 3 days

Re-document unimplemented capabilities that were removed in the last
revision of this file, but note that they are not supported in the
base system.

Requested by: ache
Reviewed by: ache, mike (mentor)

- Document the fact that we now use pam_passwdqc(8) to check
password quality, not login.conf(5).
- Move warnexpire and warnpasswd from the ``Accounting Limits''
section to ``Authentication'', and nix everything else in the
former section. The accounting knobs are not available in
the base system, and the subset of them available in ports
should be documented in the ports' manpages.

PR: 47960
Reviewed by: mike (mentor), doc

Document the `label' capability.

Approved by: re
Sponsored by: DARPA, Network Associates Labs
Obtained from: TrustedBSD Project

Use "deprecated" instead of "depreciated" where appropriate.

mdoc(7) police: spelling.

Add documentation for vmemoryuse

o Document 'nocheckmail' login capability.

Although the 'bool' type is referenced in the list of capabilities, it
is not defined in the capability type list. Provide a definition for
'bool', if a slightly less than elegant one. Note that this definition
does not include the complete scope of available behavior defined
in cgetcap(3), and could probably be improved.

1) Back out ~/.login_conf disable
2) Pick only "me" class from ~/.login_conf as documented

Disable per-user .login_conf support due to incorrect merging of local
and globaly settings. An alternative implementation will be developed.

Reported by: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>

Remove whitespace at EOL.

mdoc(7) police: removed HISTORY info from the .Os call.

mdoc(7) police: remove extraneous .Pp before and/or after .Sh.

Sort.

Add the "prompt" and "passwd_prompt" fields to /etc/login.conf,
which makes lgoin more like getty in its ability to be configured.

Submitted by: tlambert (code only)

Updates for Blowfish password hashing.

Prepare for mdoc(7)NG.

Prepare for mdoc(7)NG.

mdoc(7) police: use the new features of the Nm macro.

Use Fx macro wherever possible.

Document passwd_format further.

Make sbsize a size instead of a number. This allows the usual suffixes
to be applied to the value given. This does not break installed
/etc/login.conf files, since un-suffixed numbers are interpreted as
they were before.

PR: 19750
Submitted by: Paul Herman <pherman@frenchfries.net>

document sbsize limit.

Add xref to cap_mkdb(1).

PR: docs/17544
Submitted by: Christ J. Clark <cjc@cc942873-a.ewndsr1.nj.home.com>

Remove single-space hard sentence breaks. These degrade the quality
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.

Document mixpasswordcase here as well as in passwd.1

Do not set the default terminal type to "su", leave it empty.

PR: bin/5084
Reviewed by: asmodai, davidn, sef

mdoc(7)'fy

Reviewed by: mpp

$Id$ -> $FreeBSD$

Axe LOGIN_CAP_AUTH.

PR: 10115
Reported by: Gene Skonicki <gene@cif.rochester.edu>
Requested by: jdp

Change references from "passwordperiod" to "passwordtime", since
"passwordtime" is what passwd(1) has actually been using. I suspect
passwordperiod was the original intent. I can't figure-out which,
if either, BSDi uses. If anyone knows...

Change tty-related capability names to match the implementation ("ttys.",
not "tty.").

Correctly document h and m modifiers to the time format.

PR: 5739
Submitted by: Matthew Cashdollar <mattc@rfcnet.com>

Add passwd(5) to "SEE ALSO".

ISSUES:
An example and better explansion on how to specify a user's login
class in /etc/master passwd is needed.
(As I don't seem to be specifiying it right, I can't do it).

Remove login_progok()
Suggested by: guido

Add full support for determining if a user
is restricted from running a given program.

Add prog.deny as a list capability for
denying execution of certain programs.

Typo police.

Revert $FreeBSD$ to $Id$

1MB is 1048576 bytes, not 1038476 bytes. (I can see that the original
committer wasn't using the MicroSlop Natural keyboard though! :)

Sort cross references.

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.

Minor mdoc style fixes.

Man page police.

Consistency check: refs to ~/.login.conf should be ~/.login_conf.

Add missing manpage for login.conf.