From: Jen Selby Date: Wed, 26 Jun 2002 21:15:11 +0000 (+0000) Subject: * Makefile: changed the way html output is generated, made "make all" X-Git-Tag: krb5-1.3-alpha1~632 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=a522464928341b63106c397cd0635a7d8700bbc8;p=krb5.git * Makefile: changed the way html output is generated, made "make all" remove generated tex files * admin.texinfo: added sections about encryption types and salts, updated the configuration file sections, revised the example configuration files, updated dates on output strings, added an explanation of destroying a Kerberos database * build.texinfo: changed the description of the tarball * definitions.texinfo: added variables for all the default values so that they can all be updated in one place, changed the release from 1.2 to 1.3 * dnstxt.texinfo updated the information * install.texinfo added more description of the configuration files and the minimum needed in the files to set up a kerberos realm, revised the examples of the configuration file sections, took out old encryption type and salt information * kdcconf.texinfo: new file, taken from the admin guide and included in both the admin and install guides, provides descriptions of the sections in kdc.conf * krb425.texinfo: moved a texinfo tag so that makeinfo --html would work * krb5conf.texinfo: new file, take from the admin guide and included in both the admin and install guides, provides descriptions of the sections in krb5.conf * man2html, man2html.M: new files, a perl program to create html pages from the output of the man command * salts.texinfo: new file, a description of the different salt types that are currently supported * support-enc.texinfo: new file, a description of the currently supported encryptions types * user-guide.texinfo: added a section describing different ticket flags, added a way to have the man pages in the reference section accessible in the html version of the documentation git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14587 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/ChangeLog b/doc/ChangeLog index 37b52c4d0..7ea57f4d7 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,38 @@ +2002-06-26 Jen Selby + + * Makefile: changed the way html output is generated, made "make all" + remove generated tex files + * admin.texinfo: added sections about encryption types and salts, + updated the configuration file sections, revised the example + configuration files, updated dates on output strings, added an + explanation of destroying a Kerberos database + * build.texinfo: changed the description of the tarball + * definitions.texinfo: added variables for all the default values + so that they can all be updated in one place, changed the release + from 1.2 to 1.3 + * dnstxt.texinfo updated the information + * install.texinfo added more description of the configuration files + and the minimum needed in the files to set up a kerberos realm, + revised the examples of the configuration file sections, took out + old encryption type and salt information + * kdcconf.texinfo: new file, taken from the admin guide and included + in both the admin and install guides, provides descriptions of the + sections in kdc.conf + * krb425.texinfo: moved a texinfo tag so that makeinfo --html would + work + * krb5conf.texinfo: new file, take from the admin guide and included + in both the admin and install guides, provides descriptions of the + sections in krb5.conf + * man2html, man2html.M: new files, a perl program to create html pages + from the output of the man command + * salts.texinfo: new file, a description of the different salt types + that are currently supported + * support-enc.texinfo: new file, a description of the currently + supported encryptions types + * user-guide.texinfo: added a section describing different ticket + flags, added a way to have the man pages in the reference section + accessible in the html version of the documentation + 2002-06-21 Ezra Eeisach * implementor.texinfo (IPv6 Support): Update fact that IRIX 6.5.16 diff --git a/doc/Makefile b/doc/Makefile index f8c29969b..a5b8d13fe 100644 --- a/doc/Makefile +++ b/doc/Makefile @@ -2,18 +2,22 @@ SRCDIR=../src DVI=texi2dvi DVIPS=dvips -o "$@" INFO=makeinfo -HTML=texi2html +HTML=makeinfo --html RM=rm -f TAR=tar -chvf GZIP=gzip -9 MANPS=./man2ps +MANTXT=nroff -man +MANHTML=./man2html ADMIN_INCLUDES=definitions.texinfo copyright.texinfo document-list.texinfo \ - glossary.texinfo send-pr.texinfo + glossary.texinfo support-enc.texinfo salts.texinfo krb5conf.texinfo \ + kdcconf.texinfo dnstxt.texinfo dnssrv.texinfo send-pr.texinfo ADMIN_DEPS=admin.texinfo $(ADMIN_INCLUDES) INSTALL_INCLUDES=definitions.texinfo copyright.texinfo document-list.texinfo \ - build.texinfo bug-report.texinfo send-pr.texinfo + dnstxt.texinfo dnssrv.texinfo build.texinfo bug-report.texinfo \ + krb5conf.texinfo kdcconf.texinfo send-pr.texinfo INSTALL_DEPS=install.texinfo $(INSTALL_INCLUDES) USER_GUIDE_INCLUDES=definitions.texinfo copyright.texinfo glossary.texinfo @@ -23,7 +27,7 @@ KRB425_INCLUDES=definitions.texinfo copyright.texinfo KRB425_DEPS=krb425.texinfo $(KRB425_INCLUDES) .PHONY: all -all:: admin-guide-full install-guide-full user-guide-full krb425-guide-full clean-temp-ps +all:: admin-guide-full install-guide-full user-guide-full krb425-guide-full clean-temp-ps clean-tex .PHONY: admin-guide-full admin-guide-full:: admin-guide admin-guide-info admin-guide-html @@ -90,6 +94,16 @@ krb5-user.info: $(USER_GUIDE_DEPS) user-guide-html:: user-guide.html user-guide.html: $(USER_GUIDE_DEPS) + $(MANTXT) $(SRCDIR)/appl/gssftp/ftp/ftp.M | $(MANHTML) > ftp.html + $(MANTXT) $(SRCDIR)/clients/kdestroy/kdestroy.M | $(MANHTML) > kdestroy.html + $(MANTXT) $(SRCDIR)/clients/kinit/kinit.M | $(MANHTML) > kinit.html + $(MANTXT) $(SRCDIR)/clients/klist/klist.M | $(MANHTML) > klist.html + $(MANTXT) $(SRCDIR)/clients/ksu/ksu.M | $(MANHTML) > ksu.html + $(MANTXT) $(SRCDIR)/appl/bsd/rcp.M | $(MANHTML) > rcp.html + $(MANTXT) $(SRCDIR)/appl/bsd/rlogin.M | $(MANHTML) > rlogin.html + $(MANTXT) $(SRCDIR)/appl/bsd/rsh.M | $(MANHTML) > rsh.html + $(MANTXT) $(SRCDIR)/appl/telnet/telnet/telnet.1 | $(MANHTML) > telnet.html + $(MANTXT) $(SRCDIR)/kadmin/passwd/kpasswd.M | $(MANHTML) > kpasswd.html $(HTML) user-guide.texinfo .PHONY: krb425-guide-full diff --git a/doc/admin.texinfo b/doc/admin.texinfo index 37bda9669..d04ba7572 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -39,6 +39,7 @@ @ifinfo This document describes how to administrate a @value{PRODUCT} installation. +@end ifinfo @c The master menu is updated using emacs19's M-x texinfo-all-menus-update @c function. Don't forget to run M-x texinfo-every-node-update after @@ -71,7 +72,6 @@ installation. @node Copyright, Introduction, Top, Top @unnumbered Copyright @include copyright.texinfo -@end ifinfo @node Introduction, How Kerberos Works, Copyright, Top @@ -336,75 +336,31 @@ Following are definitions of some of the Kerberos terminology. @chapter Configuration Files @menu +* Supported Encryption Types:: +* Salts:: * krb5.conf:: * kdc.conf:: @end menu -@node krb5.conf, kdc.conf, Configuration Files, Configuration Files -@section krb5.conf - -The @code{krb5.conf} file contains Kerberos configuration information, -including the locations of KDCs and admin servers for the Kerberos -realms of interest, defaults for the current realm and for Kerberos -applications, and mappings of hostnames onto Kerberos realms. Normally, -you should install your @code{krb5.conf} file in the directory -@code{/etc}. You can override the default location by setting the -environment variable @samp{KRB5_CONFIG}. - -The @code{krb5.conf} file is set up in the style of a Windows INI file. -Sections are headed by the section name, in square brackets. Each -section may contain zero or more relations, of the form: - -@smallexample -foo = bar -@end smallexample - -@noindent -or - -@smallexample -@group -fubar = @{ - foo = bar - baz = quux -@} -@end group -@end smallexample - -The @code{krb5.conf} file may contain any or all of the following seven -sections: - -@table @b -@itemx libdefaults -Contains default values used by the Kerberos V5 library. +@node Supported Encryption Types, Salts, Configuration Files, Configuration Files +@section Supported Encryption Types -@itemx appdefaults -Contains default values used by Kerberos V5 applications. +@include support-enc.texinfo -@itemx realms -Contains subsections keyed by Kerberos realm names. Each subsection -describes realm-specific information, including where to find the -Kerberos servers for that realm. +@node Salts, krb5.conf, Supported Encryption Types, Configuration Files +@section Salts -@itemx domain_realm -Contains relations which map domain names and subdomains onto Kerberos -realm names. This is used by programs to determine what realm a host -should be in, given its fully qualified domain name. +Your Kerberos key is derived from your password. To ensure that people +who happen to pick the same password do not have the same key, Kerberos +5 incorporates more information into the key using something called a +salt. The supported values for salts are as follows. -@itemx logging -Contains relations which determine how Kerberos programs are to perform -logging. +@include salts.texinfo -@itemx capaths -Contains the authentication paths used with direct (nonhierarchical) -cross-realm authentication. Entries in this section are used by the -client to determine the intermediate realms which may be used in -cross-realm authentication. It is also used by the end-service when -checking the transited field for trusted intermediate realms. +@node krb5.conf, kdc.conf, Salts, Configuration Files +@section krb5.conf -@itemx kdc -For a KDC, may contain the location of the kdc.conf file. -@end table +@include krb5conf.texinfo @menu * libdefaults:: @@ -425,39 +381,84 @@ relations: @table @b @itemx default_realm Identifies the default Kerberos realm for the client. Set its value to -your Kerberos realm. +your Kerberos realm. If this is not specified and the TXT record +lookup is enabled (see @ref{Using DNS}), then that information will be +used to determine the default realm. If this tag is not set in this +configuration file and there is no DNS information found, then an error +will be returned. @itemx default_tgs_enctypes Identifies the supported list of session key encryption types that -should be returned by the KDC. The list may be delimited with commas or -whitespace. Currently, the supported encryption types are -"des3-hmac-sha1" and -"des-cbc-crc". Support for other encryption types is planned in the -future. +should be returned by the KDC. The list may be delimited with commas +or whitespace. Kerberos supports many different encryption types, and +support for more is planned in the future. (see @ref{Supported Encryption +Types} for a list of the accepted values for this tag). The default +value is @value{DefaultDefaultTgsEnctypes}. @itemx default_tkt_enctypes -Identifies the supported list of session key encryption -types that should be requested by the client. The format is the same as -for @emph{default_tkt_enctypes}. Again, the only supported encryption -types are "des3-hmac-sha1" and "des-cbc-crc". +Identifies the supported list of session key encryption types that +should be requested by the client. The format is the same as for +@emph{default_tkt_enctypes}. The default value for this tag is +@value{DefaultDefaultTktEnctypes}. @itemx clockskew Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is -invalid. The default value is 300 seconds, or five minutes. +invalid. The default value is @value{DefaultClockskew}. -@itemx checksum_type -Used for compatability with DCE security servers which do not support -the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. A value -of 1 indicates the default checksum type. Use a value of 2 to use the -CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and earlier. +@itemx kdc_req_checksum_type +@itemx ap_req_checksum_type +@itemx safe_checksum_type +An integer which specifies the type of checksum to use. Used for +compatability with DCE security servers which do not support the +default @value{DefaultChecksumType} used by this version of Kerberos. +The possible values and their meanings are as follows. +@comment taken from krb5/src/include/krb5.h[in] +@table @b +@item 1 +CRC32 +@item 2 +RSA MD4 +@item 3 +RSA MD4 DES +@item 4 +DES CBC +@item 7 +RSA MD5 +@item 8 +RSA MD5 DES +@item 9 +NIST SHA +@item 12 +HMAC SHA1 DES3 +@item -138 +Microsoft MD5 HMAC checksum type +@end table + +@comment see lib/krb5/ccache/fcc.h @itemx ccache_type -Use this parameter on systems which are DCE clients, to specify the type -of cache to be created by kinit, or when forwarded tickets are received. -DCE and Kerberos can share the cache, but some versions of DCE do not -support the default cache as created by this version of Kerberos. Use a -value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems. +Use this parameter on systems which are DCE clients, to specify the +type of cache to be created by kinit, or when forwarded tickets are +received. DCE and Kerberos can share the cache, but some versions of +DCE do not support the default cache as created by this version of +Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on +DCE 1.1 systems. The default value is @value{DefaultCcacheTypeMac} +for Macintosh computers and @value{DefaultCcacheType} for other +platforms. + +@ignore +@itemx tkt_lifetime +The default lifetime of a ticket. The default is +@value{DefaultTktLifetime}. This is currently not supported by the +code. +@end ignore + +@itemx kdc_timesync +If this is set to 1 (for true), then client machines will attempt +to sync their time with the KDC using the timestamps in the tickets. +The default is @value{DefaultKDCTimesyncMac} for Macintosh computers +and @value{DefaultKDCTimesync} for all other platforms. @itemx dns_lookup_kdc Indicate whether DNS SRV records should be used to locate the KDCs and @@ -524,6 +525,12 @@ For example: encrypt = true autologin = true @} + telnet = @{ + @value{PRIMARYREALM} = @{ + forward = false + @} + @} + @end group @end smallexample @@ -542,16 +549,27 @@ tags may be specified in the realm's subsection: @table @b @itemx kdc The name of a host running a KDC for that realm. An optional port -number (separated from the hostname by a colon) may be included. +number (separated from the hostname by a colon) may be included. For +your computer to be able to communicate with the KDC for each realm, +this tag must be given a value in each realm subsection in the +configuration file, or there must be DNS SRV records specifying the +KDCs (see @ref{Using DNS}). @itemx admin_server Identifies the host where the administration server is running. -Typically, this is the master Kerberos server. +Typically, this is the master Kerberos server. This tag must be given +a value in order to communicate with the kadmin server for the realm. @itemx application defaults Application defaults that are specific to a particular realm may be specified within that realm's tag. Realm-specific application defaults override the global defaults specified in the [appdefaults] section. + +@itemx default_domain +This tag is used for Kerberos 4 compatibility. Kerberos 4 does not +require the entire hostname of a server to be in its principal like +Kerberos 5 does. This tag provides the domain name needed to produce a +full hostname. @end table @node domain_realm, logging, realms (krb5.conf), krb5.conf @@ -602,6 +620,10 @@ its logging. The relations in this section assign one or more values to the entity name. Currently, the following entities are used: @table @b + +@itemx kdc +These entries specify how the KDC is to perform its logging. + @itemx admin_server These entries specify how the administrative server is to perform its logging. @@ -768,16 +790,17 @@ Here is an example of a generic @code{krb5.conf} file: @smallexample @group [libdefaults] - ticket_lifetime = 600 default_realm = @value{PRIMARYREALM} default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc + dns_lookup_kdc = true + dns_lookup_realm = false [realms] @value{PRIMARYREALM} = @{ kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN} kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN} - kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN} + kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:750 admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN} default_domain = @value{PRIMARYDOMAIN} @} @@ -803,29 +826,7 @@ Here is an example of a generic @code{krb5.conf} file: @node kdc.conf, , krb5.conf, Configuration Files @section kdc.conf -The @code{kdc.conf} file contains KDC configuration information, -including defaults used when issuing Kerberos tickets. Normally, you -should install your @code{kdc.conf} file in the directory -@code{@value{ROOTDIR}/var/krb5kdc}. You can override the default -location by setting the environment variable @samp{KRB5_KDC_PROFILE}. - -The @code{kdc.conf} file is set up in the same format as the -@code{krb5.conf} file. (@xref{krb5.conf}.) The @code{kdc.conf} file -may contain any or all of the following three sections: - -@table @b -@itemx kdcdefaults -Contains default values for overall behavior of the KDC. - -@itemx realms -Contains subsections keyed by Kerberos realm names. Each subsection -describes realm-specific information, including where to find the -Kerberos servers for that realm. - -@itemx logging -Contains relations which determine how Kerberos programs are to perform -logging. -@end table +@include kdcconf.texinfo @menu * kdcdefaults:: @@ -840,11 +841,11 @@ The following relation is defined in the [kdcdefaults] section: @table @b @itemx kdc_ports -This relation lists the ports on which the Kerberos server should listen -by default. This list is a comma separated list of integers. If this -relation is not specified, the compiled-in default is usually port 88 -(the assigned Kerberos port) and port 750 (the port used by Kerberos -V4). +This relation lists the ports on which the Kerberos server should +listen by default. This list is a comma separated list of integers. +If this relation is not specified, the compiled-in default is +@value{DefaultKdcPorts}, the first being the assigned Kerberos port +and the second which was used by Kerberos V4. @end table @node realms (kdc.conf), Sample kdc.conf File, kdcdefaults, kdc.conf @@ -861,38 +862,41 @@ subsection: @itemx acl_file (String.) Location of the access control list (acl) file that kadmin uses to determine which principals are allowed which permissions on the -database. The default is @code{@value{ROOTDIR}/var/krb5kdc/kadm5.acl}. +database. The default is @code{@value{DefaultAclFile}}. @itemx admin_keytab (String.) Location of the keytab file that kadmin uses to authenticate to the database. The default is -@code{@value{ROOTDIR}/var/krb5kdc/kadm5.keytab}. +@code{@value{DefaultAdminKeytab}}. @itemx database_name (String.) Location of the Kerberos database for this realm. The -default is @* @code{@value{ROOTDIR}/var/krb5kdc/principal}. +default is @* @code{@value{DefaultDatabaseName}}. @itemx default_principal_expiration (Absolute time string.) Specifies the default expiration date of -principals created in this realm. +principals created in this realm. The default value for this tag is +@value{DefaultDefaultPrincipalExpiration}. @itemx default_principal_flags (Flag string.) Specifies the default attributes of principals created -in this realm. +in this realm. The default value for this tag is +@value{DefaultDefaultPrincipalFlags}. @itemx dict_file (String.) Location of the dictionary file containing strings that are -not allowed as passwords. The default is -@code{@value{ROOTDIR}/var/krb5kdc/kadm5.dict}. +not allowed as passwords. If none is specified, no dictionary checks +of passwords will be performed. @itemx kadmind_port (Port number.) Specifies the port that the kadmind daemon is to listen -for this realm. The assigned port for kadmind is 749. +for this realm. The assigned port for kadmind is +@value{DefaultKadmindPort}. @itemx key_stash_file (String.) Specifies the location where the master key has been stored (via @code{kdb5_util stash}). The default is -@code{@value{ROOTDIR}/var/krb5kdc/.k5.@i{REALM}}, where @i{REALM} is the +@code{@value{DefaultKeyStashFileStub}@i{REALM}}, where @i{REALM} is the Kerberos realm. @itemx kdc_ports @@ -901,33 +905,33 @@ this realm. By default, the value of kdc_ports as specified in the [kdcdefaults] section is used. @itemx master_key_name -(String.) Specifies the name of the master key. +(String.) Specifies the name of the master key. The default is +@value{DefaultMasterKeyName}. @itemx master_key_type -(Key type string.) Specifies the master key's key type. Either -"des3-hmac-sha1" or -"des-cbc-crc" may be used at this time. +(Key type string.) Specifies the master key's key type. The default +value for this is @value{DefaultMasterKeyType}. For a list of all +possible values, see @ref{Supported Encryption Types}. @itemx max_life (Delta time string.) Specifes the maximum time period for which a -ticket may be valid in this realm. +ticket may be valid in this realm. The default value is +@value{DefaultMaxLife}. @itemx max_renewable_life (Delta time string.) Specifies the maximum time period during which a -valid ticket may be renewed in this realm. +valid ticket may be renewed in this realm. The default value is +@value{DefaultMaxRenewableLife}. @itemx supported_enctypes List of key:salt strings. Specifies the default key/salt combinations of principals for this realm. Any principals created through -@code{kadmin} will have keys of these types. If you do not yet wish to -enable triple-DES support, you should set this tag to -@samp{des-cbc-crc:normal des-cbc-crc:v4}; otherwise, put -@samp{des3-hmac-sha1:normal} at the beginning of the list. +@code{kadmin} will have keys of these types. For lists of possible +values, see @ref{Supported Encryption Types} and @ref{Salts}. @itemx kdc_supported_enctypes -List of key:salt strings. Specifies the permitted key/salt combinations -of principals for this realm. You should set this tag to -@samp{des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4}. +Specifies the permitted key/salt combinations of principals for this +realm. The format is the same as @code{supported_enctypes} @itemx reject_bad_transit A boolean value (@code{true}, @code{false}). If set to @code{true}, the @@ -1097,10 +1101,9 @@ Pass @i{query} directly to @code{kadmin}. This is useful for writing scripts that pass specific queries to @code{kadmin}. @item @b{-e} @i{"enctypes ..."} -@b{(For @code{kadmin.local} only.)} -Sets the list of cryptosystem and salt types to be used for any new keys -created. Available types include @samp{des3-cbc-sha1:normal}, -@samp{des-cbc-crc:normal}, and @samp{des-cbc-crc:v4}. +@b{(For @code{kadmin.local} only.)} Sets the list of cryptosystem and +salt types to be used for any new keys created. See @ref{Supported +Encryption Types} and @ref{Salts} for available types. @end table @@ -1216,10 +1219,10 @@ Maximum life: 1 day 00:00:00 Maximum renewable life: 7 days 00:00:00 Master key version: 1 Expires: Mon Jan 18 22:14:07 EDT 2038 -Password expires: Mon Sep 19 14:40:00 EDT 1996 -Password last changed: Mon Jan 31 02:06:40 EDT 1996 +Password expires: Mon Sep 19 14:40:00 EDT 2004 +Password last changed: Mon Jan 31 02:06:40 EDT 2004 Last modified: by @value{ADMINUSER}/admin@@@value{PRIMARYREALM} - on Wed Jul 13 18:27:08 EDT 1996 + on Wed Jul 13 18:27:08 EDT 2004 Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE, REQUIRES_HW_AUTH Salt type: DEFAULT @@ -1373,15 +1376,8 @@ following switches: @table @b @item -salt @i{salttype} -Uses the specified salt for generating the key. The valid salt types -are: - -@itemize @bullet -@item full_name (aliases ``v5_salt'' and ``normal''; this is the default) -@item name_only -@item realm_only -@item no_salt (alias ``v4_salt'') -@end itemize +Uses the specified salt for generating the key. For valid salt types, +see @ref{Salts}. @item -clearpolicy For @code{modify_principal}, removes the current policy from a @@ -1502,10 +1498,11 @@ prompt for a password (@code{add_principal} only). @value{COMPANY} does not recommend using this option. @item -e @i{enc:salt...} -Uses the specified list of enctype-salttype pairs for setting the key of -the principal. The quotes are necessary if there are multiple +Uses the specified list of enctype-salttype pairs for setting the key +of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. This will not function against kadmin daemons -earlier than krb5-1.2. +earlier than krb5-1.2. See @ref{Supported Encryption Types} and +@ref{Salts} for available types. @end table If you want to just use the default values, all you need to do is: @@ -1619,10 +1616,11 @@ Sets the password to the string @i{password}. @value{COMPANY} does not recommend using this option. @item @b{-e} @i{"enc:salt..."} -Uses the specified list of enctype-salttype pairs for setting the key of -the principal. The quotes are necessary if there are multiple +Uses the specified list of enctype-salttype pairs for setting the key +of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. This will not function against kadmin daemons -earlier than krb5-1.2. +earlier than krb5-1.2. See @ref{Supported Encryption Types} and +@ref{Salts} for possible values. @end table For example: @@ -2043,6 +2041,35 @@ It is important that you NOT FORGET this password.} @end group @end smallexample +If you need to destroy the current Kerberos database, use the +@code{kdb5_util} @code{destroy} command. The syntax is: + +@smallexample +@b{kdb5_util destroy} [@b{-f}] +@end smallexample + +The @code{destroy} command destroys the database, first overwriting the +disk sectors and then unlinking the files. If you specify the +@samp{-f} option, @code{kdb5_util} will not prompt you for a +confirmation before destroying the database. + +@smallexample +@group +@b{shell%} @value{ROOTDIR}/sbin/kdb5_util -r @value{PRIMARYREALM} destroy +@iftex +@b{kdb5_util: Deleting KDC database stored in @value{DefaultDatabaseName}, are you sure +(type yes to confirm)?} @i{@doubleleftarrow{}yes} +@end iftex +@ifinfo +@b{kdb5_util: Deleting KDC database stored in @value{DefaultDatabaseName}, are you sure +(type yes to confirm)?} @i{<== yes} +@end ifinfo +@b{OK, deleting database '@value{DefaultDatabaseName}'...} + +@b{shell%} +@end group +@end smallexample + @ignore @c @node The KDC Logs, , Creating and Destroying a Kerberos Database, Administrating Kerberos Database Entries @c @section The KDC Logs @@ -2106,11 +2133,12 @@ The @code{ktadd} command takes the following switches: use @i{keytab} as the keytab file. Otherwise, @code{ktadd} will use the default keytab file (@code{/etc/krb5.keytab}). -@item @b{-e} @i{"enc:salt..."} -Uses the specified list of enctype-salttype pairs for setting the key of -the principal. The quotes are necessary if there are multiple +@item @b{-e} @i{"enc:salt..."} +Uses the specified list of enctype-salttype pairs for setting the key +of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. This will not function against kadmin daemons -earlier than krb5-1.2. +earlier than krb5-1.2. See @ref{Supported Encryption Types} and +@ref{Salts} for all possible values. @item -q run in quiet mode. This causes @code{ktadd} to display less verbose diff --git a/doc/build.texinfo b/doc/build.texinfo index 18e51011a..671f55089 100644 --- a/doc/build.texinfo +++ b/doc/build.texinfo @@ -35,20 +35,22 @@ link tree for your build tree. @node Unpacking the Sources, Doing the Build, Build Requirements, Building Kerberos V5 @section Unpacking the Sources -The first step in each of these build procedures is to unpack the source -distribution. The Kerberos V5 distribution comes in two compressed tar -files. The first file, which is generally named -@file{krb5-@value{RELEASE}.src.tar.gz}, contains the sources for all of Kerberos -except for the crypto library, which is found in the file -@file{krb5-@value{RELEASE}.crypto.tar.gz}. - -Both files should be unpacked in the same directory, such as -@file{/u1/krb5-@value{RELEASE}}. (In the rest of this document, we will assume that -you have chosen to unpack the Kerberos V5 source distribution in this -directory. Note that the tarfiles will by default all unpack into the -@file{./krb5-@value{RELEASE}} directory, so that if your current directory is -@file{/u1} when you unpack the tarfiles, you will get -@file{/u1/krb5-@value{RELEASE}/src}, etc.) +The first step in each of these build procedures is to unpack the +source distribution. The Kerberos V5 distribution comes in a tar file, +generally named @file{krb5-@value{RELEASE}.tar}, which contains a +compressed tar file consisting of the sources for all of Kerberos +(generally @file{krb5-@value{RELEASE}.tar.gz}) and a PGP signature for +this source tree (generally @file{krb5-@value{RELEASE}.tar.gz.asc}). +@value{COMPANY} highly recommends that you verify the integrity of the +source code using this signature. + +Unpack the compressed tar file in some directory, such as +@file{/u1/krb5-@value{RELEASE}}. (In the rest of this document, we +will assume that you have chosen to unpack the Kerberos V5 source +distribution in this directory. Note that the tarfiles will by default +all unpack into the @file{./krb5-@value{RELEASE}} directory, so that if +your current directory is @file{/u1} when you unpack the tarfiles, you +will get @file{/u1/krb5-@value{RELEASE}/src}, etc.) @node Doing the Build, Testing the Build, Unpacking the Sources, Building Kerberos V5 diff --git a/doc/definitions.texinfo b/doc/definitions.texinfo index 5a5b37cbf..91058b8cf 100644 --- a/doc/definitions.texinfo +++ b/doc/definitions.texinfo @@ -19,8 +19,8 @@ @set RANDOMUSER johndoe @set RANDOMUSER1 jennifer @set RANDOMUSER2 david -@set RELEASE 1.2 -@set PREVRELEASE 1.1 +@set RELEASE 1.3 +@set PREVRELEASE 1.2 @set INSTALLDIR /usr/@value{LCPRODUCT} @set PREVINSTALLDIR @value{INSTALLDIR} @set ROOTDIR /usr/local @@ -28,3 +28,99 @@ @set SECONDDOMAIN fubar.org @set SECONDREALM FUBAR.ORG @set UPDATED @today + +@ignore +The rest of the variables in this file are defaults for tags in the +configuration files. Each group of defaults come from the same file in +the code, which is specified in the ignore comment above the group. +After each variable, there should be a comment specifying the variable +in the code that holds the default variable, or the line in which the +default was set. +@end ignore + +@ignore +the following should be consistent with the variables set in +krb5/src/lib/krb5/krb/init_ctx.c +@end ignore +@set DefaultETypeList des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 +@comment DEFAULT_ETYPE_LIST +@set DefaultDefaultTgsEnctypes @value{DefaultETypeList} +@set DefaultDefaultTktEnctypes @value{DefaultETypeList} +@set DefaultClockskew 300 seconds, or five minutes +@comment libdefaults, clockskew +@set DefaultChecksumType RSA MD5 +@comment libdefaults, kdc_req_checksum_type, ap_req_checksum_type, safe_checksum_type +@set DefaultCcacheType 3 +@comment DEFAULT_CCACHE_TYPE +@set DefaultCcacheTypeMac 4 +@comment DEFAULT_CCACHE_TYPE +@set DefaultTktLifetime 10 hours +@comment libdefaults, tkt_lifetime +@set DefaultKDCTimesyncMac 1 +@set DefaultKDCTimesync 0 +@comment DEFAULT_KDC_TIMESYNC + +@ignore +the following defaults should be consistent with default variables set +in krb5/src/include/krb5/stock/osconf.h +@end ignore +@set DefaultMasterKeyType des-cbc-crc +@comment DEFAULT_KDC_ENCTYPE +@set DefaultKadmindPort 749 +@comment DEFAULT_KADM5_PORT +@set DefaultAclFile @value{ROOTDIR}/krb5kdc/kadm5.acl +@comment DEFAULT_KADM5_ACL_FILE +@set DefaultAdminKeytab @value{ROOTDIR}/krb5kdc/kadm5.keytab +@comment DEFAULT_KADM5_KEYTAB +@set DefaultDatabaseName /usr/local/var/krb5kdc/principal +@comment DEFAULT_KDB_FILE (@LOCALSTATEDIR is /usr/local/var) +@set DefaultKdcPorts 88,750 +@comment DEFAULT_KDC_PORTLIST +@set DefaultKpasswdPort 464 +@comment DEFAULT_KPASSWD_PORT +@set DefaultSecPort 750 +@comment KRB5_DEFAULT_SEC_PORT +@set DefaultPort 88 +@comment KRB5_DEFAULT_PORT +@set DefaultKeyStashFileStub /usr/local/var/krb5kdc/.k5. +@comment DEFAULT_KEYFILE_STUB + +@ignore +the following defaults should be consistent with the numbers set in +krb5/src/lib/kadm5/alt_prof.c +@end ignore +@set DefaultMaxLife 10 hours +@comment line 608 +@set DefaultMaxRenewableLife 0 +@comment line 622 +@set DefaultDefaultPrincipalExpiration 0 +@comment line 639 + +@ignore +the following defaults should be consistent with the values set in +krb5/src/include/krb5/kdb.h +@end ignore +@set DefaultDefaultPrincipalFlags no flags set +@comment KRB5_KDB_DEF_FLAGS set to 0 + +@ignore +in krb5/src/include/k5-int.h, the values KRB5_KDB_MAX_LIFE, +KRB5_KDB_MAX_RLIFE, and KRB5_KDB_EXPIRATION are set to one day, one week, +and Thursday Jan 1 2038, respectively +@end ignore + +@ignore +the following defaults should be consistent with the values set in +include/krb5/kdb.h +@end ignore +@set DefaultMasterKeyName K/M +@comment KRB5_KDB_M_NAME + +@ignore +krb5/src/lib/krb5/krb/init_ctx.c, line 195 has libdefault +kdc_default_options (KDC_OPT_RENEWABLE_OKAY) +@end ignore + +@comment this should be verified in the code +@set DefaultDNSLookupKDC true +@set DefaultDNSLookupRealm false diff --git a/doc/dnstxt.texinfo b/doc/dnstxt.texinfo index 535ac4438..e06d220cf 100644 --- a/doc/dnstxt.texinfo +++ b/doc/dnstxt.texinfo @@ -8,15 +8,15 @@ hostname-by-hostname basis. Since greater specificity takes precedence, you would do this by specifying the mappings for a given domain or subdomain and listing the exceptions. -The second mechanism, recently introduced into the MIT code base but not -currently used by default, works by looking up the information in -special @code{TXT} records in the Domain Name Service. If this -mechanism is enabled on the client, it will try to look up a @code{TXT} -record for the DNS name formed by putting the prefix @code{_kerberos} in -front of the hostname in question. If that record is not found, it will -try using @code{_kerberos} and the host's domain name, then its parent -domain, and so forth. So for the hostname -BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be: +The second mechanism works by looking up the information in special +@code{TXT} records in the Domain Name Service. This is currently not +used by default because security holes could result if the DNS TXT +records were spoofed. If this mechanism is enabled on the client, +it will try to look up a @code{TXT} record for the DNS name formed by +putting the prefix @code{_kerberos} in front of the hostname in question. +If that record is not found, it will try using @code{_kerberos} and the +host's domain name, then its parent domain, and so forth. So for the +hostname BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be: @smallexample _kerberos.boston.engineering.foobar.com diff --git a/doc/install.texinfo b/doc/install.texinfo index 9dfd27958..9aa6654bc 100644 --- a/doc/install.texinfo +++ b/doc/install.texinfo @@ -42,6 +42,8 @@ This file documents how to install the @value{RELEASE} release of @value{PRODUCT}. +@end ifinfo + @c The master menu is updated using emacs19's M-x texinfo-all-menus-update @c function. Don't forget to run M-x texinfo-every-node-update after @c you add a new section or subsection, or after you've rearranged the @@ -66,15 +68,12 @@ This file documents how to install the @value{RELEASE} release of * Installing Kerberos V5:: * Upgrading Existing Kerberos V5 Installations:: * Bug Reports for Kerberos V5:: -* Files:: @end menu @node Copyright, Introduction, Top, Top @unnumbered Copyright @include copyright.texinfo -@end ifinfo - @node Introduction, Realm Configuration Decisions, Copyright, Top @chapter Introduction @@ -367,6 +366,8 @@ first few steps must be done on the master KDC. @menu * Edit the Configuration Files:: +* krb5.conf:: +* kdc.conf:: * Create the Database:: * Add Administrators to the Acl File:: * Add Administrators to the Kerberos Database:: @@ -374,21 +375,51 @@ first few steps must be done on the master KDC. * Start the Kerberos Daemons:: @end menu -@node Edit the Configuration Files, Create the Database, Install the Master KDC, Install the Master KDC +@node Edit the Configuration Files, krb5.conf, Install the Master KDC, Install the Master KDC @subsubsection Edit the Configuration Files -Modify the configuration files, @code{/etc/krb5.conf} -(@pxref{krb5.conf}) and @code{@value{ROOTDIR}/var/krb5kdc/kdc.conf} -(@pxref{kdc.conf}) to reflect the correct information (such as the -hostnames and realm name) for your realm. @value{COMPANY} recommends -that you keep @code{krb5.conf} in @code{/etc}. - -Among the settings in your @code{/etc/krb5.conf} file, be sure to create -a @code{[logging]} stanza so that the KDC and kadmind will generate -logging output. For example: +Modify the configuration files, @code{/etc/krb5.conf} and +@code{@value{ROOTDIR}/var/krb5kdc/kdc.conf} to reflect the correct +information (such as the hostnames and realm name) for your realm. +@value{COMPANY} recommends that you keep @code{krb5.conf} in @code{/etc}. + +Most of the tags in the configuration have default values that will +work well for most sites. There are some tags in the @code{krb5.conf} +file whose values must be specified, and this section will explain +those as well as give an overview of all of the sections in both +configuration files. For more information on changing defaults with +the configuration files, see the @value{PRODUCT} System Administrator's +Guide sections on configuration files. + +@node krb5.conf, kdc.conf, Edit the Configuration Files, Install the Master KDC +@subsubsection krb5.conf + +@include krb5conf.texinfo + +If you are not using DNS TXT records, you must specify the +@code{default_realm} in the @code{libdefaults} section. If you are not +using DNS SRV records, you must include the @code{kdc} tag for each +realm in the @code{realms} section. To communicate with the kadmin +server in each realm, the @code{admin_server} tag must be set in the +@code{realms} section. If your domain name and realm name are not the +same, you must provide a translation in @code{domain_realm}. It is +also higly recommeneded that you create a @code{[logging]} stanza if +the computer will be functioning as a KDC so that the KDC and kadmind +will generate logging output. + +An example @code{krb5.conf} file: @smallexample @group +[libdefaults] + default_realm = @value{PRIMARYREALM} + +[realms] + kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN} + kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN} + kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN} + admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN} + [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log @@ -396,7 +427,12 @@ logging output. For example: @end group @end smallexample -@node Create the Database, Add Administrators to the Acl File, Edit the Configuration Files, Install the Master KDC +@node kdc.conf, Create the Database, krb5.conf, Install the Master KDC +@subsubsection kdc.conf + +@include kdcconf.texinfo + +@node Create the Database, Add Administrators to the Acl File, kdc.conf, Install the Master KDC @subsubsection Create the Database You will use the @code{kdb5_util} command @emph{on the Master KDC} to @@ -1439,120 +1475,10 @@ your application servers, and then change the default to include triple-DES. We recommend that you always include @code{des-cbc-crc} in the default list. -@node Bug Reports for Kerberos V5, Files, Upgrading Existing Kerberos V5 Installations, Top +@node Bug Reports for Kerberos V5, , Upgrading Existing Kerberos V5 Installations, Top @chapter Bug Reports for @value{PRODUCT} @include send-pr.texinfo -@node Files, , Bug Reports for Kerberos V5, Top -@appendix Files - -@menu -* krb5.conf:: -* kdc.conf:: -@end menu - -@node krb5.conf, kdc.conf, Files, Files -@appendixsec krb5.conf - -Here is an example @code{krb5.conf} file: - -@smallexample -@group -[libdefaults] - ticket_lifetime = 600 - default_realm = @value{PRIMARYREALM} - default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc - default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc - -[realms] - @value{PRIMARYREALM} = @{ - kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:88 - kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}:88 - kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:88 - admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:749 - default_domain = @value{PRIMARYDOMAIN} - @} - -[domain_realm] - .@value{PRIMARYDOMAIN} = @value{PRIMARYREALM} - @value{PRIMARYDOMAIN} = @value{PRIMARYREALM} -@end group -@end smallexample - -For the KDCs, add a section onto the end of the @code{krb5.conf} file -telling how logging information should be stored, as in the following -example: - -@smallexample -@group -[logging] - kdc = FILE:/var/log/krb5kdc.log - admin_server = FILE:/var/log/kadmin.log - default = FILE:/var/log/krb5lib.log -@end group -@end smallexample - -@iftex -@vfill -@end iftex -@page - -@node kdc.conf, , krb5.conf, Files -@appendixsec kdc.conf - -Here's an example of a kdc.conf file: - -@smallexample -@group -[kdcdefaults] - kdc_ports = 88,750 - -[realms] - @value{PRIMARYREALM} = @{ - database_name = @value{ROOTDIR}/var/krb5kdc/principal - admin_keytab = @value{ROOTDIR}/var/krb5kdc/kadm5.keytab - acl_file = @value{ROOTDIR}/var/krb5kdc/kadm5.acl - dict_file = @value{ROOTDIR}/var/krb5kdc/kadm5.dict - key_stash_file = @value{ROOTDIR}/var/krb5kdc/.k5.@value{PRIMARYREALM} - kadmind_port = 749 - max_life = 10h 0m 0s - max_renewable_life = 7d 0h 0m 0s - master_key_type = des3-hmac-sha1 - supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal - @} -@end group -@end smallexample - -To add Kerberos V4 support, add @code{des-cbc-crc:v4} to the -@code{supported_enctypes} line. - -@menu -* Encryption Types and Salt Types:: -@end menu - -@node Encryption Types and Salt Types, , kdc.conf, kdc.conf -@appendixsubsec Encryption Types and Salt Types - -Currently, @value{PRODUCT} supports only DES and triple-DES encryption. -The encoding types include -@code{des-cbc-crc} and @code{des3-cbc-sha1}. The @dfn{salt} is -additional information encoded within the key that tells what kind of -key it is. The only salts that you will be likely to encounter are: - -@itemize @bullet -@item @dfn{normal}, which @value{COMPANY} recommends using for all of -your @value{PRODUCT} keys - -@item @dfn{v4}, which is necessary only for compatibility with a v4 KDC -or a v4 version of @code{kinit}, and then only with @code{des-cbc-crc} -encryption - -@item @dfn{afs}, which you will never need to generate, and which you will -encounter only if you dump an AFS database into a Kerberos database -@end itemize - -Support for additional encryption types is planned in the future. - @contents @bye diff --git a/doc/kdcconf.texinfo b/doc/kdcconf.texinfo new file mode 100644 index 000000000..8ff1f3570 --- /dev/null +++ b/doc/kdcconf.texinfo @@ -0,0 +1,24 @@ +The @code{kdc.conf} file contains KDC configuration information, +including defaults used when issuing Kerberos tickets. Normally, you +should install your @code{kdc.conf} file in the directory +@code{@value{ROOTDIR}/var/krb5kdc}. You can override the default +location by setting the environment variable @samp{KRB5_KDC_PROFILE}. + +The @code{kdc.conf} file is set up in the same format as the +@code{krb5.conf} file. (@xref{krb5.conf}.) The @code{kdc.conf} file +may contain any or all of the following three sections: + +@table @b +@itemx kdcdefaults +Contains default values for overall behavior of the KDC. + +@itemx realms +Contains subsections keyed by Kerberos realm names. Each subsection +describes realm-specific information, including where to find the +Kerberos servers for that realm. + +@itemx logging +Contains relations which determine how Kerberos programs are to perform +logging. +@end table + diff --git a/doc/krb425.texinfo b/doc/krb425.texinfo index 12572e5cb..447383514 100644 --- a/doc/krb425.texinfo +++ b/doc/krb425.texinfo @@ -38,6 +38,7 @@ @ifinfo This document describes how to convert to @value{PRODUCT} from Kerberos V4. +@end ifinfo @menu * Copyright:: @@ -53,8 +54,6 @@ This document describes how to convert to @value{PRODUCT} from Kerberos V4. @unnumbered Copyright @include copyright.texinfo -@end ifinfo - @node Introduction, Configuration Files, Copyright, Top @chapter Introduction diff --git a/doc/krb5conf.texinfo b/doc/krb5conf.texinfo new file mode 100644 index 000000000..a712ee583 --- /dev/null +++ b/doc/krb5conf.texinfo @@ -0,0 +1,63 @@ +The @code{krb5.conf} file contains Kerberos configuration information, +including the locations of KDCs and admin servers for the Kerberos +realms of interest, defaults for the current realm and for Kerberos +applications, and mappings of hostnames onto Kerberos realms. Normally, +you should install your @code{krb5.conf} file in the directory +@code{/etc}. You can override the default location by setting the +environment variable @samp{KRB5_CONFIG}. + +The @code{krb5.conf} file is set up in the style of a Windows INI file. +Sections are headed by the section name, in square brackets. Each +section may contain zero or more relations, of the form: + +@smallexample +foo = bar +@end smallexample + +@noindent +or + +@smallexample +@group +fubar = @{ + foo = bar + baz = quux +@} +@end group +@end smallexample + +The @code{krb5.conf} file may contain any or all of the following seven +sections: + +@table @b +@itemx libdefaults +Contains default values used by the Kerberos V5 library. + +@itemx appdefaults +Contains default values used by Kerberos V5 applications. + +@itemx realms +Contains subsections keyed by Kerberos realm names. Each subsection +describes realm-specific information, including where to find the +Kerberos servers for that realm. + +@itemx domain_realm +Contains relations which map domain names and subdomains onto Kerberos +realm names. This is used by programs to determine what realm a host +should be in, given its fully qualified domain name. + +@itemx logging +Contains relations which determine how Kerberos programs are to perform +logging. + +@itemx capaths +Contains the authentication paths used with direct (nonhierarchical) +cross-realm authentication. Entries in this section are used by the +client to determine the intermediate realms which may be used in +cross-realm authentication. It is also used by the end-service when +checking the transited field for trusted intermediate realms. + +@itemx kdc +For a KDC, may contain the location of the kdc.conf file. +@end table + diff --git a/doc/man2html b/doc/man2html new file mode 100644 index 000000000..ea45686b8 --- /dev/null +++ b/doc/man2html @@ -0,0 +1,608 @@ +#!/usr/athena/bin/perl +#!/usr/local/bin/perl +##---------------------------------------------------------------------------## +## File: +## @(#) man2html 1.2 97/08/12 12:57:30 @(#) +## Author: +## Earl Hood, ehood@medusa.acs.uci.edu +## Description: +## man2html is a Perl program to convert formatted nroff output +## to HTML. +## +## Recommend command-line options based on platform: +## +## Platform Options +## --------------------------------------------------------------------- +## c2mp +## hp9000s700/800 -leftm 1 -topm 8 +## sun4 -sun +## --------------------------------------------------------------------- +## +##---------------------------------------------------------------------------## +## Copyright (C) 1995-1997 Earl Hood, ehood@medusa.acs.uci.edu +## +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. +## +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. +## +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +## 02111-1307, USA +##---------------------------------------------------------------------------## + +package Man2Html; + +use Getopt::Long; + +($PROG = $0) =~ s/.*\///; +$VERSION = "3.0.1"; + +## Input and outputs filehandles +$InFH = \*STDIN unless $InFH; +$OutFH = \*STDOUT unless $OutFH; + +## Backspace character: Used in overstriking detection +*bs = \"\b"; + +## Hash of section titles and their HTML tag wrapper. +## This list allows customization of what HTML tag is used for +## a given section head. +## +## The section title can be a regular expression. Therefore, one must +## be careful about quoting special characters. +## +%SectionHead = ( + + '\S.*OPTIONS.*' => '

', + 'AUTHORS?' => '

', + 'BUGS' => '

', + 'COMPATIBILITY' => '

', + 'DEPENDENCIES' => '

', + 'DESCRIPTION' => '

', + 'DIAGNOSTICS' => '

', + 'ENVIRONMENT' => '

', + 'ERRORS' => '

', + 'EXAMPLES' => '

', + 'EXTERNAL INFLUENCES' => '

', + 'FILES' => '

', + 'LIMITATIONS' => '

', + 'NAME' => '

', + 'NOTES?' => '

', + 'OPTIONS' => '

', + 'REFERENCES' => '

', + 'RETURN VALUE' => '

', + 'SECTION.*:' => '

', + 'SEE ALSO' => '

', + 'STANDARDS CONFORMANCE' => '

', + 'STYLE CONVENTION' => '

', + 'SYNOPSIS' => '

', + 'SYNTAX' => '

', + 'WARNINGS' => '

', + '\s+Section.*:' => '

', + +); + +## Fallback tag if above is not found +$HeadFallback = '

'; + +## Other gobals + +$Bare = 0; # Skip printing HTML head/foot flag +$BTag = 'B'; # Overstrike tag +$CgiUrl = ''; # CGI URL expression +$Compress = 0; # Do blank line compression flag +$K = 0; # Do keyword search processing flag +$NoDepage = 0; # Do not strip page information +$NoHeads = 0; # Do no header detection flag +$SeeAlso = 0; # Do only SEE ALSO xrefs flag +$Solaris = 0; # Solaris keyword search processing flag +$Sun = 0; # Headers not overstriken flag +$Title = ''; # Title +$UTag = 'I'; # Underline tag +$ftsz = 7; # Bottome margin size +$hdsz = 7; # Top margin size +$leftm = ''; # Left margin pad +$leftmsz = 0; # Left margin size +$pgsz = 66; # Size of page size +$txsz = 52; # Text body length size + +############################################################################# +## Main Block +############################################################################# +{ + if (get_cli_opts()) { + if ($K) { + man_k(); + } else { + do_it(); + } + } else { + usage(); + } +} + +############################################################################# +## Subroutines +############################################################################# + +sub do_it { + + ## Define while loop and then eval it when used. The reason + ## is to avoid the regular expression reevaulation in the + ## section head detection code. + + $doitcode =<<'EndOfDoItCode'; + + my($line, $tmp, $i, $head, $preindent, $see_also, $do); + + $see_also = !$SeeAlso; + print $OutFH "\n"; + LOOP: while(!eof($InFH)) { + $blank = 0; + for ($i=0; $i < $hdsz; $i++) { + last LOOP unless defined($_ = <$InFH>); + } + for ($i=0; $i < $txsz; $i++) { + last LOOP unless defined($_ = <$InFH>); + + ## Check if compress consecutive blank lines + if ($Compress and !/\S/) { + if ($blank) { next; } else { $blank = 1; } + } else { + $blank = 0; + } + + ## Try to check if line space is needed at page boundaries ## + if (!$NoDepage && ($i==0 || $i==($txsz-1)) && !/^\s*$/) { + /^(\s*)/; $tmp = length($1); + if ($do) { + if ($tmp < $preindent) { print $OutFH "\n"; } + } else { + $do = 1; + } + $preindent = $tmp; + } else { + $do = 0; $preindent = 0; + } + + ## Interpret line + $line = $_; + entitize(\$_); # Convert [$<>] to entity references + + ## Check for 'SEE ALSO' link only + if (!$see_also && $CgiUrl && $SeeAlso) { + ($tmp = $line) =~ s/.\010//go; + if ($tmp =~ /^\s*SEE\s+ALSO\s*$/o) { $see_also = 1; } + else { $see_also = 0; } + } + + ## Create anchor links for manpage references + s/((((.\010)+)?[\+_\.\w-])+\(((.\010)+)? + \d((.\010)+)?\w?\)) + /make_xref($1) + /geox if $see_also; + + ## Emphasize underlined words + # s/((_\010[^_])+[\.\(\)_]?(_\010[^_])+\)?)/emphasize($1)/oge; + # s/((_\010[^_])+([\.\(\)_]?(_\010[^_])+)?)/emphasize($1)/oge; + # + # The previous expressions were trying to be clever about + # detecting underlined text which contain non-alphanumeric + # characters. nroff will not underline non-alphanumeric + # characters in an underlined phrase, and the above was trying + # to detect that. It does not work all the time, and it + # screws up other text, so a simplified expression is used. + + s/((_\010[^_])+)/emphasize($1)/oge; + + $secth = 0; + ## Check for strong text and headings + if ($Sun || /.\010./o) { + if (!$NoHeads) { + $line =~ s/.\010//go; + $tmp = $HeadFallback; +EndOfDoItCode + + ## Create switch statement for detecting a heading + ## + $doitcode .= "HEADSW: {\n"; + foreach $head (keys %SectionHead) { + $doitcode .= join("", "\$tmp = '$SectionHead{$head}', ", + "\$secth = 1, last HEADSW ", + "if \$line =~ /^$leftm$head/o;\n"); + } + $doitcode .= "}\n"; + + ## Rest of routine + ## + $doitcode .=<<'EndOfDoItCode'; + if ($secth || $line =~ /^$leftm\S/o) { + chop $line; + $_ = $tmp . $line . $tmp; + s%<([^>]*)>$%%; + $_ = "\n\n" . $_ . "
\n";
+		    } else {
+			s/(((.\010)+.)+)/strongize($1)/oge;
+		    }
+		} else {
+		    s/(((.\010)+.)+)/strongize($1)/oge;
+		}
+	    }
+	    print $OutFH $_;
+	}
+
+	for ($i=0; $i < $ftsz; $i++) {
+	    last LOOP  unless defined($_ = <$InFH>);
+	}
+    }
+EndOfDoItCode
+
+
+    ##	Perform processing.
+
+    printhead()  unless $Bare;
+    print $OutFH "
\n";
+    eval $doitcode;			# $doitcode defined above
+    print $OutFH "
\n";
+    printtail()  unless $Bare;
+}
+
+##---------------------------------------------------------------------------
+##
+sub get_cli_opts {
+    return 0  unless
+    GetOptions(
+	"bare",		# Leave out HTML, HEAD, BODY tags.
+	"belem=s",	# HTML Element for overstriked text (def: "B")
+	"botm=i",	# Number of lines for bottom margin (def: 7)
+	"cgiurl=s",	# CGI URL for linking to other manpages
+	"cgiurlexp=s",	# CGI URL Perl expr for linking to other manpages
+	"compress",	# Compress consecutive blank lines
+	"headmap=s",	# Filename of user section head map file
+	"k",		# Process input from 'man -k' output.
+	"leftm=i",	# Character width of left margin (def: 0)
+	"nodepage",	# Do not remove pagination lines
+	"noheads",	# Do not detect for section heads
+	"pgsize=i",	# Number of lines in a page (def: 66)
+	"seealso",	# Link to other manpages only in the SEE ALSO section
+	"solaris",	# Parse 'man -k' output from a solaris system
+	"sun",		# Section heads are not overstriked in input
+	"title=s",	# Title of manpage (def: Not defined)
+	"topm=i",	# Number of lines for top margin (def: 7)
+	"uelem=s",	# HTML Element for underlined text (def: "I")
+
+	"help"		# Short usage message
+    );
+    return 0  if defined($opt_help);
+
+    $pgsz = $opt_pgsize || $pgsz;
+    if (defined($opt_nodepage)) {
+	$hdsz   = 0;
+	$ftsz   = 0;
+    } else {
+	$hdsz   = $opt_topm  if defined($opt_topm);
+	$ftsz   = $opt_botm  if defined($opt_botm);
+    }
+    $txsz       = $pgsz - ($hdsz + $ftsz);
+    $leftmsz    = $opt_leftm  if defined($opt_leftm);
+    $leftm      = ' ' x $leftmsz;
+
+    $Bare       = defined($opt_bare);
+    $Compress   = defined($opt_compress);
+    $K          = defined($opt_k);
+    $NoDepage   = defined($opt_nodepage);
+    $NoHeads    = defined($opt_noheads);
+    $SeeAlso    = defined($opt_seealso);
+    $Solaris    = defined($opt_solaris);
+    $Sun        = defined($opt_sun);
+
+    $Title      = $opt_title || $Title;
+    $CgiUrl     = $opt_cgiurlexp ||
+			($opt_cgiurl ? qq{return "$opt_cgiurl"} : '');
+
+    $BTag	= $opt_belem || $BTag;
+    $UTag	= $opt_uelem || $UTag;
+    $BTag	=~ s/[<>]//g;
+    $UTag	=~ s/[<>]//g;
+
+    if (defined($opt_headmap)) {
+	require $opt_headmap or warn "Unable to read $opt_headmap\n";
+    }
+    1;
+}
+
+##---------------------------------------------------------------------------
+sub printhead {
+    print $OutFH "\n";
+    print $OutFH "\n",
+		 "$Title\n",
+		 "\n"  if $Title;
+    print $OutFH "\n";
+    print $OutFH "
$Title
\n",
+		 "
\n"  if $Title;
+}
+
+##---------------------------------------------------------------------------
+sub printtail {
+    print $OutFH <
+

+Man(1) output converted with
+man2html
+

+
+
+EndOfRef
+}
+
+##---------------------------------------------------------------------------
+sub emphasize {
+    my($txt) = shift;
+    $txt =~ s/.\010//go;
+    $txt = "<$UTag>$txt";
+    $txt;
+}
+
+##---------------------------------------------------------------------------
+sub strongize {
+    my($txt) = shift;
+    $txt =~ s/.\010//go;
+    $txt = "<$BTag>$txt";
+    $txt;
+}
+
+##---------------------------------------------------------------------------
+sub entitize {
+    my($txt) = shift;
+
+    ## Check for special characters in overstrike text ##
+    $$txt =~ s/_\010\&/strike('_', '&')/geo;
+    $$txt =~ s/_\010/strike('_', '>')/geo;
+
+    $$txt =~ s/(\&\010)+\&/strike('&', '&')/geo;
+    $$txt =~ s/(<\010)+\010)+>/strike('>', '>')/geo;
+
+    ## Check for special characters in regular text.  Must be careful
+    ## to check before/after character in expression because it might be
+    ## a special character.
+    $$txt =~ s/([^\010]\&[^\010])/htmlize2($1)/geo;
+    $$txt =~ s/([^\010]<[^\010])/htmlize2($1)/geo;
+    $$txt =~ s/([^\010]>[^\010])/htmlize2($1)/geo;
+}
+
+##---------------------------------------------------------------------------
+##	escape special characters in a string, in-place
+##
+sub htmlize {
+    my($str) = shift;
+    $$str =~ s/&/\&/g;
+    $$str =~ s//\>/g;
+    $$str;
+}
+
+##---------------------------------------------------------------------------
+##	htmlize2() is used by entitize.
+##
+sub htmlize2 {
+    my($str) = shift;
+    $str =~ s/&/\&/g;
+    $str =~ s//\>/g;
+    $str;
+}
+
+##---------------------------------------------------------------------------
+##	strike converts HTML special characters in overstriked text
+##	into entity references.  The entities are overstriked so
+##	strongize() and emphasize() will recognize the entity to be
+##	wrapped in tags.
+##
+sub strike {
+    my($w, $char) = @_;
+    my($ret);
+    if ($w eq '_') {
+	if ($char eq '&') {
+	    $ret = "_$bs\&_${bs}a_${bs}m_${bs}p_${bs};";
+	} elsif ($char eq '<') {
+	    $ret = "_$bs\&_${bs}l_${bs}t_${bs};";
+	} elsif ($char eq '>') {
+	    $ret = "_$bs\&_${bs}g_${bs}t_${bs};";
+	} else {
+	    warn qq|Unrecognized character, "$char", passed to strike()\n|;
+	}
+    } else {
+	if ($char eq '&') {
+	    $ret = "\&$bs\&a${bs}am${bs}mp${bs}p;${bs};";
+	} elsif ($char eq '<') {
+	    $ret = "\&$bs\&l${bs}lt${bs}t;${bs};";
+	} elsif ($char eq '>') {
+	    $ret = "\&$bs\&g${bs}gt${bs}t;${bs};";
+	} else {
+	    warn qq|Unrecognized character, "$char", passed to strike()\n|;
+	}
+    }
+    $ret;
+}
+
+##---------------------------------------------------------------------------
+##	make_xref() converts a manpage crossreference into a hyperlink.
+##
+sub make_xref {
+    my $str = shift;
+    $str =~ s/.\010//go;			# Remove overstriking
+
+    if ($CgiUrl) {
+	my($title,$section,$subsection) =
+	    ($str =~ /([\+_\.\w-]+)\((\d)(\w?)\)/);
+
+	$title =~ s/\+/%2B/g;
+	my($href) = (eval $CgiUrl);
+	qq|$str|;
+    } else {
+	qq|$str|;
+    }
+}
+
+##---------------------------------------------------------------------------
+##	man_k() process a keyword search.  The problem we have is there
+##	is no standard for keyword search results from man.  Solaris
+##	systems have a different enough format to warrent dealing
+##	with it as a special case.  For other cases, we try our best.
+##	Unfortunately, there are some lines of results that may be
+##	skipped.
+##
+sub man_k {
+    my($line,$refs,$section,$subsection,$desc,$i,
+       %Sec1, %Sec1sub, %Sec2, %Sec2sub, %Sec3, %Sec3sub,
+       %Sec4, %Sec4sub, %Sec5, %Sec5sub, %Sec6, %Sec6sub,
+       %Sec7, %Sec7sub, %Sec8, %Sec8sub, %Sec9, %Sec9sub,
+       %SecN, %SecNsub, %SecNsec);
+
+    printhead()  unless $Bare;
+    print $OutFH "\n";
+
+    while ($line = <$InFH>) {
+	next if $line !~ /\(\d\w?\)\s+-\s/; # check if line can be handled
+	($refs,$section,$subsection,$desc) =
+	    $line =~ /^\s*(.*)\((\d)(\w?)\)\s*-\s*(.*)$/;
+
+	if ($Solaris) {
+	    $refs =~ s/^\s*([\+_\.\w-]+)\s+([\+_\.\w-]+)\s*$/$1/;
+					#   
+	} else {
+	    $refs =~ s/\s(and|or)\s/,/gi; # Convert and/or to commas
+	    $refs =~ s/^[^:\s]:\s*//;	# Remove prefixed whatis path
+	}
+	$refs =~ s/\s//g;		# Remove all whitespace
+	$refs =~ s/,/, /g;		# Put space after comma
+	htmlize(\$desc);		# Check for special chars in desc
+	$desc =~ s/^(.)/\U$1/;		# Uppercase first letter in desc
+
+	if ($section eq '1') {
+	    $Sec1{$refs} = $desc; $Sec1sub{$refs} = $subsection;
+	} elsif ($section eq '2') {
+	    $Sec2{$refs} = $desc; $Sec2sub{$refs} = $subsection;
+	} elsif ($section eq '3') {
+	    $Sec3{$refs} = $desc; $Sec3sub{$refs} = $subsection;
+	} elsif ($section eq '4') {
+	    $Sec4{$refs} = $desc; $Sec4sub{$refs} = $subsection;
+	} elsif ($section eq '5') {
+	    $Sec5{$refs} = $desc; $Sec5sub{$refs} = $subsection;
+	} elsif ($section eq '6') {
+	    $Sec6{$refs} = $desc; $Sec6sub{$refs} = $subsection;
+	} elsif ($section eq '7') {
+	    $Sec7{$refs} = $desc; $Sec7sub{$refs} = $subsection;
+	} elsif ($section eq '8') {
+	    $Sec8{$refs} = $desc; $Sec8sub{$refs} = $subsection;
+	} elsif ($section eq '9') {
+	    $Sec9{$refs} = $desc; $Sec9sub{$refs} = $subsection;
+	} else {			# Catch all
+	    $SecN{$refs} = $desc; $SecNsec{$refs} = $section;
+	    $SecNsub{$refs} = $subsection;
+	}
+    }
+    print_mank_sec(\%Sec1, 1, \%Sec1sub);
+    print_mank_sec(\%Sec2, 2, \%Sec2sub);
+    print_mank_sec(\%Sec3, 3, \%Sec3sub);
+    print_mank_sec(\%Sec4, 4, \%Sec4sub);
+    print_mank_sec(\%Sec5, 5, \%Sec5sub);
+    print_mank_sec(\%Sec6, 6, \%Sec6sub);
+    print_mank_sec(\%Sec7, 7, \%Sec7sub);
+    print_mank_sec(\%Sec8, 8, \%Sec8sub);
+    print_mank_sec(\%Sec9, 9, \%Sec9sub);
+    print_mank_sec(\%SecN, 'N', \%SecNsub, \%SecNsec);
+
+    printtail()  unless $Bare;
+}
+##---------------------------------------------------------------------------
+##	print_mank_sec() prints out manpage cross-refs of a specific section.
+##
+sub print_mank_sec {
+    my($sec, $sect, $secsub, $secsec) = @_;
+    my(@array, @refs, $href, $item, $title, $subsection, $i, $section,
+       $xref);
+    $section = $sect;
+
+    @array = sort keys %$sec;
+    if ($#array >= 0) {
+	print $OutFH "
Section $section
\n",
+		     "
\n";
+	foreach $item (@array) {
+	    @refs = split(/,/, $item);
+	    $section = $secsec->{$item}  if $sect eq 'N';
+	    $subsection = $secsub->{$item};
+	    if ($CgiUrl) {
+		($title = $refs[0]) =~ s/\(\)//g;  # watch out for extra ()'s
+		$xref = eval $CgiUrl;
+	    }
+	    print $OutFH "
\n";
+	    $i = 0;
+	    foreach (@refs) {
+		if ($CgiUrl) {
+		    print $OutFH qq|$_|;
+		} else {
+		    print $OutFH $_;
+		}
+		print $OutFH ", "  if $i < $#refs;
+		$i++;
+	    }
+	    print $OutFH " ($section$subsection)\n",
+			 "
\n",
+			 $sec->{$item}, "
\n";
+	}
+	print $OutFH "
\n";
+    }
+}
+
+##---------------------------------------------------------------------------
+##
+sub usage {
+    print $OutFH < outfile
+Options:
+  -bare            : Do not put in HTML, HEAD, BODY tags
+  -belem     : HTML Element for overstriked text (def: "B")
+  -botm <#>        : Number of lines for bottom margin (def: 7)
+  -cgiurl     : URL for linking to other manpages
+  -cgiurlexp  : Perl expression URL for linking to other manpages
+  -compress        : Compress consective blank lines
+  -headmap   : Filename of user section head map file
+  -help            : This message
+  -k               : Process a keyword search result
+  -leftm <#>       : Character width of left margin (def: 0)
+  -nodepage        : Do not remove pagination lines
+  -noheads         : Turn off section head detection
+  -pgsize <#>      : Number of lines in a page (def: 66)
+  -seealso         : Link to other manpages only in the SEE ALSO section
+  -solaris         : Process keyword search result in Solaris format
+  -sun             : Section heads are not overstriked in input
+  -title   : Title of manpage (def: Not defined)
+  -topm <#>        : Number of lines for top margin (def: 7)
+  -uelem     : HTML Element for underlined text (def: "I")
+
+Description:
+  $PROG takes formatted manpages from STDIN and converts it to HTML sent
+  to STDOUT.  The -topm and -botm arguments are the number of lines to the
+  main body text and NOT to the running headers/footers.
+
+Version:
+  $VERSION
+  Copyright (C) 1995-1997  Earl Hood, ehood\@medusa.acs.uci.edu
+  $PROG comes with ABSOLUTELY NO WARRANTY and $PROG may be copied only
+  under the terms of the GNU General Public License, which may be found in
+  the $PROG distribution.
+
+EndOfUsage
+    exit 0;
+}
diff --git a/doc/man2html.M b/doc/man2html.M
new file mode 100644
index 000000000..537d6073b
--- /dev/null
+++ b/doc/man2html.M
@@ -0,0 +1,761 @@
+.\" sccsid = "@(#)  man2html.1  1.2  08/12/97"
+.\"
+.\" ================================================
+.\" ARGUMENT MACRO:		.Ar "arg" [B]
+.de Ar
+.ie \\$2B  \%\fB\\$1\fR
+.el              \%\fI\\$1\fR
+..
+.\" ================================================
+.\" BRACKETED ARGUMENT MACRO:	.Br "arg" [B]
+.de Br
+.ie \\$2B  \%[\|\fB\\$1\fR\|]
+.el              \%[\|\fI\\$1\fR\|]
+..
+.\" ================================================
+.\" OPTION FLAG MACRO		.Of -x [arg]
+.de Of
+.ie \\n(.$==1      \%[\|\fB\\$1\fR\|]
+.el .if \\n(.$==2  \%[\|\fB\\$1\fR\0\fI\fI\\$2\fR\|]
+..
+.\" ================================================
+.\" SYNOPSIS START MACRO
+.de Ss				.Ss name
+.na
+.nr aA \w\\$1\\0u
+.in +\\n(aAu
+'ti -\\n(aAu
+.ta  \\n(aAu
+\&\fB\\$1\fR\t\c
+..
+.\" ================================================
+.\" SYNOPSIS END MACRO
+.de Se				.Se
+.ad
+.in
+..
+.\" ================================================
+.\"
+.\"
+.TH MAN2HTML 1 "97/08/12"
+.SH NAME
+.na
+man2html \- convert UNIX nroff(1) manual pages to HTML format
+.SH SYNOPSIS
+.na
+.Ss man2html
+.Of -bare
+.Of -belem name
+.Of -botm lines
+.Of -cgiurl string
+.Of -cgiurlexp expr
+.Of -compress
+.Of -headmap mapfile
+.Of -help
+.Of -k
+.Of -leftm chars
+.Of -nodepage
+.Of -noheads
+.Of -pgsize lines
+.Of -seealso
+.Of -solaris
+.Of -sun
+.Of -title string
+.Of -topm lines
+.Of -uelem name
+.Se
+.sp 2
+Typical Usage:
+.sp
+.Ss man2html
+.Of -options
+.BI "\0<\0" infile
+.BI "\0\0>\0" outfile
+.Se
+.sp
+.B man
+.I topic
+.B | man2html
+.Of -options
+.BI "\0>\0" outfile
+.\"
+.SH DESCRIPTION
+.na
+The
+.B man2html
+filter reads formatted nroff text from standard input
+.RI ( stdin )
+and writes a \s-1HTML\s+1 document to standard output
+.RI ( stdout ).
+.LP
+The formatted nroff output is surrounded with
+.B \s-1
\s+1
+tags with the following exceptions/additions:
+.RS 4n
+.LP
+.na
+'ti -2n
+'ta  2n
+\(bu	Section heads are wrapped in \s-1HTML\s+1
+.I header
+tags.
+See the
+.B "\s-1SECTION\ HEAD\ MAP\ FILE\s+1"
+section below for additional information.
+The
+.B \%-noheads
+option can be used to disable this feature.
+.ad
+.LP
+.na
+'ti -2n
+'ta  2n
+\(bu	Bold words designated by a \%""
+sequences are wrapped in
+.B \s-1\s+1
+tags (or the element specified via the
+.B \%-belem
+option).
+.ad
+.LP
+.na
+'ti -2n
+'ta  2n
+\(bu	Underlined words designated by a \%"_"
+sequences are wrapped in
+.B \s-1\s+1
+tags (or the element specified via the
+.B \%-uelem
+option).
+.ad
+.RE
+.SH OPTIONS
+.na
+.TP 0.5i
+.B -bare
+This option will eliminate \s-1HTML\s+1
+.B \s-1\s+1
+and
+.B \s-1\s+1
+tags from the output.
+This is useful when you wish to incorporate the output into another
+\s-1HTML\s+1 document.
+.TP 0.5i 
+.BI -belem\0 name
+Use
+.I name
+as the name of the element to wrap overstriken characters.
+The default is \fBB\fR.
+.TP 0.5i 
+.BI -botm\0 lines
+The
+.I lines
+argument specifies the number of lines representing the bottom
+margin of the formatted nroff input.
+The line count includes any running footers.
+The default value is 7.
+.TP 0.5i
+.BI -cgiurl\0 string
+The
+.I string
+argument specifies a template \s-1URL\s+1 for creating links to other manpages.
+See the
+.B "\s-1LINKING\ TO\ OTHER\ MANPAGES\s+1"
+section below for additional information.
+.TP 0.5i
+.BI -cgiurlexp\0 expr
+The
+.I expr
+argument specifies a Perl expression evaluting to a \s-1URL\s+1 for
+creating links to other manpages.
+See the
+.B "\s-1LINKING\ TO\ OTHER\ MANPAGES\s+1"
+section below for additional information.
+.TP 0.5i
+.B -compress
+Compress consecutive blank lines into a single line.
+.TP 0.5i
+.BI -headmap\0 mapfile
+The
+.I mapfile
+argument is read to determine which \s-1HTML\s+1
+header tags are to be used for various section heading in the manpage.
+See the
+.B "\s-1SECTION\ HEAD\ MAP\ FILE\s+1"
+section below for information on the format of the map file.
+.TP 0.5i
+.B -help
+Print out a short usage message and then exit immediately.
+.TP 0.5i
+.B -k
+Process input resulting from a manpage keyword search
+.RB ( "man\ -k" ).
+See the
+.B "\s-1KEYWORD\ SEARCH\s+1"
+section below for additional information.
+.TP 0.5i
+.BI -leftm\0 chars
+The
+.I chars
+argument specifies the width of the number of characters making
+up the left margin of the formatted nroff input.
+The default value is 0.
+.TP 0.5i
+.B -nodepage
+By default,
+.B man2html
+merges multi-page formatted nroff into a single page.
+This option may be used to disable depagination, causing
+running headers and footers in the formatted nroff input
+to be carried over into the \s-1HTML\s+1 output.
+.TP 0.5i
+.B -noheads
+By default,
+.B man2html
+wraps section heads in \s-1HTML\s+1
+header tags.
+See the
+.B "\s-1SECTION\ HEAD\ MAP\ FILE\s+1"
+section below for additional information.
+This option may be specified to disabled this feature.
+.TP 0.5i
+.BI -pgsize\0 lines
+The
+.I lines
+argument specifies the number of lines making up the page size (length)
+of the formatted nroff input.
+The default value is 66.
+.TP 0.5i
+.B -seealso
+If the
+.B -cgiurl
+option has been specified, then this option restricts the
+creation of links to other manual pages to the
+.B "\%\s-1SEE\ ALSO\s+1"
+section only.
+.TP 0.5i
+.B -solaris
+If the
+.B -k
+option has been specified, then this option modifies its operation
+to process the alternate manual page keyword search format produced
+by the
+.BR man (1)
+utility on systems running
+.IR Solaris .
+See the
+.B "\s-1KEYWORD\ SEARCH\s+1"
+section below for additional information.
+.TP 0.5i
+.B -sun
+Do not require a section head to have bold overstriking in the
+formatted nroff input.
+The option is called
+.B \%sun
+because it was on a Sun workstation that section heads in
+manpages were found to not be overstruck.
+.TP 0.5i
+.BI -title\0 string
+By default,
+.B man2html
+does not generate a \s-1HTML\s+1 title
+.RB ( \s-1\s+1 ).
+This option sets the title of the \s-1HTML\s+1 output to the specified
+.IR string .
+.TP 0.5i
+.BI -topm\0 lines
+The
+.I lines
+argument specifies number number of lines representing the
+top margin of the formatted nroff input.
+The line count includes any running headers.
+The default value is 7.
+.TP 0.5i 
+.BI -uelem\0 name
+Use
+.I name
+as the name of the element to wrap underscored characters.
+The default is \fBI\fR.
+.\"
+.SH "SECTION HEAD MAP FILE"
+.na
+.LP
+The
+.B \%-headmap
+option may be used to customize which \s-1HTML\s+1 header tags,
+.BR "\s-1<H1>\s+1 ... \s-1<H6>\s+1" ,
+are used in manpage section headings.
+Normally,
+.B man2html
+treats lines that are flush to the left margin
+.RB ( -leftm ),
+and contain overstriking (overstrike check is canceled with the
+.B -sun
+option), as section heads.
+However, you can augment/override what \s-1HTML\s+1 header tags are used for
+any given section head.
+.LP
+In order to write a section head map file, you will need to know about
+.BR perl (1)
+associative arrays.
+You do not need to be an expert in
+.B perl
+to write a map file, however, having knowledge of
+.B perl
+allows you to be more clever.
+.\"
+.SS "Augmenting the Default Map" 
+.LP
+To add to the default mapping defined by
+.BR man2html ,
+your map file will contain lines with the following syntax:
+.sp
+.if t .RS 4n
+.B "$SectionHead{'<section head text>'} = '<html header tag>';"
+.if t .RE
+.sp
+where
+.IP "\fB\%<section\ head\ text>\fR"
+is the text of the manpage section head.
+For example:
+.B  \s-1SYNOPSIS\s+1
+or
+.BR \s-1DESCRIPTION\s+1 .
+.IP "\fB\%<html\ header\ tag>\fR"
+is the \s-1HTML\s+1 header tag to wrap the section head in.
+Legal values are:
+.BR \s-1<H1>\s+1 ,
+.BR \s-1<H2>\s+1 ,
+.BR \s-1<H3>\s+1 ,
+.BR \s-1<H4>\s+1 ,
+.BR \s-1<H5>\s+1 ,
+.BR \s-1<H6>\s+1 .
+.SS "Overriding the Default Map"
+To override the default mapping with your own, then your map file will
+have the following syntax:
+.sp
+.RS 4n
+.ft B
+.nf
+.ne 6v
+%SectionHead = (
+         \&'<section head text>', '<html header tag>',
+         \&'<section head text>', '<html header tag>',
+         \&# ... More section head/tag pairs
+         \&'<section head text>', '<html header tag>',
+);
+.fi
+.ft
+.RE
+.SS "The Default Map"
+.LP
+As of this writing, this is the default map used by
+.BR man2html :
+.RS 4n
+.sp
+.ft C
+.nf
+.ne 29v
+%SectionHead = (
+.ps -1
+    \&'\\S.*OPTIONS.*'             => '<H2>',
+    \&'AUTHORS?'                  => '<H2>',
+    \&'BUGS'                      => '<H2>',
+    \&'COMPATIBILITY'             => '<H2>',
+    \&'DEPENDENCIES'              => '<H2>',
+    \&'DESCRIPTION'               => '<H2>',
+    \&'DIAGNOSTICS'               => '<H2>',
+    \&'ENVIRONMENT'               => '<H2>',
+    \&'ERRORS'                    => '<H2>',
+    \&'EXAMPLES'                  => '<H2>',
+    \&'EXTERNAL INFLUENCES'       => '<H2>',
+    \&'FILES'                     => '<H2>',
+    \&'LIMITATIONS'               => '<H2>',
+    \&'NAME'                      => '<H2>',
+    \&'NOTES?'                    => '<H2>',
+    \&'OPTIONS'                   => '<H2>',
+    \&'REFERENCES'                => '<H2>',
+    \&'RETURN VALUE'              => '<H2>',
+    \&'SECTION.*:'                => '<H2>',
+    \&'SEE ALSO'                  => '<H2>',
+    \&'STANDARDS CONFORMANCE'     => '<H2>',
+    \&'STYLE CONVENTION'          => '<H2>',
+    \&'SYNOPSIS'                  => '<H2>',
+    \&'SYNTAX'                    => '<H2>',
+    \&'WARNINGS'                  => '<H2>',
+    \&'\\s+Section.*:'             => '<H3>',
+.ps +1
+);
+$HeadFallback = '\s-1<H2>\s+1';  # Fallback tag if above is not found.
+.fi
+.ft
+.RE
+.LP
+Check the
+.B perl
+source code of
+.B man2html
+for the latest default mapping.
+.LP 
+You can reassign the
+.B \%$HeadFallback
+variable to a different value if you choose.
+This value is used as the header tag of a section head if
+no matches are found in the \%\fB%SectionHead\fR map.
+.SS "Using Regular Expressions in the Map File"
+.LP
+You may have noticed unusual characters in the default map file, like
+"\\s" or "*".
+The
+.B man2html
+utility actual treats the
+.B "\%<section\ head\ text>"
+as a
+.B perl
+regular expression.
+If you are comfortable with
+.B perl
+regular expressions, then you have their full power to use
+in your map file.
+.LP
+.I Caution:
+The
+.B man2html
+utility already anchors the regular expression to the beginning of the
+line with left margin spacing specified by the
+.B \%-leftm
+option.
+Therefore, do not use the `\fB\fR^' character to anchor your regular
+expression to the beginning.
+However, you may end your expression with a `\fB$\fR' to anchor it to
+the end of the line.
+.LP 
+Since the
+.B "\%<section\ head\ text>"
+is actually a regular expression, you will have to be careful of
+special characters if you want them to be treated literally.
+Any of the characters
+.RB ` "[ ] ( ) . ^ { } $ * ? + \\ |" '
+should be escaped by prefixing them by the
+\&`\fB\\\fR' character if you want
+.B perl
+to treat them "as is".
+.LP
+.I Caution:
+One should use single quotes instead of double quotes to delimit
+.BR "\%<section\ head\ text>" .
+This will preserve any `\fB\\\fR' characters for character escaping
+or when the `\fB\\\fR' is used for special
+.B perl
+character matching sequences (e.g.,  \fB\\s\fR, \fB\\w\fR, \fB\\S\fR).
+.SS "Other Tid-bits on the Map File"
+.LP
+Comments can be inserted in the map file by using the '\fB#\fR'
+character.
+Anything after, and including, the '\fB#\fR' character is ignored,
+up to the end of line.
+.LP 
+You might be thinking that the above is quite-a-bit-of-stuff just for
+doing manpage section heads.
+However, you will be surprised how much better the \s-1HTML\s+1 output looks
+with header tags, even though, everything else is in a
+.B \s-1<PRE>\s+1
+tag.
+.\"
+.SH "LINKING TO OTHER MANPAGES"
+.na
+.LP 
+The
+.B man2html
+utility allows the ability to link to other manpage references.
+If the
+.B \%-cgiurl
+option is specified,
+.B man2html
+will create anchors that link to other manpages.
+.LP 
+The \s-1URL\s+1 entered with the
+.B \%-cgiurl
+option is actually a template that determines the actual \s-1URL\s+1 used to
+link to other manpages.
+The following variables are defined during run time that may be used in
+the template string:
+.sp
+.RS 4n
+.IP \fB$title\fR
+The title of the manual page referenced.
+.IP \fB$section\fR
+The section number of the manual page referenced.
+.IP \fB$subsection\fR
+The subsection of the manual page referenced.
+.RE
+.LP
+Any other text in the template is preserved "as is".
+.LP
+.I Caution:
+The
+.B man2html
+utility evaluates the template string as a
+.B perl
+string expression.
+Therefore, one might need to surround the variable names with
+\&'\fB{\|}\fR' (e.g.,
+.BR ${\|title\|}\| )
+so that
+.B man2html
+properly recognizes the variable.
+.LP
+.I Note:
+If a \s-1CGI\s+1 program calling
+.B man2html
+is actually a shell script or a
+.B perl
+program, make sure to properly escape the '\fB$\fR' character
+in the \s-1URL\s+1 template to avoid variable interpolation by the \s-1CGI\s+1
+program.
+.LP
+Normally, the \s-1URL\s+1 calls a \s-1CGI\s+1 program (hence the option name),
+but the \s-1URL\s+1 can easily link to statically converted documents.
+.SS "Example1:"
+.LP 
+The following template string is specified to call a \s-1CGI\s+1 program to
+retrieve the appropriate manpage linked to:
+.LP
+.nf
+.B "/cgi-bin/man.cgi?section=${section}${subsection}&topic=${title}"
+.fi
+.LP 
+If the
+.BR ls (1)
+manpage is referenced in the
+.B "SEE ALSO"
+section, the above template will translate to the following \s-1URL\s+1:
+.LP
+.B "/cgi-bin/man.cgi?section=1&topic=ls"
+.LP 
+The actual \s-1HTML\s+1 markup will look like the following:
+.LP
+\fB<A\ HREF="/cgi-bin/man.cgi?section=1&topic=ls">ls(1)</A>\fR
+.SS "Example2:"
+.LP 
+The following template string is specified to retrieve pre-converted
+manpages:
+.LP
+.B "http://foo.org/man$section/$title.$section$subsection.html"
+.LP 
+If the
+.BR mount (1M)
+manpage is referenced, the above template will translate to the
+following \s-1URL\s+1:
+.LP
+.B "http://foo.org/man1/mount.1M.html"
+.LP 
+The actual \s-1HTML\s+1 markup will look like the following:
+.LP
+\fB<A HREF="http://foo.org/man1/mount.1M.html">mount(1M)</A>\fR
+.SS "-cgiurlexp"
+The option
+.B \%-cgiurlexp
+is a more general form of the
+.B \%-cgiurl
+option.
+.B \%-cgiurlexp
+allows one to specify a general Perl expression.  For example:
+.LP
+\fB$title=~/^db_/i?"$title.html":"/cgi-bin/man?$title+$section"\fR
+.LP
+A
+.B \%-cgiurl
+.I string
+can be expressed as follows with \fB-cgiurlexp\fR:
+.LP
+\fBreturn "\fIstring\fB"\fR
+.\"
+.SH "KEYWORD SEARCH"
+.na
+.LP
+The
+.B man2html
+utility has the ability to process keyword search output generated
+by the \%\fBman\ -k\fR or \%\fBapropos\fR commands, through the
+use of the
+.B -k
+option.
+The
+.B man2html
+utility will generate an \s-1HTML\s+1 document of the keyword search input
+having the following format:
+.RS 4n 
+.LP
+.na
+'ti -2n
+'ta  2n
+\(bu	All manpage references are listed by section.
+.ad
+.LP
+.na
+'ti -2n
+'ta  2n
+\(bu	Within each section listing, the manpage references
+are sorted alphabetically (case-sensitive) in a
+.B \s-1<DL>\s+1
+tag.
+The manpage references are listed in the
+.B \s-1<DT>\s+1
+section, and the summary text is listed in the
+.B \s-1<DD>\s+1
+section.
+.ad
+.LP
+.na
+'ti -2n
+'ta  2n
+\(bu	Each manpage reference listed is a hyperlink to the
+actual manpage as specified by the
+.B \%-cgiurl
+option.
+.ad
+.RE
+.LP 
+.na
+This ability to process keyword searches gives nice added functionality
+to a \s-1WWW\s+1 forms interface to
+.BR man (1).
+Even if you have statically converted manpages to \s-1HTML\s+1 via another
+man->\s-1HTML\s+1 program, you can use
+.B man2html
+and "\fBman\ -k\fR" to provide keyword search capabilities easily for
+your \s-1HTML\s+1 manpages.
+.SS "Processing Keyword Search Results"
+.na
+.LP 
+Unfortunately, there is no standard controlling the format of keyword
+search results.
+The
+.B man2html
+utility tries it best to handle all the variations.
+However, the keyword search results generated by the
+.I Solaris
+operating system is different enough from other systems that a
+special command-line option
+.RB ( -solaris )
+must be specified to handle its output.
+.SS "Example of raw Solaris-type keyword search results:"
+.LP
+.ft C
+.nf
+.ne 10v
+strcpy        strcpy (9f)  - copy a string from one location to another.
+strcpy        string (3c)  - string operations
+strncpy       strcpy (9f)  - copy a string from one location to another.
+strncpy       string (3c)  - string operations
+.fi
+.ft
+.LP 
+If keyword search results on your systems appear in the following format:
+.LP
+.RS 4n
+.B "<topic>  <actual_manpage> (#) - Description"
+.RE
+.LP
+then you need to specify the
+.B \%-solaris
+option in addition to the
+.B -k
+option.
+.SH "ADDITIONAL NOTES"
+.na
+.LP
+Different systems format manpages differently.
+Here is a list of recommended command-line options for certain systems:
+.RS 4n
+.LP
+.ta 1i
+.nf
+.ne 3v
+\fBConvex\fR:	<defaults should be okay>
+\fBHP\fR:	\fB-leftm 1 -topm 8\fR
+\fBSun\fR:	\fB-sun\fR (and \fB-solaris\fR when using \fB-k\fR)
+.fi
+.RE
+.LP
+Some line spacing gets lost in the formatted nroff since the
+spacing would occur in the middle of a page break.
+This can cause text to be merged that shouldn't be merged when
+.B man2html
+depaginates the text.
+To avoid this problem,
+.B man2html
+keeps track of the margin indent right before and after a page break.
+If the margin width of the line after the page break is less than the
+line before the page break, then
+.B man2html
+inserts a blank line in the \s-1HTML\s+1 output.
+.LP 
+A manpage cross-reference is detected by the following pseudo expression:
+\%\fB[A-z.-+_]+([0-9][A-z]?)\fR
+.LP
+The
+.B man2html
+utility only recognizes lines with "\fB - \fR" (the normal separator
+between manpage references and summary text) while in keyword
+search mode.
+.LP 
+The
+.B man2html
+utility can be hooked in a \s-1CGI\s+1 script/program to convert manpages
+on the fly.
+This is the reason for the
+.B \%-cgiurl
+option.
+.SH LIMITATIONS
+.na
+.LP 
+The order that section head mapping is searched is not defined.
+Therefore, if two or more
+.B "\%<section\ head\ text>"
+can match a give manpage section, there is no way to determine
+which map tag is chosen.
+.LP 
+If
+.B \%-seealso
+is specified, all xrefs are detected after the
+.B "\%SEE\ ALSO"
+heading.
+In other words, sections after
+.B "\%SEE\ ALSO"
+may contain hyperlinked xrefs.
+.SH BUGS
+.na
+.LP 
+Text that is flush to the left margin, but is not actually a
+section head, can be mistaken for a section head.
+This mistake is more likely when the
+.B \%-sun
+option is in affect.
+.SH VERSION
+.na
+This documentation describes
+.B man2html
+version 3.0.1
+.SH "SEE ALSO"
+.na
+.BR man (1),
+.BR nroff (1),
+.BR perl (1)
+.LP
+.I http://www.oac.uci.edu/indiv/ehood/man2html.html
+.SH AUTHOR
+.LP
+.B Earl Hood
+.br
+.I ehood@medusa.acs.uci.edu
+.\"
+.SH "ERRORS AND OMISSIONS"
+.na
+Troff version of this document initially created for version 2.1.0
+by C. Jeffery Small
+.RI ( jeff@cjsa.com )
+by copying, reformatting, rearranging and partially rewriting
+the contents of the ascii text file
+.BR doc/man2html.txt .
diff --git a/doc/salts.texinfo b/doc/salts.texinfo
new file mode 100644
index 000000000..3ed43db0e
--- /dev/null
+++ b/doc/salts.texinfo
@@ -0,0 +1,19 @@
+@ignore 
+the information in this file should be consistent with the information
+in krb5/src/lib/krb5/krb/str_conv.c, in the struct salttype_lookup_entry
+@end ignore
+
+@table @code
+@item normal
+default for Kerberos Version 5
+@item v4
+the only type used by Kerberos Version 4, no salt
+@item norealm
+same as the default, without using realm information
+@item onlyrealm
+uses only realm information as the salt
+@item afs3
+AFS version 3, only used for compatibility with Kerberos 4 in AFS
+@item special
+only used in very special cases; not fully supported
+@end table
diff --git a/doc/support-enc.texinfo b/doc/support-enc.texinfo
new file mode 100644
index 000000000..3f030bad9
--- /dev/null
+++ b/doc/support-enc.texinfo
@@ -0,0 +1,27 @@
+@ignore 
+the information in this file should be consistent with the information
+in krb5/src/lib/crypto/etypes.c (and krb5/src/include/krb5.h[in]?)
+@end ignore
+
+@table @code
+@item des-cbc-crc 
+DES cbc mode with CRC-32
+@item des-cbc-md4 
+DES cbc mode with RSA-MD4
+@item des-cbc-md5 
+DES cbc mode with RSA-MD5
+@item des3-cbc-sha1 
+@itemx des3-hmac-sha1
+@itemx des3-cbc-sha1-kd
+triple DES cbc mode with HMAC/sha1
+@item des-hmac-sha1 
+DES with HMAC/sha1
+@item arcfour-hmac 
+@itemx rc4-hmac
+@itemx arcfour-hmac-md5
+RC4 with HMAC/MD5
+@item arcfour-hmac-exp 
+@itemx rc4-hmac-exp
+@itemx arcfour-hmac-md5-exp
+exportable RC4 with HMAC/MD5
+@end table
diff --git a/doc/user-guide.texinfo b/doc/user-guide.texinfo
index 59b9b08c5..78c45df40 100644
--- a/doc/user-guide.texinfo
+++ b/doc/user-guide.texinfo
@@ -36,6 +36,7 @@
 
 @ifinfo
 This file describes how to use the @value{PRODUCT} client programs.
+@end ifinfo
 
 @c The master menu is updated using emacs19's M-x texinfo-all-menus-update
 @c function.  Don't forget to run M-x texinfo-every-node-update after
@@ -62,7 +63,6 @@ This file describes how to use the @value{PRODUCT} client programs.
 @unnumbered Copyright
 
 @include copyright.texinfo
-@end ifinfo
 
 @node Introduction, Kerberos V5 Tutorial, Copyright, Top
 @chapter Introduction
@@ -96,11 +96,11 @@ a layer of security that is not dependent on which side of a firewall
 either client is on.  Since studies have shown that half of the computer
 security breaches in industry happen from @i{inside} firewalls,
 @value{COMPANY}'s @value{PRODUCT} plays a vital role in maintaining your
-nework security.
+network security.
 
 The @value{PRODUCT} package is designed to be easy to use.  Most of the
-commands are nearly identical to UNIX network programs you are already
-used to.  @value{PRODUCT} is a @dfn{single-sign-on} system, which means
+commands are nearly identical to UNIX network programs you already
+use.  @value{PRODUCT} is a @dfn{single-sign-on} system, which means
 that you have to type your password only once per session, and Kerberos
 does the authenticating and encrypting transparently.
 
@@ -226,12 +226,92 @@ or use a screensaver that locks the screen.
 
 @need 2000
 @menu
+* Kerberos Ticket Properties::  
 * Obtaining Tickets with kinit::  
 * Viewing Your Tickets with klist::  
 * Destroying Your Tickets with kdestroy::  
 @end menu
 
-@node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Ticket Management, Ticket Management
+@node Kerberos Ticket Properties, Obtaining Tickets with kinit, Ticket Management, Ticket Management
+@subsection Kerberos Ticket Properties
+
+There are various properties that Kerberos tickets can have:
+
+If a ticket is @dfn{forwardable}, then the KDC can issue a new ticket with
+a different network address based on the forwardable ticket.  This
+allows for authentication forwarding without requiring a password to be
+typed in again.  For example, if a user with a forwardable TGT logs
+into a remote system, the KDC could issue a new TGT for that user with
+the netword address of the remote system, allowing authentication on
+that host to work as though the user were logged in locally.
+
+When the KDC creates a new ticket based on a forwardable ticket, it
+sets the @dfn{forwarded} flag on that new ticket.  Any tickets that are
+created based on a ticket with the forwarded flag set will also have
+their forwarded flags set.
+
+A @dfn{proxiable} ticket is similar to a forwardable ticket in that it
+allows a service to take on the identity of the client.  Unlike a
+forwardable ticket, however, a proxiable ticket is only issued for
+specific services.  In other words, a ticket-granting ticket cannot be
+issued based on a ticket that is proxiable but not forwardable.
+
+A @dfn{proxy} ticket is one that was issued based on a proxiable ticket.
+
+If a tickets is @dfn{postdated}, this means that it will become valid at a
+specific time in the future.  Postdated tickets can be issued for the
+time at which a job is going to start so that the time that valid
+tickets exist unused on a machine is minimized.
+
+Tickets with the @dfn{postdateable} flag set can be used to issue postdated
+tickets.
+
+@dfn{Renewable} tickets can be used to obtain new session keys without the
+user entering a new password.  A renewable ticket has two expiration
+times.  The first is the time at which this particular ticket expires.
+The second is the latest possible expiration time for any ticket issued
+based on this renewable ticket.
+
+A ticket with the @dfn{initial} flag set was issued based on the
+authentication protocol, and not on a ticket-granting ticket.   Clients
+that wish to ensure that the user's key has been recently presented for
+verification could specify that this flag must be set to accept the
+ticket.
+
+An @dfn{initial} ticket must be rejected by application servers.  Postdated
+tickets are usually issued with this flag set, and must be validated by
+the KDC before they can be used.
+
+A @dfn{preauthenticated} ticket is one that was only issued after the
+client requesting the ticket had authenticated itself to the KDC.
+
+The @dfn{hardware authentication} flag is set on a ticket which required
+the use of hardware expected to be possessed soley by the requesting
+client for authentication.
+
+If a ticket has the @dfn{transit policy checked} flag set, the the KDC that
+issued this ticket implements the transited-realm check policy and
+checked the transited-realms list on the ticket.  The transited-realms
+list contains a list of all intermediate realms between the realm of the
+KDC that issued the first ticket and that of the one that issued the
+current ticket.  If this flag is not set, then the application server
+must check the transited realms itself or else reject the ticket.
+
+The @dfn{okay as delegate} flag indicates that the server specified in the
+ticket is suitable as a delegate as determined by the policy of that
+realm.  A server that is acting as a delegate has been granted a proxy
+or a forwarded TGT.  The client can use this flag in its decision of
+whether or not to use this server as a delgate.  This flag is a new
+addition to the @value{PRODUCT} protocol and is not yet implemented on MIT
+servers.
+
+An @dfn{anonymous}  ticket is one in which the named principal is a generic
+principal for that realm; it does not actually specify the individual
+that will be using the ticket.  This ticket is meant only to securely
+distribute a session key.  This is a new addition to the @value{PRODUCT}
+protocol and is not yet implemented on MIT servers.
+
+@node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Kerberos Ticket Properties, Ticket Management
 @subsection Obtaining Tickets with kinit
 
 If your site is using the @value{PRODUCT} login program, you will get
@@ -438,6 +518,16 @@ post@b{d}ated
 @b{I}nitial
 @itemx i
 @b{i}nvalid
+@itemx H
+@b{H}ardeware authenticated
+@itemx A
+pre@b{A}uthenticated
+@itemx T
+@b{T}ransit policy checked
+@itemx O
+@b{O}kay as delegate
+@itemx a
+@b{a}nonymous
 @end table
 
 @need 1500
@@ -893,7 +983,7 @@ requests tickets for the remote host in the specified realm, instead of
 determining the realm itself.
 
 @itemx -x, --encrypt
-turns on encryption.
+encrypts the input and output data streams (the command line is not encrypted)
 
 @itemx --noencrypt
 turns off encryption.
@@ -936,7 +1026,7 @@ and request an encrypted session as follows:
 @smallexample
 @group
 @b{shell%} rlogin @value{RANDOMHOST2}.@value{SECONDDOMAIN} -f -x
-@b{This rlogin session is using DES encryption for all data transmissions.
+@b{This rlogin session is encrypting all data transmissions.
 Last login: Thu Jun 20 16:20:50 from @value{RANDOMHOST1}
 SunOS Release 4.1.4 (GENERIC) #2: Tue Nov 14 18:09:31 EST 1995
 Not checking quotas. Try quota.real if you need them.
@@ -1043,7 +1133,7 @@ requests tickets for the remote host in the specified realm, instead of
 determining the realm itself.
 
 @itemx -x, --encrypt
-turns on encryption.
+encrypts the input and output data streams (the command line is not encrypted)
 
 @itemx --noencrypt
 turns off encryption.
@@ -1057,7 +1147,7 @@ run the @samp{date} program as follows:
 @smallexample
 @group
 @b{shell%} rsh @value{RANDOMHOST2}.@value{SECONDDOMAIN} -l root -x date
-@b{This rsh session is using DES encryption for all data transmissions.
+@b{This rsh session is encrypting input/output data transmissions.
 Fri Jun 21 17:06:12 EDT 1996
 shell%}
 @end group
@@ -1352,6 +1442,12 @@ M-x manual-entry @emph{command}
 Type @kbd{M-x manual-entry kinit} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="kinit.html"> kinit manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node klist Reference, kdestroy Reference, kinit Reference, Kerberos V5 Reference
 @section klist Reference
 
@@ -1364,6 +1460,12 @@ Type @kbd{M-x manual-entry kinit} to read this manual page.
 Type @kbd{M-x manual-entry klist} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="klist.html"> klist manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node kdestroy Reference, kpasswd Reference, klist Reference, Kerberos V5 Reference
 @section kdestroy Reference
 
@@ -1376,6 +1478,12 @@ Type @kbd{M-x manual-entry klist} to read this manual page.
 Type @kbd{M-x manual-entry kdestroy} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="kdestroy.html"> kdestroy manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node kpasswd Reference, telnet Reference, kdestroy Reference, Kerberos V5 Reference
 @section kpasswd Reference
 
@@ -1388,6 +1496,12 @@ Type @kbd{M-x manual-entry kdestroy} to read this manual page.
 Type @kbd{M-x manual-entry kpasswd} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="kpasswd.html"> kpasswd manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node telnet Reference, rlogin Reference, kpasswd Reference, Kerberos V5 Reference
 @section telnet Reference
 
@@ -1432,6 +1546,12 @@ Type @kbd{M-x manual-entry kpasswd} to read this manual page.
 Type @kbd{M-x manual-entry telnet} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="telnet.html"> telnet manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node rlogin Reference, FTP Reference, telnet Reference, Kerberos V5 Reference
 @section rlogin Reference
 
@@ -1448,6 +1568,12 @@ Type @kbd{M-x manual-entry telnet} to read this manual page.
 Type @kbd{M-x manual-entry rlogin} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="rlogin.html"> rlogin manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node FTP Reference, rsh Reference, rlogin Reference, Kerberos V5 Reference
 @section FTP Reference
 
@@ -1488,6 +1614,12 @@ Type @kbd{M-x manual-entry rlogin} to read this manual page.
 Type @kbd{M-x manual-entry FTP} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="ftp.html"> ftp manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node rsh Reference, rcp Reference, FTP Reference, Kerberos V5 Reference
 @section rsh Reference
 
@@ -1504,6 +1636,12 @@ Type @kbd{M-x manual-entry FTP} to read this manual page.
 Type @kbd{M-x manual-entry rsh} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="rsh.html"> rsh manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node rcp Reference, ksu Reference, rsh Reference, Kerberos V5 Reference
 @section rcp Reference
 
@@ -1516,6 +1654,12 @@ Type @kbd{M-x manual-entry rsh} to read this manual page.
 Type @kbd{M-x manual-entry rcp} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="rcp.html"> rcp manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node ksu Reference,  , rcp Reference, Kerberos V5 Reference
 @section ksu Reference
 
@@ -1544,6 +1688,12 @@ Type @kbd{M-x manual-entry rcp} to read this manual page.
 Type @kbd{M-x manual-entry ksu} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="ksu.html"> ksu manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node Kerberos Glossary,  , Kerberos V5 Reference, Top
 @appendix Kerberos Glossary