Use "Fl Fl" for long options.

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2011-05-21 18:42:36 +02:00
parent 05a432aaed
commit db8e287e41
35 changed files with 588 additions and 588 deletions
--- a/admin/ktutil.8
+++ b/admin/ktutil.8
@@ -40,12 +40,12 @@
 .Sh SYNOPSIS
 .Nm
 .Oo Fl k Ar keytab \*(Ba Xo
-.Fl -keytab= Ns Ar keytab
+.Fl Fl keytab= Ns Ar keytab
 .Xc
 .Oc
-.Op Fl v | Fl -verbose
-.Op Fl -version
-.Op Fl h | Fl -help
+.Op Fl v | Fl Fl verbose
+.Op Fl Fl version
+.Op Fl h | Fl Fl help
 .Ar command
 .Op Ar args
 .Sh DESCRIPTION
@@ -53,27 +53,27 @@
 is a program for managing keytabs.
 Supported options:
 .Bl -tag -width Ds
-.It Fl v , Fl -verbose
+.It Fl v , Fl Fl verbose
 Verbose output.
 .El
 .Pp
 .Ar command
 can be one of the following:
 .Bl -tag -width srvconvert
-.It add Oo Fl p Ar principal Oc Oo Fl -principal= Ns Ar principal Oc \
-Oo Fl V Ar kvno Oc Oo Fl -kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \
-Oo Fl -enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \
-Oo Fl -password= Ns Ar password Oc Oo Fl r Oc Oo Fl -random Oc \
-Oo Fl s Oc Oo Fl -no-salt Oc Oo Fl H Oc Op Fl -hex
+.It add Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
+Oo Fl V Ar kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \
+Oo Fl Fl enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \
+Oo Fl Fl password= Ns Ar password Oc Oo Fl r Oc Oo Fl Fl random Oc \
+Oo Fl s Oc Oo Fl Fl no-salt Oc Oo Fl H Oc Op Fl Fl hex
 Adds a key to the keytab. Options that are not specified will be
 prompted for. This requires that you know the password or the hex key of the
 principal to add; if what you really want is to add a new principal to
 the keytab, you should consider the
 .Ar get
 command, which talks to the kadmin server.
-.It change Oo Fl r Ar realm Oc Oo Fl -realm= Ns Ar realm Oc \
-Oo Fl -a Ar host Oc Oo Fl -admin-server= Ns Ar host Oc \
-Oo Fl -s Ar port Oc Op Fl -server-port= Ns Ar port
+.It change Oo Fl r Ar realm Oc Oo Fl Fl realm= Ns Ar realm Oc \
+Oo Fl Fl a Ar host Oc Oo Fl Fl admin-server= Ns Ar host Oc \
+Oo Fl Fl s Ar port Oc Op Fl Fl server-port= Ns Ar port
 Update one or several keys to new versions.  By default, use the admin
 server for the realm of a keytab entry.  Otherwise it will use the
 values specified by the options.
@@ -85,11 +85,11 @@ Copies all the entries from
 to
 .Ar keytab-dest .
 .It get Oo Fl p Ar admin principal Oc \
-Oo Fl -principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \
-Oo Fl -enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \
-Oo Fl -realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \
-Oo Fl -admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \
-Oo Fl -server-port= Ns Ar server port Oc Ar principal ...
+Oo Fl Fl principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \
+Oo Fl Fl enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \
+Oo Fl Fl realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \
+Oo Fl Fl admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \
+Oo Fl Fl server-port= Ns Ar server port Oc Ar principal ...
 For each
 .Ar principal ,
 generate a new key for it (creating it if it doesn't already exist),
@@ -99,11 +99,11 @@ If no
 .Ar realm
 is specified, the realm to operate on is taken from the first
 principal.
-.It list Oo Fl -keys Oc Op Fl -timestamp
+.It list Oo Fl Fl keys Oc Op Fl Fl timestamp
 List the keys stored in the keytab.
-.It remove Oo Fl p Ar principal Oc Oo Fl -principal= Ns Ar principal Oc \
-Oo Fl V kvno Oc Oo Fl -kvno= Ns Ar kvno Oc Oo Fl e enctype Oc \
-Oo Fl -enctype= Ns Ar enctype Oc
+.It remove Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
+Oo Fl V kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e enctype Oc \
+Oo Fl Fl enctype= Ns Ar enctype Oc
 Removes the specified key or keys. Not specifying a
 .Ar kvno
 removes keys with any version number. Not specifying an
@@ -114,7 +114,7 @@ Renames all entries in the keytab that match the
 .Ar from-principal
 to
 .Ar to-principal .
-.It purge Op Fl -age= Ns Ar age
+.It purge Op Fl Fl age= Ns Ar age
 Removes all old versions of a key for which there is a newer version
 that is at least
 .Ar age
--- a/appl/afsutil/afslog.1
+++ b/appl/afsutil/afslog.1
@@ -40,27 +40,27 @@
 obtain AFS tokens
 .Sh SYNOPSIS
 .Nm
-.Op Fl h | Fl -help
-.Op Fl -no-v4
-.Op Fl -no-v5
-.Op Fl u | Fl -unlog
-.Op Fl v | Fl -verbose
-.Op Fl -version
+.Op Fl h | Fl Fl help
+.Op Fl Fl no-v4
+.Op Fl Fl no-v5
+.Op Fl u | Fl Fl unlog
+.Op Fl v | Fl Fl verbose
+.Op Fl Fl version
 .Oo Fl c Ar cell \*(Ba Xo
-.Fl -cell= Ns Ar cell
+.Fl Fl cell= Ns Ar cell
 .Xc
 .Oc
 .Oo Fl k Ar realm \*(Ba Xo
-.Fl -realm= Ns Ar realm
+.Fl Fl realm= Ns Ar realm
 .Xc
 .Oc
 .Oo Fl P Ar principal \*(Ba Xo
-.Fl -principal= Ns Ar principal
+.Fl Fl principal= Ns Ar principal
 .Xc
 .Oc
 .Bk -words
 .Oo Fl p Ar path \*(Ba Xo
-.Fl -file= Ns Ar path
+.Fl Fl file= Ns Ar path
 .Xc
 .Oc
 .Ek
@@ -77,51 +77,51 @@ decides upon.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Fl -no-v4
+.It Fl Fl no-v4
 This makes
 .Nm
 not try using Kerberos 4.
-.It Fl -no-v5
+.It Fl Fl no-v5
 This makes
 .Nm
 not try using Kerberos 5.
 .It Xo
 .Fl P Ar principal ,
-.Fl -principal Ar principal
+.Fl Fl principal Ar principal
 .Xc
 select what Kerberos 5 principal to use.
-.It Fl -cache Ar cache
+.It Fl Fl cache Ar cache
 select what Kerberos 5 credential cache to use.
-.Fl -principal
+.Fl Fl principal
 overrides this option.
 .It Xo
 .Fl u ,
-.Fl -unlog
+.Fl Fl unlog
 .Xc
 Destroy tokens instead of obtaining new. If this is specified, all
 other options are ignored (except for
-.Fl -help
+.Fl Fl help
 and
-.Fl -version ) .
+.Fl Fl version ) .
 .It Xo
 .Fl v ,
-.Fl -verbose
+.Fl Fl verbose
 .Xc
 Adds more verbosity for what is actually going on.
 .It Xo
 .Fl c Ar cell,
-.Fl -cell= Ns Ar cell
+.Fl Fl cell= Ns Ar cell
 .Xc
 This specified one or more cell names to get tokens for.
 .It Xo
 .Fl k Ar realm ,
-.Fl -realm= Ns Ar realm
+.Fl Fl realm= Ns Ar realm
 .Xc
 This is the Kerberos realm the AFS servers live in, this should
 normally not be specified.
 .It Xo
 .Fl p Ar path ,
-.Fl -file= Ns Ar path
+.Fl Fl file= Ns Ar path
 .Xc
 This specified one or more file paths for which tokens should be
 obtained.
--- a/appl/afsutil/pagsh.1
+++ b/appl/afsutil/pagsh.1
@@ -41,9 +41,9 @@ creates a new credential cache sandbox
 .Sh SYNOPSIS
 .Nm
 .Op Fl c Ar command-string
-.Op Fl h | Fl -help
-.Op Fl -version
-.Op Fl -cache-type= Ns Ar string
+.Op Fl h | Fl Fl help
+.Op Fl Fl version
+.Op Fl Fl cache-type= Ns Ar string
 .Ar command [args...]
 .Sh DESCRIPTION
 Supported options:
@@ -54,14 +54,14 @@ Executes command(s) contained in
 .Ar command-string .
 .Xc
 .It Xo
-.Fl -cache-type= Ns Ar string
+.Fl Fl cache-type= Ns Ar string
 .Xc
 .It Xo
 .Fl h ,
-.Fl -help
+.Fl Fl help
 .Xc
 .It Xo
-.Fl -version
+.Fl Fl version
 .Xc
 .El
 .Pp
@@ -75,7 +75,7 @@ the credential cache type that was used at the time of
 .Nm
 invocation.
 The credential cache type can be controlled by the option
-.Fl -cache-type .
+.Fl Fl cache-type .
 .Sh EXAMPLES
 Create a new sandbox where new credentials can be used, while the old
 credentials can be used by other processes.
--- a/appl/ftp/ftp/ftp.1
+++ b/appl/ftp/ftp/ftp.1
@@ -53,8 +53,8 @@ file transfer program
 .Op Fl t
 .Op Fl v
 .Op Fl x
-.Op Fl -no-gss-bindings
-.Op Fl -no-gss-delegate
+.Op Fl Fl no-gss-bindings
+.Op Fl Fl no-gss-delegate
 .Op Ar host
 .Sh DESCRIPTION
 .Nm
@@ -103,10 +103,10 @@ Turn on passive mode.
 Enables debugging.
 .It Fl g
 Disables file name globbing.
- .It Fl -no-gss-bindings
+ .It Fl Fl no-gss-bindings
 Don't use GSS-API bindings when talking to peer. IP addresses will not
 be checked to ensure they match.
-.It Fl -no-gss-delegate
+.It Fl Fl no-gss-delegate
 Disable delegation of GSSAPI credentials.
 .It Fl l
 Disables command line editing.
--- a/appl/ftp/ftpd/ftpd.8
+++ b/appl/ftp/ftpd/ftpd.8
@@ -47,11 +47,11 @@
 .Op Fl p Ar port
 .Op Fl T Ar maxtimeout
 .Op Fl t Ar timeout
-.Op Fl -gss-bindings
-.Op Fl I | Fl -no-insecure-oob
+.Op Fl Fl gss-bindings
+.Op Fl I | Fl Fl no-insecure-oob
 .Op Fl u Ar default umask
-.Op Fl B | Fl -builtin-ls
-.Op Fl -good-chars= Ns Ar string
+.Op Fl B | Fl Fl builtin-ls
+.Op Fl Fl good-chars= Ns Ar string
 .Sh DESCRIPTION
 .Nm Ftpd
 is the
@@ -101,7 +101,7 @@ Debugging information is written to the syslog using LOG_FTP.
 .It Fl g
 Anonymous users will get a umask of
 .Ar umask .
-.It Fl -gss-bindings
+.It Fl Fl gss-bindings
 require the peer to use GSS-API bindings (ie make sure IP addresses match).
 .It Fl i
 Open a socket and wait for a connection. This is mainly used for
@@ -144,16 +144,16 @@ revert to the old behavior.
 Verbose mode.
 .It Xo
 .Fl B ,
-.Fl -builtin-ls
+.Fl Fl builtin-ls
 .Xc
 use built-in ls to list files
 .It Xo
-.Fl -good-chars= Ns Ar string
+.Fl Fl good-chars= Ns Ar string
 .Xc
 allowed anonymous upload filename chars
 .It Xo
 .Fl I
-.Fl -no-insecure-oob
+.Fl Fl no-insecure-oob
 .Xc
 don't allow insecure out of band.
 Heimdal ftp clients before 0.6.3 doesn't support secure oob, so turning
--- a/appl/kf/kf.1
+++ b/appl/kf/kf.1
@@ -41,20 +41,20 @@
 .Nm
 .Oo
 .Fl p Ar port |
-.Fl -port Ns = Ns Ar port
+.Fl Fl port Ns = Ns Ar port
 .Oc
 .Oo
 .Fl l Ar login |
-.Fl -login Ns = Ns Ar login
+.Fl Fl login Ns = Ns Ar login
 .Oc
 .Oo
 .Fl c Ar ccache |
-.Fl -ccache Ns = Ns Ar ccache
+.Fl Fl ccache Ns = Ns Ar ccache
 .Oc
 .Op Fl F | -forwardable
 .Op Fl G | -no-forwardable
 .Op Fl h | -help
-.Op Fl -version
+.Op Fl Fl version
 .Ar host ...
 .Sh DESCRIPTION
 The
@@ -65,17 +65,17 @@ Options supported are:
 .Bl -tag -width indent
 .It Xo
 .Fl p Ar port ,
-.Fl -port Ns = Ns Ar port
+.Fl Fl port Ns = Ns Ar port
 .Xc
 port to connect to
 .It Xo
 .Fl l Ar login ,
-.Fl -login Ns = Ns Ar login
+.Fl Fl login Ns = Ns Ar login
 .Xc
 remote login name
 .It Xo
 .Fl c Ar ccache ,
-.Fl -ccache Ns = Ns Ar ccache
+.Fl Fl ccache Ns = Ns Ar ccache
 .Xc
 remote cred cache
 .It Fl F , -forwardable
@@ -83,7 +83,7 @@ forward forwardable credentials
 .It Fl G , -no-forwardable
 do not forward forwardable credentials
 .It Fl h , -help
-.It Fl -version
+.It Fl Fl version
 .El
 .Pp
 .Nm
@@ -94,7 +94,7 @@ In order for
 .Nm
 to work you will need to acquire your initial ticket with forwardable
 flag, i.e.
-.Nm kinit Fl -forwardable .
+.Nm kinit Fl Fl forwardable .
 .Pp
 .Nm telnet
 is able to forward tickets by itself.
--- a/appl/kf/kfd.8
+++ b/appl/kf/kfd.8
@@ -41,15 +41,15 @@
 .Nm
 .Oo
 .Fl p Ar port |
-.Fl -port Ns = Ns Ar port
+.Fl Fl port Ns = Ns Ar port
 .Oc
 .Op Fl i | -inetd
 .Oo
 .Fl R Ar regpag |
-.Fl -regpag Ns = Ns Ar regpag
+.Fl Fl regpag Ns = Ns Ar regpag
 .Oc
 .Op Fl h | -help
-.Op Fl -version
+.Op Fl Fl version
 .Sh DESCRIPTION
 This is the daemon for
 .Xr kf 1 .
@@ -57,14 +57,14 @@ Supported options:
 .Bl -tag -width indent
 .It Xo
 .Fl p Ar port ,
-.Fl -port Ns = Ns Ar port
+.Fl Fl port Ns = Ns Ar port
 .Xc
 port to listen to
 .It Fl i , -inetd
 not started from inetd
 .It Xo
 .Fl R Ar regpag ,
-.Fl -regpag= Ns Ar regpag
+.Fl Fl regpag= Ns Ar regpag
 .Xc
 path to regpag binary
 .El
--- a/appl/popper/popper.8
+++ b/appl/popper/popper.8
@@ -47,7 +47,7 @@ POP3 server
 .Op Fl d
 .Op Fl i
 .Op Fl p Ar port
-.Op Fl -address-log= Ns Pa file
+.Op Fl Fl address-log= Ns Pa file
 .Sh DESCRIPTION
 .Nm
 serves mail via the Post Office Protocol.  Supported options include:
@@ -60,7 +60,7 @@ which authentication mode is acceptable,
 enables SASL (RFC2222),  and
 .Ar otp
 enables OTP (RFC1938) authentication. Both disable plaintext passwords.
-.It Fl -address-log= Ns Pa file
+.It Fl Fl address-log= Ns Pa file
 Logs the addresses (along with a timestamp) of all clients to the
 specified file. This can be used to implement POP-before-SMTP
 authentication.
--- a/appl/push/pfrom.1
+++ b/appl/push/pfrom.1
@@ -39,13 +39,13 @@
 .Nd "fetch a list of the current mail via POP"
 .Sh SYNOPSIS
 .Nm
-.Op Fl 4 | Fl -krb4
-.Op Fl 5 | Fl -krb5
-.Op Fl v | Fl -verbose
+.Op Fl 4 | Fl Fl krb4
+.Op Fl 5 | Fl Fl krb5
+.Op Fl v | Fl Fl verbose
 .Op Fl c | -count
-.Op Fl -header
+.Op Fl Fl header
 .Oo Fl p Ar port-spec  \*(Ba Xo
-.Fl -port= Ns Ar port-spec
+.Fl Fl port= Ns Ar port-spec
 .Xc
 .Oc
 .Sh DESCRIPTION
--- a/appl/push/push.8
+++ b/appl/push/push.8
@@ -8,15 +8,15 @@
 .Nd fetch mail via POP
 .Sh SYNOPSIS
 .Nm
-.Op Fl 5 | Fl -krb5
-.Op Fl v | Fl -verbose
-.Op Fl f | Fl -fork
+.Op Fl 5 | Fl Fl krb5
+.Op Fl v | Fl Fl verbose
+.Op Fl f | Fl Fl fork
 .Op Fl l | -leave
-.Op Fl -from
+.Op Fl Fl from
 .Op Fl c | -count
-.Op Fl -headers Ns = Ns Ar headers
+.Op Fl Fl headers Ns = Ns Ar headers
 .Oo Fl p Ar port-spec  \*(Ba Xo
-.Fl -port Ns = Ns Ar port-spec
+.Fl Fl port Ns = Ns Ar port-spec
 .Xc
 .Oc
 .Ar po-box
@@ -51,35 +51,35 @@ Supported options:
 .Bl -tag -width Ds
 .It Xo
 .Fl 5 ,
-.Fl -krb5
+.Fl Fl krb5
 .Xc
 use Kerberos 5 (if compiled with support for Kerberos 5)
 .It Xo
 .Fl f ,
-.Fl -fork
+.Fl Fl fork
 .Xc
 fork before starting to delete messages
 .It Xo
 .Fl l ,
-.Fl -leave
+.Fl Fl leave
 .Xc
 don't delete fetched mail
 .It Xo
-.Fl -from
+.Fl Fl from
 .Xc
 behave like from.
 .It Xo
 .Fl c ,
-.Fl -count
+.Fl Fl count
 .Xc
 first print how many messages and bytes there are.
 .It Xo
-.Fl -headers Ns = Ns Ar headers
+.Fl Fl headers Ns = Ns Ar headers
 .Xc
 a list of comma-separated headers that should get printed.
 .It Xo
 .Fl p Ar port-spec ,
-.Fl -port Ns = Ns Ar port-spec
+.Fl Fl port Ns = Ns Ar port-spec
 .Xc
 use this port instead of the default
 .Ql kpop
--- a/appl/rsh/rsh.1
+++ b/appl/rsh/rsh.1
@@ -63,7 +63,7 @@ Valid options are:
 .Bl -tag -width Ds
 .It Xo
 .Fl 4 ,
-.Fl -krb4
+.Fl Fl krb4
 .Xc
 The
 .Fl 4
@@ -72,7 +72,7 @@ authentication mechanisms will be tried, but in some cases more
 explicit control is desired.
 .It Xo
 .Fl 5 ,
-.Fl -krb5
+.Fl Fl krb5
 .Xc
 The
 .Fl 5
@@ -81,7 +81,7 @@ option requests Kerberos 5 authentication. This is analogous to the
 option.
 .It Xo
 .Fl K ,
-.Fl -broken
+.Fl Fl broken
 .Xc
 The
 .Fl K
@@ -90,7 +90,7 @@ mode relies on reserved ports. The long name is an indication of how
 good this is.
 .It Xo
 .Fl n ,
-.Fl -no-input
+.Fl Fl no-input
 .Xc
 The
 .Fl n
@@ -105,13 +105,13 @@ Enable
 socket debugging.
 .It Xo
 .Fl e ,
-.Fl -no-stderr
+.Fl Fl no-stderr
 .Xc
 Don't use a separate socket for the stderr stream. This can be
 necessary if rsh-ing through a NAT bridge.
 .It Xo
 .Fl x ,
-.Fl -encrypt
+.Fl Fl encrypt
 .Xc
 The
 .Fl x
@@ -132,7 +132,7 @@ section of
 when using Kerberos 5.
 .It Xo
 .Fl f ,
-.Fl -forward
+.Fl Fl forward
 .Xc
 Forward Kerberos 5 credentials to the remote host.
 Also settable via
@@ -141,7 +141,7 @@ Also settable via
 .Xr krb5.conf ) .
 .It Xo
 .Fl F ,
-.Fl -forwardable
+.Fl Fl forwardable
 .Xc
 Make the forwarded credentials re-forwardable. 
 Also settable via
@@ -150,7 +150,7 @@ Also settable via
 .Xr krb5.conf ) .
 .It Xo
 .Fl l Ar string ,
-.Fl -user= Ns Ar string
+.Fl Fl user= Ns Ar string
 .Xc
 By default the remote username is the same as the local. The
 .Fl l
@@ -159,7 +159,7 @@ option or the
 format allow the remote name to be specified.
 .It Xo
 .Fl n ,
-.Fl -no-input
+.Fl Fl no-input
 .Xc
 Direct input from 
 .Pa /dev/null
@@ -168,7 +168,7 @@ Direct input from
 section).
 .It Xo
 .Fl p Ar number-or-service ,
-.Fl -port= Ns Ar number-or-service
+.Fl Fl port= Ns Ar number-or-service
 .Xc
 Connect to this port instead of the default (which is 514 when using
 old port based authentication, 544 for Kerberos 5 and non-encrypted
@@ -177,7 +177,7 @@ the contents of
 .Pa /etc/services ) .
 .It Xo
 .Fl P Ar N|O|1|2 ,
-.Fl -protocol= Ns Ar N|O|1|2
+.Fl Fl protocol= Ns Ar N|O|1|2
 .Xc
 Specifies the protocol version to use with Kerberos 5.
 .Ar N
@@ -193,20 +193,20 @@ default. Unless asked for a specific version,
 will try both.  This behaviour may change in the future.
 .It Xo
 .Fl u ,
-.Fl -unique
+.Fl Fl unique
 .Xc
 Make sure the remote credentials cache is unique, that is, don't reuse
 any existing cache. Mutually exclusive to
 .Fl U .
 .It Xo
 .Fl U Pa string ,
-.Fl -tkfile= Ns Pa string
+.Fl Fl tkfile= Ns Pa string
 .Xc
 Name of the remote credentials cache. Mutually exclusive to
 .Fl u .
 .It Xo
 .Fl x ,
-.Fl -encrypt
+.Fl Fl encrypt
 .Xc
 The
 .Fl x
--- a/appl/rsh/rshd.8
+++ b/appl/rsh/rshd.8
@@ -52,14 +52,14 @@ service.  Supported options are:
 .Bl -tag -width Ds
 .It Xo
 .Fl n ,
-.Fl -no-keepalive
+.Fl Fl no-keepalive
 .Xc
 Disables keep-alive messages.
 Keep-alives are packets sent at certain intervals to make sure that the
 client is still there, even when it doesn't send any data.
 .It Xo
 .Fl k ,
-.Fl -kerberos
+.Fl Fl kerberos
 .Xc
 Assume that clients connecting to this server will use some form of
 Kerberos authentication. See the
@@ -69,7 +69,7 @@ section for a sample
 configuration.
 .It Xo
 .Fl x ,
-.Fl -encrypt
+.Fl Fl encrypt
 .Xc
 For Kerberos 4 this means that the connections are encrypted. Kerberos
 5 can negotiate encryption even without this option, but if it's
@@ -79,14 +79,14 @@ will deny unencrypted connections. This option implies
 .Fl k .
 .\".It Xo
 .\".Fl l ,
-.\".Fl -no-rhosts
+.\".Fl Fl no-rhosts
 .\".Xc
 .\"When using old port-based authentication, the user's
 .\".Pa .rhosts
 .\"files are normally checked. This option disables this.
 .It Xo
 .Fl v ,
-.Fl -vacuous
+.Fl Fl vacuous
 .Xc
 If the connecting client does not use any Kerberised authentication,
 print a message that complains about this fact, and exit. This is
@@ -104,7 +104,7 @@ it possible to share tokens between sessions. This is only useful in
 peculiar environments, such as some batch systems.
 .It Xo
 .Fl i ,
-.Fl -no-inetd
+.Fl Fl no-inetd
 .Xc
 The
 .Fl i
@@ -115,7 +115,7 @@ to create a socket, instead of assuming that its stdin came from
 This is mostly useful for debugging.
 .It Xo
 .Fl p Ar port ,
-.Fl -port= Ns Ar port
+.Fl Fl port= Ns Ar port
 .Xc
 Port to use with
 .Fl i .
--- a/appl/su/su.1
+++ b/appl/su/su.1
@@ -39,16 +39,16 @@
 .Nd substitute user identity
 .Sh SYNOPSIS
 .Nm su
-.Op Fl K | Fl -no-kerberos
+.Op Fl K | Fl Fl no-kerberos
 .Op Fl f
-.Op Fl l | Fl -full
+.Op Fl l | Fl Fl full
 .Op Fl m
 .Oo Fl i Ar instance \*(Ba Xo
-.Fl -instance= Ns Ar instance
+.Fl Fl instance= Ns Ar instance
 .Xc
 .Oc
 .Oo Fl c Ar command \*(Ba Xo
-.Fl -command= Ns Ar command
+.Fl Fl command= Ns Ar command
 .Xc
 .Oc
 .Op Ar login Op Ar "shell arguments"
@@ -100,24 +100,24 @@ The options are as follows:
 .Bl -item -width Ds
 .It
 .Fl K ,
-.Fl -no-kerberos
+.Fl Fl no-kerberos
 don't use Kerberos.
 .It
 .Fl f
 don't read .cshrc.
 .It
 .Fl l ,
-.Fl -full
+.Fl Fl full
 simulate full login.
 .It
 .Fl m
 leave environment unmodified.
 .It
 .Fl i Ar instance ,
-.Fl -instance= Ns Ar instance
+.Fl Fl instance= Ns Ar instance
 root instance to use.
 .It
 .Fl c Ar command ,
-.Fl -command= Ns Ar command
+.Fl Fl command= Ns Ar command
 command to execute.
 .El
--- a/kadmin/kadmin.8
+++ b/kadmin/kadmin.8
@@ -40,16 +40,16 @@
 .Sh SYNOPSIS
 .Nm
 .Bk -words
-.Op Fl p Ar string \*(Ba Fl -principal= Ns Ar string
-.Op Fl K Ar string \*(Ba Fl -keytab= Ns Ar string
-.Op Fl c Ar file \*(Ba Fl -config-file= Ns Ar file
-.Op Fl k Ar file \*(Ba Fl -key-file= Ns Ar file
-.Op Fl r Ar realm \*(Ba Fl -realm= Ns Ar realm
-.Op Fl a Ar host \*(Ba Fl -admin-server= Ns Ar host
-.Op Fl s Ar port number \*(Ba Fl -server-port= Ns Ar port number
-.Op Fl l | Fl -local
-.Op Fl h | Fl -help
-.Op Fl v | Fl -version
+.Op Fl p Ar string \*(Ba Fl Fl principal= Ns Ar string
+.Op Fl K Ar string \*(Ba Fl Fl keytab= Ns Ar string
+.Op Fl c Ar file \*(Ba Fl Fl config-file= Ns Ar file
+.Op Fl k Ar file \*(Ba Fl Fl key-file= Ns Ar file
+.Op Fl r Ar realm \*(Ba Fl Fl realm= Ns Ar realm
+.Op Fl a Ar host \*(Ba Fl Fl admin-server= Ns Ar host
+.Op Fl s Ar port number \*(Ba Fl Fl server-port= Ns Ar port number
+.Op Fl l | Fl Fl local
+.Op Fl h | Fl Fl help
+.Op Fl v | Fl Fl version
 .Op Ar command
 .Ek
 .Sh DESCRIPTION
@@ -63,21 +63,21 @@ option).
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Fl p Ar string , Fl -principal= Ns Ar string
+.It Fl p Ar string , Fl Fl principal= Ns Ar string
 principal to authenticate as
-.It Fl K Ar string , Fl -keytab= Ns Ar string
+.It Fl K Ar string , Fl Fl keytab= Ns Ar string
 keytab for authentication principal
-.It Fl c Ar file , Fl -config-file= Ns Ar file
+.It Fl c Ar file , Fl Fl config-file= Ns Ar file
 location of config file
-.It Fl k Ar file , Fl -key-file= Ns Ar file
+.It Fl k Ar file , Fl Fl key-file= Ns Ar file
 location of master key file
-.It Fl r Ar realm , Fl -realm= Ns Ar realm
+.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
 realm to use
-.It Fl a Ar host , Fl -admin-server= Ns Ar host
+.It Fl a Ar host , Fl Fl admin-server= Ns Ar host
 server to contact
-.It Fl s Ar port number , Fl -server-port= Ns Ar port number
+.It Fl s Ar port number , Fl Fl server-port= Ns Ar port number
 port to use
-.It Fl l , Fl -local
+.It Fl l , Fl Fl local
 local admin mode
 .El
 .Pp
@@ -101,15 +101,15 @@ Commands include:
 .\" with nested Xo/Xc
 .Pp
 .Nm add
-.Op Fl r | Fl -random-key
-.Op Fl -random-password
-.Op Fl p Ar string \*(Ba Fl -password= Ns Ar string
-.Op Fl -key= Ns Ar string
-.Op Fl -max-ticket-life= Ns Ar lifetime
-.Op Fl -max-renewable-life= Ns Ar lifetime
-.Op Fl -attributes= Ns Ar attributes
-.Op Fl -expiration-time= Ns Ar time
-.Op Fl -pw-expiration-time= Ns Ar time
+.Op Fl r | Fl Fl random-key
+.Op Fl Fl random-password
+.Op Fl p Ar string \*(Ba Fl Fl password= Ns Ar string
+.Op Fl Fl key= Ns Ar string
+.Op Fl Fl max-ticket-life= Ns Ar lifetime
+.Op Fl Fl max-renewable-life= Ns Ar lifetime
+.Op Fl Fl attributes= Ns Ar attributes
+.Op Fl Fl expiration-time= Ns Ar time
+.Op Fl Fl pw-expiration-time= Ns Ar time
 .Ar principal...
 .Bd -ragged -offset indent
 Adds a new principal to the database. The options not passed on the
@@ -117,7 +117,7 @@ command line will be promped for.
 .Ed
 .Pp
 .Nm add_enctype
-.Op Fl r | Fl -random-key
+.Op Fl r | Fl Fl random-key
 .Ar principal enctypes...
 .Pp
 .Bd -ragged -offset indent
@@ -141,7 +141,7 @@ enctypes.
 .Pp
 .Nm ext_keytab
 .Oo Fl k Ar string \*(Ba Xo
-.Fl -keytab= Ns Ar string
+.Fl Fl keytab= Ns Ar string
 .Xc
 .Oc
 .Ar principal...
@@ -150,10 +150,10 @@ Creates a keytab with the keys of the specified principals.
 .Ed
 .Pp
 .Nm get
-.Op Fl l | Fl -long
-.Op Fl s | Fl -short
-.Op Fl t | Fl -terse
-.Op Fl o Ar string | Fl -column-info= Ns Ar string
+.Op Fl l | Fl Fl long
+.Op Fl s | Fl Fl short
+.Op Fl t | Fl Fl terse
+.Op Fl o Ar string | Fl Fl column-info= Ns Ar string
 .Ar principal...
 .Bd -ragged -offset indent
 Lists the matching principals, short prints the result as a table,
@@ -192,14 +192,14 @@ and
 .Pp
 .Nm modify
 .Oo Fl a Ar attributes \*(Ba Xo
-.Fl -attributes= Ns Ar attributes
+.Fl Fl attributes= Ns Ar attributes
 .Xc
 .Oc
-.Op Fl -max-ticket-life= Ns Ar lifetime
-.Op Fl -max-renewable-life= Ns Ar lifetime
-.Op Fl -expiration-time= Ns Ar time
-.Op Fl -pw-expiration-time= Ns Ar time
-.Op Fl -kvno= Ns Ar number
+.Op Fl Fl max-ticket-life= Ns Ar lifetime
+.Op Fl Fl max-renewable-life= Ns Ar lifetime
+.Op Fl Fl expiration-time= Ns Ar time
+.Op Fl Fl pw-expiration-time= Ns Ar time
+.Op Fl Fl kvno= Ns Ar number
 .Ar principal...
 .Bd -ragged -offset indent
 Modifies certain attributes of a principal. If run without command
@@ -228,13 +228,13 @@ kadmin -l modify -a -disallow-proxiable user
 .Ed
 .Pp
 .Nm passwd
-.Op Fl r | Fl -random-key
-.Op Fl -random-password
+.Op Fl r | Fl Fl random-key
+.Op Fl Fl random-password
 .Oo Fl p Ar string \*(Ba Xo
-.Fl -password= Ns Ar string
+.Fl Fl password= Ns Ar string
 .Xc
 .Oc
-.Op Fl -key= Ns Ar string
+.Op Fl Fl key= Ns Ar string
 .Ar principal...
 .Bd -ragged -offset indent
 Changes the password of an existing principal.
@@ -285,20 +285,20 @@ no realm is given, the default realm is used.
 When running in local mode, the following commands can also be used:
 .Pp
 .Nm dump
-.Op Fl d | Fl -decrypt
+.Op Fl d | Fl Fl decrypt
 .Op Ar dump-file
 .Bd -ragged -offset indent
 Writes the database in
 .Dq human readable
 form to the specified file, or standard out. If the database is
 encrypted, the dump will also have encrypted keys, unless
-.Fl -decrypt
+.Fl Fl decrypt
 is used.
 .Ed
 .Pp
 .Nm init
-.Op Fl -realm-max-ticket-life= Ns Ar string
-.Op Fl -realm-max-renewable-life= Ns Ar string
+.Op Fl Fl realm-max-ticket-life= Ns Ar string
+.Op Fl Fl realm-max-renewable-life= Ns Ar string
 .Ar realm
 .Bd -ragged -offset indent
 Initializes the Kerberos database with entries for a new realm. It's
@@ -322,15 +322,15 @@ but just modifies the database with the entries in the dump file.
 .Pp
 .Nm stash
 .Oo Fl e Ar enctype \*(Ba Xo
-.Fl -enctype= Ns Ar enctype
+.Fl Fl enctype= Ns Ar enctype
 .Xc
 .Oc
 .Oo Fl k Ar keyfile \*(Ba Xo
-.Fl -key-file= Ns Ar keyfile
+.Fl Fl key-file= Ns Ar keyfile
 .Xc
 .Oc
-.Op Fl -convert-file
-.Op Fl -master-key-fd= Ns Ar fd
+.Op Fl Fl convert-file
+.Op Fl Fl master-key-fd= Ns Ar fd
 .Bd -ragged -offset indent
 Writes the Kerberos master key to a file used by the KDC.
 .Ed
--- a/kadmin/kadmind.8
+++ b/kadmin/kadmind.8
@@ -41,21 +41,21 @@
 .Nm
 .Bk -words
 .Oo Fl c Ar file \*(Ba Xo
-.Fl -config-file= Ns Ar file
+.Fl Fl config-file= Ns Ar file
 .Xc
 .Oc
 .Oo Fl k Ar file \*(Ba Xo
-.Fl -key-file= Ns Ar file
+.Fl Fl key-file= Ns Ar file
 .Xc
 .Oc
-.Op Fl -keytab= Ns Ar keytab
+.Op Fl Fl keytab= Ns Ar keytab
 .Oo Fl r Ar realm \*(Ba Xo
-.Fl -realm= Ns Ar realm
+.Fl Fl realm= Ns Ar realm
 .Xc
 .Oc
-.Op Fl d | Fl -debug
+.Op Fl d | Fl Fl debug
 .Oo Fl p Ar port \*(Ba Xo
-.Fl -ports= Ns Ar port
+.Fl Fl ports= Ns Ar port
 .Xc
 .Oc
 .Ek
@@ -67,7 +67,7 @@ assumes that it has been started by
 .Xr inetd 8 ,
 otherwise it behaves as a daemon, forking processes for each new
 connection. The
-.Fl -debug
+.Fl Fl debug
 option causes
 .Nm
 to accept exactly one connection, which is useful for debugging.
@@ -117,17 +117,17 @@ glob-style pattern.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Fl c Ar file , Fl -config-file= Ns Ar file
+.It Fl c Ar file , Fl Fl config-file= Ns Ar file
 location of config file
-.It Fl k Ar file , Fl -key-file= Ns Ar file
+.It Fl k Ar file , Fl Fl key-file= Ns Ar file
 location of master key file
-.It Fl -keytab= Ns Ar keytab
+.It Fl Fl keytab= Ns Ar keytab
 what keytab to use
-.It Fl r Ar realm , Fl -realm= Ns Ar realm
+.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
 realm to use
-.It Fl d , Fl -debug
+.It Fl d , Fl Fl debug
 enable debugging
-.It Fl p Ar port , Fl -ports= Ns Ar port
+.It Fl p Ar port , Fl Fl ports= Ns Ar port
 ports to listen to. By default, if run as a daemon, it listens to port
 749, but you can add any number of ports with this option. The port
 string is a whitespace separated list of port specifications, with the
@@ -144,7 +144,7 @@ This will cause
 to listen to port 4711 in addition to any
 compiled in defaults:
 .Pp
-.D1 Nm Fl -ports Ns Li "=\*[q]+ 4711\*[q] &"
+.D1 Nm Fl Fl ports Ns Li "=\*[q]+ 4711\*[q] &"
 .Pp
 This acl file will grant Joe all rights, and allow Mallory to view and
 add host principals.
--- a/kcm/kcm.8
+++ b/kcm/kcm.8
@@ -40,57 +40,57 @@
 is a process based credential cache for Kerberos tickets.
 .Sh SYNOPSIS
 .Nm
-.Op Fl -cache-name= Ns Ar cachename
+.Op Fl Fl cache-name= Ns Ar cachename
 .Oo Fl c Ar file \*(Ba Xo
-.Fl -config-file= Ns Ar file
+.Fl Fl config-file= Ns Ar file
 .Xc
 .Oc
 .Oo Fl g Ar group \*(Ba Xo
-.Fl -group= Ns Ar group
+.Fl Fl group= Ns Ar group
 .Xc
 .Oc
-.Op Fl -max-request= Ns Ar size
-.Op Fl -disallow-getting-krbtgt
-.Op Fl -detach
-.Op Fl h | Fl -help
+.Op Fl Fl max-request= Ns Ar size
+.Op Fl Fl disallow-getting-krbtgt
+.Op Fl Fl detach
+.Op Fl h | Fl Fl help
 .Oo Fl k Ar principal \*(Ba Xo
-.Fl -system-principal= Ns Ar principal
+.Fl Fl system-principal= Ns Ar principal
 .Xc
 .Oc
 .Oo Fl l Ar time \*(Ba Xo
-.Fl -lifetime= Ns Ar time
+.Fl Fl lifetime= Ns Ar time
 .Xc
 .Oc
 .Oo Fl m Ar mode \*(Ba Xo
-.Fl -mode= Ns Ar mode
+.Fl Fl mode= Ns Ar mode
 .Xc
 .Oc
-.Op Fl n | Fl -no-name-constraints
+.Op Fl n | Fl Fl no-name-constraints
 .Oo Fl r Ar time \*(Ba Xo
-.Fl -renewable-life= Ns Ar time
+.Fl Fl renewable-life= Ns Ar time
 .Xc
 .Oc
 .Oo Fl s Ar path \*(Ba Xo
-.Fl -socket-path= Ns Ar path
+.Fl Fl socket-path= Ns Ar path
 .Xc
 .Oc
 .Oo Xo
-.Fl -door-path= Ns Ar path
+.Fl Fl door-path= Ns Ar path
 .Xc
 .Oc
 .Oo Fl S Ar principal \*(Ba Xo
-.Fl -server= Ns Ar principal
+.Fl Fl server= Ns Ar principal
 .Xc
 .Oc
 .Oo Fl t Ar keytab \*(Ba Xo
-.Fl -keytab= Ns Ar keytab
+.Fl Fl keytab= Ns Ar keytab
 .Xc
 .Oc
 .Oo Fl u Ar user \*(Ba Xo
-.Fl -user= Ns Ar user
+.Fl Fl user= Ns Ar user
 .Xc
 .Oc
-.Op Fl v | Fl -version
+.Op Fl v | Fl Fl version
 .Sh DESCRIPTION
 .Nm
 is a process based credential cache.
@@ -127,42 +127,42 @@ the ticket itself.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Fl -cache-name= Ns Ar cachename
+.It Fl Fl cache-name= Ns Ar cachename
 system cache name
-.It Fl c Ar file , Fl -config-file= Ns Ar file
+.It Fl c Ar file , Fl Fl config-file= Ns Ar file
 location of config file
-.It Fl g Ar group , Fl -group= Ns Ar group
+.It Fl g Ar group , Fl Fl group= Ns Ar group
 system cache group
-.It Fl -max-request= Ns Ar size
+.It Fl Fl max-request= Ns Ar size
 max size for a kcm-request
-.It Fl -disallow-getting-krbtgt
+.It Fl Fl disallow-getting-krbtgt
 disallow extracting any krbtgt from the
 .Nm kcm
 daemon.
-.It Fl -detach
+.It Fl Fl detach
 detach from console
-.It Fl h , Fl -help
-.It Fl k Ar principal , Fl -system-principal= Ns Ar principal
+.It Fl h , Fl Fl help
+.It Fl k Ar principal , Fl Fl system-principal= Ns Ar principal
 system principal name
-.It Fl l Ar time , Fl -lifetime= Ns Ar time
+.It Fl l Ar time , Fl Fl lifetime= Ns Ar time
 lifetime of system tickets
-.It Fl m Ar mode , Fl -mode= Ns Ar mode
+.It Fl m Ar mode , Fl Fl mode= Ns Ar mode
 octal mode of system cache
-.It Fl n , Fl -no-name-constraints
+.It Fl n , Fl Fl no-name-constraints
 disable credentials cache name constraints
-.It Fl r Ar time , Fl -renewable-life= Ns Ar time
+.It Fl r Ar time , Fl Fl renewable-life= Ns Ar time
 renewable lifetime of system tickets
-.It Fl s Ar path , Fl -socket-path= Ns Ar path
+.It Fl s Ar path , Fl Fl socket-path= Ns Ar path
 path to kcm domain socket
-.It Fl -door-path= Ns Ar path
+.It Fl Fl door-path= Ns Ar path
 path to kcm door socket
-.It Fl S Ar principal , Fl -server= Ns Ar principal
+.It Fl S Ar principal , Fl Fl server= Ns Ar principal
 server to get system ticket for
-.It Fl t Ar keytab , Fl -keytab= Ns Ar keytab
+.It Fl t Ar keytab , Fl Fl keytab= Ns Ar keytab
 system keytab name
-.It Fl u Ar user , Fl -user= Ns Ar user
+.It Fl u Ar user , Fl Fl user= Ns Ar user
 system cache owner
-.It Fl v , Fl -version
+.It Fl v , Fl Fl version
 .El
 .\".Sh ENVIRONMENT
 .\".Sh FILES
--- a/kdc/hprop.8
+++ b/kdc/hprop.8
@@ -41,36 +41,36 @@
 .Nm
 .Bk -words
 .Oo Fl m Ar file \*(Ba Xo
-.Fl -master-key= Ns Pa file
+.Fl Fl master-key= Ns Pa file
 .Xc
 .Oc
 .Oo Fl d Ar file \*(Ba Xo
-.Fl -database= Ns Pa file
+.Fl Fl database= Ns Pa file
 .Xc
 .Oc
-.Op Fl -source= Ns Ar heimdal|mit-dump
+.Op Fl Fl source= Ns Ar heimdal|mit-dump
 .Oo Fl r Ar string \*(Ba Xo
-.Fl -v4-realm= Ns Ar string
+.Fl Fl v4-realm= Ns Ar string
 .Xc
 .Oc
 .Oo Fl c Ar cell \*(Ba Xo
-.Fl -cell= Ns Ar cell
+.Fl Fl cell= Ns Ar cell
 .Xc
 .Oc
 .Oo Fl k Ar keytab \*(Ba Xo
-.Fl -keytab= Ns Ar keytab
+.Fl Fl keytab= Ns Ar keytab
 .Xc
 .Oc
 .Oo Fl R Ar string \*(Ba Xo
-.Fl -v5-realm= Ns Ar string
+.Fl Fl v5-realm= Ns Ar string
 .Xc
 .Oc
-.Op Fl D | Fl -decrypt
-.Op Fl E | Fl -encrypt
-.Op Fl n | Fl -stdout
-.Op Fl v | Fl -verbose
-.Op Fl -version
-.Op Fl h | Fl -help
+.Op Fl D | Fl Fl decrypt
+.Op Fl E | Fl Fl encrypt
+.Op Fl n | Fl Fl stdout
+.Op Fl v | Fl Fl verbose
+.Op Fl Fl version
+.Op Fl h | Fl Fl help
 .Op Ar host Ns Op : Ns Ar port
 .Ar ...
 .Ek
@@ -89,11 +89,11 @@ specified on the command by opening a TCP connection to port 754
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Fl m Ar file , Fl -master-key= Ns Pa file
+.It Fl m Ar file , Fl Fl master-key= Ns Pa file
 Where to find the master key to encrypt or decrypt keys with.
-.It Fl d Ar file , Fl -database= Ns Pa file
+.It Fl d Ar file , Fl Fl database= Ns Pa file
 The database to be propagated.
-.It Fl -source= Ns Ar heimdal|mit-dump|krb4-dump|kaserver
+.It Fl Fl source= Ns Ar heimdal|mit-dump|krb4-dump|kaserver
 Specifies the type of the source database. Alternatives include:
 .Pp
 .Bl -tag -width mit-dump -compact -offset indent
@@ -102,21 +102,21 @@ a Heimdal database
 .It mit-dump
 a MIT Kerberos 5 dump file
 .El
-+.It Fl k Ar keytab , Fl -keytab= Ns Ar keytab
+.It Fl k Ar keytab , Fl Fl keytab= Ns Ar keytab
 The keytab to use for fetching the key to be used for authenticating
 to the propagation daemon(s). The key
 .Pa hprop/hostname
 is used from this keytab.  The default is to fetch the key from the
 KDC database.
-.It Fl R Ar string , Fl -v5-realm= Ns Ar string
+.It Fl R Ar string , Fl Fl v5-realm= Ns Ar string
 Local realm override.
-.It Fl D , Fl -decrypt
+.It Fl D , Fl Fl decrypt
 The encryption keys in the database can either be in clear, or
 encrypted with a master key. This option transmits the database with
 unencrypted keys.
-.It Fl E , Fl -encrypt
+.It Fl E , Fl Fl encrypt
 This option transmits the database with encrypted keys.
-.It Fl n , Fl -stdout
+.It Fl n , Fl Fl stdout
 Dump the database on stdout, in a format that can be fed to hpropd.
 .El
 .Sh EXAMPLES
--- a/kdc/hpropd.8
+++ b/kdc/hpropd.8
@@ -41,17 +41,17 @@
 .Nm
 .Bk -words
 .Oo Fl d Ar file \*(Ba Xo
-.Fl -database= Ns Ar file
+.Fl Fl database= Ns Ar file
 .Xc
 .Oc
-.Op Fl n | Fl -stdin
-.Op Fl -print
-.Op Fl i | Fl -no-inetd
+.Op Fl n | Fl Fl stdin
+.Op Fl Fl print
+.Op Fl i | Fl Fl no-inetd
 .Oo Fl k Ar keytab \*(Ba Xo
-.Fl -keytab= Ns Ar keytab
+.Fl Fl keytab= Ns Ar keytab
 .Xc
 .Oc
-.Op Fl 4 | Fl -v4dump
+.Op Fl 4 | Fl Fl v4dump
 .Ek
 .Sh DESCRIPTION
 .Nm
@@ -73,17 +73,17 @@ are accepted.
 .Pp
 Options supported:
 .Bl -tag -width Ds
-.It Fl d Ar file , Fl -database= Ns Ar file
+.It Fl d Ar file , Fl Fl database= Ns Ar file
 database
-.It Fl n , Fl -stdin
+.It Fl n , Fl Fl stdin
 read from stdin
-.It Fl -print
+.It Fl Fl print
 print dump to stdout
-.It Fl i , Fl -no-inetd
+.It Fl i , Fl Fl no-inetd
 not started from inetd
-.It Fl k Ar keytab , Fl -keytab= Ns Ar keytab
+.It Fl k Ar keytab , Fl Fl keytab= Ns Ar keytab
 keytab to use for authentication
-.It Fl 4 , Fl -v4dump
+.It Fl 4 , Fl Fl v4dump
 create v4 type DB
 .El
 .Sh SEE ALSO
--- a/kdc/kdc.8
+++ b/kdc/kdc.8
@@ -41,27 +41,27 @@
 .Nm
 .Bk -words
 .Oo Fl c Ar file \*(Ba Xo
-.Fl -config-file= Ns Ar file
+.Fl Fl config-file= Ns Ar file
 .Xc
 .Oc
-.Op Fl p | Fl -no-require-preauth
-.Op Fl -max-request= Ns Ar size
-.Op Fl H | Fl -enable-http
-.Op Fl -no-524
-.Op Fl -kerberos4
-.Op Fl -kerberos4-cross-realm
+.Op Fl p | Fl Fl no-require-preauth
+.Op Fl Fl max-request= Ns Ar size
+.Op Fl H | Fl Fl enable-http
+.Op Fl Fl no-524
+.Op Fl Fl kerberos4
+.Op Fl Fl kerberos4-cross-realm
 .Oo Fl r Ar string \*(Ba Xo
-.Fl -v4-realm= Ns Ar string
+.Fl Fl v4-realm= Ns Ar string
 .Xc
 .Oc
-.Op Fl K | Fl -kaserver
+.Op Fl K | Fl Fl kaserver
 .Oo Fl P Ar portspec \*(Ba Xo
-.Fl -ports= Ns Ar portspec
+.Fl Fl ports= Ns Ar portspec
 .Xc
 .Oc
-.Op Fl -detach
-.Op Fl -disable-des
-.Op Fl -addresses= Ns Ar list of addresses
+.Op Fl Fl detach
+.Op Fl Fl disable-des
+.Op Fl Fl addresses= Ns Ar list of addresses
 .Ek
 .Sh DESCRIPTION
 .Nm
@@ -72,11 +72,11 @@ or from a default compiled-in value.
 .Pp
 Options supported:
 .Bl -tag -width Ds
-.It Fl c Ar file , Fl -config-file= Ns Ar file
+.It Fl c Ar file , Fl Fl config-file= Ns Ar file
 Specifies the location of the config file, the default is
 .Pa /var/heimdal/kdc.conf .
 This is the only value that can't be specified in the config file.
-.It Fl p , Fl -no-require-preauth
+.It Fl p , Fl Fl no-require-preauth
 Turn off the requirement for pre-autentication in the initial AS-REQ
 for all principals.
 The use of pre-authentication makes it more difficult to do offline
@@ -89,20 +89,20 @@ pre-athentication.
 The default is to require pre-authentication.
 Adding the require-preauth per principal is a more flexible way of
 handling this.
-.It Fl -max-request= Ns Ar size
+.It Fl Fl max-request= Ns Ar size
 Gives an upper limit on the size of the requests that the kdc is
 willing to handle.
-.It Fl H , Fl -enable-http
+.It Fl H , Fl Fl enable-http
 Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
-.It Fl -no-524
+.It Fl Fl no-524
 don't respond to 524 requests
-.It Fl -kerberos4
+.It Fl Fl kerberos4
 respond to Kerberos 4 requests
-.It Fl -kerberos4-cross-realm
+.It Fl Fl kerberos4-cross-realm
 respond to Kerberos 4 requests from foreign realms.
 This is a known security hole and should not be enabled unless you
 understand the consequences and are willing to live with them.
-.It Fl r Ar string , Fl -v4-realm= Ns Ar string
+.It Fl r Ar string , Fl Fl v4-realm= Ns Ar string
 What realm this server should act as when dealing with version 4
 requests.
 The database can contain any number of realms, but since the version 4
@@ -112,21 +112,21 @@ The default is whatever is returned by
 .Fn krb_get_lrealm .
 This option is only available if the KDC has been compiled with version
 4 support.
-.It Fl K , Fl -kaserver
+.It Fl K , Fl Fl kaserver
 Enable kaserver emulation (in case it's compiled in).
-.It Fl P Ar portspec , Fl -ports= Ns Ar portspec
+.It Fl P Ar portspec , Fl Fl ports= Ns Ar portspec
 Specifies the set of ports the KDC should listen on.
 It is given as a
 white-space separated list of services or port numbers.
-.It Fl -addresses= Ns Ar list of addresses
+.It Fl Fl addresses= Ns Ar list of addresses
 The list of addresses to listen for requests on.
 By default, the kdc will listen on all the locally configured
 addresses.
 If only a subset is desired, or the automatic detection fails, this
 option might be used.
-.It Fl -detach
+.It Fl Fl detach
 detach from pty and run as a daemon.
-.It Fl -disable-des
+.It Fl Fl disable-des
 disable add des encryption types, makes the kdc not use them.
 .El
 .Pp
@@ -153,7 +153,7 @@ specified as:
 .Dl require-preauth = no
 .Pp
 (in fact you can specify the option as
-.Fl -require-preauth=no ) .
+.Fl Fl require-preauth=no ) .
 .Pp
 And there are some configuration options which do not have
 command-line equivalents:
--- a/kdc/kstash.8
+++ b/kdc/kstash.8
@@ -41,19 +41,19 @@
 .Nm
 .Bk -words
 .Oo Fl e Ar string \*(Ba Xo
-.Fl -enctype= Ns Ar string
+.Fl Fl enctype= Ns Ar string
 .Xc
 .Oc
 .Oo Fl k Ar file \*(Ba Xo
-.Fl -key-file= Ns Ar file
+.Fl Fl key-file= Ns Ar file
 .Xc
 .Oc
-.Op Fl -convert-file
-.Op Fl -random-key
-.Op Fl -master-key-fd= Ns Ar fd
-.Op Fl -random-key
-.Op Fl h | Fl -help
-.Op Fl -version
+.Op Fl Fl convert-file
+.Op Fl Fl random-key
+.Op Fl Fl master-key-fd= Ns Ar fd
+.Op Fl Fl random-key
+.Op Fl h | Fl Fl help
+.Op Fl Fl version
 .Ek
 .Sh DESCRIPTION
 .Nm
@@ -62,16 +62,16 @@ used by the KDC.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Fl e Ar string , Fl -enctype= Ns Ar string
+.It Fl e Ar string , Fl Fl enctype= Ns Ar string
 the encryption type to use, defaults to DES3-CBC-SHA1.
-.It Fl k Ar file , Fl -key-file= Ns Ar file
+.It Fl k Ar file , Fl Fl key-file= Ns Ar file
 the name of the master key file.
-.It Fl -convert-file
+.It Fl Fl convert-file
 don't ask for a new master key, just read an old master key file, and
 write it back in the new keyfile format.
-.It Fl -random-key
+.It Fl Fl random-key
 generate a random master key.
-.It Fl -master-key-fd= Ns Ar fd
+.It Fl Fl master-key-fd= Ns Ar fd
 filedescriptor to read passphrase from, if not specified the
 passphrase will be read from the terminal.
 .El
--- a/kdc/string2key.8
+++ b/kdc/string2key.8
@@ -39,23 +39,23 @@
 .Nd map a password into a key
 .Sh SYNOPSIS
 .Nm
-.Op Fl 5 | Fl -version5
-.Op Fl 4 | Fl -version4
-.Op Fl a | Fl -afs
+.Op Fl 5 | Fl Fl version5
+.Op Fl 4 | Fl Fl version4
+.Op Fl a | Fl Fl afs
 .Oo Fl c Ar cell \*(Ba Xo
-.Fl -cell= Ns Ar cell
+.Fl Fl cell= Ns Ar cell
 .Xc
 .Oc
 .Oo Fl w Ar password \*(Ba Xo
-.Fl -password= Ns Ar password
+.Fl Fl password= Ns Ar password
 .Xc
 .Oc
 .Oo Fl p Ar principal \*(Ba Xo
-.Fl -principal= Ns Ar principal
+.Fl Fl principal= Ns Ar principal
 .Xc
 .Oc
 .Oo Fl k Ar string \*(Ba Xo
-.Fl -keytype= Ns Ar string
+.Fl Fl keytype= Ns Ar string
 .Xc
 .Oc
 .Ar password
@@ -65,21 +65,21 @@ performs the string-to-key function.
 This is useful when you want to handle the raw key instead of the password.
 Supported options:
 .Bl -tag -width Ds
-.It Fl 5 , Fl -version5
+.It Fl 5 , Fl Fl version5
 Output Kerberos v5 string-to-key
-.It Fl 4 , Fl -version4
+.It Fl 4 , Fl Fl version4
 Output Kerberos v4 string-to-key
-.It Fl a , Fl -afs
+.It Fl a , Fl Fl afs
 Output AFS string-to-key
-.It Fl c Ar cell , Fl -cell= Ns Ar cell
+.It Fl c Ar cell , Fl Fl cell= Ns Ar cell
 AFS cell to use
-.It Fl w Ar password , Fl -password= Ns Ar password
+.It Fl w Ar password , Fl Fl password= Ns Ar password
 Password to use
-.It Fl p Ar principal , Fl -principal= Ns Ar principal
+.It Fl p Ar principal , Fl Fl principal= Ns Ar principal
 Kerberos v5 principal to use
-.It Fl k Ar string , Fl -keytype= Ns Ar string
+.It Fl k Ar string , Fl Fl keytype= Ns Ar string
 Keytype
-.It Fl -version
+.It Fl Fl version
 print version
-.It Fl -help
+.It Fl Fl help
 .El
--- a/kpasswd/kpasswd.1
+++ b/kpasswd/kpasswd.1
@@ -39,9 +39,9 @@
 .Nd Kerberos 5 password changing program
 .Sh SYNOPSIS
 .Nm
-.Op Fl -admin-principal= Ns Ar principal
+.Op Fl Fl admin-principal= Ns Ar principal
 .Oo Fl c Ar cache \*(Ba Xo
-.Fl -cache= Ns Ar cache
+.Fl Fl cache= Ns Ar cache
 .Xc
 .Oc
 .Op Ar principal ...
@@ -58,7 +58,7 @@ If the administrator isn't specified on the command prompt, the
 principal of the default credential cache will be used.
 .Pp
 If a credential cache is given, the
-.Fl -admin-principal
+.Fl Fl admin-principal
 flag is ignored and use the default name of the credential cache is
 used instead.
 .Sh DIAGNOSTICS
--- a/kpasswd/kpasswdd.8
+++ b/kpasswd/kpasswdd.8
@@ -38,23 +38,23 @@
 .Sh SYNOPSIS
 .Nm
 .Bk -words
-.Op Fl -addresses= Ns Ar address
-.Op Fl -check-library= Ns Ar library
-.Op Fl -check-function= Ns Ar function
+.Op Fl Fl addresses= Ns Ar address
+.Op Fl Fl check-library= Ns Ar library
+.Op Fl Fl check-function= Ns Ar function
 .Oo Fl k Ar kspec \*(Ba Xo
-.Fl -keytab= Ns Ar kspec
+.Fl Fl keytab= Ns Ar kspec
 .Xc
 .Oc
 .Oo Fl r Ar realm \*(Ba Xo
-.Fl -realm= Ns Ar realm
+.Fl Fl realm= Ns Ar realm
 .Xc
 .Oc
 .Oo Fl p Ar string \*(Ba Xo
-.Fl -port= Ns Ar string
+.Fl Fl port= Ns Ar string
 .Xc
 .Oc
-.Op Fl -version
-.Op Fl -help
+.Op Fl Fl version
+.Op Fl Fl help
 .Ek
 .Sh DESCRIPTION
 .Nm
@@ -64,14 +64,14 @@ the database directly and should thus only run on the master KDC.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Fl -addresses= Ns Ar address
+.It Fl Fl addresses= Ns Ar address
 For each till the argument is given, add the address to what kpasswdd
 should listen too.
-.It Fl -check-library= Ns Ar library
+.It Fl Fl check-library= Ns Ar library
 If your system has support for dynamic loading of shared libraries,
 you can use an external function to check password quality. This
 option specifies which library to load.
-.It Fl -check-function= Ns Ar function
+.It Fl Fl check-function= Ns Ar function
 This is the function to call in the loaded library. The function
 should look like this:
 .Pp
@@ -86,11 +86,11 @@ is the one who tries to change passwords, and
 is the new password. Note that the password (in
 .Fa password->data )
 is not zero terminated.
-.It Fl k Ar kspec , Fl -keytab= Ns Ar kspec
+.It Fl k Ar kspec , Fl Fl keytab= Ns Ar kspec
 Keytab to get authentication key from.
-.It Fl r Ar realm , Fl -realm= Ns Ar realm
+.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
 Default realm.
-.It Fl p Ar string , Fl -port= Ns Ar string
+.It Fl p Ar string , Fl Fl port= Ns Ar string
 Port to listen on (default service kpasswd - 464).
 .El
 .Sh DIAGNOSTICS
--- a/kuser/copy_cred_cache.1
+++ b/kuser/copy_cred_cache.1
@@ -40,12 +40,12 @@
 copy credentials from one cache to another
 .Sh SYNOPSIS
 .Nm
-.Op Fl -krbtgt-only
-.Op Fl -service= Ns Ar principal
-.Op Fl -enctype= Ns Ar enctype
-.Op Fl -flags= Ns Ar ticketflags
-.Op Fl -valid-for= Ns Ar time
-.Op Fl -fcache-version= Ns Ar integer
+.Op Fl Fl krbtgt-only
+.Op Fl Fl service= Ns Ar principal
+.Op Fl Fl enctype= Ns Ar enctype
+.Op Fl Fl flags= Ns Ar ticketflags
+.Op Fl Fl valid-for= Ns Ar time
+.Op Fl Fl fcache-version= Ns Ar integer
 .Op Aq Ar from-cache
 .Aq Ar to-cache
 .Sh DESCRIPTION
@@ -57,20 +57,20 @@ copies credentials from
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Fl -krbtgt-only
+.It Fl Fl krbtgt-only
 Copies only krbtgt credentials for the client's realm. This is
 equivalent to
-.Fl -service= Ns Li krbtgt/ Ns Ao Ar CLIENTREALM Ac Ns Li @ Ns Ao Ar CLIENTREALM Ac .
-.It Fl -service= Ns Ar principal
+.Fl Fl service= Ns Li krbtgt/ Ns Ao Ar CLIENTREALM Ac Ns Li @ Ns Ao Ar CLIENTREALM Ac .
+.It Fl Fl service= Ns Ar principal
 Copies only credentials matching this service principal.
-.It Fl -enctype= Ns Ar enctype
+.It Fl Fl enctype= Ns Ar enctype
 Copies only credentials a matching enctype.
-.It Fl -flags= Ns Ar ticketflags
+.It Fl Fl flags= Ns Ar ticketflags
 Copies only credentials with these ticket flags set.
-.It Fl -valid-for= Ns Ar time
+.It Fl Fl valid-for= Ns Ar time
 Copies only credentials that are valid for at least this long. This
 does not take renewable creds into account.
-.It Fl -fcache-version= Ns Ar integer
+.It Fl Fl fcache-version= Ns Ar integer
 The created cache, If a standard
 .Li FILE
 cache is created, it will have this file format version.
--- a/kuser/kdestroy.1
+++ b/kuser/kdestroy.1
@@ -41,13 +41,13 @@
 .Nm
 .Bk -words
 .Op Fl c Ar cachefile
-.Op Fl -credential= Ns Ar principal
-.Op Fl -cache= Ns Ar cachefile
-.Op Fl A | Fl -all
-.Op Fl -no-unlog
-.Op Fl -no-delete-v4
-.Op Fl -version
-.Op Fl -help
+.Op Fl Fl credential= Ns Ar principal
+.Op Fl Fl cache= Ns Ar cachefile
+.Op Fl A | Fl Fl all
+.Op Fl Fl no-unlog
+.Op Fl Fl no-delete-v4
+.Op Fl Fl version
+.Op Fl Fl help
 .Ek
 .Sh DESCRIPTION
 .Nm
@@ -63,11 +63,11 @@ from the credential cache if it exists.
 .It Fl cache= Ns Ar cachefile
 The cache file to remove.
 .It Fl A
-.It Fl -all
+.It Fl Fl all
 remove all credential caches.
-.It Fl -no-unlog
+.It Fl Fl no-unlog
 Do not remove AFS tokens.
-.It Fl -no-delete-v4
+.It Fl Fl no-delete-v4
 Do not remove v4 tickets.
 .El
 .Sh SEE ALSO
--- a/kuser/kdigest.8
+++ b/kuser/kdigest.8
@@ -40,209 +40,209 @@
 userland tool to access digest interface in the KDC
 .Sh SYNOPSIS
 .Nm
-.Op Fl -ccache= Ns Ar string
-.Op Fl -version
-.Op Fl -help
+.Op Fl Fl ccache= Ns Ar string
+.Op Fl Fl version
+.Op Fl Fl help
 command
 .Op arguments
 .Sh DESCRIPTION
 Supported options:
 .Bl -tag -width Ds
 .It Xo
-.Fl -ccache= Ns Ar string
+.Fl Fl ccache= Ns Ar string
 .Xc
 credential cache
 .It Xo
-.Fl -version
+.Fl Fl version
 .Xc
 print version
 .It Xo
-.Fl -help
+.Fl Fl help
 .Xc
 .El
 .Pp
 Available commands are:
 .Bl -tag -width Ds
 .It Xo digest-probe
-.Op Fl -realm= Ns Ar string
-.Op Fl h | Fl -help
+.Op Fl Fl realm= Ns Ar string
+.Op Fl h | Fl Fl help
 .Xc
 .Bl -tag -width Ds
 .It Xo
-.Fl -realm= Ns Ar string
+.Fl Fl realm= Ns Ar string
 .Xc
 Kerberos realm to communicate with
 .El
 .It Xo digest-server-init
-.Op Fl -type= Ns Ar string
-.Op Fl -kerberos-realm= Ns Ar realm
-.Op Fl -digest= Ns Ar digest-type
-.Op Fl -cb-type= Ns Ar type
-.Op Fl -cb-value= Ns Ar value
-.Op Fl -hostname= Ns Ar hostname
-.Op Fl -realm= Ns Ar string
+.Op Fl Fl type= Ns Ar string
+.Op Fl Fl kerberos-realm= Ns Ar realm
+.Op Fl Fl digest= Ns Ar digest-type
+.Op Fl Fl cb-type= Ns Ar type
+.Op Fl Fl cb-value= Ns Ar value
+.Op Fl Fl hostname= Ns Ar hostname
+.Op Fl Fl realm= Ns Ar string
 .Xc
 .Bl -tag -width Ds
 .It Xo
-.Fl -type= Ns Ar string
+.Fl Fl type= Ns Ar string
 .Xc
 digest type
 .It Xo
-.Fl -kerberos-realm= Ns Ar realm
+.Fl Fl kerberos-realm= Ns Ar realm
 .Xc
 .It Xo
-.Fl -digest= Ns Ar digest-type
+.Fl Fl digest= Ns Ar digest-type
 .Xc
 digest type to use in the algorithm
 .It Xo
-.Fl -cb-type= Ns Ar type
+.Fl Fl cb-type= Ns Ar type
 .Xc
 type of channel bindings
 .It Xo
-.Fl -cb-value= Ns Ar value
+.Fl Fl cb-value= Ns Ar value
 .Xc
 value of channel bindings
 .It Xo
-.Fl -hostname= Ns Ar hostname
+.Fl Fl hostname= Ns Ar hostname
 .Xc
 hostname of the server
 .It Xo
-.Fl -realm= Ns Ar string
+.Fl Fl realm= Ns Ar string
 .Xc
 Kerberos realm to communicate with
 .El
 .It Xo digest-server-request
-.Op Fl -type= Ns Ar string
-.Op Fl -kerberos-realm= Ns Ar realm
-.Op Fl -username= Ns Ar name
-.Op Fl -server-nonce= Ns Ar nonce
-.Op Fl -server-identifier= Ns Ar nonce
-.Op Fl -client-nonce= Ns Ar nonce
-.Op Fl -client-response= Ns Ar response
-.Op Fl -opaque= Ns Ar string
-.Op Fl -authentication-name= Ns Ar name
-.Op Fl -realm= Ns Ar realm
-.Op Fl -method= Ns Ar method
-.Op Fl -uri= Ns Ar uri
-.Op Fl -nounce-count= Ns Ar count
-.Op Fl -qop= Ns Ar qop
-.Op Fl -ccache= Ns Ar ccache
+.Op Fl Fl type= Ns Ar string
+.Op Fl Fl kerberos-realm= Ns Ar realm
+.Op Fl Fl username= Ns Ar name
+.Op Fl Fl server-nonce= Ns Ar nonce
+.Op Fl Fl server-identifier= Ns Ar nonce
+.Op Fl Fl client-nonce= Ns Ar nonce
+.Op Fl Fl client-response= Ns Ar response
+.Op Fl Fl opaque= Ns Ar string
+.Op Fl Fl authentication-name= Ns Ar name
+.Op Fl Fl realm= Ns Ar realm
+.Op Fl Fl method= Ns Ar method
+.Op Fl Fl uri= Ns Ar uri
+.Op Fl Fl nounce-count= Ns Ar count
+.Op Fl Fl qop= Ns Ar qop
+.Op Fl Fl ccache= Ns Ar ccache
 .Xc
 .Bl -tag -width Ds
 .It Xo
-.Fl -type= Ns Ar string
+.Fl Fl type= Ns Ar string
 .Xc
 digest type
 .It Xo
-.Fl -kerberos-realm= Ns Ar realm
+.Fl Fl kerberos-realm= Ns Ar realm
 .Xc
 .It Xo
-.Fl -username= Ns Ar name
+.Fl Fl username= Ns Ar name
 .Xc
 digest type
 .It Xo
-.Fl -server-nonce= Ns Ar nonce
+.Fl Fl server-nonce= Ns Ar nonce
 .Xc
 .It Xo
-.Fl -server-identifier= Ns Ar nonce
+.Fl Fl server-identifier= Ns Ar nonce
 .Xc
 .It Xo
-.Fl -client-nonce= Ns Ar nonce
+.Fl Fl client-nonce= Ns Ar nonce
 .Xc
 .It Xo
-.Fl -client-response= Ns Ar response
+.Fl Fl client-response= Ns Ar response
 .Xc
 .It Xo
-.Fl -opaque= Ns Ar string
+.Fl Fl opaque= Ns Ar string
 .Xc
 .It Xo
-.Fl -authentication-name= Ns Ar name
+.Fl Fl authentication-name= Ns Ar name
 .Xc
 .It Xo
-.Fl -realm= Ns Ar realm
+.Fl Fl realm= Ns Ar realm
 .Xc
 .It Xo
-.Fl -method= Ns Ar method
+.Fl Fl method= Ns Ar method
 .Xc
 .It Xo
-.Fl -uri= Ns Ar uri
+.Fl Fl uri= Ns Ar uri
 .Xc
 .It Xo
-.Fl -nounce-count= Ns Ar count
+.Fl Fl nounce-count= Ns Ar count
 .Xc
 .It Xo
-.Fl -qop= Ns Ar qop
+.Fl Fl qop= Ns Ar qop
 .Xc
 .It Xo
-.Fl -ccache= Ns Ar ccache
+.Fl Fl ccache= Ns Ar ccache
 .Xc
 Where the the credential cache is created when the KDC returns tickets
 .El
 .It Xo digest-client-request
-.Op Fl -type= Ns Ar string
-.Op Fl -username= Ns Ar name
-.Op Fl -password= Ns Ar password
-.Op Fl -server-nonce= Ns Ar nonce
-.Op Fl -server-identifier= Ns Ar nonce
-.Op Fl -client-nonce= Ns Ar nonce
-.Op Fl -opaque= Ns Ar string
-.Op Fl -realm= Ns Ar realm
-.Op Fl -method= Ns Ar method
-.Op Fl -uri= Ns Ar uri
-.Op Fl -nounce-count= Ns Ar count
-.Op Fl -qop= Ns Ar qop
+.Op Fl Fl type= Ns Ar string
+.Op Fl Fl username= Ns Ar name
+.Op Fl Fl password= Ns Ar password
+.Op Fl Fl server-nonce= Ns Ar nonce
+.Op Fl Fl server-identifier= Ns Ar nonce
+.Op Fl Fl client-nonce= Ns Ar nonce
+.Op Fl Fl opaque= Ns Ar string
+.Op Fl Fl realm= Ns Ar realm
+.Op Fl Fl method= Ns Ar method
+.Op Fl Fl uri= Ns Ar uri
+.Op Fl Fl nounce-count= Ns Ar count
+.Op Fl Fl qop= Ns Ar qop
 .Xc
 .Bl -tag -width Ds
 .It Xo
-.Fl -type= Ns Ar string
+.Fl Fl type= Ns Ar string
 .Xc
 digest type
 .It Xo
-.Fl -username= Ns Ar name
+.Fl Fl username= Ns Ar name
 .Xc
 digest type
 .It Xo
-.Fl -password= Ns Ar password
+.Fl Fl password= Ns Ar password
 .Xc
 .It Xo
-.Fl -server-nonce= Ns Ar nonce
+.Fl Fl server-nonce= Ns Ar nonce
 .Xc
 .It Xo
-.Fl -server-identifier= Ns Ar nonce
+.Fl Fl server-identifier= Ns Ar nonce
 .Xc
 .It Xo
-.Fl -client-nonce= Ns Ar nonce
+.Fl Fl client-nonce= Ns Ar nonce
 .Xc
 .It Xo
-.Fl -opaque= Ns Ar string
+.Fl Fl opaque= Ns Ar string
 .Xc
 .It Xo
-.Fl -realm= Ns Ar realm
+.Fl Fl realm= Ns Ar realm
 .Xc
 .It Xo
-.Fl -method= Ns Ar method
+.Fl Fl method= Ns Ar method
 .Xc
 .It Xo
-.Fl -uri= Ns Ar uri
+.Fl Fl uri= Ns Ar uri
 .Xc
 .It Xo
-.Fl -nounce-count= Ns Ar count
+.Fl Fl nounce-count= Ns Ar count
 .Xc
 .It Xo
-.Fl -qop= Ns Ar qop
+.Fl Fl qop= Ns Ar qop
 .Xc
 .El
 .It Xo ntlm-server-init
-.Op Fl -version= Ns Ar integer
-.Op Fl -kerberos-realm= Ns Ar string
+.Op Fl Fl version= Ns Ar integer
+.Op Fl Fl kerberos-realm= Ns Ar string
 .Xc
 .Bl -tag -width Ds
 .It Xo
-.Fl -version= Ns Ar integer
+.Fl Fl version= Ns Ar integer
 .Xc
 ntlm version
 .It Xo
-.Fl -kerberos-realm= Ns Ar string
+.Fl Fl kerberos-realm= Ns Ar string
 .Xc
 Kerberos realm to communicate with
 .El
--- a/kuser/kgetcred.1
+++ b/kuser/kgetcred.1
@@ -39,18 +39,18 @@
 .Nd "get a ticket for a particular service"
 .Sh SYNOPSIS
 .Nm
-.Op Fl -canonicalize
+.Op Fl Fl canonicalize
 .Oo Fl c cache \*(Ba Xo
-.Fl -cache= Ns Ar cache
+.Fl Fl cache= Ns Ar cache
 .Xc
 .Oc
 .Oo Fl e Ar enctype \*(Ba Xo
-.Fl -enctype= Ns Ar enctype
+.Fl Fl enctype= Ns Ar enctype
 .Xc
 .Oc
-.Op Fl -no-transit-check
-.Op Fl -version
-.Op Fl -help
+.Op Fl Fl no-transit-check
+.Op Fl Fl version
+.Op Fl Fl help
 .Ar service
 .Sh DESCRIPTION
 .Nm
@@ -61,16 +61,16 @@ ticket or of a special type.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Fl -canonicalize
+.It Fl Fl canonicalize
 requests that the KDC canonicalize the principal.
-.It Fl c Ar cache , Fl -cache= Ns Ar cache
+.It Fl c Ar cache , Fl Fl cache= Ns Ar cache
 the credential cache to use.
-.It Fl e Ar enctype , Fl -enctype= Ns Ar enctype
+.It Fl e Ar enctype , Fl Fl enctype= Ns Ar enctype
 encryption type to use.
-.It Fl -no-transit-check
+.It Fl Fl no-transit-check
 requests that the KDC doesn't do transit checking.
-.It Fl -version
-.It Fl -help
+.It Fl Fl version
+.It Fl Fl help
 .El
 .Sh SEE ALSO
 .Xr kinit 1 ,
--- a/kuser/kimpersonate.8
+++ b/kuser/kimpersonate.8
@@ -40,17 +40,17 @@
 impersonate a user when there exist a srvtab, keyfile or KeyFile
 .Sh SYNOPSIS
 .Nm
-.Op Fl s Ar string \*(Ba Fl -server= Ns Ar string
-.Op Fl c Ar string \*(Ba Fl -client= Ns Ar string
-.Op Fl k Ar string \*(Ba Fl -keytab= Ns Ar string
-.Op Fl 5 | Fl -krb5
-.Op Fl e Ar integer \*(Ba Fl -expire-time= Ns Ar integer
-.Op Fl a Ar string \*(Ba Fl -client-address= Ns Ar string
-.Op Fl t Ar string \*(Ba Fl -enc-type= Ns Ar string
-.Op Fl f Ar string \*(Ba Fl -ticket-flags= Ns Ar string
-.Op Fl -verbose
-.Op Fl -version
-.Op Fl -help
+.Op Fl s Ar string \*(Ba Fl Fl server= Ns Ar string
+.Op Fl c Ar string \*(Ba Fl Fl client= Ns Ar string
+.Op Fl k Ar string \*(Ba Fl Fl keytab= Ns Ar string
+.Op Fl 5 | Fl Fl krb5
+.Op Fl e Ar integer \*(Ba Fl Fl expire-time= Ns Ar integer
+.Op Fl a Ar string \*(Ba Fl Fl client-address= Ns Ar string
+.Op Fl t Ar string \*(Ba Fl Fl enc-type= Ns Ar string
+.Op Fl f Ar string \*(Ba Fl Fl ticket-flags= Ns Ar string
+.Op Fl Fl verbose
+.Op Fl Fl version
+.Op Fl Fl help
 .Sh DESCRIPTION
 The
 .Nm
@@ -59,27 +59,27 @@ The service key can be read from a Kerberos 5 keytab, AFS KeyFile or
 (if compiled with support for Kerberos 4) a Kerberos 4 srvtab.
 Supported options:
 .Bl -tag -width Ds
-.It Fl s Ar string Ns , Fl -server= Ns Ar string
+.It Fl s Ar string Ns , Fl Fl server= Ns Ar string
 name of server principal
-.It Fl c Ar string Ns , Fl -client= Ns Ar string
+.It Fl c Ar string Ns , Fl Fl client= Ns Ar string
 name of client principal
-.It Fl k Ar string Ns , Fl -keytab= Ns Ar string
+.It Fl k Ar string Ns , Fl Fl keytab= Ns Ar string
 name of keytab file
-.It Fl 5 Ns , Fl -krb5
+.It Fl 5 Ns , Fl Fl krb5
 create a Kerberos 5 ticket
-.It Fl e Ar integer Ns , Fl -expire-time= Ns Ar integer
+.It Fl e Ar integer Ns , Fl Fl expire-time= Ns Ar integer
 lifetime of ticket in seconds
-.It Fl a Ar string Ns , Fl -client-address= Ns Ar string
+.It Fl a Ar string Ns , Fl Fl client-address= Ns Ar string
 address of client
-.It Fl t Ar string Ns , Fl -enc-type= Ns Ar string
+.It Fl t Ar string Ns , Fl Fl enc-type= Ns Ar string
 encryption type
-.It Fl f Ar string Ns , Fl -ticket-flags= Ns Ar string
+.It Fl f Ar string Ns , Fl Fl ticket-flags= Ns Ar string
 ticket flags for krb5 ticket
-.It Fl -verbose
+.It Fl Fl verbose
 Verbose output
-.It Fl -version
+.It Fl Fl version
 Print version
-.It Fl -help
+.It Fl Fl help
 .El
 .Sh FILES
 Uses
--- a/kuser/kinit.1
+++ b/kuser/kinit.1
@@ -39,52 +39,52 @@
 .Nd acquire initial tickets
 .Sh SYNOPSIS
 .Nm kinit
-.Op Fl -afslog
+.Op Fl Fl afslog
 .Oo Fl c Ar cachename \*(Ba Xo
-.Fl -cache= Ns Ar cachename
+.Fl Fl cache= Ns Ar cachename
 .Xc
 .Oc
-.Op Fl f | Fl -no-forwardable
+.Op Fl f | Fl Fl no-forwardable
 .Oo Fl t Ar keytabname \*(Ba Xo
-.Fl -keytab= Ns Ar keytabname
+.Fl Fl keytab= Ns Ar keytabname
 .Xc
 .Oc
 .Oo Fl l Ar time \*(Ba Xo
-.Fl -lifetime= Ns Ar time
+.Fl Fl lifetime= Ns Ar time
 .Xc
 .Oc
-.Op Fl p | Fl -proxiable
-.Op Fl R | Fl -renew
-.Op Fl -renewable
+.Op Fl p | Fl Fl proxiable
+.Op Fl R | Fl Fl renew
+.Op Fl Fl renewable
 .Oo Fl r Ar time \*(Ba Xo
-.Fl -renewable-life= Ns Ar time
+.Fl Fl renewable-life= Ns Ar time
 .Xc
 .Oc
 .Oo Fl S Ar principal \*(Ba Xo
-.Fl -server= Ns Ar principal
+.Fl Fl server= Ns Ar principal
 .Xc
 .Oc
 .Oo Fl s Ar time \*(Ba Xo
-.Fl -start-time= Ns Ar time
+.Fl Fl start-time= Ns Ar time
 .Xc
 .Oc
-.Op Fl k | Fl -use-keytab
-.Op Fl v | Fl -validate
+.Op Fl k | Fl Fl use-keytab
+.Op Fl v | Fl Fl validate
 .Oo Fl e Ar enctypes \*(Ba Xo
-.Fl -enctypes= Ns Ar enctypes
+.Fl Fl enctypes= Ns Ar enctypes
 .Xc
 .Oc
 .Oo Fl a Ar addresses \*(Ba Xo
-.Fl -extra-addresses= Ns Ar addresses
+.Fl Fl extra-addresses= Ns Ar addresses
 .Xc
 .Oc
-.Op Fl -password-file= Ns Ar filename
-.Op Fl -fcache-version= Ns Ar version-number
-.Op Fl A | Fl -no-addresses
-.Op Fl -anonymous
-.Op Fl -enterprise
-.Op Fl -version
-.Op Fl -help
+.Op Fl Fl password-file= Ns Ar filename
+.Op Fl Fl fcache-version= Ns Ar version-number
+.Op Fl A | Fl Fl no-addresses
+.Op Fl Fl anonymous
+.Op Fl Fl enterprise
+.Op Fl Fl version
+.Op Fl Fl help
 .Op Ar principal Op Ar command
 .Sh DESCRIPTION
 .Nm
@@ -96,51 +96,51 @@ can later be used to obtain tickets for other services.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Fl c Ar cachename Fl -cache= Ns Ar cachename
+.It Fl c Ar cachename Fl Fl cache= Ns Ar cachename
 The credentials cache to put the acquired ticket in, if other than
 default.
-.It Fl f Fl -no-forwardable
+.It Fl f Fl Fl no-forwardable
 Get ticket that can be forwarded to another host, or if the negative
 flags use, don't get a forwardable flag.
-.It Fl t Ar keytabname , Fl -keytab= Ns Ar keytabname
+.It Fl t Ar keytabname , Fl Fl keytab= Ns Ar keytabname
 Don't ask for a password, but instead get the key from the specified
 keytab.
-.It Fl l Ar time , Fl -lifetime= Ns Ar time
+.It Fl l Ar time , Fl Fl lifetime= Ns Ar time
 Specifies the lifetime of the ticket.
 The argument can either be in seconds, or a more human readable string
 like
 .Sq 1h .
-.It Fl p , Fl -proxiable
+.It Fl p , Fl Fl proxiable
 Request tickets with the proxiable flag set.
-.It Fl R , Fl -renew
+.It Fl R , Fl Fl renew
 Try to renew ticket.
 The ticket must have the
 .Sq renewable
 flag set, and must not be expired.
-.It Fl -renewable
+.It Fl Fl renewable
 The same as
-.Fl -renewable-life ,
+.Fl Fl renewable-life ,
 with an infinite time.
-.It Fl r Ar time , Fl -renewable-life= Ns Ar time
+.It Fl r Ar time , Fl Fl renewable-life= Ns Ar time
 The max renewable ticket life.
-.It Fl S Ar principal , Fl -server= Ns Ar principal
+.It Fl S Ar principal , Fl Fl server= Ns Ar principal
 Get a ticket for a service other than krbtgt/LOCAL.REALM.
-.It Fl s Ar time , Fl -start-time= Ns Ar time
+.It Fl s Ar time , Fl Fl start-time= Ns Ar time
 Obtain a ticket that starts to be valid
 .Ar time
 (which can really be a generic time specification, like
 .Sq 1h )
 seconds into the future.
-.It Fl k , Fl -use-keytab
+.It Fl k , Fl Fl use-keytab
 The same as
-.Fl -keytab ,
+.Fl Fl keytab ,
 but with the default keytab name (normally
 .Ar FILE:/etc/krb5.keytab ) .
-.It Fl v , Fl -validate
+.It Fl v , Fl Fl validate
 Try to validate an invalid ticket.
-.It Fl e , Fl -enctypes= Ns Ar enctypes
+.It Fl e , Fl Fl enctypes= Ns Ar enctypes
 Request tickets with this particular enctype.
-.It Fl -password-file= Ns Ar filename
+.It Fl Fl password-file= Ns Ar filename
 read the password from the first line of
 .Ar filename .
 If the
@@ -148,10 +148,10 @@ If the
 is
 .Ar STDIN ,
 the password will be read from the standard input.
-.It Fl -fcache-version= Ns Ar version-number
+.It Fl Fl fcache-version= Ns Ar version-number
 Create a credentials cache of version
 .Ar version-number .
-.It Fl a , Fl -extra-addresses= Ns Ar enctypes
+.It Fl a , Fl Fl extra-addresses= Ns Ar enctypes
 Adds a set of addresses that will, in addition to the systems local
 addresses, be put in the ticket.
 This can be useful if all addresses a client can use can't be
@@ -161,13 +161,13 @@ Also settable via
 .Li libdefaults/extra_addresses
 in
 .Xr krb5.conf 5 .
-.It Fl A , Fl -no-addresses
+.It Fl A , Fl Fl no-addresses
 Request a ticket with no addresses.
-.It Fl -anonymous
+.It Fl Fl anonymous
 Request an anonymous ticket (which means that the ticket will be
 issued to an anonymous principal, typically
 .Dq anonymous@REALM ) .
-.It Fl -enterprise
+.It Fl Fl enterprise
 Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enterprise
 names are email like principals that are stored in the name part of
 the principal, and since there are two @ characters the parser needs
@@ -177,7 +177,7 @@ An example of an enterprise name is
 and this option is usually used with canonicalize so that the
 principal returned from the KDC will typically be the real principal
 name.
-.It Fl -afslog
+.It Fl Fl afslog
 Gets AFS tickets, converts them to version 4 format, and stores them
 in the kernel.
 Only useful if you have AFS.
--- a/kuser/klist.1
+++ b/kuser/klist.1
@@ -41,17 +41,17 @@
 .Nm
 .Bk -words
 .Oo Fl c Ar cache \*(Ba Xo
-.Fl -cache= Ns Ar cache
+.Fl Fl cache= Ns Ar cache
 .Xc
 .Oc
-.Op Fl s | Fl t | Fl -test
-.Op Fl T | Fl -tokens
-.Op Fl 5 | Fl -v5
-.Op Fl v | Fl -verbose
-.Op Fl l | Fl -list-caches
+.Op Fl s | Fl t | Fl Fl test
+.Op Fl T | Fl Fl tokens
+.Op Fl 5 | Fl Fl v5
+.Op Fl v | Fl Fl verbose
+.Op Fl l | Fl Fl list-caches
 .Op Fl f
-.Op Fl -version
-.Op Fl -help
+.Op Fl Fl version
+.Op Fl Fl help
 .Ek
 .Sh DESCRIPTION
 .Nm
@@ -60,14 +60,14 @@ known as the ticket file).
 .Pp
 Options supported:
 .Bl -tag -width Ds
-.It Fl c Ar cache , Fl -cache= Ns Ar cache
+.It Fl c Ar cache , Fl Fl cache= Ns Ar cache
 credential cache to list
-.It Fl s , Fl t , Fl -test
+.It Fl s , Fl t , Fl Fl test
 Test for there being an active and valid TGT for the local realm of
 the user in the credential cache.
-.It Fl T , Fl -tokens
+.It Fl T , Fl Fl tokens
 display AFS tokens
-.It Fl 5 , Fl -v5
+.It Fl 5 , Fl Fl v5
 display v5 cred cache (this is the default)
 .It Fl f
 Include ticket flags in short form, each character stands for a
@@ -98,9 +98,9 @@ hardware authenticated
 .El
 .Pp
 This information is also output with the
-.Fl -verbose
+.Fl Fl verbose
 option, but in a more verbose way.
-.It Fl v , Fl -verbose
+.It Fl v , Fl Fl verbose
 Verbose output. Include all possible information:
 .Bl -tag -width XXXX -offset indent
 .It Server
@@ -125,7 +125,7 @@ the flags set on the ticket
 .It Addresses
 the set of addresses from which this ticket is valid
 .El
-.It Fl l , Fl -list-caches
+.It Fl l , Fl Fl list-caches
 List the credential caches for the current users, not all cache types
 supports listing multiple caches.
 .Pp
--- a/kuser/kswitch.1
+++ b/kuser/kswitch.1
@@ -39,48 +39,48 @@ switch between default credential caches
 .Sh SYNOPSIS
 .Nm
 .Oo Fl t Ar type \*(Ba Xo
-.Fl -type= Ns Ar type
+.Fl Fl type= Ns Ar type
 .Xc
 .Oc
 .Oo Fl c Ar cache \*(Ba Xo
-.Fl -cache= Ns Ar cache
+.Fl Fl cache= Ns Ar cache
 .Xc
 .Oc
 .Oo Fl p Ar principal \*(Ba Xo
-.Fl -principal= Ns Ar principal
+.Fl Fl principal= Ns Ar principal
 .Xc
 .Oc
-.Op Fl i | Fl -interactive
-.Op Fl -version
-.Op Fl -help
+.Op Fl i | Fl Fl interactive
+.Op Fl Fl version
+.Op Fl Fl help
 .Sh DESCRIPTION
 Supported options:
 .Bl -tag -width Ds
 .It Xo
 .Fl t Ar type ,
-.Fl -type= Ns Ar type
+.Fl Fl type= Ns Ar type
 .Xc
 type of credential cache
 .It Xo
 .Fl c Ar cache ,
-.Fl -cache= Ns Ar cache
+.Fl Fl cache= Ns Ar cache
 .Xc
 name of credential cache to switch to
 .It Xo
 .Fl p Ar principal ,
-.Fl -principal= Ns Ar principal
+.Fl Fl principal= Ns Ar principal
 .Xc
 name of principal to switch to
 .It Xo
 .Fl i ,
-.Fl -interactive
+.Fl Fl interactive
 .Xc
 interactive switching between credentials.
 .It Xo
-.Fl -version
+.Fl Fl version
 .Xc
 print version
 .It Xo
-.Fl -help
+.Fl Fl help
 .Xc
 .El
--- a/lib/kadm5/iprop-log.8
+++ b/lib/kadm5/iprop-log.8
@@ -42,58 +42,58 @@
 maintain the iprop log file
 .Sh SYNOPSIS
 .Nm
-.Op Fl -version
-.Op Fl h | Fl -help
+.Op Fl Fl version
+.Op Fl h | Fl Fl help
 .Ar command
 .Pp
 .Nm iprop-log truncate
 .Oo Fl c Ar file \*(Ba Xo
-.Fl -config-file= Ns Ar file
+.Fl Fl config-file= Ns Ar file
 .Xc
 .Oc
 .Oo Fl r Ar string \*(Ba Xo
-.Fl -realm= Ns Ar string
+.Fl Fl realm= Ns Ar string
 .Xc
 .Oc
-.Op Fl h | Fl -help
+.Op Fl h | Fl Fl help
 .Pp
 .Nm iprop-log dump
 .Oo Fl c Ar file \*(Ba Xo
-.Fl -config-file= Ns Ar file
+.Fl Fl config-file= Ns Ar file
 .Xc
 .Oc
 .Oo Fl r Ar string \*(Ba Xo
-.Fl -realm= Ns Ar string
+.Fl Fl realm= Ns Ar string
 .Xc
 .Oc
-.Op Fl h | Fl -help
+.Op Fl h | Fl Fl help
 .Pp
 .Nm iprop-log replay
-.Op Fl -start-version= Ns Ar version-number
-.Op Fl -end-version= Ns Ar version-number
+.Op Fl Fl start-version= Ns Ar version-number
+.Op Fl Fl end-version= Ns Ar version-number
 .Oo Fl c Ar file \*(Ba Xo
-.Fl -config-file= Ns Ar file
+.Fl Fl config-file= Ns Ar file
 .Xc
 .Oc
 .Oo Fl r Ar string \*(Ba Xo
-.Fl -realm= Ns Ar string
+.Fl Fl realm= Ns Ar string
 .Xc
 .Oc
-.Op Fl h | Fl -help
+.Op Fl h | Fl Fl help
 .Sh DESCRIPTION
 Supported options:
 .Bl -tag -width Ds
-.It Fl -version
-.It Fl h , Fl -help
+.It Fl Fl version
+.It Fl h , Fl Fl help
 .El
 .Pp
 command can be one of the following:
 .Bl -tag -width truncate
 .It truncate
 .Bl -tag -width Ds
-.It Fl c Ar file , Fl -config-file= Ns Ar file
+.It Fl c Ar file , Fl Fl config-file= Ns Ar file
 configuration file
-.It Fl r Ar string , Fl -realm= Ns Ar string
+.It Fl r Ar string , Fl Fl realm= Ns Ar string
 realm
 .El
 .Pp
@@ -102,11 +102,11 @@ last entry of the old log.  If the log is truncted by emptying the
 file, the log will start over at the first version (0).
 .It dump
 .Bl -tag -width Ds
-.It Fl c Ar file , Fl -config-file= Ns Ar file
+.It Fl c Ar file , Fl Fl config-file= Ns Ar file
 configuration file
 .It Xo
 .Fl r Ar string ,
-.Fl -realm= Ns Ar string
+.Fl Fl realm= Ns Ar string
 .Xc
 realm
 .El
@@ -114,15 +114,15 @@ realm
 Print out all entries in the log to standard output.
 .It replay
 .Bl -tag -width Ds
-.It Fl -start-version= Ns Ar version-number
+.It Fl Fl start-version= Ns Ar version-number
 start replay with this version
 .It Xo
-.Fl -end-version= Ns Ar version-number
+.Fl Fl end-version= Ns Ar version-number
 .Xc
 end replay with this version
-.It Fl c Ar file , Fl -config-file= Ns Ar file
+.It Fl c Ar file , Fl Fl config-file= Ns Ar file
 configuration file
-.It Fl r Ar string , Fl -realm= Ns Ar string
+.It Fl r Ar string , Fl Fl realm= Ns Ar string
 realm
 .El
 .Pp
@@ -130,9 +130,9 @@ Replay the changes from specified entries (or all if none is
 specified) in the transaction log to the database.
 .It last-version
 .Bl -tag -width Ds
-.It Fl c Ar file , Fl -config-file= Ns Ar file
+.It Fl c Ar file , Fl Fl config-file= Ns Ar file
 configuration file
-.It Fl r Ar string , Fl -realm= Ns Ar string
+.It Fl r Ar string , Fl Fl realm= Ns Ar string
 realm
 .El
 .Pp
--- a/lib/roken/getarg.3
+++ b/lib/roken/getarg.3
@@ -246,20 +246,20 @@ or
 .Pp
 Long option names are prefixed with -- (double dash), and the value
 with a = (equal),
-.Fl -foo= Ns Ar bar .
+.Fl Fl foo= Ns Ar bar .
 Long option flags can either be specified as they are
-.Pf ( Fl -help ) ,
+.Pf ( Fl Fl help ) ,
 or with an (boolean parsable) option
-.Pf ( Fl -help= Ns Ar yes ,
-.Fl -help= Ns Ar true ,
+.Pf ( Fl Fl help= Ns Ar yes ,
+.Fl Fl help= Ns Ar true ,
 or similar), or they can also be negated
-.Pf ( Fl -no-help
+.Pf ( Fl Fl no-help
 is the same as
-.Fl -help= Ns no ) ,
+.Fl Fl help= Ns no ) ,
 and if you're really confused you can do it multiple times
-.Pf ( Fl -no-no-help= Ns Ar false ,
+.Pf ( Fl Fl no-no-help= Ns Ar false ,
 or even
-.Fl -no-no-help= Ns Ar maybe ) .
+.Fl Fl no-no-help= Ns Ar maybe ) .
 .Sh EXAMPLE
 .Bd -literal
 #include <stdio.h>
--- a/lib/roken/getarg.c
+++ b/lib/roken/getarg.c
@@ -133,7 +133,7 @@ mandoc_template(struct getargs *args,
 	    }
 	    if(args[i].long_name) {
 		print_arg(buf, sizeof(buf), 1, 1, args + i, i18n);
-		printf("Fl -%s%s%s",
+		printf("Fl Fl %s%s%s",
 		       args[i].type == arg_negative_flag ? "no-" : "",
 		       args[i].long_name, buf);
 	    }
@@ -142,7 +142,7 @@ mandoc_template(struct getargs *args,
 	    print_arg(buf, sizeof(buf), 1, 0, args + i, i18n);
 	    printf(".Oo Fl %c%s \\*(Ba Xo\n", args[i].short_name, buf);
 	    print_arg(buf, sizeof(buf), 1, 1, args + i, i18n);
-	    printf(".Fl -%s%s\n.Xc\n.Oc\n", args[i].long_name, buf);
+	    printf(".Fl Fl %s%s\n.Xc\n.Oc\n", args[i].long_name, buf);
 	}
    /*
 	    if(args[i].type == arg_strings)
@@ -165,7 +165,7 @@ mandoc_template(struct getargs *args,
 	    printf("\n");
 	}
 	if(args[i].long_name){
-	    printf(".Fl -%s%s",
+	    printf(".Fl Fl %s%s",
 		   args[i].type == arg_negative_flag ? "no-" : "",
 		   args[i].long_name);
 	    print_arg(buf, sizeof(buf), 1, 1, args + i, i18n);
--- a/tools/krb5-config.1
+++ b/tools/krb5-config.1
@@ -37,10 +37,10 @@
 .Nd "give information on how to link code against Heimdal libraries"
 .Sh SYNOPSIS
 .Nm
-.Op Fl -prefix Ns Op = Ns Ar dir
-.Op Fl -exec-prefix Ns Op = Ns Ar dir
-.Op Fl -libs
-.Op Fl -cflags
+.Op Fl Fl prefix Ns Op = Ns Ar dir
+.Op Fl Fl exec-prefix Ns Op = Ns Ar dir
+.Op Fl Fl libs
+.Op Fl Fl cflags
 .Op Ar libraries
 .Sh DESCRIPTION
 .Nm
@@ -49,19 +49,19 @@ and link programs against the libraries installed by Heimdal.
 .Pp
 Options supported:
 .Bl -tag -width Ds
-.It Fl -prefix Ns Op = Ns Ar dir
+.It Fl Fl prefix Ns Op = Ns Ar dir
 Print the prefix if no
 .Ar dir
 is specified, otherwise set prefix to
 .Ar dir .
-.It Fl -exec-prefix Ns Op = Ns Ar dir
+.It Fl Fl exec-prefix Ns Op = Ns Ar dir
 Print the exec-prefix if no
 .Ar dir
 is specified, otherwise set exec-prefix to
 .Ar dir .
-.It Fl -libs
+.It Fl Fl libs
 Output the set of libraries that should be linked against.
-.It Fl -cflags
+.It Fl Fl cflags
 Output the set of flags to give to the C compiler when using the
 Heimdal libraries.
 .El