This commit was generated by cvs2svn to compensate for changes in r76371,

which included commits to RCS files with non-trunk default branches.

crypto/heimdal/admin/ktutil.8

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm ktutil
-.Nd
-manage Kerberos keytabs
+.Nd manage Kerberos keytabs
 .Sh SYNOPSIS
 .Nm
 .Oo Fl k Ar keytab \*(Ba Xo

crypto/heimdal/appl/ftp/ftpd/ftpd.8

@@ -38,8 +38,7 @@
 .Os BSD 4.2
 .Sh NAME
 .Nm ftpd
-.Nd
-Internet File Transfer Protocol server
+.Nd Internet File Transfer Protocol server
 .Sh SYNOPSIS
 .Nm ftpd
 .Op Fl a Ar authmode

crypto/heimdal/appl/ftp/ftpd/ftpusers.5

@@ -5,8 +5,7 @@
 .Os KTH-KRB
 .Sh NAME
 .Pa /etc/ftpusers
-.Nd
-FTP access list file.
+.Nd FTP access list file
 .Sh DESCRIPTION
 .Pa /etc/ftpusers
 contains a list of users that should be allowed or denied FTP

crypto/heimdal/appl/kf/kf.1

@@ -8,62 +8,54 @@
 .Os Heimdal
 .Sh NAME
 .Nm kf
-.Nd
-securly forward tickets
+.Nd securly forward tickets
 .Sh SYNOPSIS
 .Nm
-.Oo Fl p Ar port \*(Ba Xo
-.Fl -port= Ns Ar port Oc
-.Xc
-.Oo Fl l Ar login \*(Ba Xo
-.Fl -login= Ns Ar login Oc
-.Xc
-.Oo Fl c Ar ccache \*(Ba Xo
-.Fl -ccache= Ns Ar ccache Oc
-.Xc
-.Op Fl F | Fl -forwardable
-.Op Fl G | Fl -no-forwardable
-.Op Fl h | Fl -help
+.Oo
+.Fl p Ar port |
+.Fl -port Ns = Ns Ar port
+.Oc
+.Oo
+.Fl l Ar login |
+.Fl -login Ns = Ns Ar login
+.Oc
+.Oo
+.Fl c Ar ccache |
+.Fl -ccache Ns = Ns Ar ccache
+.Oc
+.Op Fl F | -forwardable
+.Op Fl G | -no-forwardable
+.Op Fl h | -help
 .Op Fl -version
 .Ar host ...
 .Sh DESCRIPTION
 The
 .Nm
 program forwards tickets to a remove host through an authenticated
-and encrypted stream. Options supported are:
-.Bl -tag -width Ds
+and encrypted stream.
+Options supported are:
+.Bl -tag -width indent
 .It Xo
-.Fl p Ar port Ns ,
-.Fl -port= Ns Ar port
+.Fl p Ar port ,
+.Fl -port Ns = Ns Ar port
 .Xc
 port to connect to
 .It Xo
-.Fl l Ar login Ns ,
-.Fl -login= Ns Ar login
+.Fl l Ar login ,
+.Fl -login Ns = Ns Ar login
 .Xc
 remote login name
 .It Xo
-.Fl c Ar ccache Ns ,
-.Fl -ccache= Ns Ar ccache
+.Fl c Ar ccache ,
+.Fl -ccache Ns = Ns Ar ccache
 .Xc
 remote cred cache
-.It Xo
-.Fl F Ns ,
-.Fl -forwardable
-.Xc
+.It Fl F , -forwardable
 forward forwardable credentials
-.It Xo
-.Fl G Ns ,
-.Fl -no-forwardable
-.Xc
+.It Fl G , -no-forwardable
 do not forward forwardable credentials
-.It Xo
-.Fl h Ns ,
-.Fl -help
-.Xc
-.It Xo
-.Fl -version
-.Xc
+.It Fl h , -help
+.It Fl -version
 .El
 .Pp
 .Nm
@@ -83,9 +75,9 @@ is able to forward ticket by itself.
 .\".Sh EXAMPLES
 .\".Sh DIAGNOSTICS
 .Sh SEE ALSO
-.Xr kfd 8 ,
 .Xr kinit 1 ,
-.Xr telnet 1
+.Xr telnet 1 ,
+.Xr kfd 8
 .\".Sh STANDARDS
 .\".Sh HISTORY
 .\".Sh AUTHORS

crypto/heimdal/appl/kf/kfd.8

@@ -8,33 +8,31 @@
 .Os Heimdal
 .Sh NAME
 .Nm kfd
-.Nd
-receive forwarded tickets
+.Nd receive forwarded tickets
 .Sh SYNOPSIS
 .Nm
-.Oo Fl p Ar port \*(Ba Xo
-.Fl -port= Ns Ar port Oc
-.Xc
-.Op Fl i | Fl -inetd
-.Oo Fl R Ar regpag \*(Ba Xo
-.Fl -regpag= Ns Ar regpag Oc
-.Xc
-.Op Fl h | Fl -help
+.Oo
+.Fl p Ar port |
+.Fl -port Ns = Ns Ar port
+.Oc
+.Op Fl i | -inetd
+.Oo
+.Fl R Ar regpag |
+.Fl -regpag Ns = Ns Ar regpag
+.Oc
+.Op Fl h | -help
 .Op Fl -version
 .Sh DESCRIPTION
 This is the daemon for
-.Nm kf .
+.Xr kf 1 .
 Supported options:
-.Bl -tag -width Ds
+.Bl -tag -width indent
 .It Xo
-.Fl p Ar port Ns ,
-.Fl -port= Ns Ar port
+.Fl p Ar port ,
+.Fl -port Ns = Ns Ar port
 .Xc
 port to listen to
-.It Xo
-.Fl i Ns ,
-.Fl -inetd
-.Xc
+.It Fl i , -inetd
 not started from inetd
 .It Xo
 .Fl R Ar regpag Ns ,

crypto/heimdal/appl/push/pfrom.1

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm pfrom
-.Nd
-fetch a list of the current mail via POP
+.Nd "fetch a list of the current mail via POP"
 .Sh SYNOPSIS
 .Nm
 .Op Fl 4 | Fl -krb4

crypto/heimdal/appl/push/push.8

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm push
-.Nd
-fetch mail via POP
+.Nd fetch mail via POP
 .Sh SYNOPSIS
 .Nm
 .Op Fl 4 | Fl -krb4
@@ -16,9 +15,9 @@ fetch mail via POP
 .Op Fl l | -leave
 .Op Fl -from
 .Op Fl c | -count
-.Op Fl -headers= Ns Ar headers
+.Op Fl -headers Ns = Ns Ar headers
 .Oo Fl p Ar port-spec  \*(Ba Xo
-.Fl -port= Ns Ar port-spec
+.Fl -port Ns = Ns Ar port-spec
 .Xc
 .Oc
 .Ar po-box
@@ -81,12 +80,12 @@ behave like from.
 .Xc
 first print how many messages and bytes there are.
 .It Xo
-.Fl -headers= Ns Ar headers
+.Fl -headers Ns = Ns Ar headers
 .Xc
 a list of comma-separated headers that should get printed.
 .It Xo
 .Fl p Ar port-spec Ns ,
-.Fl -port= Ns Ar port-spec
+.Fl -port Ns = Ns Ar port-spec
 .Xc
 use this port instead of the default
 .Ql kpop 
@@ -119,7 +118,7 @@ $ push --from -5 havregryn
 .Ed
 .Pp
 tries to fetch 
-.Nm From: 
+.Sy From: 
 lines for current user at post office
 .Dq havregryn
 using Kerberos 5.

crypto/heimdal/appl/telnet/telnet/telnet.1

@@ -98,7 +98,7 @@ BINARY option to be negotiated on output.
 .It Fl S Ar tos
 Sets the IP type-of-service (TOS) option for the telnet
 connection to the value
-.Ar tos,
+.Ar tos ,
 which can be a numeric TOS value
 or, on systems that support it, a symbolic
 TOS name found in the /etc/iptos file.
@@ -134,7 +134,7 @@ Sets the initial
 .Nm
 .Nm telnet
 escape character to
-.Ar escape char.
+.Ar escape char .
 If
 .Ar escape char
 is omitted, then
@@ -143,7 +143,6 @@ there will be no escape character.
 If Kerberos V5 authentication is being used, the
 .Fl f
 option allows the local credentials to be forwarded to the remote system.
-.ne 1i
 .It Fl k Ar realm
 If Kerberos authentication is being used, the
 .Fl k
@@ -304,12 +303,12 @@ auth command are as follows:
 .It Ic disable Ar type
 Disables the specified type of authentication.  To
 obtain a list of available types, use the
-.Ic auth disable \&?
+.Ic auth disable ?\&
 command.
 .It Ic enable Ar type
 Enables the specified type of authentication.  To
 obtain a list of available types, use the
-.Ic auth enable \&?
+.Ic auth enable ?\&
 command.
 .It Ic status
 Lists the current status of the various types of
@@ -336,18 +335,22 @@ option is not supported outside of the United States and Canada.
 .Pp
 Valid arguments for the encrypt command are as follows:
 .Bl -tag -width Ar
-.It Ic disable Ar type Ic [input|output]
+.It Ic disable Ar type Xo
+.Op Cm input | output
+.Xc
 Disables the specified type of encryption.  If you
 omit the input and output, both input and output
 are disabled.  To obtain a list of available
 types, use the
-.Ic encrypt disable \&?
+.Ic encrypt disable ?\&
 command.
-.It Ic enable Ar type Ic [input|output]
+.It Ic enable Ar type Xo
+.Op Cm input | output
+.Xc
 Enables the specified type of encryption.  If you
 omit input and output, both input and output are
 enabled.  To obtain a list of available types, use the
-.Ic encrypt enable \&?
+.Ic encrypt enable ?\&
 command.
 .It Ic input
 This is the same as the
@@ -365,18 +368,18 @@ command.
 This is the same as the
 .Ic encrypt stop output
 command.
-.It Ic start Ic [input|output]
+.It Ic start Op Cm input | output
 Attempts to start encryption.  If you omit
 .Ic input
 and
-.Ic output,
+.Ic output ,
 both input and output are enabled.  To
 obtain a list of available types, use the
-.Ic encrypt enable \&?
+.Ic encrypt enable ?\&
 command.
 .It Ic status
 Lists the current status of encryption.
-.It Ic stop Ic [input|output]
+.It Ic stop Op Cm input | output
 Stops encryption.  If you omit input and output,
 encryption is on both input and output.
 .It Ic type Ar type
@@ -387,7 +390,7 @@ or
 .Ic encrypt stop
 commands.
 .El
-.It Ic environ Ar arguments... 
+.It Ic environ Ar arguments ...
 The
 .Ic environ
 command is used to manipulate the
@@ -407,7 +410,7 @@ variable is also exported if the
 or
 .Fl l
 options are used.
-.br
+.Pp
 Valid arguments for the
 .Ic environ
 command are:
@@ -416,7 +419,7 @@ command are:
 Define the variable
 .Ar variable
 to have a value of
-.Ar value.
+.Ar value .
 Any variables defined by this command are automatically exported.
 The
 .Ar value
@@ -441,7 +444,7 @@ Those marked with a
 .Cm *
 will be sent automatically,
 other variables will only be sent if explicitly requested.
-.It Ic \&?
+.It Ic ?\&
 Prints out help information for the
 .Ic environ
 command.
@@ -512,7 +515,6 @@ option.
 This requires that the 
 .Dv LINEMODE
 option be enabled.
-.ne 1i
 .It Ic litecho Pq Ic \-litecho 
 Attempt to enable (disable) the 
 .Dv LIT_ECHO
@@ -522,17 +524,15 @@ option.
 This requires that the 
 .Dv LINEMODE
 option be enabled.
-.It Ic \&?
+.It Ic ?\&
 Prints out help information for the
 .Ic mode
 command.
 .El
 .It Xo
 .Ic open Ar host
-.Oo Op Fl l
-.Ar user
-.Oc Ns Oo Fl
-.Ar port Oc
+.Op Fl l Ar user
+.Op Oo Fl Oc Ns Ar port
 .Xc
 Open a connection to the named host.
 If no port number
@@ -646,7 +646,6 @@ command,
 .Ic getstatus
 will send the subnegotiation to request that the server send
 its current option status.
-.ne 1i
 .It Ic ip
 Sends the
 .Dv TELNET IP
@@ -692,10 +691,10 @@ command.
 can also be either
 .Ic help
 or
-.Ic \&?
+.Ic ?\&
 to print out help information, including
 a list of known symbolic names.
-.It Ic \&?
+.It Ic ?\&
 Prints out help information for the
 .Ic send
 command.
@@ -972,7 +971,6 @@ The initial value for the suspend character is taken to be
 the terminal's
 .Ic suspend
 character.
-.ne 1i
 .It Ic tracefile
 This is the file to which the output, caused by
 .Ic netdata
@@ -996,7 +994,7 @@ The initial value for the worderase character is taken to be
 the terminal's
 .Ic worderase
 character.
-.It Ic \&?
+.It Ic ?\&
 Displays the legal
 .Ic set
 .Pq Ic unset
@@ -1040,7 +1038,7 @@ The remote default characters are those of the remote system
 at the time when the 
 .Tn TELNET
 connection was established.
-.It Ic \&?
+.It Ic ?\&
 Prints out help information for the
 .Ic slc
 command.
@@ -1115,7 +1113,6 @@ stream does not start automatically.  The autoencrypt
 (autodecrypt) command states that encryption of the
 output (input) stream should be enabled as soon as
 possible.
-.sp
 .Pp
 Note:  Because of export controls, the
 .Dv TELNET ENCRYPT
@@ -1273,7 +1270,6 @@ protocol processing (having to do with
 options).
 The initial value for this toggle is
 .Dv FALSE .
-.ne 1i
 .It Ic prettydump
 When the
 .Ic netdata
@@ -1295,7 +1291,7 @@ skips the reading of the
 file in the users home
 directory when connections are opened.  The initial
 value for this toggle is
-.Dv FALSE.
+.Dv FALSE .
 .It Ic termdata
 Toggles the display of all terminal data (in hexadecimal format).
 The initial value for this toggle is
@@ -1308,7 +1304,7 @@ toggle is
 .Tn TELNET
 prints out a message each time encryption is enabled or
 disabled.  The initial value for this toggle is
-.Dv FALSE.
+.Dv FALSE .
 Note:  Because of export controls, data encryption
 is not supported outside of the United States and Canada.
 .It Ic \&?
@@ -1327,7 +1323,7 @@ system.  If
 .Ic command
 is omitted, then an interactive
 subshell is invoked.
-.It Ic \&? Op Ar command 
+.It Ic ?\& Op Ar command 
 Get help.  With no arguments,
 .Nm telnet
 prints a help summary.

crypto/heimdal/appl/telnet/telnetd/telnetd.8

@@ -95,7 +95,7 @@ has been compiled with support for the
 .Dv AUTHENTICATION
 option.
 There are several valid values for
-.Ar authmode:
+.Ar authmode :
 .Bl -tag -width debug
 .It debug
 Turns on authentication debugging code.
@@ -153,7 +153,7 @@ to the connection, allowing the user to see what
 .Nm telnetd
 is doing.
 There are several possible values for 
-.Ar debugmode:
+.Ar debugmode :
 .Bl -tag -width exercise
 .It Cm options
 Prints information about the negotiation of
@@ -166,7 +166,7 @@ information, plus some additional information
 about what processing is going on.
 .It Cm netdata
 Displays the data stream received by
-.Nm telnetd.
+.Nm telnetd .
 .It Cm ptydata
 Displays data written to the pty.
 .It Cm exercise
@@ -194,12 +194,12 @@ be reached may be cleaned up.
 This option is only enabled when
 .Nm telnetd
 is compiled for
-.Dv UNICOS.
+.Dv UNICOS .
 It specifies an inclusive range of pseudo-terminal devices to
 use.  If the system has sysconf variable
 .Dv _SC_CRAY_NPTY
 configured, the default pty search range is 0 to
-.Dv _SC_CRAY_NPTY;
+.Dv _SC_CRAY_NPTY ;
 otherwise, the default range is 0 to 128.  Either
 .Ar lowpty
 or
@@ -230,7 +230,6 @@ indicates that only dotted decimal addresses
 should be put into the
 .Pa utmp
 file.
-.ne 1i
 .It Fl U
 This option causes
 .Nm telnetd
@@ -338,7 +337,7 @@ Indicates that the client is willing to send a
 of the Network Virtual Terminal.
 .It "WILL SGA"
 Indicates that it will not be sending
-.Dv IAC GA,
+.Dv IAC GA ,
 go ahead, commands.
 .It "WILL STATUS"
 Indicates a willingness to send the client, upon
@@ -351,7 +350,6 @@ Whenever a
 command is received, it is always responded
 to with a
 .Dv WILL TIMING-MARK
-.ne 1i
 .It "WILL LOGOUT"
 When a
 .Dv DO LOGOUT
@@ -384,7 +382,7 @@ characters remotely.
 This is not really supported, but is sent to identify a 4.2BSD
 .Xr telnet 1
 client, which will improperly respond with
-.Dv WILL ECHO.
+.Dv WILL ECHO .
 If a
 .Dv WILL ECHO
 is received, a
@@ -396,7 +394,7 @@ name of the type of terminal that is attached
 to the client side of the connection.
 .It "DO SGA"
 Indicates that it does not need to receive
-.Dv IAC GA,
+.Dv IAC GA ,
 the go ahead command.
 .It "DO NAWS"
 Requests that the client inform the server when
@@ -425,9 +423,9 @@ Only sent if
 .Nm telnetd
 is compiled with support for both linemode and
 kludge linemode, and the client responded with
-.Dv WONT LINEMODE.
+.Dv WONT LINEMODE .
 If the client responds with
-.Dv WILL TM,
+.Dv WILL TM ,
 the it is assumed that the client supports
 kludge linemode.
 Note that the
@@ -448,14 +446,13 @@ the data stream.
 .El
 .Sh ENVIRONMENT
 .Sh FILES
-.Pa /etc/services
-.br
-.Pa /etc/inittab
+.Bl -tag -width /etc/services -compact
+.It Pa /etc/services
+.It Pa /etc/inittab
 (UNICOS systems only)
-.br
-.Pa /etc/iptos
+.It Pa /etc/iptos
 (if supported)
-.br
+.El
 .Sh "SEE ALSO"
 .Xr telnet 1 ,
 .Xr login 1

crypto/heimdal/kadmin/kadmin.8

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm kadmin
-.Nd
-Kerberos administration utility
+.Nd Kerberos administration utility
 .Sh SYNOPSIS
 .Nm
 .Oo Fl p Ar string \*(Ba Xo
@@ -101,7 +100,7 @@ will prompt for commands to process. Commands include:
 .Op Fl -pw-expiration-time= Ns Ar time
 .Ar principal...
 .Pp
-.Bd -filled -offset indent
+.Bd -ragged -offset indent
 creates a new principal
 .Ed
 .Pp
@@ -114,21 +113,21 @@ creates a new principal
 .Op Fl -key= Ns Ar string
 .Ar principal...
 .Pp
-.Bd -filled -offset indent
+.Bd -ragged -offset indent
 changes the password of an existing principal
 .Ed
 .Pp
 .Nm delete
 .Ar principal...
 .Pp
-.Bd -filled -offset indent
+.Bd -ragged -offset indent
 removes a principal
 .Ed
 .Pp
 .Nm del_enctype
 .Ar principal enctypes...
 .Pp
-.Bd -filled -offset indent
+.Bd -ragged -offset indent
 removes some enctypes from a principal, this can be useful the service
 belonging to the principal is known to not handle certain enctypes
 .Ed
@@ -139,7 +138,7 @@ belonging to the principal is known to not handle certain enctypes
 .Xc
 .Ar principal...
 .Pp
-.Bd -filled -offset indent
+.Bd -ragged -offset indent
 creates a keytab with the keys of the specified principals
 .Ed
 .Pp
@@ -149,7 +148,7 @@ creates a keytab with the keys of the specified principals
 .Op Fl t | Fl -terse
 .Ar expression...
 .Pp
-.Bd -filled -offset indent
+.Bd -ragged -offset indent
 lists the principals that match the expressions (which are shell glob
 like), long format gives more information, and terse just prints the
 names
@@ -158,7 +157,7 @@ names
 .Nm rename
 .Ar from to
 .Pp
-.Bd -filled -offset indent
+.Bd -ragged -offset indent
 renames a principal
 .Ed
 .Pp
@@ -173,26 +172,25 @@ renames a principal
 .Op Fl -kvno= Ns Ar number
 .Ar principal
 .Pp
-.Bd -filled -offset indent
+.Bd -ragged -offset indent
 modifies certain attributes of a principal
 .Ed
 .Pp
 .Nm privileges
 .Pp
-.Bd -filled -offset indent
+.Bd -ragged -offset indent
 lists the operations you are allowd to perform
 .Ed
 .Pp
 .Ed
-
+.Pp
 When running in local mode, the following commands can also be used.
-
 .Bd -ragged -offset indent
 .Nm dump
 .Op Fl d | Fl -decrypt
 .Op Ar dump-file
 .Pp
-.Bd -filled -offset indent
+.Bd -ragged -offset indent
 writes the database in
 .Dq human readable
 form to the specified file, or standard out
@@ -203,7 +201,7 @@ form to the specified file, or standard out
 .Op Fl -realm-max-renewable-life= Ns Ar string
 .Ar realm
 .Pp
-.Bd -filled -offset indent
+.Bd -ragged -offset indent
 initialises the Kerberos database with entries for a new realm, it's
 possible to have more than one realm served by one server
 .Ed
@@ -211,21 +209,20 @@ possible to have more than one realm served by one server
 .Nm load
 .Ar file
 .Pp
-.Bd -filled -offset indent
+.Bd -ragged -offset indent
 reads a previously dumped database, and re-creates that database from scratch
 .Ed
 .Pp
 .Nm merge
 .Ar file
 .Pp
-.Bd -filled -offset indent
+.Bd -ragged -offset indent
 similar to 
 .Nm list
 but just modifies the database with the entries in the dump file
 .Ed
 .Pp
 .Ed
-
 .\".Sh ENVIRONMENT
 .\".Sh FILES
 .\".Sh EXAMPLES

crypto/heimdal/kadmin/kadmind.8

@@ -3,8 +3,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm kadmind
-.Nd
-server for administrative access to kerberos database
+.Nd "server for administrative access to kerberos database"
 .Sh SYNOPSIS
 .Nm
 .Oo Fl c Ar file \*(Ba Xo
@@ -32,7 +31,7 @@ connection. The
 option causes 
 .Nm
 to accept exactly one connection, which is useful for debugging. 
-
+.Pp
 If built with krb4 support, it implements both the Heimdal Kerberos 5
 administrative protocol and the Kerberos 4 protocol. Password changes
 via the Kerberos 4 protocol are also performed by

crypto/heimdal/kdc/hprop.8

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm hprop
-.Nd
-propagate the KDC database
+.Nd propagate the KDC database
 .Sh SYNOPSIS
 .Nm
 .Oo Fl m Ar file \*(Ba Xo
@@ -37,8 +36,8 @@ propagate the KDC database
 .Op Fl v | Fl -verbose
 .Op Fl -version
 .Op Fl h | Fl -help
-.Ar host Ns Op :port
-...
+.Ar host Ns Op : Ns Ar port
+.Ar ...
 .Sh DESCRIPTION
 .Nm
 takes a principal database in a specified format and converts it into
@@ -112,7 +111,7 @@ This option thansmits the database with encrypted keys.
 .Xc
 Dump the database on stdout, in a format that can be fed to hpropd.
 .El
-
+.Pp
 The following options are only valid if
 .Nm hprop
 is compiled with support for Kerberos 4 (kaserver).
@@ -145,7 +144,6 @@ Deprecated, identical to
 Deprecated, identical to 
 .Sq --source=kaserver .
 .El
-
 .Sh EXAMPLES
 The following will propagate a database to another machine (which
 should run
@@ -153,12 +151,12 @@ should run
 .Bd -literal -offset indent
 $ hprop slave-1 slave-2
 .Ed
-
+.Pp
 Copy a Kerberos 4 database to a Kerberos 5 slave:
 .Bd -literal -offset indent
 $ hprop --source=krb4-db -E krb5-slave
 .Ed
-
+.Pp
 Convert a Kerberos 4 dump-file for use with a Heimdal KDC:
 .Bd -literal -offset indent
 $ hprop -n --source=krb4-dump -d /var/kerberos/principal.dump -E | hpropd -n

crypto/heimdal/kdc/hpropd.8

@@ -1,12 +1,11 @@
 .\" $Id: hpropd.8,v 1.5 2000/11/12 15:37:33 joda Exp $
 .\"
-.Dd Aug 27, 1997
+.Dd August 27, 1997
 .Dt HPROPD 8
 .Os HEIMDAL
 .Sh NAME
 .Nm hpropd
-.Nd
-receive a propagated database
+.Nd receive a propagated database
 .Sh SYNOPSIS
 .Nm
 .Oo Fl d Ar file \*(Ba Xo

crypto/heimdal/kdc/kdc.8

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm kdc
-.Nd
-Kerberos 5 server
+.Nd Kerberos 5 server
 .Sh SYNOPSIS
 .Nm
 .Oo Fl c Ar file \*(Ba Xo

crypto/heimdal/kdc/kstash.8

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm kstash
-.Nd
-store the KDC master password in a file
+.Nd "store the KDC master password in a file"
 .Sh SYNOPSIS
 .Nm
 .Oo Fl e Ar string \*(Ba Xo

crypto/heimdal/kdc/string2key.8

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm string2key
-.Nd
-map a password into a key
+.Nd map a password into a key
 .Sh SYNOPSIS
 .Nm
 .Op Fl 5 | Fl -version5

crypto/heimdal/kpasswd/kpasswd.1

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm kpasswd
-.Nd
-Kerberos 5 password changing program
+.Nd Kerberos 5 password changing program
 .Sh SYNOPSIS
 .Nm
 .Op Ar principal

crypto/heimdal/kpasswd/kpasswdd.8

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm kpasswdd
-.Nd
-Kerberos 5 password changing server
+.Nd Kerberos 5 password changing server
 .Sh SYNOPSIS
 .Nm
 .Op Fl -check-library= Ns Ar library

crypto/heimdal/kuser/kdestroy.1

@@ -1,12 +1,11 @@
 .\" $Id: kdestroy.1,v 1.2 1999/05/14 14:05:40 assar Exp $
 .\"
-.Dd Aug 27, 1997
+.Dd August 27, 1997
 .Dt KDESTROY 1
 .Os HEIMDAL
 .Sh NAME
 .Nm kdestroy
-.Nd
-destroy the current ticket file
+.Nd destroy the current ticket file
 .Sh SYNOPSIS
 .Nm
 .Op Fl c Ar cachefile

crypto/heimdal/kuser/kgetcred.1

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm kgetcred
-.Nd
-get a ticket for a particular service
+.Nd "get a ticket for a particular service"
 .Sh SYNOPSIS
 .Nm
 .Oo Fl e Ar enctype \*(Ba Xo

crypto/heimdal/kuser/kinit.1

@@ -6,8 +6,7 @@
 .Sh NAME
 .Nm kinit ,
 .Nm kauth
-.Nd
-acquire initial tickets
+.Nd acquire initial tickets
 .Sh SYNOPSIS
 .Nm kinit
 .Op Fl 4 | Fl -524init

crypto/heimdal/kuser/klist.1

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm klist
-.Nd
-list Kerberos credentials
+.Nd list Kerberos credentials
 .Sh SYNOPSIS
 .Nm
 .Oo Fl c Ar cache \*(Ba Xo
@@ -81,7 +80,7 @@ pre-authenticated
 .It H
 hardware authenticated
 .El
-
+.Pp
 This information is also output with the 
 .Fl -verbose
 option, but in a more verbose way.

crypto/heimdal/lib/krb5/kerberos.8

@@ -42,8 +42,8 @@ without giving your password.
 .Pp
 For more information on how Kerberos works, and other general Kerberos
 questions see the Kerberos FAQ at
-.Ad http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html .
-
+.Pa http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html .
+.Pp
 For setup instructions see the Heimdal Texinfo manual.
 .Sh SEE ALSO
 .Xr ftp 1

crypto/heimdal/lib/krb5/krb5.conf.5

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm /etc/krb5.conf
-.Nd
-Configuration file for Kerberos 5
+.Nd configuration file for Kerberos 5
 .Sh DESCRIPTION
 The 
 .Nm

crypto/heimdal/lib/krb5/krb5_425_conv_principal.3

@@ -7,7 +7,7 @@
 .Nm krb5_425_conv_principal ,
 .Nm krb5_425_conv_principal_ext ,
 .Nm krb5_524_conv_principal
-.Nd Converts to and from version 4 principals
+.Nd converts to and from version 4 principals
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
 .Ft krb5_error_code

crypto/heimdal/lib/krb5/krb5_appdefault.3

@@ -7,27 +7,23 @@
 .Nm krb5_appdefault_boolean ,
 .Nm krb5_appdefault_string ,
 .Nm krb5_appdefault_time
-.Nd Get application configuration value
-
+.Nd get application configuration value
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
-
 .Ft void
 .Fn krb5_appdefault_boolean "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "krb5_boolean def_val" "krb5_boolean *ret_val"
 .Ft void
 .Fn krb5_appdefault_string "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "const char *def_val" "char **ret_val"
 .Ft void
 .Fn krb5_appdefault_time "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "time_t def_val" "time_t *ret_val"
-
 .Sh DESCRIPTION
-
 These functions get application application defaults from the 
 .Dv appdefaults
 section of the
 .Xr krb5.conf 5 
 configuration file. These defaults can be specified per application,
 and/or per realm.
-
+.Pp
 These values will be looked for in 
 .Xr krb5.conf 5 ,
 in order of descending importance.
@@ -46,12 +42,11 @@ in order of descending importance.
 	}
 	option = value
 .Ed
-
+.Pp
 If the realm is omitted it will not be used for resolving values.  If
 no value can be found,
 .Fa def_val
 is returned instead.
-
 .Sh SEE ALSO
 .Xr krb5_config 3 ,
 .Xr krb5.conf 5

crypto/heimdal/lib/krb5/krb5_auth_context.3

@@ -34,7 +34,7 @@
 .Nm krb5_auth_con_setrcache ,
 .Nm krb5_auth_con_initivector ,
 .Nm krb5_auth_con_setivector
-.Nd manage authetication on connection level.
+.Nd manage authetication on connection level
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
 .Ft krb5_error_code

crypto/heimdal/lib/krb5/krb5_build_principal.3

@@ -9,7 +9,7 @@
 .Nm krb5_build_principal_va ,
 .Nm krb5_build_principal_va_ext ,
 .Nm krb5_make_principal
-.Nd Principal creation functions
+.Nd principal creation functions
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
 .Ft krb5_error_code

crypto/heimdal/lib/krb5/krb5_config.3

@@ -8,11 +8,9 @@
 .Nm krb5_config_get_int_default ,
 .Nm krb5_config_get_string_default ,
 .Nm krb5_config_get_time_default
-.Nd Get configuration value
-
+.Nd get configuration value
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
-
 .Ft krb5_boolean
 .Fn krb5_config_get_bool_default "krb5_context context" "krb5_config_section *c" "krb5_boolean def_value" "..."
 .Ft int
@@ -21,27 +19,24 @@
 .Fn krb5_config_get_string_default "krb5_context context" "krb5_config_section *c" "const char *def_value" "..."
 .Ft int
 .Fn krb5_config_get_time_default "krb5_context context" "krb5_config_section *c" "int def_value" "..."
-
 .Sh DESCRIPTION
-
 These functions get values from the 
 .Xr krb5.conf 5 
 configuration file, or another configuration database specified by the
 .Fa c
 parameter.
-
+.Pp
 The variable arguments should be a list of strings naming each
 subsection to look for. For example:
-
 .Bd -literal -offset indent
 krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults", "log_utc", NULL)
 .Ed
-
+.Pp
 gets the boolean value for the
 .Dv log_utc
 option, defaulting to
 .Dv FALSE .
-
+.Pp
 .Fn krb5_config_get_bool_default
 will convert the option value to a boolean value, where
 .Sq yes , 
@@ -50,22 +45,19 @@ and any non-zero number means
 .Dv TRUE ,
 and any other value 
 .Dv FALSE .
-
+.Pp
 .Fn krb5_config_get_int_default
 will convert the value to an integer.
-
+.Pp
 .Fn krb5_config_get_time_default
 will convert the value to a period of time (not a time stamp) in
 seconds, so the string
 .Sq 2 weeks
 will be converted to
 1209600 (2 * 7 * 24 * 60 * 60).
-
 .Sh BUGS
-
 Other than for the string case, there's no way to tell whether there
 was a value specified or not.
-
 .Sh SEE ALSO
 .Xr krb5_appdefault 3 ,
 .Xr krb5.conf 5

crypto/heimdal/lib/krb5/krb5_free_principal.3

@@ -5,7 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm krb5_free_principal
-.Nd Principal free function
+.Nd principal free function
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
 .Ft void

crypto/heimdal/lib/krb5/krb5_parse_name.3

@@ -5,7 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm krb5_parse_name
-.Nd String to principal conversion
+.Nd string to principal conversion
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
 .Ft krb5_error_code

crypto/heimdal/lib/krb5/krb5_sname_to_principal.3

@@ -6,7 +6,7 @@
 .Sh NAME
 .Nm krb5_sname_to_principal ,
 .Nm krb5_sock_to_principal
-.Nd Create a service principal
+.Nd create a service principal
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
 .Ft krb5_error_code

crypto/heimdal/lib/krb5/krb5_unparse_name.3

@@ -6,7 +6,7 @@
 .Sh NAME
 .Nm krb5_unparse_name
 .\" .Nm krb5_unparse_name_ext
-.Nd Principal to string conversion
+.Nd principal to string conversion
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
 .Ft krb5_error_code

crypto/heimdal/lib/krb5/verify_krb5_conf.8

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm verify_krb5_conf
-.Nd
-does a crude test that
+.Nd does a crude test that
 .Pa krb5.conf
 does not contain any obvious syntax error
 .Sh SYNOPSIS

crypto/heimdal/lib/vers/make-print-version.c

@@ -42,7 +42,7 @@ RCSID("$Id: make-print-version.c,v 1.2 2000/07/08 10:46:36 assar Exp $");
 extern const char *heimdal_version;
 #endif
 #ifdef KRB4
-extern const char *krb4_version;
+extern char *krb4_version;
 #endif
 #include <version.h>
 

crypto/heimdal/tools/krb5-config.1

@@ -5,8 +5,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm krb5-config
-.Nd
-give information on how to link code against Heimdal libraries
+.Nd "give information on how to link code against Heimdal libraries"
 .Sh SYNOPSIS
 .Nm
 .Op Fl -prefix Ns Op = Ns Ar dir

crypto/kerberosIV/lib/roken/getarg.3

@@ -9,13 +9,10 @@
 .Nd collect command line options
 .Sh SYNOPSIS
 .Fd #include <getarg.h>
-
 .Ft int
 .Fn getarg "struct getargs *args" "size_t num_args" "int argc" "char **argv" "int *optind"
-
 .Ft void
 .Fn arg_printusage "struct getargs *args" "size_t num_args" "const char *progname" "const char *extra_string"
-
 .Sh DESCRIPTION
 .Fn getarg
 collects any command line options given to a program in an easily used way. 
@@ -45,7 +42,8 @@ take the same
 and
 .Fa num_args
 as getarg;
-.Fa progname is the name of the program (to be used in the help text), and 
+.Fa progname
+is the name of the program (to be used in the help text), and 
 .Fa extra_string
 is a string to print after the actual options to indicate more
 arguments. The usefulness of this function is realised only be people
@@ -55,7 +53,6 @@ the code does.
 The
 .Fa getargs
 struct has the following elements.
-
 .Bd -literal
 struct getargs{
     const char *long_name;
@@ -176,7 +173,7 @@ and
 .Fa *optarg ,
 but to do this correct you (more or less) have to know about the inner
 workings of getarg.
- 
+.Pp 
 You can skip parts of arguments by increasing
 .Fa *optarg
 (you could
@@ -233,8 +230,6 @@ and if you're really confused you can do it multiple times
 .Pf ( Fl -no-no-help= Ns Ar false ,
 or even 
 .Fl -no-no-help= Ns Ar maybe ) .
-
-.Pp
 .Sh EXAMPLE
 .Bd -literal
 #include <stdio.h>
@@ -276,11 +271,11 @@ main(int argc, char **argv)
 	exit (0);
     }
     if (destination == NULL) {
-	fprintf(stderr, "%s: must specify destination\n", progname);
+	fprintf(stderr, "%s: must specify destination\en", progname);
 	exit(1);
     }
     if (strcmp(source, destination) == 0) {
-	fprintf(stderr, "%s: destination must be different from source\n");
+	fprintf(stderr, "%s: destination must be different from source\en");
 	exit(1);
     }
     /* include more stuff here ... */
@@ -298,7 +293,6 @@ Usage: ship++ [--source=city] [-s city] [--destination=city] [-d city]
 -w tons, --weight=tons      weight of shippment
 -c, --no-catalog            include product catalog
 .Ed
-
 .Sh BUGS
 It should be more flexible, so it would be possible to use other more
 complicated option syntaxes, such as what

crypto/kerberosIV/man/afslog.1

@@ -5,8 +5,7 @@
 .Os KTH-KRB
 .Sh NAME
 .Nm afslog
-.Nd
-obtains AFS tokens for specified cells
+.Nd "obtains AFS tokens for specified cells"
 .Sh SYNOPSIS
 .Nm
 .Op Fl d

crypto/kerberosIV/man/ftp.1

@@ -913,7 +913,7 @@ if verbose is on, when a file transfer completes, statistics
 regarding the efficiency of the transfer are reported.
 By default,
 verbose is on.
-.It Ic ? Op Ar command
+.It Ic \&? Op Ar command
 A synonym for help.
 .El
 .Pp

crypto/kerberosIV/man/ftpd.8

@@ -38,8 +38,7 @@
 .Os BSD 4.2
 .Sh NAME
 .Nm ftpd
-.Nd
-Internet File Transfer Protocol server
+.Nd Internet File Transfer Protocol server
 .Sh SYNOPSIS
 .Nm ftpd
 .Op Fl a Ar authmode
@@ -81,7 +80,7 @@ but only OTP is allowed.
 .It Ar ftp
 Allow anonymous login.
 .El
-
+.Pp
 The following combination modes exists for backwards compatibility:
 .Bl -tag -width plain
 .It Ar none
@@ -319,7 +318,7 @@ that the
 .Dq ftp
 subtree be constructed with care, consider following these guidelines
 for anonymous ftp.
-
+.Pp
 In general all files should be owned by
 .Dq root ,
 and have non-write permissions (644 or 755 depending on the kind of
@@ -377,7 +376,7 @@ and
 .Xr group 5
 files here, ls will be able to produce owner names rather than
 numbers. Remember to remove any passwords from these files.  
-
+.Pp
 The file
 .Pa motd ,
 if present, will be printed after a successful login.
@@ -388,7 +387,7 @@ here.
 .It Pa ~ftp/pub
 Traditional place to put whatever you want to make public.
 .El
-
+.Pp
 If you want guests to be able to upload files, create a
 .Pa ~ftp/incoming
 directory owned by 
@@ -459,6 +458,7 @@ FTP PROTOCOL SPECIFICATION
 OTP Specification
 .It Cm RFC 2228
 FTP Security Extensions.
+.El
 .Sh BUGS
 The server must run as the super-user
 to create sockets with privileged port numbers.  It maintains

crypto/kerberosIV/man/ftpusers.5

@@ -5,8 +5,7 @@
 .Os KTH-KRB
 .Sh NAME
 .Pa /etc/ftpusers
-.Nd
-FTP access list file.
+.Nd FTP access list file
 .Sh DESCRIPTION
 .Pa /etc/ftpusers
 contains a list of users that should be allowed or denied FTP
@@ -20,7 +19,7 @@ matches any user.  Users that has an explicit
 .Dq allow ,
 or that does not match any line, are allowed access. Anyone else is
 denied access.
-
+.Pp
 Note that this is compatible with the old format, where this file
 contained a list of users that should be denied access.
 .Sh EXAMPLES

crypto/kerberosIV/man/kadmin.8

@@ -4,14 +4,12 @@
 .\" For copying and distribution information,
 .\" please see the file <mit-copyright.h>.
 .\"
-
 .Dd February  3, 1998
 .Dt KADMIN 8
 .Os "KTH-KRB"
 .Sh NAME
 .Nm kadmin
-.Nd
-network utility for Kerberos database administration
+.Nd "network utility for Kerberos database administration"
 .Sh SYNOPSIS
 .Nm
 .Op Fl p Ar principal
@@ -23,7 +21,7 @@ network utility for Kerberos database administration
 .Op Fl -version
 .Op Fl h
 .Op Fl -help
-.Ar [command]
+.Op Ar command
 .Sh DESCRIPTION
 This utility provides a unified administration interface to the
 Kerberos master database.  Kerberos administrators use
@@ -64,7 +62,7 @@ for
 .It Fl t
 Use existing tickets (if any are available), this also disbles
 timeout, and doesn't destroy any tickets upon exit.
-
+.Pp
 These tickets have to be for the changepw.kerberos service.  Use
 .Nm kinit -p
 to acquire them.

crypto/kerberosIV/man/kafs.3

@@ -11,8 +11,8 @@
 .Nm k_afs_cell_of_file ,
 .Nm krb_afslog ,
 .Nm krb_afslog_uid
-\" .Nm krb5_afslog ,
-\" .Nm krb5_afslog_uid
+.\" .Nm krb5_afslog ,
+.\" .Nm krb5_afslog_uid
 .Nd AFS library
 .Sh SYNOPSIS
 .Fd #include <kafs.h>
@@ -30,10 +30,10 @@
 .Fn krb_afslog "char *cell" "char *realm"
 .Ft int
 .Fn krb_afslog_uid "char *cell" "char *realm" "uid_t uid"
-\" .Ft krb5_error_code
-\" .Fn krb5_afslog_uid "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm" "uid_t uid"
-\" .Ft krb5_error_code
-\" .Fn krb5_afslog "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm"
+.\" .Ft krb5_error_code
+.\" .Fn krb5_afslog_uid "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm" "uid_t uid"
+.\" .Ft krb5_error_code
+.\" .Fn krb5_afslog "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm"
 .Sh DESCRIPTION
 .Fn k_hasafs
 initializes some library internal structures, and tests for the
@@ -41,7 +41,7 @@ presense of AFS in the kernel, none of the other functions should be
 called before 
 .Fn k_hasafs
 is called, or if it fails.
-
+.Pp
 .Fn krb_afslog ,
 and
 .Fn krb_afslog_uid
@@ -66,22 +66,22 @@ field in the token,
 .Fn krb_afslog_uid
 will use
 .Fa uid .
-
-\" .Fn krb5_afslog ,
-\" and 
-\" .Fn krb5_afslog_uid
-\" are the Kerberos 5 equivalents of
-\" .Fn krb_afslog ,
-\" and
-\" .Fn krb_afslog_uid .
-\" The extra arguments are the ubiquitous context, and the cache id where
-\" to store any obtained tickets. Since AFS servers normally can't handle
-\" Kerberos 5 tickets directly, these functions will first obtain version
-\" 5 tickets for the requested cells, and then convert them to version 4
-\" tickets, that can be stashed in the kernel. To convert tickets the
-\" .Fn krb524_convert_creds_kdc
-\" function will be used.
-
+.Pp
+.\" .Fn krb5_afslog ,
+.\" and 
+.\" .Fn krb5_afslog_uid
+.\" are the Kerberos 5 equivalents of
+.\" .Fn krb_afslog ,
+.\" and
+.\" .Fn krb_afslog_uid .
+.\" The extra arguments are the ubiquitous context, and the cache id where
+.\" to store any obtained tickets. Since AFS servers normally can't handle
+.\" Kerberos 5 tickets directly, these functions will first obtain version
+.\" 5 tickets for the requested cells, and then convert them to version 4
+.\" tickets, that can be stashed in the kernel. To convert tickets the
+.\" .Fn krb524_convert_creds_kdc
+.\" function will be used.
+.\" .Pp
 .Fn k_afs_cell_of_file
 will in 
 .Fa cell
@@ -89,23 +89,22 @@ return the cell of a specified file, no more than
 .Fa len
 characters is put in 
 .Fa cell .
-
+.Pp
 .Fn k_pioctl
 does a 
 .Fn pioctl
 syscall with the specified arguments. This function is equivalent to
 .Fn lpioctl .
-
+.Pp
 .Fn k_setpag
 initializes a new PAG.
-
+.Pp
 .Fn k_unlog
 removes destroys all tokens in the current PAG.
-
 .Sh ENVIRONMENT
 The following environment variable affect the mode of operation of
 .Nm kafs :
-.Bl -tag
+.Bl -tag -width AFS_SYSCALL
 .It Ev AFS_SYSCALL
 Normally,
 .Nm kafs

crypto/kerberosIV/man/kauth.1

@@ -5,8 +5,7 @@
 .Os KTH-KRB
 .Sh NAME
 .Nm kauth
-.Nd
-overworked Kerberos login program
+.Nd overworked Kerberos login program
 .Sh SYNOPSIS
 .Nm
 .Op Fl n Ar name

crypto/kerberosIV/man/kauthd.8

@@ -5,8 +5,7 @@
 .Os KTH-KRB
 .Sh NAME
 .Nm kauthd
-.Nd
-remote Kerberos login daemon
+.Nd remote Kerberos login daemon
 .Sh SYNOPSIS
 .Nm
 .Sh DESCRIPTION
@@ -19,7 +18,7 @@ Options supported by
 .Bl -tag -width Ds
 .It Fl i
 Interactive.  Do not expect to be started by
-.Nm inetd,
+.Nm inetd ,
 but allocate and listen to the socket yourself.  Handy for testing
 and debugging.
 .El

crypto/kerberosIV/man/kerberos.8

@@ -5,7 +5,7 @@
 .Os KTH-KRB
 .Sh NAME
 .Nm kerberos
-.Nd The kerberos daemon
+.Nd the kerberos daemon
 .Sh SYNPOSIS
 .Nm
 .Op Fl mns
@@ -52,7 +52,8 @@ port specification follows the format:
 The
 .Ar port
 can be either a symbolic port name (from
-.Pa /etc/services), or a number;
+.Pa /etc/services ) ,
+or a number;
 .Ar protocol can be either 
 .Li udp ,
 or
@@ -71,13 +72,12 @@ Run as a server for realm
 Set slave parameters.  This will enable check to see if data is
 getting too stale relative to the master.
 .El
-
+.Pp
 If no 
 .Ar database
 is given a default datbase will be used, normally
 .Pa /var/kerberos/principal .
 .Sh DIAGNOSTICS
-
 The server logs several messages in a log file
 .Pf ( Pa /var/run/kerberos.log
 by default).  The logging mechanism opens and closes the log file for
@@ -115,7 +115,6 @@ An initial (password authenticated) request was received.
 .Xc
 A tgt-based request for a ticket was made.
 .El
-
 .Ss Error messages
 These messages reflects misconfigured clients, invalid requests, or
 possibly attepted attacks.
@@ -167,7 +166,6 @@ because of a broken client, or possibly an attack.
 .It Li KRB protocol version mismatch ( Ar number )
 The server received a request with an unknown version number.
 .El
-
 .Ss Fatal error messages
 The following messages indicate problems when starting the server.
 .Bl -tag -width xxxxx
@@ -186,7 +184,6 @@ The database doesn't contain a
 .Sq krbtgt.REALM
 for the local realm.
 .El
-
 .Sh SEE ALSO
 .Xr kprop 8 ,
 .Xr kpropd 8

crypto/kerberosIV/man/krb.equiv.5

@@ -5,8 +5,7 @@
 .Os KTH-KRB
 .Sh NAME
 .Nm krb.equiv
-.Nd
-Kerberos equivalent hosts file
+.Nd Kerberos equivalent hosts file
 .Sh DESCRIPTION
 .Nm
 contains a list of IP addresses that is to be considered being the

crypto/kerberosIV/man/krb.extra.5

@@ -5,8 +5,7 @@
 .Os KTH-KRB
 .Sh NAME
 .Nm krb.extra
-.Nd
-Kerberos misc configuration file
+.Nd Kerberos misc configuration file
 .Sh DESCRIPTION
 .Nm
 contains a number of settings that are used by the kerberos library,

crypto/kerberosIV/man/login.1

@@ -43,7 +43,7 @@
 .Op Fl h Ar hostname
 .Op Ar user
 .Sh DESCRIPTION
-.Sy Note:
+.Sy Note :
 this manual page describes the original login program for
 NetBSD. Everything in here might not be true.
 .Pp

crypto/kerberosIV/man/login.access.5

@@ -1,10 +1,10 @@
 .\" this is comment
 .Dd April 30, 1994
 .Dt SKEY.ACCESS 5
-.Os FreeBSD 1.2
+.Os FreeBSD
 .Sh NAME
 .Nm login.access
-.Nd Login access control table
+.Nd login access control table
 .Sh DESCRIPTION
 The
 .Nm login.access
@@ -21,7 +21,7 @@ be accepted or refused.
 .Pp
 Each line of the login access control table has three fields separated by a
 ":" character:	  permission : users : origins
-
+.Pp
 The first field should be a "+" (access granted) or "-" (access denied)
 character. The second field should be a list of one or more login names,
 group names, or ALL (always matches).  The third field should be a list
@@ -30,9 +30,9 @@ names (begin with "."), host addresses, internet network numbers (end
 with "."), ALL (always matches) or LOCAL (matches any string that does
 not contain a "." character). If you run NIS you can use @netgroupname
 in host or user patterns.
-
+.Pp
 The EXCEPT operator makes it possible to write very compact rules.
-
+.Pp
 The group file is searched only when a name does not match that of the
 logged-in user. Only groups are matched in which users are explicitly
 listed: the program does not look at a user's primary group id value.

crypto/kerberosIV/man/pagsh.1

@@ -5,18 +5,21 @@
 .Os KTH-KRB
 .Sh NAME
 .Nm pagsh
-.Nd
-execute a command without authentication
+.Nd execute a command without authentication
 .Sh SYNOPSIS
 .Nm pagsh
-.Op Oo Fl c Oc Nm command Ar args
+.Oo
+.Op Fl c
+.Ar command Ar args
+.Oc
 .Sh DESCRIPTION
 Starts a new subprocess that is detached from any Kerberos ticket
-cache and AFS tokens. Without
-.Nm command
+cache and AFS tokens.
+Without
+.Ar command
 a new shell is started.
 .Sh ENVIRONMENT
-.Bl -tag -width Fl
+.Bl -tag -width $SHELL
 .It Ev $SHELL
 Default shell.
 .El

crypto/kerberosIV/man/rcp.1

@@ -47,7 +47,7 @@
 .Nm rcp
 .Op Fl Kprx
 .Op Fl k Ar realm
-.Ar file ...
+.Ar
 .Ar directory
 .Sh DESCRIPTION
 .Nm Rcp

crypto/kerberosIV/man/rlogin.1

@@ -98,7 +98,7 @@ This specification may be as a literal character, or as an octal
 value in the form \ennn.
 .It Fl k
 The
-.FL k
+.Fl k
 option requests rlogin to obtain tickets for the remote host
 in realm
 .Ar realm

crypto/kerberosIV/man/telnet.1

@@ -98,7 +98,7 @@ BINARY option to be negotiated on output.
 .It Fl S Ar tos
 Sets the IP type-of-service (TOS) option for the telnet
 connection to the value
-.Ar tos,
+.Ar tos ,
 which can be a numeric TOS value
 or, on systems that support it, a symbolic
 TOS name found in the /etc/iptos file.
@@ -134,7 +134,7 @@ Sets the initial
 .Nm
 .Nm telnet
 escape character to
-.Ar escape char.
+.Ar escape char .
 If
 .Ar escape char
 is omitted, then
@@ -304,12 +304,12 @@ auth command are as follows:
 .It Ic disable Ar type
 Disables the specified type of authentication.  To
 obtain a list of available types, use the
-.Ic auth disable \&?
+.Ic auth disable ?\&
 command.
 .It Ic enable Ar type
 Enables the specified type of authentication.  To
 obtain a list of available types, use the
-.Ic auth enable \&?
+.Ic auth enable ?\&
 command.
 .It Ic status
 Lists the current status of the various types of
@@ -336,18 +336,22 @@ option is not supported outside of the United States and Canada.
 .Pp
 Valid arguments for the encrypt command are as follows:
 .Bl -tag -width Ar
-.It Ic disable Ar type Ic [input|output]
+.It Ic disable Ar type Xo
+.Op Cm input | output
+.Xc
 Disables the specified type of encryption.  If you
 omit the input and output, both input and output
 are disabled.  To obtain a list of available
 types, use the
-.Ic encrypt disable \&?
+.Ic encrypt disable ?\&
 command.
-.It Ic enable Ar type Ic [input|output]
+.It Ic enable Ar type Xo
+.Op Cm input | output
+.Xc
 Enables the specified type of encryption.  If you
 omit input and output, both input and output are
 enabled.  To obtain a list of available types, use the
-.Ic encrypt enable \&?
+.Ic encrypt enable ?\&
 command.
 .It Ic input
 This is the same as the
@@ -365,18 +369,18 @@ command.
 This is the same as the
 .Ic encrypt stop output
 command.
-.It Ic start Ic [input|output]
+.It Ic start Op Cm input | output
 Attempts to start encryption.  If you omit
 .Ic input
 and
-.Ic output,
+.Ic output ,
 both input and output are enabled.  To
 obtain a list of available types, use the
-.Ic encrypt enable \&?
+.Ic encrypt enable ?\&
 command.
 .It Ic status
 Lists the current status of encryption.
-.It Ic stop Ic [input|output]
+.It Ic stop Op Cm input | output
 Stops encryption.  If you omit input and output,
 encryption is on both input and output.
 .It Ic type Ar type
@@ -387,7 +391,7 @@ or
 .Ic encrypt stop
 commands.
 .El
-.It Ic environ Ar arguments... 
+.It Ic environ Ar arguments ...
 The
 .Ic environ
 command is used to manipulate the
@@ -416,7 +420,7 @@ command are:
 Define the variable
 .Ar variable
 to have a value of
-.Ar value.
+.Ar value .
 Any variables defined by this command are automatically exported.
 The
 .Ar value
@@ -441,7 +445,7 @@ Those marked with a
 .Cm *
 will be sent automatically,
 other variables will only be sent if explicitly requested.
-.It Ic \&?
+.It Ic ?\&
 Prints out help information for the
 .Ic environ
 command.
@@ -522,17 +526,15 @@ option.
 This requires that the 
 .Dv LINEMODE
 option be enabled.
-.It Ic \&?
+.It Ic ?\&
 Prints out help information for the
 .Ic mode
 command.
 .El
 .It Xo
 .Ic open Ar host
-.Oo Op Fl l
-.Ar user
-.Oc Ns Oo Fl
-.Ar port Oc
+.Op Fl l Ar user
+.Op Oo Fl Oc Ns Ar port
 .Xc
 Open a connection to the named host.
 If no port number
@@ -692,10 +694,10 @@ command.
 can also be either
 .Ic help
 or
-.Ic \&?
+.Ic ?\&
 to print out help information, including
 a list of known symbolic names.
-.It Ic \&?
+.It Ic ?\&
 Prints out help information for the
 .Ic send
 command.
@@ -996,7 +998,7 @@ The initial value for the worderase character is taken to be
 the terminal's
 .Ic worderase
 character.
-.It Ic \&?
+.It Ic ?\&
 Displays the legal
 .Ic set
 .Pq Ic unset
@@ -1040,7 +1042,7 @@ The remote default characters are those of the remote system
 at the time when the 
 .Tn TELNET
 connection was established.
-.It Ic \&?
+.It Ic ?\&
 Prints out help information for the
 .Ic slc
 command.
@@ -1251,10 +1253,12 @@ has ever been enabled, then
 is sent as
 .Ic abort  ,
 and
-.Ic eof and
-.B suspend
+.Ic eof
+and
+.Ic suspend
 are sent as
-.Ic eof and
+.Ic eof
+and
 .Ic susp ,
 see
 .Ic send
@@ -1293,7 +1297,7 @@ skips the reading of the
 file in the users home
 directory when connections are opened.  The initial
 value for this toggle is
-.Dv FALSE.
+.Dv FALSE .
 .It Ic termdata
 Toggles the display of all terminal data (in hexadecimal format).
 The initial value for this toggle is
@@ -1306,7 +1310,7 @@ toggle is
 .Tn TELNET
 prints out a message each time encryption is enabled or
 disabled.  The initial value for this toggle is
-.Dv FALSE.
+.Dv FALSE .
 Note:  Because of export controls, data encryption
 is not supported outside of the United States and Canada.
 .It Ic \&?
@@ -1325,7 +1329,7 @@ system.  If
 .Ic command
 is omitted, then an interactive
 subshell is invoked.
-.It Ic \&? Op Ar command 
+.It Ic ?\& Op Ar command 
 Get help.  With no arguments,
 .Nm telnet
 prints a help summary.

crypto/kerberosIV/man/telnetd.8

@@ -95,7 +95,7 @@ has been compiled with support for the
 .Dv AUTHENTICATION
 option.
 There are several valid values for
-.Ar authmode:
+.Ar authmode :
 .Bl -tag -width debug
 .It debug
 Turns on authentication debugging code.
@@ -153,7 +153,7 @@ to the connection, allowing the user to see what
 .Nm telnetd
 is doing.
 There are several possible values for 
-.Ar debugmode:
+.Ar debugmode :
 .Bl -tag -width exercise
 .It Cm options
 Prints information about the negotiation of
@@ -166,7 +166,7 @@ information, plus some additional information
 about what processing is going on.
 .It Cm netdata
 Displays the data stream received by
-.Nm telnetd.
+.Nm telnetd .
 .It Cm ptydata
 Displays data written to the pty.
 .It Cm exercise
@@ -194,12 +194,12 @@ be reached may be cleaned up.
 This option is only enabled when
 .Nm telnetd
 is compiled for
-.Dv UNICOS.
+.Dv UNICOS .
 It specifies an inclusive range of pseudo-terminal devices to
 use.  If the system has sysconf variable
 .Dv _SC_CRAY_NPTY
 configured, the default pty search range is 0 to
-.Dv _SC_CRAY_NPTY;
+.Dv _SC_CRAY_NPTY ;
 otherwise, the default range is 0 to 128.  Either
 .Ar lowpty
 or
@@ -298,7 +298,9 @@ DO TIMING-MARK
 .Ed
 .Pp
 The pseudo-terminal allocated to the client is configured
-to operate in \*(lqcooked\*(rq mode, and with
+to operate in
+.Dq cooked
+mode, and with
 .Dv XTABS and
 .Dv CRMOD
 enabled (see
@@ -336,7 +338,7 @@ Indicates that the client is willing to send a
 of the Network Virtual Terminal.
 .It "WILL SGA"
 Indicates that it will not be sending
-.Dv IAC GA,
+.Dv IAC GA ,
 go ahead, commands.
 .It "WILL STATUS"
 Indicates a willingness to send the client, upon
@@ -382,7 +384,7 @@ characters remotely.
 This is not really supported, but is sent to identify a 4.2BSD
 .Xr telnet 1
 client, which will improperly respond with
-.Dv WILL ECHO.
+.Dv WILL ECHO .
 If a
 .Dv WILL ECHO
 is received, a
@@ -394,7 +396,7 @@ name of the type of terminal that is attached
 to the client side of the connection.
 .It "DO SGA"
 Indicates that it does not need to receive
-.Dv IAC GA,
+.Dv IAC GA ,
 the go ahead command.
 .It "DO NAWS"
 Requests that the client inform the server when
@@ -423,9 +425,9 @@ Only sent if
 .Nm telnetd
 is compiled with support for both linemode and
 kludge linemode, and the client responded with
-.Dv WONT LINEMODE.
+.Dv WONT LINEMODE .
 If the client responds with
-.Dv WILL TM,
+.Dv WILL TM ,
 the it is assumed that the client supports
 kludge linemode.
 Note that the
@@ -443,6 +445,7 @@ Only sent if
 is compiled with support for data encryption, and
 indicates a willingness to decrypt
 the data stream.
+.El
 .Sh ENVIRONMENT
 .Sh FILES
 .Pa /etc/services
@@ -501,6 +504,7 @@ Telnet Authentication: SPX
 Telnet Environment Option Interoperability Issues
 .It Cm RFC-1572
 Telnet Environment Option
+.El
 .Sh BUGS
 Some
 .Tn TELNET