Fixes from NetBSD via Thomas Klausner and Roland C. Dowdeswell

admin/ktutil.8

@@ -53,72 +53,43 @@
 is a program for managing keytabs.
 Supported options:
 .Bl -tag -width Ds
-.It Xo
-.Fl v ,
-.Fl -verbose
-.Xc
+.It Fl v , Fl -verbose
 Verbose output.
 .El
 .Pp
 .Ar command
 can be one of the following:
 .Bl -tag -width srvconvert
-.It add Xo
-.Op Fl p Ar principal
-.Op Fl -principal= Ns Ar principal
-.Op Fl V Ar kvno
-.Op Fl -kvno= Ns Ar kvno
-.Op Fl e Ar enctype
-.Op Fl -enctype= Ns Ar enctype
-.Op Fl w Ar password
-.Op Fl -password= Ns Ar password
-.Op Fl r
-.Op Fl -random
-.Op Fl s
-.Op Fl -no-salt
-.Op Fl H
-.Op Fl -hex
-.Xc
+.It add Oo Fl p Ar principal Oc Oo Fl -principal= Ns Ar principal Oc \
+Oo Fl V Ar kvno Oc Oo Fl -kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \
+Oo Fl -enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \
+Oo Fl -password= Ns Ar password Oc Oo Fl r Oc Oo Fl -random Oc \
+Oo Fl s Oc Oo Fl -no-salt Oc Oo Fl H Oc Op Fl -hex
 Adds a key to the keytab. Options that are not specified will be
 prompted for. This requires that you know the password or the hex key of the
 principal to add; if what you really want is to add a new principal to
 the keytab, you should consider the
 .Ar get
 command, which talks to the kadmin server.
-.It change Xo
-.Op Fl r Ar realm
-.Op Fl -realm= Ns Ar realm
-.Op Fl -a Ar host
-.Op Fl -admin-server= Ns Ar host
-.Op Fl -s Ar port
-.Op Fl -server-port= Ns Ar port
-.Xc
+.It change Oo Fl r Ar realm Oc Oo Fl -realm= Ns Ar realm Oc \
+Oo Fl -a Ar host Oc Oo Fl -admin-server= Ns Ar host Oc \
+Oo Fl -s Ar port Oc Op Fl -server-port= Ns Ar port
 Update one or several keys to new versions.  By default, use the admin
 server for the realm of a keytab entry.  Otherwise it will use the
 values specified by the options.
 .Pp
 If no principals are given, all the ones in the keytab are updated.
-.It copy Xo
-.Ar keytab-src
-.Ar keytab-dest
-.Xc
+.It copy Ar keytab-src Ar keytab-dest
 Copies all the entries from
 .Ar keytab-src
 to
 .Ar keytab-dest .
-.It get Xo
-.Op Fl p Ar admin principal
-.Op Fl -principal= Ns Ar admin principal
-.Op Fl e Ar enctype
-.Op Fl -enctypes= Ns Ar enctype
-.Op Fl r Ar realm
-.Op Fl -realm= Ns Ar realm
-.Op Fl a Ar admin server
-.Op Fl -admin-server= Ns Ar admin server
-.Op Fl s Ar server port
-.Op Fl -server-port= Ns Ar server port
-.Ar principal ...
-.Xc
+.It get Oo Fl p Ar admin principal Oc \
+Oo Fl -principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \
+Oo Fl -enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \
+Oo Fl -realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \
+Oo Fl -admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \
+Oo Fl -server-port= Ns Ar server port Oc Ar principal ...
 For each
 .Ar principal ,
 generate a new key for it (creating it if it doesn't already exist),
@@ -128,35 +99,22 @@ If no
 .Ar realm
 is specified, the realm to operate on is taken from the first
 principal.
-.It list Xo
-.Op Fl -keys
-.Op Fl -timestamp
-.Xc
+.It list Oo Fl -keys Oc Op Fl -timestamp
 List the keys stored in the keytab.
-.It remove Xo
-.Op Fl p Ar principal
-.Op Fl -principal= Ns Ar principal
-.Op Fl V kvno
-.Op Fl -kvno= Ns Ar kvno
-.Op Fl e enctype
-.Op Fl -enctype= Ns Ar enctype
-.Xc
+.It remove Oo Fl p Ar principal Oc Oo Fl -principal= Ns Ar principal Oc \
+Oo Fl V kvno Oc Oo Fl -kvno= Ns Ar kvno Oc Oo Fl e enctype Oc \
+Oo Fl -enctype= Ns Ar enctype Oc
 Removes the specified key or keys. Not specifying a
 .Ar kvno
 removes keys with any version number. Not specifying an
 .Ar enctype
 removes keys of any type.
-.It rename Xo
-.Ar from-principal
-.Ar to-principal
-.Xc
+.It rename Ar from-principal Ar to-principal
 Renames all entries in the keytab that match the
 .Ar from-principal
 to
 .Ar to-principal .
-.It purge Xo
-.Op Fl -age= Ns Ar age
-.Xc
+.It purge Op Fl -age= Ns Ar age
 Removes all old versions of a key for which there is a newer version
 that is at least
 .Ar age

kadmin/kadmin.8

@@ -40,34 +40,13 @@
 .Sh SYNOPSIS
 .Nm
 .Bk -words
-.Oo Fl p Ar string \*(Ba Xo
-.Fl -principal= Ns Ar string
-.Xc
-.Oc
-.Oo Fl K Ar string \*(Ba Xo
-.Fl -keytab= Ns Ar string
-.Xc
-.Oc
-.Oo Fl c Ar file \*(Ba Xo
-.Fl -config-file= Ns Ar file
-.Xc
-.Oc
-.Oo Fl k Ar file \*(Ba Xo
-.Fl -key-file= Ns Ar file
-.Xc
-.Oc
-.Oo Fl r Ar realm \*(Ba Xo
-.Fl -realm= Ns Ar realm
-.Xc
-.Oc
-.Oo Fl a Ar host \*(Ba Xo
-.Fl -admin-server= Ns Ar host
-.Xc
-.Oc
-.Oo Fl s Ar port number \*(Ba Xo
-.Fl -server-port= Ns Ar port number
-.Xc
-.Oc
+.Op Fl p Ar string \*(Ba Fl -principal= Ns Ar string
+.Op Fl K Ar string \*(Ba Fl -keytab= Ns Ar string
+.Op Fl c Ar file \*(Ba Fl -config-file= Ns Ar file
+.Op Fl k Ar file \*(Ba Fl -key-file= Ns Ar file
+.Op Fl r Ar realm \*(Ba Fl -realm= Ns Ar realm
+.Op Fl a Ar host \*(Ba Fl -admin-server= Ns Ar host
+.Op Fl s Ar port number \*(Ba Fl -server-port= Ns Ar port number
 .Op Fl l | Fl -local
 .Op Fl h | Fl -help
 .Op Fl v | Fl -version
@@ -84,45 +63,21 @@ option).
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
-.Fl p Ar string ,
-.Fl -principal= Ns Ar string
-.Xc
+.It Fl p Ar string , Fl -principal= Ns Ar string
 principal to authenticate as
-.It Xo
-.Fl K Ar string ,
-.Fl -keytab= Ns Ar string
-.Xc
+.It Fl K Ar string , Fl -keytab= Ns Ar string
 keytab for authentication principal
-.It Xo
-.Fl c Ar file ,
-.Fl -config-file= Ns Ar file
-.Xc
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 location of config file
-.It Xo
-.Fl k Ar file ,
-.Fl -key-file= Ns Ar file
-.Xc
+.It Fl k Ar file , Fl -key-file= Ns Ar file
 location of master key file
-.It Xo
-.Fl r Ar realm ,
-.Fl -realm= Ns Ar realm
-.Xc
+.It Fl r Ar realm , Fl -realm= Ns Ar realm
 realm to use
-.It Xo
-.Fl a Ar host ,
-.Fl -admin-server= Ns Ar host
-.Xc
+.It Fl a Ar host , Fl -admin-server= Ns Ar host
 server to contact
-.It Xo
-.Fl s Ar port number ,
-.Fl -server-port= Ns Ar port number
-.Xc
+.It Fl s Ar port number , Fl -server-port= Ns Ar port number
 port to use
-.It Xo
-.Fl l ,
-.Fl -local
-.Xc
+.It Fl l , Fl -local
 local admin mode
 .El
 .Pp
@@ -148,10 +103,7 @@ Commands include:
 .Nm add
 .Op Fl r | Fl -random-key
 .Op Fl -random-password
-.Oo Fl p Ar string \*(Ba Xo
-.Fl -password= Ns Ar string
-.Xc
-.Oc
+.Op Fl p Ar string \*(Ba Fl -password= Ns Ar string
 .Op Fl -key= Ns Ar string
 .Op Fl -max-ticket-life= Ns Ar lifetime
 .Op Fl -max-renewable-life= Ns Ar lifetime

kadmin/kadmind.8

@@ -117,34 +117,17 @@ glob-style pattern.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar file ,
-.Fl -config-file= Ns Ar file
-.Xc
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 location of config file
-.It Xo
-.Fl k Ar file ,
-.Fl -key-file= Ns Ar file
-.Xc
+.It Fl k Ar file , Fl -key-file= Ns Ar file
 location of master key file
-.It Xo
-.Fl -keytab= Ns Ar keytab
-.Xc
+.It Fl -keytab= Ns Ar keytab
 what keytab to use
-.It Xo
-.Fl r Ar realm ,
-.Fl -realm= Ns Ar realm
-.Xc
+.It Fl r Ar realm , Fl -realm= Ns Ar realm
 realm to use
-.It Xo
-.Fl d ,
-.Fl -debug
-.Xc
+.It Fl d , Fl -debug
 enable debugging
-.It Xo
-.Fl p Ar port ,
-.Fl -ports= Ns Ar port
-.Xc
+.It Fl p Ar port , Fl -ports= Ns Ar port
 ports to listen to. By default, if run as a daemon, it listens to port
 749, but you can add any number of ports with this option. The port
 string is a whitespace separated list of port specifications, with the

kcm/kcm.8

@@ -127,91 +127,42 @@ the ticket itself.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
-.Fl -cache-name= Ns Ar cachename
-.Xc
+.It Fl -cache-name= Ns Ar cachename
 system cache name
-.It Xo
-.Fl c Ar file ,
-.Fl -config-file= Ns Ar file
-.Xc
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 location of config file
-.It Xo
-.Fl g Ar group ,
-.Fl -group= Ns Ar group
-.Xc
+.It Fl g Ar group , Fl -group= Ns Ar group
 system cache group
-.It Xo
-.Fl -max-request= Ns Ar size
-.Xc
+.It Fl -max-request= Ns Ar size
 max size for a kcm-request
-.It Xo
-.Fl -disallow-getting-krbtgt
-.Xc
+.It Fl -disallow-getting-krbtgt
 disallow extracting any krbtgt from the
 .Nm kcm
 daemon.
-.It Xo
-.Fl -detach
-.Xc
+.It Fl -detach
 detach from console
-.It Xo
-.Fl h ,
-.Fl -help
-.Xc
-.It Xo
-.Fl k Ar principal ,
-.Fl -system-principal= Ns Ar principal
-.Xc
+.It Fl h , Fl -help
+.It Fl k Ar principal , Fl -system-principal= Ns Ar principal
 system principal name
-.It Xo
-.Fl l Ar time ,
-.Fl -lifetime= Ns Ar time
-.Xc
+.It Fl l Ar time , Fl -lifetime= Ns Ar time
 lifetime of system tickets
-.It Xo
-.Fl m Ar mode ,
-.Fl -mode= Ns Ar mode
-.Xc
+.It Fl m Ar mode , Fl -mode= Ns Ar mode
 octal mode of system cache
-.It Xo
-.Fl n ,
-.Fl -no-name-constraints
-.Xc
+.It Fl n , Fl -no-name-constraints
 disable credentials cache name constraints
-.It Xo
-.Fl r Ar time ,
-.Fl -renewable-life= Ns Ar time
-.Xc
+.It Fl r Ar time , Fl -renewable-life= Ns Ar time
 renewable lifetime of system tickets
-.It Xo
-.Fl s Ar path ,
-.Fl -socket-path= Ns Ar path
-.Xc
+.It Fl s Ar path , Fl -socket-path= Ns Ar path
 path to kcm domain socket
-.It Xo
-.Fl -door-path= Ns Ar path
-.Xc
+.It Fl -door-path= Ns Ar path
 path to kcm door socket
-.It Xo
-.Fl S Ar principal ,
-.Fl -server= Ns Ar principal
-.Xc
+.It Fl S Ar principal , Fl -server= Ns Ar principal
 server to get system ticket for
-.It Xo
-.Fl t Ar keytab ,
-.Fl -keytab= Ns Ar keytab
-.Xc
+.It Fl t Ar keytab , Fl -keytab= Ns Ar keytab
 system keytab name
-.It Xo
-.Fl u Ar user ,
-.Fl -user= Ns Ar user
-.Xc
+.It Fl u Ar user , Fl -user= Ns Ar user
 system cache owner
-.It Xo
-.Fl v ,
-.Fl -version
-.Xc
+.It Fl v , Fl -version
 .El
 .\".Sh ENVIRONMENT
 .\".Sh FILES

kdc/hprop.8

@@ -89,19 +89,11 @@ specified on the command by opening a TCP connection to port 754
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
-.Fl m Ar file ,
-.Fl -master-key= Ns Pa file
-.Xc
+.It Fl m Ar file , Fl -master-key= Ns Pa file
 Where to find the master key to encrypt or decrypt keys with.
-.It Xo
-.Fl d Ar file ,
-.Fl -database= Ns Pa file
-.Xc
+.It Fl d Ar file , Fl -database= Ns Pa file
 The database to be propagated.
-.It Xo
-.Fl -source= Ns Ar heimdal|mit-dump
-.Xc
+.It Fl -source= Ns Ar heimdal|mit-dump|krb4-dump|kaserver
 Specifies the type of the source database. Alternatives include:
 .Pp
 .Bl -tag -width mit-dump -compact -offset indent
@@ -110,36 +102,21 @@ a Heimdal database
 .It mit-dump
 a MIT Kerberos 5 dump file
 .El
-.It Xo
-.Fl k Ar keytab ,
-.Fl -keytab= Ns Ar keytab
-.Xc
++.It Fl k Ar keytab , Fl -keytab= Ns Ar keytab
 The keytab to use for fetching the key to be used for authenticating
 to the propagation daemon(s). The key
 .Pa hprop/hostname
 is used from this keytab.  The default is to fetch the key from the
 KDC database.
-.It Xo
-.Fl R Ar string ,
-.Fl -v5-realm= Ns Ar string
-.Xc
+.It Fl R Ar string , Fl -v5-realm= Ns Ar string
 Local realm override.
-.It Xo
-.Fl D ,
-.Fl -decrypt
-.Xc
+.It Fl D , Fl -decrypt
 The encryption keys in the database can either be in clear, or
 encrypted with a master key. This option transmits the database with
 unencrypted keys.
-.It Xo
-.Fl E ,
-.Fl -encrypt
-.Xc
+.It Fl E , Fl -encrypt
 This option transmits the database with encrypted keys.
-.It Xo
-.Fl n ,
-.Fl -stdout
-.Xc
+.It Fl n , Fl -stdout
 Dump the database on stdout, in a format that can be fed to hpropd.
 .El
 .Sh EXAMPLES

kdc/hpropd.8

@@ -73,34 +73,17 @@ are accepted.
 .Pp
 Options supported:
 .Bl -tag -width Ds
-.It Xo
-.Fl d Ar file ,
-.Fl -database= Ns Ar file
-.Xc
+.It Fl d Ar file , Fl -database= Ns Ar file
 database
-.It Xo
-.Fl n ,
-.Fl -stdin
-.Xc
+.It Fl n , Fl -stdin
 read from stdin
-.It Xo
-.Fl -print
-.Xc
+.It Fl -print
 print dump to stdout
-.It Xo
-.Fl i ,
-.Fl -no-inetd
-.Xc
+.It Fl i , Fl -no-inetd
 not started from inetd
-.It Xo
-.Fl k Ar keytab ,
-.Fl -keytab= Ns Ar keytab
-.Xc
+.It Fl k Ar keytab , Fl -keytab= Ns Ar keytab
 keytab to use for authentication
-.It Xo
-.Fl 4 ,
-.Fl -v4dump
-.Xc
+.It Fl 4 , Fl -v4dump
 create v4 type DB
 .El
 .Sh SEE ALSO

kdc/kdc.8

@@ -72,17 +72,11 @@ or from a default compiled-in value.
 .Pp
 Options supported:
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar file ,
-.Fl -config-file= Ns Ar file
-.Xc
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 Specifies the location of the config file, the default is
 .Pa /var/heimdal/kdc.conf .
 This is the only value that can't be specified in the config file.
-.It Xo
-.Fl p ,
-.Fl -no-require-preauth
-.Xc
+.It Fl p , Fl -no-require-preauth
 Turn off the requirement for pre-autentication in the initial AS-REQ
 for all principals.
 The use of pre-authentication makes it more difficult to do offline
@@ -95,34 +89,20 @@ pre-athentication.
 The default is to require pre-authentication.
 Adding the require-preauth per principal is a more flexible way of
 handling this.
-.It Xo
-.Fl -max-request= Ns Ar size
-.Xc
+.It Fl -max-request= Ns Ar size
 Gives an upper limit on the size of the requests that the kdc is
 willing to handle.
-.It Xo
-.Fl H ,
-.Fl -enable-http
-.Xc
+.It Fl H , Fl -enable-http
 Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
-.It Xo
-.Fl -no-524
-.Xc
+.It Fl -no-524
 don't respond to 524 requests
-.It Xo
-.Fl -kerberos4
-.Xc
+.It Fl -kerberos4
 respond to Kerberos 4 requests
-.It Xo
-.Fl -kerberos4-cross-realm
-.Xc
+.It Fl -kerberos4-cross-realm
 respond to Kerberos 4 requests from foreign realms.
 This is a known security hole and should not be enabled unless you
 understand the consequences and are willing to live with them.
-.It Xo
-.Fl r Ar string ,
-.Fl -v4-realm= Ns Ar string
-.Xc
+.It Fl r Ar string , Fl -v4-realm= Ns Ar string
 What realm this server should act as when dealing with version 4
 requests.
 The database can contain any number of realms, but since the version 4
@@ -132,15 +112,9 @@ The default is whatever is returned by
 .Fn krb_get_lrealm .
 This option is only available if the KDC has been compiled with version
 4 support.
-.It Xo
-.Fl K ,
-.Fl -kaserver
-.Xc
+.It Fl K , Fl -kaserver
 Enable kaserver emulation (in case it's compiled in).
-.It Xo
-.Fl P Ar portspec ,
-.Fl -ports= Ns Ar portspec
-.Xc
+.It Fl P Ar portspec , Fl -ports= Ns Ar portspec
 Specifies the set of ports the KDC should listen on.
 It is given as a
 white-space separated list of services or port numbers.
@@ -198,11 +172,8 @@ Permit anonymous tickets with no addresses.
 .It Li max-kdc-datagram-reply-length = Va number
 Maximum packet size the UDP rely that the KDC will transmit, instead
 the KDC sends back a reply telling the client to use TCP instead.
-.It Li transited-policy = Xo
-.Li always-check \*(Ba
-.Li allow-per-principal |
-.Li always-honour-request
-.Xc
+.It Li transited-policy = Li always-check \*(Ba \
+Li allow-per-principal | Li always-honour-request
 This controls how KDC requests with the
 .Li disable-transited-check
 flag are handled. It can be one of:

kdc/kstash.8

@@ -62,28 +62,16 @@ used by the KDC.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
-.Fl e Ar string ,
-.Fl -enctype= Ns Ar string
-.Xc
+.It Fl e Ar string , Fl -enctype= Ns Ar string
 the encryption type to use, defaults to DES3-CBC-SHA1.
-.It Xo
-.Fl k Ar file ,
-.Fl -key-file= Ns Ar file
-.Xc
+.It Fl k Ar file , Fl -key-file= Ns Ar file
 the name of the master key file.
-.It Xo
-.Fl -convert-file
-.Xc
+.It Fl -convert-file
 don't ask for a new master key, just read an old master key file, and
 write it back in the new keyfile format.
-.It Xo
-.Fl -random-key
-.Xc
+.It Fl -random-key
 generate a random master key.
-.It Xo
-.Fl -master-key-fd= Ns Ar fd
-.Xc
+.It Fl -master-key-fd= Ns Ar fd
 filedescriptor to read passphrase from, if not specified the
 passphrase will be read from the terminal.
 .El

kdc/string2key.8

@@ -65,46 +65,21 @@ performs the string-to-key function.
 This is useful when you want to handle the raw key instead of the password.
 Supported options:
 .Bl -tag -width Ds
-.It Xo
-.Fl 5 ,
-.Fl -version5
-.Xc
+.It Fl 5 , Fl -version5
 Output Kerberos v5 string-to-key
-.It Xo
-.Fl 4 ,
-.Fl -version4
-.Xc
+.It Fl 4 , Fl -version4
 Output Kerberos v4 string-to-key
-.It Xo
-.Fl a ,
-.Fl -afs
-.Xc
+.It Fl a , Fl -afs
 Output AFS string-to-key
-.It Xo
-.Fl c Ar cell ,
-.Fl -cell= Ns Ar cell
-.Xc
+.It Fl c Ar cell , Fl -cell= Ns Ar cell
 AFS cell to use
-.It Xo
-.Fl w Ar password ,
-.Fl -password= Ns Ar password
-.Xc
+.It Fl w Ar password , Fl -password= Ns Ar password
 Password to use
-.It Xo
-.Fl p Ar principal ,
-.Fl -principal= Ns Ar principal
-.Xc
+.It Fl p Ar principal , Fl -principal= Ns Ar principal
 Kerberos v5 principal to use
-.It Xo
-.Fl k Ar string ,
-.Fl -keytype= Ns Ar string
-.Xc
+.It Fl k Ar string , Fl -keytype= Ns Ar string
 Keytype
-.It Xo
-.Fl -version
-.Xc
+.It Fl -version
 print version
-.It Xo
-.Fl -help
-.Xc
+.It Fl -help
 .El

kpasswd/kpasswdd.8

@@ -64,20 +64,14 @@ the database directly and should thus only run on the master KDC.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
-.Fl -addresses= Ns Ar address
-.Xc
+.It Fl -addresses= Ns Ar address
 For each till the argument is given, add the address to what kpasswdd
 should listen too.
-.It Xo
-.Fl -check-library= Ns Ar library
-.Xc
+.It Fl -check-library= Ns Ar library
 If your system has support for dynamic loading of shared libraries,
 you can use an external function to check password quality. This
 option specifies which library to load.
-.It Xo
-.Fl -check-function= Ns Ar function
-.Xc
+.It Fl -check-function= Ns Ar function
 This is the function to call in the loaded library. The function
 should look like this:
 .Pp
@@ -92,20 +86,11 @@ is the one who tries to change passwords, and
 is the new password. Note that the password (in
 .Fa password->data )
 is not zero terminated.
-.It Xo
-.Fl k Ar kspec ,
-.Fl -keytab= Ns Ar kspec
-.Xc
+.It Fl k Ar kspec , Fl -keytab= Ns Ar kspec
 Keytab to get authentication key from.
-.It Xo
-.Fl r Ar realm ,
-.Fl -realm= Ns Ar realm
-.Xc
+.It Fl r Ar realm , Fl -realm= Ns Ar realm
 Default realm.
-.It Xo
-.Fl p Ar string ,
-.Fl -port= Ns Ar string
-.Xc
+.It Fl p Ar string , Fl -port= Ns Ar string
 Port to listen on (default service kpasswd - 464).
 .El
 .Sh DIAGNOSTICS

kuser/kdestroy.1

@@ -36,7 +36,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm kdestroy
-.Nd remove one credental or destroy the current ticket file
+.Nd remove one credential or destroy the current ticket file
 .Sh SYNOPSIS
 .Nm
 .Bk -words

kuser/kgetcred.1

@@ -61,30 +61,16 @@ ticket or of a special type.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
-.Fl -canonicalize
-.Xc
+.It Fl -canonicalize
 requests that the KDC canonicalize the principal.
-.It Xo
-.Fl c Ar cache ,
-.Fl -cache= Ns Ar cache
-.Xc
+.It Fl c Ar cache , Fl -cache= Ns Ar cache
 the credential cache to use.
-.It Xo
-.Fl e Ar enctype ,
-.Fl -enctype= Ns Ar enctype
-.Xc
+.It Fl e Ar enctype , Fl -enctype= Ns Ar enctype
 encryption type to use.
-.It Xo
-.Fl -no-transit-check
-.Xc
-requests that the KDC doesn't do trasnit checking.
-.It Xo
-.Fl -version
-.Xc
-.It Xo
-.Fl -help
-.Xc
+.It Fl -no-transit-check
+requests that the KDC doesn't do transit checking.
+.It Fl -version
+.It Fl -help
 .El
 .Sh SEE ALSO
 .Xr kinit 1 ,

kuser/kimpersonate.8

@@ -40,28 +40,14 @@
 impersonate a user when there exist a srvtab, keyfile or KeyFile
 .Sh SYNOPSIS
 .Nm
-.Oo Fl s Ar string \*(Ba Xo
-.Fl -server= Ns Ar string Oc
-.Xc
-.Oo Fl c Ar string \*(Ba Xo
-.Fl -client= Ns Ar string Oc
-.Xc
-.Oo Fl k Ar string \*(Ba Xo
-.Fl -keytab= Ns Ar string Oc
-.Xc
+.Op Fl s Ar string \*(Ba Fl -server= Ns Ar string
+.Op Fl c Ar string \*(Ba Fl -client= Ns Ar string
+.Op Fl k Ar string \*(Ba Fl -keytab= Ns Ar string
 .Op Fl 5 | Fl -krb5
-.Oo Fl e Ar integer \*(Ba Xo
-.Fl -expire-time= Ns Ar integer Oc
-.Xc
-.Oo Fl a Ar string \*(Ba Xo
-.Fl -client-address= Ns Ar string Oc
-.Xc
-.Oo Fl t Ar string \*(Ba Xo
-.Fl -enc-type= Ns Ar string Oc
-.Xc
-.Oo Fl f Ar string \*(Ba Xo
-.Fl -ticket-flags= Ns Ar string Oc
-.Xc
+.Op Fl e Ar integer \*(Ba Fl -expire-time= Ns Ar integer
+.Op Fl a Ar string \*(Ba Fl -client-address= Ns Ar string
+.Op Fl t Ar string \*(Ba Fl -enc-type= Ns Ar string
+.Op Fl f Ar string \*(Ba Fl -ticket-flags= Ns Ar string
 .Op Fl -verbose
 .Op Fl -version
 .Op Fl -help
@@ -73,57 +59,27 @@ The service key can be read from a Kerberos 5 keytab, AFS KeyFile or
 (if compiled with support for Kerberos 4) a Kerberos 4 srvtab.
 Supported options:
 .Bl -tag -width Ds
-.It Xo
-.Fl s Ar string Ns ,
-.Fl -server= Ns Ar string
-.Xc
+.It Fl s Ar string Ns , Fl -server= Ns Ar string
 name of server principal
-.It Xo
-.Fl c Ar string Ns ,
-.Fl -client= Ns Ar string
-.Xc
+.It Fl c Ar string Ns , Fl -client= Ns Ar string
 name of client principal
-.It Xo
-.Fl k Ar string Ns ,
-.Fl -keytab= Ns Ar string
-.Xc
+.It Fl k Ar string Ns , Fl -keytab= Ns Ar string
 name of keytab file
-.It Xo
-.Fl 5 Ns ,
-.Fl -krb5
-.Xc
+.It Fl 5 Ns , Fl -krb5
 create a Kerberos 5 ticket
-.It Xo
-.Fl e Ar integer Ns ,
-.Fl -expire-time= Ns Ar integer
-.Xc
+.It Fl e Ar integer Ns , Fl -expire-time= Ns Ar integer
 lifetime of ticket in seconds
-.It Xo
-.Fl a Ar string Ns ,
-.Fl -client-address= Ns Ar string
-.Xc
+.It Fl a Ar string Ns , Fl -client-address= Ns Ar string
 address of client
-.It Xo
-.Fl t Ar string Ns ,
-.Fl -enc-type= Ns Ar string
-.Xc
+.It Fl t Ar string Ns , Fl -enc-type= Ns Ar string
 encryption type
-.It Xo
-.Fl f Ar string Ns ,
-.Fl -ticket-flags= Ns Ar string
-.Xc
+.It Fl f Ar string Ns , Fl -ticket-flags= Ns Ar string
 ticket flags for krb5 ticket
-.It Xo
-.Fl -verbose
-.Xc
+.It Fl -verbose
 Verbose output
-.It Xo
-.Fl -version
-.Xc
+.It Fl -version
 Print version
-.It Xo
-.Fl -help
-.Xc
+.It Fl -help
 .El
 .Sh FILES
 Uses
@@ -131,9 +87,9 @@ Uses
 .Pa /etc/srvtab
 and
 .Pa /usr/afs/etc/KeyFile
-when avalible and the the
+when available and the
 .Fl k
-is used with appropriate prefix.
+option is used with an appropriate prefix.
 .Sh EXAMPLES
 .Nm
 can be used in

kuser/kinit.1

@@ -96,41 +96,23 @@ can later be used to obtain tickets for other services.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar cachename
-.Fl -cache= Ns Ar cachename
-.Xc
+.It Fl c Ar cachename Fl -cache= Ns Ar cachename
 The credentials cache to put the acquired ticket in, if other than
 default.
-.It Xo
-.Fl f
-.Fl -no-forwardable
-.Xc
+.It Fl f Fl -no-forwardable
 Get ticket that can be forwarded to another host, or if the negative
 flags use, don't get a forwardable flag.
-.It Xo
-.Fl t Ar keytabname ,
-.Fl -keytab= Ns Ar keytabname
-.Xc
+.It Fl t Ar keytabname , Fl -keytab= Ns Ar keytabname
 Don't ask for a password, but instead get the key from the specified
 keytab.
-.It Xo
-.Fl l Ar time ,
-.Fl -lifetime= Ns Ar time
-.Xc
+.It Fl l Ar time , Fl -lifetime= Ns Ar time
 Specifies the lifetime of the ticket.
 The argument can either be in seconds, or a more human readable string
 like
 .Sq 1h .
-.It Xo
-.Fl p ,
-.Fl -proxiable
-.Xc
+.It Fl p , Fl -proxiable
 Request tickets with the proxiable flag set.
-.It Xo
-.Fl R ,
-.Fl -renew
-.Xc
+.It Fl R , Fl -renew
 Try to renew ticket.
 The ticket must have the
 .Sq renewable
@@ -139,46 +121,26 @@ flag set, and must not be expired.
 The same as
 .Fl -renewable-life ,
 with an infinite time.
-.It Xo
-.Fl r Ar time ,
-.Fl -renewable-life= Ns Ar time
-.Xc
+.It Fl r Ar time , Fl -renewable-life= Ns Ar time
 The max renewable ticket life.
-.It Xo
-.Fl S Ar principal ,
-.Fl -server= Ns Ar principal
-.Xc
+.It Fl S Ar principal , Fl -server= Ns Ar principal
 Get a ticket for a service other than krbtgt/LOCAL.REALM.
-.It Xo
-.Fl s Ar time ,
-.Fl -start-time= Ns Ar time
-.Xc
+.It Fl s Ar time , Fl -start-time= Ns Ar time
 Obtain a ticket that starts to be valid
 .Ar time
 (which can really be a generic time specification, like
 .Sq 1h )
 seconds into the future.
-.It Xo
-.Fl k ,
-.Fl -use-keytab
-.Xc
+.It Fl k , Fl -use-keytab
 The same as
 .Fl -keytab ,
 but with the default keytab name (normally
 .Ar FILE:/etc/krb5.keytab ) .
-.It Xo
-.Fl v ,
-.Fl -validate
-.Xc
+.It Fl v , Fl -validate
 Try to validate an invalid ticket.
-.It Xo
-.Fl e ,
-.Fl -enctypes= Ns Ar enctypes
-.Xc
+.It Fl e , Fl -enctypes= Ns Ar enctypes
 Request tickets with this particular enctype.
-.It Xo
-.Fl -password-file= Ns Ar filename
-.Xc
+.It Fl -password-file= Ns Ar filename
 read the password from the first line of
 .Ar filename .
 If the
@@ -186,15 +148,10 @@ If the
 is
 .Ar STDIN ,
 the password will be read from the standard input.
-.It Xo
-.Fl -fcache-version= Ns Ar version-number
-.Xc
+.It Fl -fcache-version= Ns Ar version-number
 Create a credentials cache of version
 .Ar version-number .
-.It Xo
-.Fl a ,
-.Fl -extra-addresses= Ns Ar enctypes
-.Xc
+.It Fl a , Fl -extra-addresses= Ns Ar enctypes
 Adds a set of addresses that will, in addition to the systems local
 addresses, be put in the ticket.
 This can be useful if all addresses a client can use can't be
@@ -204,20 +161,13 @@ Also settable via
 .Li libdefaults/extra_addresses
 in
 .Xr krb5.conf 5 .
-.It Xo
-.Fl A ,
-.Fl -no-addresses
-.Xc
+.It Fl A , Fl -no-addresses
 Request a ticket with no addresses.
-.It Xo
-.Fl -anonymous
-.Xc
+.It Fl -anonymous
 Request an anonymous ticket (which means that the ticket will be
 issued to an anonymous principal, typically
 .Dq anonymous@REALM ) .
-.It Xo
-.Fl -enterprise
-.Xc
+.It Fl -enterprise
 Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enterprise
 names are email like principals that are stored in the name part of
 the principal, and since there are two @ characters the parser needs

kuser/klist.1

@@ -60,27 +60,14 @@ known as the ticket file).
 .Pp
 Options supported:
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar cache ,
-.Fl -cache= Ns Ar cache
-.Xc
+.It Fl c Ar cache , Fl -cache= Ns Ar cache
 credential cache to list
-.It Xo
-.Fl s ,
-.Fl t ,
-.Fl -test
-.Xc
+.It Fl s , Fl t , Fl -test
 Test for there being an active and valid TGT for the local realm of
 the user in the credential cache.
-.It Xo
-.Fl T ,
-.Fl -tokens
-.Xc
+.It Fl T , Fl -tokens
 display AFS tokens
-.It Xo
-.Fl 5 ,
-.Fl -v5
-.Xc
+.It Fl 5 , Fl -v5
 display v5 cred cache (this is the default)
 .It Fl f
 Include ticket flags in short form, each character stands for a
@@ -113,10 +100,7 @@ hardware authenticated
 This information is also output with the
 .Fl -verbose
 option, but in a more verbose way.
-.It Xo
-.Fl v ,
-.Fl -verbose
-.Xc
+.It Fl v , Fl -verbose
 Verbose output. Include all possible information:
 .Bl -tag -width XXXX -offset indent
 .It Server
@@ -141,10 +125,7 @@ the flags set on the ticket
 .It Addresses
 the set of addresses from which this ticket is valid
 .El
-.It Xo
-.Fl l ,
-.Fl -list-caches
-.Xc
+.It Fl l , Fl -list-caches
 List the credential caches for the current users, not all cache types
 supports listing multiple caches.
 .Pp

kuser/klist.c

@@ -39,21 +39,29 @@
 #include "kcc-commands.h"
 
 static char*
-printable_time(time_t t)
+printable_time_internal(time_t t, int x)
 {
     static char s[128];
-    strlcpy(s, ctime(&t)+ 4, sizeof(s));
-    s[15] = 0;
+    char *p;
+
+    if ((p = ctime(&t)) == NULL)
+	strlcpy(s, "?", sizeof(s));
+    else
+	strlcpy(s, p + 4, sizeof(s));
+    s[x] = 0;
     return s;
 }
 
+static char*
+printable_time(time_t t)
+{
+    return printable_time_internal(t, 20);
+}
+
 static char*
 printable_time_long(time_t t)
 {
-    static char s[128];
-    strlcpy(s, ctime(&t)+ 4, sizeof(s));
-    s[20] = 0;
-    return s;
+    return printable_time_internal(t, 20);
 }
 
 #define COL_ISSUED		NP_("  Issued","")

lib/gssapi/gssapi.3

@@ -53,57 +53,52 @@ These functions constitute the gssapi library,
 .Em libgssapi .
 Declarations for these functions may be obtained from the include file
 .Pa gssapi.h .
-.sp 2
-.nf
-.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u
-\fIName/Page\fP	\fIDescription\fP
-.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u+6nC
-.sp 5p
-gss_accept_sec_context.3
-gss_acquire_cred.3
-gss_add_cred.3
-gss_add_oid_set_member.3
-gss_canonicalize_name.3
-gss_compare_name.3
-gss_context_time.3
-gss_create_empty_oid_set.3
-gss_delete_sec_context.3
-gss_display_name.3
-gss_display_status.3
-gss_duplicate_name.3
-gss_export_name.3
-gss_export_sec_context.3
-gss_get_mic.3
-gss_import_name.3
-gss_import_sec_context.3
-gss_indicate_mechs.3
-gss_init_sec_context.3
-gss_inquire_context.3
-gss_inquire_cred.3
-gss_inquire_cred_by_mech.3
-gss_inquire_mechs_for_name.3
-gss_inquire_names_for_mech.3
-gss_krb5_ccache_name.3
-gss_krb5_compat_des3_mic.3
-gss_krb5_copy_ccache.3
-gss_krb5_extract_authz_data_from_sec_context.3
-gss_krb5_import_ccache.3
-gss_process_context_token.3
-gss_release_buffer.3
-gss_release_cred.3
-gss_release_name.3
-gss_release_oid_set.3
-gss_seal.3
-gss_sign.3
-gss_test_oid_set_member.3
-gss_unseal.3
-gss_unwrap.3
-gss_verify.3
-gss_verify_mic.3
-gss_wrap.3
-gss_wrap_size_limit.3
-.ta
-.Fi
+.Bl -column -compact
+.It Sy Name/Page
+.It Xr gss_accept_sec_context 3
+.It Xr gss_acquire_cred 3
+.It Xr gss_add_cred 3
+.It Xr gss_add_oid_set_member 3
+.It Xr gss_canonicalize_name 3
+.It Xr gss_compare_name 3
+.It Xr gss_context_time 3
+.It Xr gss_create_empty_oid_set 3
+.It Xr gss_delete_sec_context 3
+.It Xr gss_display_name 3
+.It Xr gss_display_status 3
+.It Xr gss_duplicate_name 3
+.It Xr gss_export_name 3
+.It Xr gss_export_sec_context 3
+.It Xr gss_get_mic 3
+.It Xr gss_import_name 3
+.It Xr gss_import_sec_context 3
+.It Xr gss_indicate_mechs 3
+.It Xr gss_init_sec_context 3
+.It Xr gss_inquire_context 3
+.It Xr gss_inquire_cred 3
+.It Xr gss_inquire_cred_by_mech 3
+.It Xr gss_inquire_mechs_for_name 3
+.It Xr gss_inquire_names_for_mech 3
+.It Xr gss_krb5_ccache_name 3
+.It Xr gss_krb5_compat_des3_mic 3
+.It Xr gss_krb5_copy_ccache 3
+.It Xr gss_krb5_extract_authz_data_from_sec_context 3
+.It Xr gss_krb5_import_ccache 3
+.It Xr gss_process_context_token 3
+.It Xr gss_release_buffer 3
+.It Xr gss_release_cred 3
+.It Xr gss_release_name 3
+.It Xr gss_release_oid_set 3
+.It Xr gss_seal 3
+.It Xr gss_sign 3
+.It Xr gss_test_oid_set_member 3
+.It Xr gss_unseal 3
+.It Xr gss_unwrap 3
+.It Xr gss_verify 3
+.It Xr gss_verify_mic 3
+.It Xr gss_wrap 3
+.It Xr gss_wrap_size_limit 3
+.El
 .Sh COMPATIBILITY
 The
 .Nm Heimdal

lib/hx509/revoke.c

@@ -1054,8 +1054,13 @@ static char *
 printable_time(time_t t)
 {
     static char s[128];
-    strlcpy(s, ctime(&t)+ 4, sizeof(s));
-    s[20] = 0;
+    char *p;
+    if ((p = ctime(&t)) == NULL)
+       strlcpy(s, "?", sizeof(s));
+    else {
+       strlcpy(s, p + 4, sizeof(s));
+       s[20] = 0;
+    }
     return s;
 }
 

lib/kadm5/iprop-log.8

@@ -83,28 +83,17 @@ maintain the iprop log file
 .Sh DESCRIPTION
 Supported options:
 .Bl -tag -width Ds
-.It Xo
-.Fl -version
-.Xc
-.It Xo
-.Fl h ,
-.Fl -help
-.Xc
+.It Fl -version
+.It Fl h , Fl -help
 .El
 .Pp
 command can be one of the following:
 .Bl -tag -width truncate
 .It truncate
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar file ,
-.Fl -config-file= Ns Ar file
-.Xc
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 configuration file
-.It Xo
-.Fl r Ar string ,
-.Fl -realm= Ns Ar string
-.Xc
+.It Fl r Ar string , Fl -realm= Ns Ar string
 realm
 .El
 .Pp
@@ -113,10 +102,7 @@ last entry of the old log.  If the log is truncted by emptying the
 file, the log will start over at the first version (0).
 .It dump
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar file ,
-.Fl -config-file= Ns Ar file
-.Xc
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 configuration file
 .It Xo
 .Fl r Ar string ,
@@ -128,23 +114,15 @@ realm
 Print out all entries in the log to standard output.
 .It replay
 .Bl -tag -width Ds
-.It Xo
-.Fl -start-version= Ns Ar version-number
-.Xc
+.It Fl -start-version= Ns Ar version-number
 start replay with this version
 .It Xo
 .Fl -end-version= Ns Ar version-number
 .Xc
 end replay with this version
-.It Xo
-.Fl c Ar file ,
-.Fl -config-file= Ns Ar file
-.Xc
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 configuration file
-.It Xo
-.Fl r Ar string ,
-.Fl -realm= Ns Ar string
-.Xc
+.It Fl r Ar string , Fl -realm= Ns Ar string
 realm
 .El
 .Pp
@@ -152,15 +130,9 @@ Replay the changes from specified entries (or all if none is
 specified) in the transaction log to the database.
 .It last-version
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar file ,
-.Fl -config-file= Ns Ar file
-.Xc
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 configuration file
-.It Xo
-.Fl r Ar string ,
-.Fl -realm= Ns Ar string
-.Xc
+.It Fl r Ar string , Fl -realm= Ns Ar string
 realm
 .El
 .Pp

lib/kadm5/iprop.8

@@ -38,51 +38,49 @@
 .Nm iprop ,
 .Nm ipropd-master ,
 .Nm ipropd-slave
-.Nd
-propagate changes to a Heimdal Kerberos master KDC to slave KDCs
+.Nd propagate changes to a Heimdal Kerberos master KDC to slave KDCs
 .Sh SYNOPSIS
 .Nm ipropd-master
 .Oo Fl c Ar string \*(Ba Xo
-.Fl -config-file= Ns Ar string
+.Fl Fl config-file= Ns Ar string
 .Xc
 .Oc
 .Oo Fl r Ar string \*(Ba Xo
-.Fl -realm= Ns Ar string
+.Fl Fl realm= Ns Ar string
 .Xc
 .Oc
 .Oo Fl k Ar kspec \*(Ba Xo
-.Fl -keytab= Ns Ar kspec
+.Fl Fl keytab= Ns Ar kspec
 .Xc
 .Oc
 .Oo Fl d Ar file \*(Ba Xo
-.Fl -database= Ns Ar file
+.Fl Fl database= Ns Ar file
 .Xc
 .Oc
-.Op Fl -slave-stats-file= Ns Ar file
-.Op Fl -time-missing= Ns Ar time
-.Op Fl -time-gone= Ns Ar time
-.Op Fl -detach
-.Op Fl -version
-.Op Fl -help
+.Op Fl Fl slave-stats-file= Ns Ar file
+.Op Fl Fl time-missing= Ns Ar time
+.Op Fl Fl time-gone= Ns Ar time
+.Op Fl Fl detach
+.Op Fl Fl version
+.Op Fl Fl help
 .Nm ipropd-slave
 .Oo Fl c Ar string \*(Ba Xo
-.Fl -config-file= Ns Ar string
+.Fl Fl config-file= Ns Ar string
 .Xc
 .Oc
 .Oo Fl r Ar string \*(Ba Xo
-.Fl -realm= Ns Ar string
+.Fl Fl realm= Ns Ar string
 .Xc
 .Oc
 .Oo Fl k Ar kspec \*(Ba Xo
-.Fl -keytab= Ns Ar kspec
+.Fl Fl keytab= Ns Ar kspec
 .Xc
 .Oc
-.Op Fl -time-lost= Ns Ar time
-.Op Fl -detach
-.Op Fl -version
-.Op Fl -help
+.Op Fl Fl time-lost= Ns Ar time
+.Op Fl Fl detach
+.Op Fl Fl version
+.Op Fl Fl help
 .Ar master
-.Pp
 .Sh DESCRIPTION
 .Nm ipropd-master
 is used to propagate changes to a Heimdal Kerberos database from the
@@ -96,9 +94,9 @@ file in the KDC's database directory, e.g.\&
 .Pa /var/heimdal/slaves .
 This has principals one per-line of the form
 .Dl iprop/ Ns Ar slave Ns @ Ns Ar REALM
-where 
-.Ar slave 
-is the hostname of the slave server in the given 
+where
+.Ar slave
+is the hostname of the slave server in the given
 .Ar REALM ,
 e.g.\&
 .Dl iprop/kerberos-1.example.com@EXAMPLE.COM
@@ -110,20 +108,23 @@ In contrast to
 .Xr hprop 8 ,
 which sends the whole database to the slaves regularly,
 .Nm
-normally sends only the changes as they happen on the master.  The
-master keeps track of all the changes by assigning a version number to
-every change to the database.  The slaves know which was the latest
-version they saw, and in this way it can be determined if they are in
-sync or not.  A log of all the changes is kept on the master.  When a
-slave is at an older version than the oldest one in the log, the whole
-database has to be sent.
+normally sends only the changes as they happen on the master.
+The master keeps track of all the changes by assigning a version
+number to every change to the database.
+The slaves know which was the latest version they saw, and in this
+way it can be determined if they are in sync or not.
+A log of all the changes is kept on the master.
+When a slave is at an older version than the oldest one in the log,
+the whole database has to be sent.
 .Pp
 The changes are propagated over a secure channel (on port 2121 by
-default).  This should normally be defined as
+default).
+This should normally be defined as
 .Dq iprop/tcp
 in
 .Pa /etc/services
-or another source of the services database.  The master and slaves
+or another source of the services database.
+The master and slaves
 must each have access to a keytab with keys for the
 .Nm iprop
 service principal on the local host.
@@ -136,78 +137,37 @@ file (e.g.\&
 Supported options for
 .Nm ipropd-master :
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar string ,
-.Fl -config-file= Ns Ar string
-.Xc
-.It Xo
-.Fl r Ar string ,
-.Fl -realm= Ns Ar string
-.Xc
-.It Xo
-.Fl k Ar kspec ,
-.Fl -keytab= Ns Ar kspec
-.Xc
+.It Fl c Ar string , Fl Fl config-file= Ns Ar string
+.It Fl r Ar string , Fl Fl realm= Ns Ar string
+.It Fl k Ar kspec , Fl Fl keytab= Ns Ar kspec
 keytab to get authentication from
-.It Xo
-.Fl d Ar file ,
-.Fl -database= Ns Ar file
-.Xc
+.It Fl d Ar file , Fl Fl database= Ns Ar file
 Database (default per KDC)
-.It Xo
-.Fl -slave-stats-file= Ns Ar file
-.Xc
+.It Fl Fl slave-stats-file= Ns Ar file
 file for slave status information
-.It Xo
-.Fl -time-missing= Ns Ar time
-.Xc
+.It Fl Fl time-missing= Ns Ar time
 time before slave is polled for presence (default 2 min)
-.It Xo
-.Fl -time-gone= Ns Ar time
-.Xc
+.It Fl Fl time-gone= Ns Ar time
 time of inactivity after which a slave is considered gone (default 5 min)
-.It Xo
-.Fl -detach
-.Xc
+.It Fl Fl detach
 detach from console
-.It Xo
-.Fl -version
-.Xc
-.It Xo
-.Fl -help
-.Xc
+.It Fl Fl version
+.It Fl Fl help
 .El
 .Pp
 Supported options for
 .Nm ipropd-slave :
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar string ,
-.Fl -config-file= Ns Ar string
-.Xc
-.It Xo
-.Fl r Ar string ,
-.Fl -realm= Ns Ar string
-.Xc
-.It Xo
-.Fl k Ar kspec ,
-.Fl -keytab= Ns Ar kspec
-.Xc
+.It Fl c Ar string , Fl Fl config-file= Ns Ar string
+.It Fl r Ar string , Fl Fl realm= Ns Ar string
+.It Fl k Ar kspec , Fl Fl keytab= Ns Ar kspec
 keytab to get authentication from
-.It Xo
-.Fl -time-lost= Ns Ar time
-.Xc
+.It Fl Fl time-lost= Ns Ar time
 time before server is considered lost (default 5 min)
-.It Xo
-.Fl -detach
-.Xc
+.It Fl Fl detach
 detach from console
-.It Xo
-.Fl -version
-.Xc
-.It Xo
-.Fl -help
-.Xc
+.It Fl Fl version
+.It Fl Fl help
 .El
 Time arguments for the relevant options above may be specified in forms
 like 5 min, 300 s, or simply a number of seconds.

lib/krb5/auth_context.c

@@ -262,6 +262,7 @@ krb5_auth_con_getaddrs(krb5_context context,
     return 0;
 }
 
+/* coverity[+alloc : arg-*2] */
 static krb5_error_code
 copy_key(krb5_context context,
 	 krb5_keyblock *in,
@@ -289,6 +290,7 @@ krb5_auth_con_getlocalsubkey(krb5_context context,
     return copy_key(context, auth_context->local_subkey, keyblock);
 }
 
+/* coverity[+alloc : arg-*2] */ 
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_getremotesubkey(krb5_context context,
 			      krb5_auth_context auth_context,

lib/krb5/krb5_get_in_cred.3

@@ -169,7 +169,7 @@ but are more specialized.
 .Nm krb5_get_in_tkt_with_password
 uses the clients password to authenticate.
 If the password argument is
-.DV NULL
+.Dv NULL
 the user user queried with the default password query function.
 .Pp
 .Nm krb5_get_in_tkt_with_keytab

lib/krb5/krb5_init_context.3

@@ -219,7 +219,7 @@ error-code handler
 to the specified
 .Fa context .
 The error handler must generated by the the re-rentrant version of the
-.Xr compile_et 3
+.Xr compile_et 1
 program.
 .Fn krb5_add_extra_addresses
 add a list of addresses that should be added when requesting tickets.

lib/krb5/salt.c

@@ -33,6 +33,7 @@
 
 #include "krb5_locl.h"
 
+/* coverity[+alloc : arg-*3] */
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_salttype_to_string (krb5_context context,
 			 krb5_enctype etype,

lib/roken/get_window_size.c

@@ -58,32 +58,46 @@
 #include "roken.h"
 
 ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
-get_window_size(int fd, struct winsize *wp)
+get_window_size(int fd, int *lines, int *columns)
 {
-    int ret = -1;
-
-    memset(wp, 0, sizeof(*wp));
+    int ret;
+    char *s;
 
 #if defined(TIOCGWINSZ)
-    ret = ioctl(fd, TIOCGWINSZ, wp);
+    {
+	struct winsize ws;
+	ret = ioctl(fd, TIOCGWINSZ, &ws);
+	if (ret != -1) {
+	    if (lines)
+		*lines = ws.ws_row;
+	    if (columns)
+		*columns = ws.ws_col;
+	    return 0;
+	}
+    }
 #elif defined(TIOCGSIZE)
     {
 	struct ttysize ts;
 	
 	ret = ioctl(fd, TIOCGSIZE, &ts);
-	if(ret == 0) {
-	    wp->ws_row = ts.ts_lines;
-	    wp->ws_col = ts.ts_cols;
-	}
+	if (ret != -1) {
+	    if (lines)
+		*lines = ts.ws_lines;
+	    if (columns)
+		*columns = ts.ts_cols;
+	    return 0;
+ 	}
     }
 #elif defined(HAVE__SCRSIZE)
     {
 	int dst[2];
-	
-	_scrsize(dst);
-	wp->ws_row = dst[1];
-	wp->ws_col = dst[0];
-	ret = 0;
+ 	
+ 	_scrsize(dst);
+	if (lines)
+	    *lines = dst[1];
+	if (columns)
+	    *columns = dst[0];
+	return 0;
     }
 #elif defined(_WIN32)
     {
@@ -100,14 +114,17 @@ get_window_size(int fd, struct winsize *wp)
         }
     }
 #endif
-    if (ret != 0) {
-        char *s;
-        if((s = getenv("COLUMNS")))
-	    wp->ws_col = atoi(s);
-	if((s = getenv("LINES")))
-	    wp->ws_row = atoi(s);
-	if(wp->ws_col > 0 && wp->ws_row > 0)
-	    ret = 0;
+    if (columns) {
+    	if ((s = getenv("COLUMNS")))
+	    *columns = atoi(s);
+	else
+	    return -1;
     }
-    return ret;
+    if (lines) {
+	if ((s = getenv("LINES")))
+	    *lines = atoi(s);
+	else
+	    return -1;
+    }
+    return 0;
 }

lib/roken/getarg.c

@@ -228,7 +228,6 @@ arg_printusage_i18n (struct getargs *args,
     size_t i, max_len = 0;
     char buf[128];
     int col = 0, columns;
-    struct winsize ws;
 
     if (progname == NULL)
 	progname = getprogname();
@@ -240,9 +239,7 @@ arg_printusage_i18n (struct getargs *args,
 	mandoc_template(args, num_args, progname, extra_string, i18n);
 	return;
     }
-    if(get_window_size(2, &ws) == 0)
-	columns = ws.ws_col;
-    else
+    if(get_window_size(2, NULL, &columns) == -1)
 	columns = 80;
     col = 0;
     col += fprintf (stderr, "%s: %s", usage, progname);

lib/roken/roken.h.in

@@ -759,7 +759,7 @@ struct winsize {
 };
 #endif
 
-ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL get_window_size(int fd, struct winsize *);
+ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL get_window_size(int fd, int *, int *);
 
 #ifndef HAVE_VSYSLOG
 #define vsyslog rk_vsyslog

lib/vers/print_version.c

@@ -52,5 +52,7 @@ print_version(const char *progname)
 	package_list = "no version information";
     fprintf(stderr, "%s (%s)\n", progname, package_list);
     fprintf(stderr, "Copyright 1995-2011 Kungliga Tekniska Högskolan\n");
+#ifdef PACKAGE_BUGREPORT
     fprintf(stderr, "Send bug-reports to %s\n", PACKAGE_BUGREPORT);
+#endif
 }