diff --git a/trunk/FS66068.patch b/trunk/FS66068.patch
index 87442d8..f0a4374 100644
--- a/trunk/FS66068.patch
+++ b/trunk/FS66068.patch
@@ -1,8 +1,8 @@
 diff --git a/etc/login.defs b/etc/login.defs
-index 397446fe..123da519 100644
+index 4965d58..ff018c4 100644
 --- a/etc/login.defs
 +++ b/etc/login.defs
-@@ -88,12 +88,12 @@ TTYPERM		0600
+@@ -81,12 +81,12 @@ TTYPERM		0600
  # 022 is the default value, but 027, or even 077, could be considered
  # for increased privacy. There is no One True Answer here: each sysadmin
  # must make up their mind.
diff --git a/trunk/FS71393.patch b/trunk/FS71393.patch
index 6e9be4d..df89441 100644
--- a/trunk/FS71393.patch
+++ b/trunk/FS71393.patch
@@ -1,8 +1,8 @@
 diff --git a/etc/login.defs b/etc/login.defs
-index 0a07819..34f8c70 100644
+index ff018c4..3c24592 100644
 --- a/etc/login.defs
 +++ b/etc/login.defs
-@@ -178,7 +178,7 @@ CHFN_RESTRICT		rwh
+@@ -157,7 +157,7 @@ CHFN_RESTRICT		rwh
  # Note: If you use PAM, it is recommended to use a value consistent with
  # the PAM modules configuration.
  #
diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index de451df..a0fbd3f 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -2,8 +2,8 @@
 # Maintainer: Aaron Griffin <aaron@archlinux.org>
 
 pkgname=shadow
-pkgver=4.8.1
-pkgrel=4
+pkgver=4.9
+pkgrel=1
 pkgdesc="Password and account management tool suite with support for shadow files and PAM"
 arch=('x86_64')
 url='https://github.com/shadow-maint/shadow'
@@ -11,38 +11,108 @@ license=('BSD')
 # libcap-ng needed by install scriptlet for 'filecap'
 depends=('pam' 'acl' 'libacl.so' 'audit' 'libaudit.so' 'libcap-ng' 'libcap-ng.so'
          'libxcrypt' 'libcrypt.so')
+makedepends=('docbook-xsl' 'itstool')
 backup=(etc/login.defs
         etc/pam.d/{chage,passwd,shadow,useradd,usermod,userdel}
         etc/pam.d/{chpasswd,newusers,groupadd,groupdel,groupmod}
         etc/pam.d/{chgpasswd,groupmems}
         etc/default/useradd)
-options=(strip debug)
 validpgpkeys=('D5C2F9BFCA128BBA22A77218872F702C4D6E25A8'   # Christian Perrier
               'F1D08DB778185BF784002DFFE9FEEA06A85E3F9D')  # Serge Hallyn
-source=("https://github.com/shadow-maint/shadow/releases/download/$pkgver/shadow-$pkgver.tar.xz"{,.asc}
+source=("https://github.com/shadow-maint/shadow/releases/download/v$pkgver/shadow-$pkgver.tar.xz"{,.asc}
+        https://github.com/shadow-maint/shadow/commit/f4a84efb468b8be21be124700ce35159c444e9d6.patch # libsubid: link to PAM libraries
+        https://github.com/shadow-maint/shadow/commit/05388f748d650208f25f135d56a296afed0bea28.patch # passwd: handle NULL pw_passwd when printing password status
+        https://github.com/shadow-maint/shadow/commit/234e8fa7b134d1ebabfdad980a3ae5b63c046c62.patch # libmisc: fix default value in SHA_get_salt_rounds()
+        https://github.com/shadow-maint/shadow/commit/4624e9fca1b02b64e25e8b2280a0186182ab73ba.patch # Revert "useradd.c:fix memleaks of grp"
+        shadow-4.8-ignore-login-prompt.patch # From Fedora
+        unsupported-options.patch
+        login.defs-arch.patch
+        FS66068.patch
+        FS71393.patch
         LICENSE
         chgpasswd
         chpasswd
         defaults.pam
-        login.defs
         newusers
         passwd
         shadow.{timer,service}
         useradd.defaults)
 install=shadow.install
-sha1sums=('63457a0ba58dc4e81b2663b839dc6c89d3343f12'
+sha1sums=('fa2307ff6c85ab3863d9e24dba0935bbbb337f3f'
           'SKIP'
+          '0a0febd57838254508f96e2ca018f3ec57d6dc92'
+          '6ed1aa429ad5fdbed0f8eb7b104a9e3232f8253d'
+          '7a319f2f314104927f6c96e0b6f68e93fbd74130'
+          '477b2944e992770f409589d243aaeae6fb82b651'
+          '21c84f51d0bb9e61f00bc30bba7bf24778278995'
+          'd0ea2f86886b9ea32d43bd43a7e3c8bdfcb989a1'
+          'b18cbd416a7f29ad3b298f4fe253aba7127dd466'
+          'ad3c7621c2c64b5c53d7095faed66859c5c9a3f7'
+          'f57f8336c71003aab0cfe28c6875de38bf9644a9'
           '33a6cf1e44a1410e5c9726c89e5de68b78f5f922'
           '4ad0e059406a305c8640ed30d93c2a1f62c2f4ad'
           '12427b1ca92a9b85ca8202239f0d9f50198b818f'
           '0e56fed7fc93572c6bf0d8f3b099166558bb46f1'
-          '81a02eadb5f605fef5c75b6d8a03713a7041864b'
           '12427b1ca92a9b85ca8202239f0d9f50198b818f'
           '611be25d91c3f8f307c7fe2485d5f781e5dee75f'
           'a154a94b47a3d0c6c287253b98c0d10b861226d0'
           'b5540736f5acbc23b568973eb5645604762db3dd'
           'c173208c5cf34528602f9931468a67b7f68abad3')
 
+#PAMDEFS are options silently ignored by shadow when built with pam enabled
+#MOTD_FILE is in PAMDEFS but is supported by login from util-linux
+_unsupported_options=(
+                      CHFN_AUTH                  #PAMDEFS
+                      CONSOLE_GROUPS             #Not with pam enabled
+                      CONSOLE                    #Not with pam enabled
+                      CRACKLIB_DICTPATH          #PAMDEFS
+                      ENV_HZ                     #PAMDEFS
+                      ENVIRON_FILE               #PAMDEFS
+                      ENV_TZ                     #PAMDEFS
+                      ERASECHAR                  #Not with login from util-linux
+                      FAILLOG_ENAB               #PAMDEFS
+                      FTMP_FILE                  #PAMDEFS
+                      ISSUE_FILE                 #PAMDEFS
+                      KILLCHAR                   #Not with login from util-linux
+                      LASTLOG_ENAB               #PAMDEFS
+                      LOGIN_STRING               #PAMDEFS
+                      LOG_OK_LOGINS              #Not with login from util-linux
+                      MAIL_CHECK_ENAB            #PAMDEFS
+                      MD5_CRYPT_ENAB             #Not with pam enabled
+                      NOLOGINS_FILE              #PAMDEFS
+                      OBSCURE_CHECKS_ENAB        #PAMDEFS
+                      PASS_ALWAYS_WARN           #PAMDEFS
+                      PASS_CHANGE_TRIES          #PAMDEFS
+                      PASS_MAX_LEN               #PAMDEFS
+                      PASS_MIN_LEN               #PAMDEFS
+                      PORTTIME_CHECKS_ENAB       #PAMDEFS
+                      PREVENT_NO_AUTH            #Not with login or su from util-linux
+                      QUOTAS_ENAB                #PAMDEFS
+                      SULOG_FILE                 #Not with su from util-linux
+                      SU_NAME                    #Not with su from util-linux
+                      SU_WHEEL_ONLY              #PAMDEFS
+                      SYSLOG_SU_ENAB             #PAMDEFS
+                      TTYTYPE_FILE               #Not with login from util-linux
+                      ULIMIT                     #PAMDEFS
+                      )
+
+prepare() {
+  cd "$pkgname-$pkgver"
+  patch -p1 -i ../f4a84efb468b8be21be124700ce35159c444e9d6.patch
+  patch -p1 -i ../05388f748d650208f25f135d56a296afed0bea28.patch
+  patch -p1 -i ../234e8fa7b134d1ebabfdad980a3ae5b63c046c62.patch
+  patch -p1 -i ../4624e9fca1b02b64e25e8b2280a0186182ab73ba.patch
+  patch -p1 -i ../shadow-4.8-ignore-login-prompt.patch # Do not complain about LOGIN_PLAIN_PROMPT option that is used by login from util-linux.
+  patch -p1 -i ../unsupported-options.patch # Remove uptions not supported due to use of pam or util-linux from login.defs.
+  patch -p1 -i ../login.defs-arch.patch # Set Arch defaults.
+  patch -p1 -i ../FS66068.patch # Changes to login.defs for FS#66068 should be merged into above patch if accepted.
+  patch -p1 -i ../FS71393.patch # Changes to login.defs for FS#71393 should be merged into above patch if accepted.
+  for _option in "${_unsupported_options[@]}"
+  do
+      sed -i -e "/${_option}.xml/d" -e "/\&${_option}\;/d" man/login.defs.5.xml
+  done
+}
+
 build() {
   cd "$pkgname-$pkgver"
 
@@ -58,9 +128,14 @@ build() {
     --with-libpam \
     --with-group-name-max-length=32 \
     --with-audit \
-    --without-selinux
+    --without-selinux \
+    --enable-man \
+    --with-bcrypt \
+    --with-yescrypt
 
+  sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
   make
+  make man
 }
 
 package() {
@@ -80,9 +155,6 @@ package() {
   install -d -m755 "$pkgdir/usr/lib/systemd/system/timers.target.wants"
   ln -s ../shadow.timer "$pkgdir/usr/lib/systemd/system/timers.target.wants/shadow.timer"
 
-  # login.defs
-  install -Dm644 "$srcdir/login.defs" "$pkgdir/etc/login.defs"
-
   # PAM config - custom
   rm "$pkgdir/etc/pam.d"/*
   install -t "$pkgdir/etc/pam.d" -m644 "$srcdir"/{passwd,chgpasswd,chpasswd,newusers}
diff --git a/trunk/login.defs-arch.patch b/trunk/login.defs-arch.patch
index 9c373c8..9194f65 100644
--- a/trunk/login.defs-arch.patch
+++ b/trunk/login.defs-arch.patch
@@ -1,5 +1,5 @@
 diff --git a/etc/login.defs b/etc/login.defs
-index eebf0d99..397446fe 100644
+index 5c709e9..4965d58 100644
 --- a/etc/login.defs
 +++ b/etc/login.defs
 @@ -1,8 +1,14 @@
@@ -17,8 +17,8 @@ index eebf0d99..397446fe 100644
 +# Modified for Linux.  --marekm
  
  #
- # Delay in seconds before being allowed another attempt after a login failure
-@@ -34,7 +40,7 @@ SYSLOG_SG_ENAB		yes
+ # Enable display of unknown usernames when login(1) failures are recorded.
+@@ -27,7 +33,7 @@ SYSLOG_SG_ENAB		yes
  # If defined, ":" delimited list of "message of the day" files to
  # be displayed upon login.
  #
@@ -27,7 +27,7 @@ index eebf0d99..397446fe 100644
  #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
  
  #
-@@ -58,8 +64,8 @@ HUSHLOGIN_FILE	.hushlogin
+@@ -51,8 +57,8 @@ HUSHLOGIN_FILE	.hushlogin
  # *REQUIRED*  The default PATH settings, for superuser and normal users.
  #
  # (they are minimal, add the rest in the shell startup files)
@@ -38,7 +38,7 @@ index eebf0d99..397446fe 100644
  
  #
  # Terminal permissions
-@@ -82,7 +88,7 @@ TTYPERM		0600
+@@ -75,7 +81,7 @@ TTYPERM		0600
  # 022 is the default value, but 027, or even 077, could be considered
  # for increased privacy. There is no One True Answer here: each sysadmin
  # must make up their mind.
@@ -47,7 +47,7 @@ index eebf0d99..397446fe 100644
  
  # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
  # home directories.
-@@ -106,7 +112,7 @@ PASS_WARN_AGE	7
+@@ -99,7 +105,7 @@ PASS_WARN_AGE	7
  UID_MIN			 1000
  UID_MAX			60000
  # System accounts
@@ -56,7 +56,7 @@ index eebf0d99..397446fe 100644
  SYS_UID_MAX		  999
  # Extra per user uids
  SUB_UID_MIN		   100000
-@@ -119,7 +125,7 @@ SUB_UID_COUNT		    65536
+@@ -112,7 +118,7 @@ SUB_UID_COUNT		    65536
  GID_MIN			 1000
  GID_MAX			60000
  # System accounts
@@ -65,7 +65,7 @@ index eebf0d99..397446fe 100644
  SYS_GID_MAX		  999
  # Extra per user group ids
  SUB_GID_MIN		   100000
-@@ -171,7 +177,7 @@ CHFN_RESTRICT		rwh
+@@ -151,7 +157,7 @@ CHFN_RESTRICT		rwh
  # Note: If you use PAM, it is recommended to use a value consistent with
  # the PAM modules configuration.
  #
diff --git a/trunk/options.patch b/trunk/options.patch
deleted file mode 100644
index d496dd8..0000000
--- a/trunk/options.patch
+++ /dev/null
@@ -1,503 +0,0 @@
-diff --git a/etc/login.defs b/etc/login.defs
-index a2f8cd50..eebf0d99 100644
---- a/etc/login.defs
-+++ b/etc/login.defs
-@@ -11,26 +11,11 @@
- #
- FAIL_DELAY		3
- 
--#
--# Enable logging and display of /var/log/faillog login(1) failure info.
--#
--FAILLOG_ENAB		yes
--
- #
- # Enable display of unknown usernames when login(1) failures are recorded.
- #
- LOG_UNKFAIL_ENAB	no
- 
--#
--# Enable logging of successful logins
--#
--LOG_OK_LOGINS		no
--
--#
--# Enable logging and display of /var/log/lastlog login(1) time info.
--#
--LASTLOG_ENAB		yes
--
- #
- # Limit the highest user ID number for which the lastlog entries should
- # be updated.
-@@ -41,48 +26,10 @@ LASTLOG_ENAB		yes
- #LASTLOG_UID_MAX
- 
- #
--# Enable checking and display of mailbox status upon login.
--#
--# Disable if the shell startup files already check for mail
--# ("mailx -e" or equivalent).
--#
--MAIL_CHECK_ENAB		yes
--
--#
--# Enable additional checks upon password changes.
--#
--OBSCURE_CHECKS_ENAB	yes
--
--#
--# Enable checking of time restrictions specified in /etc/porttime.
--#
--PORTTIME_CHECKS_ENAB	yes
--
--#
--# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
--#
--QUOTAS_ENAB		yes
--
--#
--# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
--# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
-+# Enable "syslog" logging of newgrp(1) and sg(1) activity.
- #
--SYSLOG_SU_ENAB		yes
- SYSLOG_SG_ENAB		yes
- 
--#
--# If defined, either full pathname of a file containing device names or
--# a ":" delimited list of device names.  Root logins will be allowed only
--# from these devices.
--#
--CONSOLE		/etc/securetty
--#CONSOLE	console:tty01:tty02:tty03:tty04
--
--#
--# If defined, all su(1) activity is logged to this file.
--#
--#SULOG_FILE	/var/log/sulog
--
- #
- # If defined, ":" delimited list of "message of the day" files to
- # be displayed upon login.
-@@ -90,38 +37,6 @@ CONSOLE		/etc/securetty
- MOTD_FILE	/etc/motd
- #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
- 
--#
--# If defined, this file will be output before each login(1) prompt.
--#
--#ISSUE_FILE	/etc/issue
--
--#
--# If defined, file which maps tty line to TERM environment parameter.
--# Each line of the file is in a format similar to "vt100  tty01".
--#
--#TTYTYPE_FILE	/etc/ttytype
--
--#
--# If defined, login(1) failures will be logged here in a utmp format.
--# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
--#
--FTMP_FILE	/var/log/btmp
--
--#
--# If defined, name of file whose presence will inhibit non-root
--# logins.  The content of this file should be a message indicating
--# why logins are inhibited.
--#
--NOLOGINS_FILE	/etc/nologin
--
--#
--# If defined, the command name to display when running "su -".  For
--# example, if this is defined as "su" then ps(1) will display the
--# command as "-su".  If not defined, then ps(1) will display the
--# name of the shell actually being run, e.g. something like "-sh".
--#
--SU_NAME		su
--
- #
- # *REQUIRED*
- #   Directory where mailboxes reside, _or_ name of file, relative to the
-@@ -139,21 +54,6 @@ MAIL_DIR	/var/spool/mail
- HUSHLOGIN_FILE	.hushlogin
- #HUSHLOGIN_FILE	/etc/hushlogins
- 
--#
--# If defined, either a TZ environment parameter spec or the
--# fully-rooted pathname of a file containing such a spec.
--#
--#ENV_TZ		TZ=CST6CDT
--#ENV_TZ		/etc/tzname
--
--#
--# If defined, an HZ environment parameter spec.
--#
--# for Linux/x86
--ENV_HZ		HZ=100
--# For Linux/Alpha...
--#ENV_HZ		HZ=1024
--
- #
- # *REQUIRED*  The default PATH settings, for superuser and normal users.
- #
-@@ -175,23 +75,6 @@ ENV_PATH	PATH=/bin:/usr/bin
- TTYGROUP	tty
- TTYPERM		0600
- 
--#
--# Login configuration initializations:
--#
--#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
--#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
--#	ULIMIT		Default "ulimit" value.
--#
--# The ERASECHAR and KILLCHAR are used only on System V machines.
--# The ULIMIT is used only if the system supports it.
--# (now it works with setrlimit too; ulimit is in 512-byte units)
--#
--# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
--#
--ERASECHAR	0177
--KILLCHAR	025
--#ULIMIT		2097152
--
- # Default initial "umask" value used by login(1) on non-PAM enabled systems.
- # Default "umask" value for pam_umask(8) on PAM enabled systems.
- # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
-@@ -211,27 +94,12 @@ UMASK		022
- #
- #	PASS_MAX_DAYS	Maximum number of days a password may be used.
- #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
--#	PASS_MIN_LEN	Minimum acceptable password length.
- #	PASS_WARN_AGE	Number of days warning given before a password expires.
- #
- PASS_MAX_DAYS	99999
- PASS_MIN_DAYS	0
--PASS_MIN_LEN	5
- PASS_WARN_AGE	7
- 
--#
--# If "yes", the user must be listed as a member of the first gid 0 group
--# in /etc/group (called "root" on most Linux systems) to be able to "su"
--# to uid 0 accounts.  If the group doesn't exist or is empty, no one
--# will be able to "su" to uid 0.
--#
--SU_WHEEL_ONLY	no
--
--#
--# If compiled with cracklib support, sets the path to the dictionaries
--#
--CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
--
- #
- # Min/max values for automatic uid selection in useradd(8)
- #
-@@ -268,28 +136,6 @@ LOGIN_RETRIES		5
- #
- LOGIN_TIMEOUT		60
- 
--#
--# Maximum number of attempts to change password if rejected (too easy)
--#
--PASS_CHANGE_TRIES	5
--
--#
--# Warn about weak passwords (but still allow them) if you are root.
--#
--PASS_ALWAYS_WARN	yes
--
--#
--# Number of significant characters in the password for crypt().
--# Default is 8, don't change unless your crypt() is better.
--# Ignored if MD5_CRYPT_ENAB set to "yes".
--#
--#PASS_MAX_LEN		8
--
--#
--# Require password before chfn(1)/chsh(1) can make any changes.
--#
--CHFN_AUTH		yes
--
- #
- # Which fields may be changed by regular users using chfn(1) - use
- # any combination of letters "frwh" (full name, room number, work
-@@ -298,13 +144,6 @@ CHFN_AUTH		yes
- # 
- CHFN_RESTRICT		rwh
- 
--#
--# Password prompt (%s will be replaced by user name).
--#
--# XXX - it doesn't work correctly yet, for now leave it commented out
--# to use the default which is just "Password: ".
--#LOGIN_STRING		"%s's Password: "
--
- #
- # Only works if compiled with MD5_CRYPT defined:
- # If set to "yes", new passwords will be encrypted using the MD5-based
-@@ -365,29 +204,12 @@ CHFN_RESTRICT		rwh
- #BCRYPT_MIN_ROUNDS 13
- #BCRYPT_MAX_ROUNDS 13
- 
--#
--# List of groups to add to the user's supplementary group set
--# when logging in from the console (as determined by the CONSOLE
--# setting).  Default is none.
--#
--# Use with caution - it is possible for users to gain permanent
--# access to these groups, even when not logged in from the console.
--# How to do it is left as an exercise for the reader...
--#
--#CONSOLE_GROUPS		floppy:audio:cdrom
--
- #
- # Should login be allowed if we can't cd to the home directory?
- # Default is no.
- #
- DEFAULT_HOME	yes
- 
--#
--# If this file exists and is readable, login environment will be
--# read from it.  Every line should be in the form name=value.
--#
--ENVIRON_FILE	/etc/environment
--
- #
- # If defined, this command is run when removing a user.
- # It should remove any at/cron/print jobs etc. owned by
-diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml
-index 9e95da20..36992c4b 100644
---- a/man/login.defs.5.xml
-+++ b/man/login.defs.5.xml
-@@ -31,67 +31,37 @@
- -->
- <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN" 
-   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
--<!ENTITY CHFN_AUTH             SYSTEM "login.defs.d/CHFN_AUTH.xml">
- <!ENTITY CHFN_RESTRICT         SYSTEM "login.defs.d/CHFN_RESTRICT.xml">
--<!ENTITY CHSH_AUTH             SYSTEM "login.defs.d/CHSH_AUTH.xml">
--<!ENTITY CONSOLE               SYSTEM "login.defs.d/CONSOLE.xml">
--<!ENTITY CONSOLE_GROUPS        SYSTEM "login.defs.d/CONSOLE_GROUPS.xml">
- <!ENTITY CREATE_HOME           SYSTEM "login.defs.d/CREATE_HOME.xml">
- <!ENTITY DEFAULT_HOME          SYSTEM "login.defs.d/DEFAULT_HOME.xml">
- <!ENTITY ENCRYPT_METHOD        SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
--<!ENTITY ENV_HZ                SYSTEM "login.defs.d/ENV_HZ.xml">
- <!ENTITY ENV_PATH              SYSTEM "login.defs.d/ENV_PATH.xml">
- <!ENTITY ENV_SUPATH            SYSTEM "login.defs.d/ENV_SUPATH.xml">
--<!ENTITY ENV_TZ                SYSTEM "login.defs.d/ENV_TZ.xml">
--<!ENTITY ENVIRON_FILE          SYSTEM "login.defs.d/ENVIRON_FILE.xml">
--<!ENTITY ERASECHAR             SYSTEM "login.defs.d/ERASECHAR.xml">
- <!ENTITY FAIL_DELAY            SYSTEM "login.defs.d/FAIL_DELAY.xml">
--<!ENTITY FAILLOG_ENAB          SYSTEM "login.defs.d/FAILLOG_ENAB.xml">
--<!ENTITY FAKE_SHELL            SYSTEM "login.defs.d/FAKE_SHELL.xml">
--<!ENTITY FTMP_FILE             SYSTEM "login.defs.d/FTMP_FILE.xml">
- <!ENTITY GID_MAX               SYSTEM "login.defs.d/GID_MAX.xml">
- <!ENTITY HOME_MODE             SYSTEM "login.defs.d/HOME_MODE.xml">
- <!ENTITY HUSHLOGIN_FILE        SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
--<!ENTITY ISSUE_FILE            SYSTEM "login.defs.d/ISSUE_FILE.xml">
--<!ENTITY KILLCHAR              SYSTEM "login.defs.d/KILLCHAR.xml">
--<!ENTITY LASTLOG_ENAB          SYSTEM "login.defs.d/LASTLOG_ENAB.xml">
- <!ENTITY LASTLOG_UID_MAX       SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
--<!ENTITY LOG_OK_LOGINS         SYSTEM "login.defs.d/LOG_OK_LOGINS.xml">
- <!ENTITY LOG_UNKFAIL_ENAB      SYSTEM "login.defs.d/LOG_UNKFAIL_ENAB.xml">
- <!ENTITY LOGIN_RETRIES         SYSTEM "login.defs.d/LOGIN_RETRIES.xml">
--<!ENTITY LOGIN_STRING          SYSTEM "login.defs.d/LOGIN_STRING.xml">
- <!ENTITY LOGIN_TIMEOUT         SYSTEM "login.defs.d/LOGIN_TIMEOUT.xml">
--<!ENTITY MAIL_CHECK_ENAB       SYSTEM "login.defs.d/MAIL_CHECK_ENAB.xml">
- <!ENTITY MAIL_DIR              SYSTEM "login.defs.d/MAIL_DIR.xml">
- <!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
- <!ENTITY MD5_CRYPT_ENAB        SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
- <!ENTITY MOTD_FILE             SYSTEM "login.defs.d/MOTD_FILE.xml">
--<!ENTITY NOLOGINS_FILE         SYSTEM "login.defs.d/NOLOGINS_FILE.xml">
--<!ENTITY OBSCURE_CHECKS_ENAB   SYSTEM "login.defs.d/OBSCURE_CHECKS_ENAB.xml">
--<!ENTITY PASS_ALWAYS_WARN      SYSTEM "login.defs.d/PASS_ALWAYS_WARN.xml">
--<!ENTITY PASS_CHANGE_TRIES     SYSTEM "login.defs.d/PASS_CHANGE_TRIES.xml">
--<!ENTITY PASS_MAX_LEN          SYSTEM "login.defs.d/PASS_MAX_LEN.xml">
- <!ENTITY PASS_MAX_DAYS         SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
- <!ENTITY PASS_MIN_DAYS         SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
- <!ENTITY PASS_WARN_AGE         SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
--<!ENTITY PORTTIME_CHECKS_ENAB  SYSTEM "login.defs.d/PORTTIME_CHECKS_ENAB.xml">
--<!ENTITY QUOTAS_ENAB           SYSTEM "login.defs.d/QUOTAS_ENAB.xml">
- <!ENTITY SHA_CRYPT_MIN_ROUNDS  SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
--<!ENTITY SULOG_FILE            SYSTEM "login.defs.d/SULOG_FILE.xml">
--<!ENTITY SU_NAME               SYSTEM "login.defs.d/SU_NAME.xml">
--<!ENTITY SU_WHEEL_ONLY         SYSTEM "login.defs.d/SU_WHEEL_ONLY.xml">
- <!ENTITY SUB_GID_COUNT         SYSTEM "login.defs.d/SUB_GID_COUNT.xml">
- <!ENTITY SUB_UID_COUNT         SYSTEM "login.defs.d/SUB_UID_COUNT.xml">
- <!ENTITY SYS_GID_MAX           SYSTEM "login.defs.d/SYS_GID_MAX.xml">
- <!ENTITY SYSLOG_SG_ENAB        SYSTEM "login.defs.d/SYSLOG_SG_ENAB.xml">
--<!ENTITY SYSLOG_SU_ENAB        SYSTEM "login.defs.d/SYSLOG_SU_ENAB.xml">
- <!ENTITY SYS_UID_MAX           SYSTEM "login.defs.d/SYS_UID_MAX.xml">
- <!ENTITY TCB_AUTH_GROUP        SYSTEM "login.defs.d/TCB_AUTH_GROUP.xml">
- <!ENTITY TCB_SYMLINKS          SYSTEM "login.defs.d/TCB_SYMLINKS.xml">
- <!ENTITY TTYGROUP              SYSTEM "login.defs.d/TTYGROUP.xml">
--<!ENTITY TTYTYPE_FILE          SYSTEM "login.defs.d/TTYTYPE_FILE.xml">
- <!ENTITY UID_MAX               SYSTEM "login.defs.d/UID_MAX.xml">
--<!ENTITY ULIMIT                SYSTEM "login.defs.d/ULIMIT.xml">
- <!ENTITY UMASK                 SYSTEM "login.defs.d/UMASK.xml">
- <!ENTITY USERDEL_CMD           SYSTEM "login.defs.d/USERDEL_CMD.xml">
- <!ENTITY USERGROUPS_ENAB       SYSTEM "login.defs.d/USERGROUPS_ENAB.xml">
-@@ -167,45 +137,24 @@
-     <para>The following configuration items are provided:</para>
- 
-     <variablelist remap='IP'>
--      &CHFN_AUTH;
-       &CHFN_RESTRICT;
--      &CHSH_AUTH;
--      &CONSOLE;
--      &CONSOLE_GROUPS;
-       &CREATE_HOME;
-       &DEFAULT_HOME;
-       &ENCRYPT_METHOD;
--      &ENV_HZ;
-       &ENV_PATH;
-       &ENV_SUPATH;
--      &ENV_TZ;
--      &ENVIRON_FILE;
--      &ERASECHAR;
-       &FAIL_DELAY;
--      &FAILLOG_ENAB;
--      &FAKE_SHELL;
--      &FTMP_FILE;
-       &GID_MAX; <!-- documents also GID_MIN -->
-       &HOME_MODE;
-       &HUSHLOGIN_FILE;
--      &ISSUE_FILE;
--      &KILLCHAR;
--      &LASTLOG_ENAB;
-       &LASTLOG_UID_MAX;
--      &LOG_OK_LOGINS;
-       &LOG_UNKFAIL_ENAB;
-       &LOGIN_RETRIES;
--      &LOGIN_STRING;
-       &LOGIN_TIMEOUT;
--      &MAIL_CHECK_ENAB;
-       &MAIL_DIR;
-       &MAX_MEMBERS_PER_GROUP;
-       &MD5_CRYPT_ENAB;
-       &MOTD_FILE;
--      &NOLOGINS_FILE;
--      &OBSCURE_CHECKS_ENAB;
--      &PASS_ALWAYS_WARN;
--      &PASS_CHANGE_TRIES;
-       &PASS_MAX_DAYS;
-       &PASS_MIN_DAYS;
-       &PASS_WARN_AGE;
-@@ -215,25 +164,16 @@
-         time of account creation. Any changes to these settings won't affect
-         existing accounts.
-       </para>
--      &PASS_MAX_LEN; <!-- documents also PASS_MIN_LEN -->
--      &PORTTIME_CHECKS_ENAB;
--      &QUOTAS_ENAB;
-       &SHA_CRYPT_MIN_ROUNDS; <!-- documents also SHA_CRYPT_MAX_ROUNDS -->
--      &SULOG_FILE;
--      &SU_NAME;
--      &SU_WHEEL_ONLY;
-       &SUB_GID_COUNT; <!-- documents also SUB_GID_MIN SUB_GID_MAX -->
-       &SUB_UID_COUNT; <!-- documents also SUB_UID_MIN SUB_UID_MAX -->
-       &SYS_GID_MAX; <!-- documents also SYS_GID_MIN -->
-       &SYS_UID_MAX; <!-- documents also SYS_UID_MIN -->
-       &SYSLOG_SG_ENAB;
--      &SYSLOG_SU_ENAB;
-       &TCB_AUTH_GROUP;
-       &TCB_SYMLINKS;
-       &TTYGROUP;
--      &TTYTYPE_FILE;
-       &UID_MAX; <!-- documents also UID_MIN -->
--      &ULIMIT;
-       &UMASK;
-       &USERDEL_CMD;
-       &USERGROUPS_ENAB;
-@@ -359,35 +299,6 @@
- 	  <para>LASTLOG_UID_MAX</para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry>
--	<term>login</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CONSOLE</phrase>
--	    CONSOLE_GROUPS DEFAULT_HOME
--	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
--	    ENV_TZ ENVIRON_FILE</phrase>
--	    ERASECHAR FAIL_DELAY
--	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
--	    FAKE_SHELL
--	    <phrase condition="no_pam">FTMP_FILE</phrase>
--	    HUSHLOGIN_FILE
--	    <phrase condition="no_pam">ISSUE_FILE</phrase>
--	    KILLCHAR
--	    <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
--	    LOGIN_RETRIES
--	    <phrase condition="no_pam">LOGIN_STRING</phrase>
--	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
--	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
--	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
--	    QUOTAS_ENAB</phrase>
--	    TTYGROUP TTYPERM TTYTYPE_FILE
--	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
--	    USERGROUPS_ENAB
--	  </para>
--	</listitem>
--      </varlistentry>
--      <!-- logoutd: no variables -->
-       <varlistentry>
- 	<term>newgrp / sg</term>
- 	<listitem>
-@@ -452,32 +363,6 @@
- 	  </para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry>
--	<term>su</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CONSOLE</phrase>
--	    CONSOLE_GROUPS DEFAULT_HOME
--	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
--	    ENV_PATH ENV_SUPATH
--	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
--	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
--	    SULOG_FILE SU_NAME
--	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
--	    SYSLOG_SU_ENAB
--	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
--      <varlistentry>
--	<term>sulogin</term>
--	<listitem>
--	  <para>
--	    ENV_HZ
--	    <phrase condition="no_pam">ENV_TZ</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
-       <varlistentry>
- 	<term>useradd</term>
- 	<listitem>
-@@ -507,22 +392,6 @@
- 	</listitem>
-       </varlistentry>
-       <varlistentry>
--	<term>usermod</term>
--	<listitem>
--	  <para>
--	    LASTLOG_UID_MAX
--	    MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP
--	    <phrase condition="tcb">TCB_SYMLINKS USE_TCB</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
--      <varlistentry condition="tcb">
--	<term>vipw</term>
--	<listitem>
--	  <para>
--	    <phrase condition="tcb">USE_TCB</phrase>
--	  </para>
--	</listitem>
-       </varlistentry>
-     </variablelist>
-   </refsect1>