diff -r fc5b8fc1040e -r fd7ebe95d8e5 doc/manual.docbook
--- a/doc/manual.docbook	Wed Oct 14 15:25:56 2009 +0100
+++ b/doc/manual.docbook	Wed Oct 14 15:28:33 2009 +0100
@@ -195,34 +195,6 @@
 </para>
 </section>
 </section>
-<section>
-<title>How mercurial-server works</title>
-<para>
-All of the repositories controlled by mercurial-server are owned by a
-single user, the <literal>hg</literal> user, which is why all URLs for
-mercurial-server repositories start with <literal>ssh://hg@...</literal>.
-Each SSH key that has access to the repository has an entry in
-<filename>~hg/.ssh/authorized_keys</filename>; this is how the SSH daemon
-knows to give that key access. When the user connects over SSH, their
-commands are run in a specially crafted restricted shell; this shell knows
-which key was used to connect, determines what the user is trying to do,
-and checks the access rules to decide whether to allow it.  
-</para>
-<para>
-This restricted shell also ensures that certain Mercurial extensions are
-loaded when the user acts on a repository; these extensions check the
-access control rules for any changeset that the user tries to commit, and
-log all pushes and pulls into a per-repository access log.
-</para>
-<para>
-<command>refresh-auth</command> recurses through the <filename
-class='directory'>/etc/mercurial-server/keys</filename> and the <filename
-class='directory'>keys</filename> directory in the
-<literal>hgadmin</literal> repository, creating an entry in
-<filename>~hg/.ssh/authorized_keys</filename> for each one. This is redone
-automatically whenever a change is pushed to <literal>hgadmin</literal>.
-</para>
-</section>
 <section id="accesscontrol">
 <title>Access control</title>
 <para>
@@ -422,6 +394,34 @@
 </section>
 </section>
 <section>
+<title>How mercurial-server works</title>
+<para>
+All of the repositories controlled by mercurial-server are owned by a
+single user, the <literal>hg</literal> user, which is why all URLs for
+mercurial-server repositories start with <literal>ssh://hg@...</literal>.
+Each SSH key that has access to the repository has an entry in
+<filename>~hg/.ssh/authorized_keys</filename>; this is how the SSH daemon
+knows to give that key access. When the user connects over SSH, their
+commands are run in a specially crafted restricted shell; this shell knows
+which key was used to connect, determines what the user is trying to do,
+and checks the access rules to decide whether to allow it.  
+</para>
+<para>
+This restricted shell also ensures that certain Mercurial extensions are
+loaded when the user acts on a repository; these extensions check the
+access control rules for any changeset that the user tries to commit, and
+log all pushes and pulls into a per-repository access log.
+</para>
+<para>
+<command>refresh-auth</command> recurses through the <filename
+class='directory'>/etc/mercurial-server/keys</filename> and the <filename
+class='directory'>keys</filename> directory in the
+<literal>hgadmin</literal> repository, creating an entry in
+<filename>~hg/.ssh/authorized_keys</filename> for each one. This is redone
+automatically whenever a change is pushed to <literal>hgadmin</literal>.
+</para>
+</section>
+<section>
 <title>Security</title>
 <para>
 mercurial-server relies entirely on sshd to grant access to remote users.