diff --git a/appl/login/login.access.5 b/appl/login/login.access.5
new file mode 100644
index 000000000..df57e4413
--- /dev/null
+++ b/appl/login/login.access.5
@@ -0,0 +1,56 @@
+.\" $Id$
+.\" 
+.Dd March 21, 2003
+.Dt LOGIN.ACCESS 5
+.Os HEIMDAL
+.Sh NAME
+.Nm login.access
+.Nd
+login access control table
+.Sh DESCRIPTION
+The
+.Nm login.access
+file specifies on which ttys or from which hosts certain users are
+allowed to login.
+.Pp
+At login, the
+.Pa /etc/login.access 
+file is checked for the first entry that matches a specific user/host
+or user/tty combination. That entry can either allow or deny login
+access to that user.
+.Pp
+Each entry have three fields separated by colon:
+.Bl -bullet
+.It
+The first field indicates the permission given if the entry matches.
+It can be either
+.Dq +
+(allow access)
+or
+.Dq -
+(deny access) .
+.It
+The second field is a comma separated list of users or groups for
+which the current entry applies. NIS netgroups can used (if
+configured) if preceeded by @. The magic string ALL matches all users.
+A group will match if the user is a member of that group, or it is the
+user's primary group.
+.It
+The third field is a list of ttys, or network names. A network name
+can be either a hostname, a domain (indicated by a starting period),
+or a netgroup. As with the user list, ALL matches anything. LOCAL
+matches a string not containing a period.
+.El
+.Pp
+If the string EXCEPT is found in either the user or from list, the
+rest of the list are exceptions to the list before EXCEPT.
+.Sh BUGS
+If there's a user and a group with the same name, there is no way to
+make the group match if the user also matches.
+.Sh SEE ALSO
+.Xr login 1
+.Sh AUTHORS
+The
+.Fn login_access
+function was written by 
+Wietse Venema. This manual page was written for Heimdal.