Rename doc subdirectories

We like these names better, and they match the PDF document filenames.

admins -> admin
appldev -> appdev
users -> user

and catch up where the names are used elsewhere.

The relay/ directory has been removed, with its contents moved to the
top level in build_this.rst and a new about.rst.

The section headers for kadmind, krb5kdc, sserver, kpasswd, kswitch,
and sclient are misdetected as conflict markers.
bigredbutton: whitespace

ticket: 7433
tags: pullup

9 files changed, 1050 insertions, 0 deletions

diff --git a/doc/user/user_commands/index.rst b/doc/user/user_commands/index.rst
new file mode 100644
index 0000000000..b43fad69c7
--- /dev/null
+++ b/doc/user/user_commands/index.rst
@@ -0,0 +1,16 @@
+.. _user_commands:
+
+User commands
+=============
+
+.. toctree::
+   :maxdepth: 1
+
+   kdestroy.rst
+   kinit.rst
+   klist.rst
+   kpasswd.rst
+   ksu.rst
+   kswitch.rst
+   kvno.rst
+   sclient.rst
diff --git a/doc/user/user_commands/kdestroy.rst b/doc/user/user_commands/kdestroy.rst
new file mode 100644
index 0000000000..b8c67aba4c
--- /dev/null
+++ b/doc/user/user_commands/kdestroy.rst
@@ -0,0 +1,77 @@
+.. _kdestroy(1):
+
+kdestroy
+========
+
+SYNOPSIS
+--------
+
+**kdestroy**
+[**-A**]
+[**-q**]
+[**-c** *cache_name*]
+
+
+DESCRIPTION
+-----------
+
+The kdestroy utility destroys the user's active Kerberos authorization
+tickets by overwriting and deleting the credentials cache that
+contains them.  If the credentials cache is not specified, the default
+credentials cache is destroyed.
+
+
+OPTIONS
+-------
+
+**-A**
+    Destroys all caches in the collection, if a cache collection is
+    available.
+
+**-q**
+    Run quietly.  Normally kdestroy beeps if it fails to destroy the
+    user's tickets.  The **-q** flag suppresses this behavior.
+
+**-c** *cache_name*
+    Use *cache_name* as the credentials (ticket) cache name and
+    location; if this option is not used, the default cache name and
+    location are used.
+
+    The default credentials cache may vary between systems.  If the
+    **KRB5CCNAME** environment variable is set, its value is used to
+    name the default ticket cache.
+
+
+NOTE
+----
+
+Most installations recommend that you place the kdestroy command in
+your .logout file, so that your tickets are destroyed automatically
+when you log out.
+
+
+ENVIRONMENT
+-----------
+
+kdestroy uses the following environment variable:
+
+**KRB5CCNAME**
+    Location of the default Kerberos 5 credentials (ticket) cache, in
+    the form *type*:*residual*.  If no *type* prefix is present, the
+    **FILE** type is assumed.  The type of the default cache may
+    determine the availability of a cache collection; for instance, a
+    default cache of type **DIR** causes caches within the directory
+    to be present in the collection.
+
+
+FILES
+-----
+
+|ccache|
+    Default location of Kerberos 5 credentials cache
+
+
+SEE ALSO
+--------
+
+:ref:`kinit(1)`, :ref:`klist(1)`
diff --git a/doc/user/user_commands/kinit.rst b/doc/user/user_commands/kinit.rst
new file mode 100644
index 0000000000..c2b3b7fed0
--- /dev/null
+++ b/doc/user/user_commands/kinit.rst
@@ -0,0 +1,220 @@
+.. _kinit(1):
+
+kinit
+=====
+
+SYNOPSIS
+--------
+
+**kinit**
+[**-V**]
+[**-l** *lifetime*]
+[**-s** *start_time*]
+[**-r** *renewable_life*]
+[**-p** | -**P**]
+[**-f** | -**F**]
+[**-a**]
+[**-A**]
+[**-C**]
+[**-E**]
+[**-v**]
+[**-R**]
+[**-k** [-**t** *keytab_file*]]
+[**-c** *cache_name*]
+[**-n**]
+[**-S** *service_name*]
+[**-I** *input_ccache*]
+[**-T** *armor_ccache*]
+[**-X** *attribute*\ [=\ *value*]]
+[*principal*]
+
+
+DESCRIPTION
+-----------
+
+kinit obtains and caches an initial ticket-granting ticket for
+*principal*.
+
+
+OPTIONS
+-------
+
+**-V**
+    display verbose output.
+
+**-l** *lifetime*
+    (:ref:`duration` string.)  Requests a ticket with the lifetime
+    *lifetime*.
+
+    For example, ``kinit -l 5:30`` or ``kinit -l 5h30m``.
+
+    If the **-l** option is not specified, the default ticket lifetime
+    (configured by each site) is used.  Specifying a ticket lifetime
+    longer than the maximum ticket lifetime (configured by each site)
+    will not override the configured maximum ticket lifetime.
+
+**-s** *start_time*
+    (:ref:`duration` string.)  Requests a postdated ticket.  Postdated
+    tickets are issued with the **invalid** flag set, and need to be
+    resubmitted to the KDC for validation before use.
+
+    *start_time* specifies the duration of the delay before the ticket
+    can become valid.
+
+**-r** *renewable_life*
+    (:ref:`duration` string.)  Requests renewable tickets, with a total
+    lifetime of *renewable_life*.
+
+**-f**
+    requests forwardable tickets.
+
+**-F**
+    requests non-forwardable tickets.
+
+**-p**
+    requests proxiable tickets.
+
+**-P**
+    requests non-proxiable tickets.
+
+**-a**
+    requests tickets restricted to the host's local address[es].
+
+**-A**
+    requests tickets not restricted by address.
+
+**-C**
+    requests canonicalization of the principal name, and allows the
+    KDC to reply with a different client principal from the one
+    requested.
+
+**-E**
+    treats the principal name as an enterprise name (implies the
+    **-C** option).
+
+**-v**
+    requests that the ticket-granting ticket in the cache (with the
+    **invalid** flag set) be passed to the KDC for validation.  If the
+    ticket is within its requested time range, the cache is replaced
+    with the validated ticket.
+
+**-R**
+    requests renewal of the ticket-granting ticket.  Note that an
+    expired ticket cannot be renewed, even if the ticket is still
+    within its renewable life.
+
+**-k** [**-i** | **-t** *keytab_file*]
+    requests a ticket, obtained from a key in the local host's keytab.
+    The location of the keytab may be specified with the **-t**
+    *keytab_file* option, or with the **-i** option to specify the use
+    of the default client keytab; otherwise the default keytab will be
+    used.  By default, a host ticket for the local host is requested,
+    but any principal may be specified.  On a KDC, the special keytab
+    location ``KDB:`` can be used to indicate that kinit should open
+    the KDC database and look up the key directly.  This permits an
+    administrator to obtain tickets as any principal that supports
+    authentication based on the key.
+
+**-n**
+    Requests anonymous processing.  Two types of anonymous principals
+    are supported.
+
+    For fully anonymous Kerberos, configure pkinit on the KDC and
+    configure **pkinit_anchors** in the client's :ref:`krb5.conf(5)`.
+    Then use the **-n** option with a principal of the form ``@REALM``
+    (an empty principal name followed by the at-sign and a realm
+    name).  If permitted by the KDC, an anonymous ticket will be
+    returned.
+
+    A second form of anonymous tickets is supported; these
+    realm-exposed tickets hide the identity of the client but not the
+    client's realm.  For this mode, use ``kinit -n`` with a normal
+    principal name.  If supported by the KDC, the principal (but not
+    realm) will be replaced by the anonymous principal.
+
+    As of release 1.8, the MIT Kerberos KDC only supports fully
+    anonymous operation.
+
+**-I** *input_ccache*
+
+    Specifies the name of a credentials cache that already contains a
+    ticket.  When obtaining that ticket, if information about how that
+    ticket was obtained was also stored to the cache, that information
+    will be used to affect how new credentials are obtained, including
+    preselecting the same methods of authenticating to the KDC.
+
+**-T** *armor_ccache*
+    Specifies the name of a credentials cache that already contains a
+    ticket.  If supported by the KDC, this cache will be used to armor
+    the request, preventing offline dictionary attacks and allowing
+    the use of additional preauthentication mechanisms.  Armoring also
+    makes sure that the response from the KDC is not modified in
+    transit.
+
+**-c** *cache_name*
+    use *cache_name* as the Kerberos 5 credentials (ticket) cache
+    location.  If this option is not used, the default cache location
+    is used.
+
+    The default cache location may vary between systems.  If the
+    **KRB5CCNAME** environment variable is set, its value is used to
+    locate the default cache.  If a principal name is specified and
+    the type of the default cache supports a collection (such as the
+    DIR type), an existing cache containing credentials for the
+    principal is selected or a new one is created and becomes the new
+    primary cache.  Otherwise, any existing contents of the default
+    cache are destroyed by kinit.
+
+**-S** *service_name*
+    specify an alternate service name to use when getting initial
+    tickets.
+
+**-X** *attribute*\ [=\ *value*]
+    specify a pre-authentication *attribute* and *value* to be
+    interpreted by pre-authentication modules.  The acceptable
+    attribute and value values vary from module to module.  This
+    option may be specified multiple times to specify multiple
+    attributes.  If no value is specified, it is assumed to be "yes".
+
+    The following attributes are recognized by the PKINIT
+    pre-authentication mechanism:
+
+    **X509_user_identity**\ =\ *value*
+        specify where to find user's X509 identity information
+
+    **X509_anchors**\ =\ *value*
+        specify where to find trusted X509 anchor information
+
+    **flag_RSA_PROTOCOL**\ [**=yes**]
+        specify use of RSA, rather than the default Diffie-Hellman
+        protocol
+
+
+ENVIRONMENT
+-----------
+
+kinit uses the following environment variables:
+
+**KRB5CCNAME**
+    Location of the default Kerberos 5 credentials cache, in the form
+    *type*:*residual*.  If no *type* prefix is present, the **FILE**
+    type is assumed.  The type of the default cache may determine the
+    availability of a cache collection; for instance, a default cache
+    of type **DIR** causes caches within the directory to be present
+    in the collection.
+
+
+FILES
+-----
+
+|ccache|
+    default location of Kerberos 5 credentials cache
+
+|keytab|
+    default location for the local host's keytab.
+
+
+SEE ALSO
+--------
+
+:ref:`klist(1)`, :ref:`kdestroy(1)`, kerberos(1)
diff --git a/doc/user/user_commands/klist.rst b/doc/user/user_commands/klist.rst
new file mode 100644
index 0000000000..d303f34d83
--- /dev/null
+++ b/doc/user/user_commands/klist.rst
@@ -0,0 +1,135 @@
+.. _klist(1):
+
+klist
+=====
+
+SYNOPSIS
+--------
+
+**klist**
+[**-e**]
+[[**-c**] [**-l**] [**-A**] [**-f**] [**-s**] [**-a** [**-n**]]]
+[**-C**]
+[**-k** [**-t**] [**-K**]]
+[**-V**]
+[*cache_name*\|\ *keytab_name*]
+
+
+DESCRIPTION
+-----------
+
+klist lists the Kerberos principal and Kerberos tickets held in a
+credentials cache, or the keys held in a keytab file.
+
+
+OPTIONS
+-------
+
+**-e**
+    Displays the encryption types of the session key and the ticket
+    for each credential in the credential cache, or each key in the
+    keytab file.
+
+**-l**
+    If a cache collection is available, displays a table summarizing
+    the caches present in the collection.
+
+**-A**
+    If a cache collection is available, displays the contents of all
+    of the caches in the collection.
+
+**-c**
+    List tickets held in a credentials cache. This is the default if
+    neither **-c** nor **-k** is specified.
+
+**-f**
+    Shows the flags present in the credentials, using the following
+    abbreviations:
+
+     ::
+
+        F    Forwardable
+        f    forwarded
+        P    Proxiable
+        p    proxy
+        D    postDateable
+        d    postdated
+        R    Renewable
+        I    Initial
+        i    invalid
+        H    Hardware authenticated
+        A    preAuthenticated
+        T    Transit policy checked
+        O    Okay as delegate
+        a    anonymous
+
+**-s**
+    Causes klist to run silently (produce no output), but to still set
+    the exit status according to whether it finds the credentials
+    cache.  The exit status is '0' if klist finds a credentials cache,
+    and '1' if it does not or if the tickets are expired.
+
+**-a**
+    Display list of addresses in credentials.
+
+**-n**
+    Show numeric addresses instead of reverse-resolving addresses.
+
+**-C**
+    List configuration data that has been stored in the credentials
+    cache when klist encounters it.  By default, configuration data
+    is not listed.
+
+**-k**
+    List keys held in a keytab file.
+
+**-i**
+    In combination with **-k**, defaults to using the default client
+    keytab instead of the default acceptor keytab, if no name is
+    given.
+
+**-t**
+    Display the time entry timestamps for each keytab entry in the
+    keytab file.
+
+**-K**
+    Display the value of the encryption key in each keytab entry in
+    the keytab file.
+
+**-V**
+    Display the Kerberos version number and exit.
+
+If *cache_name* or *keytab_name* is not specified, klist will display
+the credentials in the default credentials cache or keytab file as
+appropriate.  If the **KRB5CCNAME** environment variable is set, its
+value is used to locate the default ticket cache.
+
+
+ENVIRONMENT
+-----------
+
+klist uses the following environment variable:
+
+**KRB5CCNAME**
+    Location of the default Kerberos 5 credentials (ticket) cache, in
+    the form *type*:*residual*.  If no *type* prefix is present, the
+    **FILE** type is assumed.  The type of the default cache may
+    determine the availability of a cache collection; for instance, a
+    default cache of type **DIR** causes caches within the directory
+    to be present in the collection.
+
+
+FILES
+-----
+
+|ccache|
+    Default location of Kerberos 5 credentials cache
+
+|keytab|
+    Default location for the local host's keytab file.
+
+
+SEE ALSO
+--------
+
+:ref:`kinit(1)`, :ref:`kdestroy(1)`
diff --git a/doc/user/user_commands/kpasswd.rst b/doc/user/user_commands/kpasswd.rst
new file mode 100644
index 0000000000..1b64632659
--- /dev/null
+++ b/doc/user/user_commands/kpasswd.rst
@@ -0,0 +1,39 @@
+.. _kpasswd(1):
+
+kpasswd
+=======
+
+SYNOPSIS
+--------
+
+**kpasswd** [*principal*]
+
+
+DESCRIPTION
+-----------
+
+The kpasswd command is used to change a Kerberos principal's password.
+kpasswd first prompts for the current Kerberos password, then prompts
+the user twice for the new password, and the password is changed.
+
+If the principal is governed by a policy that specifies the length
+and/or number of character classes required in the new password, the
+new password must conform to the policy.  (The five character classes
+are lower case, upper case, numbers, punctuation, and all other
+characters.)
+
+
+OPTIONS
+-------
+
+*principal*
+    Change the password for the Kerberos principal principal.
+    Otherwise, kpasswd uses the principal name from an existing ccache
+    if there is one; if not, the principal is derived from the
+    identity of the user invoking the kpasswd command.
+
+
+SEE ALSO
+--------
+
+:ref:`kadmin(1)`, :ref:`kadmind(8)`
diff --git a/doc/user/user_commands/ksu.rst b/doc/user/user_commands/ksu.rst
new file mode 100644
index 0000000000..aa22c18a3c
--- /dev/null
+++ b/doc/user/user_commands/ksu.rst
@@ -0,0 +1,397 @@
+.. _ksu(1):
+
+ksu
+===
+
+SYNOPSIS
+--------
+
+**ksu**
+[ *target_user* ]
+[ **-n** *target_principal_name* ]
+[ **-c** *source_cache_name* ]
+[ **-k** ]
+[ **-D** ]
+[ **-r** time ]
+[ **-pf** ]
+[ **-l** *lifetime* ]
+[ **-z | Z** ]
+[ **-q** ]
+[ **-e** *command* [ args ...  ] ] [ **-a** [ args ...  ] ]
+
+
+REQUIREMENTS
+------------
+
+Must have Kerberos version 5 installed to compile ksu.  Must have a
+Kerberos version 5 server running to use ksu.
+
+
+DESCRIPTION
+-----------
+
+ksu is a Kerberized version of the su program that has two missions:
+one is to securely change the real and effective user ID to that of
+the target user, and the other is to create a new security context.
+
+.. note:: For the sake of clarity, all references to and attributes of
+          the user invoking the program will start with "source"
+          (e.g., "source user", "source cache", etc.).
+
+          Likewise, all references to and attributes of the target
+          account will start with "target".
+
+AUTHENTICATION
+--------------
+
+To fulfill the first mission, ksu operates in two phases:
+authentication and authorization.  Resolving the target principal name
+is the first step in authentication.  The user can either specify his
+principal name with the **-n** option (e.g., ``-n jqpublic@USC.EDU``)
+or a default principal name will be assigned using a heuristic
+described in the OPTIONS section (see **-n** option).  The target user
+name must be the first argument to ksu; if not specified root is the
+default.  If ``.`` is specified then the target user will be the
+source user (e.g., ``ksu .``).  If the source user is root or the
+target user is the source user, no authentication or authorization
+takes place.  Otherwise, ksu looks for an appropriate Kerberos ticket
+in the source cache.
+
+The ticket can either be for the end-server or a ticket granting
+ticket (TGT) for the target principal's realm.  If the ticket for the
+end-server is already in the cache, it's decrypted and verified.  If
+it's not in the cache but the TGT is, the TGT is used to obtain the
+ticket for the end-server.  The end-server ticket is then verified.
+If neither ticket is in the cache, but ksu is compiled with the
+**GET_TGT_VIA_PASSWD** define, the user will be prompted for a
+Kerberos password which will then be used to get a TGT.  If the user
+is logged in remotely and does not have a secure channel, the password
+may be exposed.  If neither ticket is in the cache and
+**GET_TGT_VIA_PASSWD** is not defined, authentication fails.
+
+
+AUTHORIZATION
+-------------
+
+This section describes authorization of the source user when ksu is
+invoked without the **-e** option.  For a description of the **-e**
+option, see the OPTIONS section.
+
+Upon successful authentication, ksu checks whether the target
+principal is authorized to access the target account.  In the target
+user's home directory, ksu attempts to access two authorization files:
+:ref:`.k5login(5)` and .k5users.  In the .k5login file each line
+contains the name of a principal that is authorized to access the
+account.
+
+For example:
+ ::
+
+    jqpublic@USC.EDU
+    jqpublic/secure@USC.EDU
+    jqpublic/admin@USC.EDU
+
+The format of .k5users is the same, except the principal name may be
+followed by a list of commands that the principal is authorized to
+execute (see the **-e** option in the OPTIONS section for details).
+
+Thus if the target principal name is found in the .k5login file the
+source user is authorized to access the target account.  Otherwise ksu
+looks in the .k5users file.  If the target principal name is found
+without any trailing commands or followed only by ``*`` then the
+source user is authorized.  If either .k5login or .k5users exist but
+an appropriate entry for the target principal does not exist then
+access is denied.  If neither file exists then the principal will be
+granted access to the account according to the aname->lname mapping
+rules.  Otherwise, authorization fails.
+
+
+EXECUTION OF THE TARGET SHELL
+-----------------------------
+
+Upon successful authentication and authorization, ksu proceeds in a
+similar fashion to su.  The environment is unmodified with the
+exception of USER, HOME and SHELL variables.  If the target user is
+not root, USER gets set to the target user name.  Otherwise USER
+remains unchanged.  Both HOME and SHELL are set to the target login's
+default values.  In addition, the environment variable **KRB5CCNAME**
+gets set to the name of the target cache.  The real and effective user
+ID are changed to that of the target user.  The target user's shell is
+then invoked (the shell name is specified in the password file).  Upon
+termination of the shell, ksu deletes the target cache (unless ksu is
+invoked with the **-k** option).  This is implemented by first doing a
+fork and then an exec, instead of just exec, as done by su.
+
+
+CREATING A NEW SECURITY CONTEXT
+-------------------------------
+
+ksu can be used to create a new security context for the target
+program (either the target shell, or command specified via the **-e**
+option).  The target program inherits a set of credentials from the
+source user.  By default, this set includes all of the credentials in
+the source cache plus any additional credentials obtained during
+authentication.  The source user is able to limit the credentials in
+this set by using **-z** or **-Z** option.  **-z** restricts the copy
+of tickets from the source cache to the target cache to only the
+tickets where client == the target principal name.  The **-Z** option
+provides the target user with a fresh target cache (no creds in the
+cache).  Note that for security reasons, when the source user is root
+and target user is non-root, **-z** option is the default mode of
+operation.
+
+While no authentication takes place if the source user is root or is
+the same as the target user, additional tickets can still be obtained
+for the target cache.  If **-n** is specified and no credentials can
+be copied to the target cache, the source user is prompted for a
+Kerberos password (unless **-Z** specified or **GET_TGT_VIA_PASSWD**
+is undefined).  If successful, a TGT is obtained from the Kerberos
+server and stored in the target cache.  Otherwise, if a password is
+not provided (user hit return) ksu continues in a normal mode of
+operation (the target cache will not contain the desired TGT).  If the
+wrong password is typed in, ksu fails.
+
+.. note:: During authentication, only the tickets that could be
+          obtained without providing a password are cached in in the
+          source cache.
+
+
+OPTIONS
+-------
+
+**-n** *target_principal_name*
+    Specify a Kerberos target principal name.  Used in authentication
+    and authorization phases of ksu.
+
+    If ksu is invoked without **-n**, a default principal name is
+    assigned via the following heuristic:
+
+    * Case 1: source user is non-root.
+
+      If the target user is the source user the default principal name
+      is set to the default principal of the source cache.  If the
+      cache does not exist then the default principal name is set to
+      ``target_user@local_realm``.  If the source and target users are
+      different and neither ``~target_user/.k5users`` nor
+      ``~target_user/.k5login`` exist then the default principal name
+      is ``target_user_login_name@local_realm``.  Otherwise, starting
+      with the first principal listed below, ksu checks if the
+      principal is authorized to access the target account and whether
+      there is a legitimate ticket for that principal in the source
+      cache.  If both conditions are met that principal becomes the
+      default target principal, otherwise go to the next principal.
+
+      a) default principal of the source cache
+      b) target_user\@local_realm
+      c) source_user\@local_realm
+
+      If a-c fails try any principal for which there is a ticket in
+      the source cache and that is authorized to access the target
+      account.  If that fails select the first principal that is
+      authorized to access the target account from the above list.  If
+      none are authorized and ksu is configured with
+      **PRINC_LOOK_AHEAD** turned on, select the default principal as
+      follows:
+
+      For each candidate in the above list, select an authorized
+      principal that has the same realm name and first part of the
+      principal name equal to the prefix of the candidate.  For
+      example if candidate a) is ``jqpublic@ISI.EDU`` and
+      ``jqpublic/secure@ISI.EDU`` is authorized to access the target
+      account then the default principal is set to
+      ``jqpublic/secure@ISI.EDU``.
+
+    * Case 2: source user is root.
+
+      If the target user is non-root then the default principal name
+      is ``target_user@local_realm``.  Else, if the source cache
+      exists the default principal name is set to the default
+      principal of the source cache.  If the source cache does not
+      exist, default principal name is set to ``root\@local_realm``.
+
+**-c** *source_cache_name*
+
+    Specify source cache name (e.g., ``-c FILE:/tmp/my_cache``).  If
+    **-c** option is not used then the name is obtained from
+    **KRB5CCNAME** environment variable.  If **KRB5CCNAME** is not
+    defined the source cache name is set to ``krb5cc_<source uid>``.
+    The target cache name is automatically set to ``krb5cc_<target
+    uid>.(gen_sym())``, where gen_sym generates a new number such that
+    the resulting cache does not already exist.  For example:
+
+     ::
+
+        krb5cc_1984.2
+
+**-k**
+    Do not delete the target cache upon termination of the target
+    shell or a command (**-e** command).  Without **-k**, ksu deletes
+    the target cache.
+
+**-D**
+    Turn on debug mode.
+
+**-z**
+    Restrict the copy of tickets from the source cache to the target
+    cache to only the tickets where client == the target principal
+    name.  Use the **-n** option if you want the tickets for other then
+    the default principal.  Note that the **-z** option is mutually
+    exclusive with the **-Z** option.
+
+**-Z**
+    Don't copy any tickets from the source cache to the target cache.
+    Just create a fresh target cache, where the default principal name
+    of the cache is initialized to the target principal name.  Note
+    that the **-Z** option is mutually exclusive with the **-z**
+    option.
+
+**-q**
+    Suppress the printing of status messages.
+
+Ticket granting ticket options:
+
+**-l** *lifetime* **-r** *time* **-pf**
+    The ticket granting ticket options only apply to the case where
+    there are no appropriate tickets in the cache to authenticate the
+    source user.  In this case if ksu is configured to prompt users
+    for a Kerberos password (**GET_TGT_VIA_PASSWD** is defined), the
+    ticket granting ticket options that are specified will be used
+    when getting a ticket granting ticket from the Kerberos server.
+
+**-l** *lifetime*
+    (:ref:`duration` string.)  Specifies the lifetime to be requested
+    for the ticket; if this option is not specified, the default ticket
+    lifetime (12 hours) is used instead.
+
+**-r** *time*
+    (:ref:`duration` string.)  Specifies that the **renewable** option
+    should be requested for the ticket, and specifies the desired
+    total lifetime of the ticket.
+
+**-p**
+    specifies that the **proxiable** option should be requested for
+    the ticket.
+
+**-f**
+    option specifies that the **forwardable** option should be
+    requested for the ticket.
+
+**-e** *command* [*args* ...]
+    ksu proceeds exactly the same as if it was invoked without the
+    **-e** option, except instead of executing the target shell, ksu
+    executes the specified command. Example of usage:
+
+     ::
+
+        ksu bob -e ls -lag
+
+    The authorization algorithm for **-e** is as follows:
+
+    If the source user is root or source user == target user, no
+    authorization takes place and the command is executed.  If source
+    user id != 0, and ``~target_user/.k5users`` file does not exist,
+    authorization fails.  Otherwise, ``~target_user/.k5users`` file
+    must have an appropriate entry for target principal to get
+    authorized.
+
+    The .k5users file format:
+
+    A single principal entry on each line that may be followed by a
+    list of commands that the principal is authorized to execute.  A
+    principal name followed by a ``*`` means that the user is
+    authorized to execute any command.  Thus, in the following
+    example:
+
+     ::
+
+        jqpublic@USC.EDU ls mail /local/kerberos/klist
+        jqpublic/secure@USC.EDU *
+        jqpublic/admin@USC.EDU
+
+    ``jqpublic@USC.EDU`` is only authorized to execute ``ls``,
+    ``mail`` and ``klist`` commands.  ``jqpublic/secure@USC.EDU`` is
+    authorized to execute any command.  ``jqpublic/admin@USC.EDU`` is
+    not authorized to execute any command.  Note, that
+    ``jqpublic/admin@USC.EDU`` is authorized to execute the target
+    shell (regular ksu, without the **-e** option) but
+    ``jqpublic@USC.EDU`` is not.
+
+    The commands listed after the principal name must be either a full
+    path names or just the program name.  In the second case,
+    **CMD_PATH** specifying the location of authorized programs must
+    be defined at the compilation time of ksu.  Which command gets
+    executed?
+
+    If the source user is root or the target user is the source user
+    or the user is authorized to execute any command (``*`` entry)
+    then command can be either a full or a relative path leading to
+    the target program.  Otherwise, the user must specify either a
+    full path or just the program name.
+
+**-a** *args*
+    Specify arguments to be passed to the target shell.  Note that all
+    flags and parameters following -a will be passed to the shell,
+    thus all options intended for ksu must precede **-a**.
+
+    The **-a** option can be used to simulate the **-e** option if
+    used as follows:
+
+     ::
+
+        -a -c [command [arguments]].
+
+    **-c** is interpreted by the c-shell to execute the command.
+
+
+INSTALLATION INSTRUCTIONS
+-------------------------
+
+ksu can be compiled with the following four flags:
+
+**GET_TGT_VIA_PASSWD**
+    In case no appropriate tickets are found in the source cache, the
+    user will be prompted for a Kerberos password.  The password is
+    then used to get a ticket granting ticket from the Kerberos
+    server.  The danger of configuring ksu with this macro is if the
+    source user is logged in remotely and does not have a secure
+    channel, the password may get exposed.
+
+**PRINC_LOOK_AHEAD**
+    During the resolution of the default principal name,
+    **PRINC_LOOK_AHEAD** enables ksu to find principal names in
+    the .k5users file as described in the OPTIONS section
+    (see **-n** option).
+
+**CMD_PATH**
+    Specifies a list of directories containing programs that users are
+    authorized to execute (via .k5users file).
+
+**HAVE_GETUSERSHELL**
+    If the source user is non-root, ksu insists that the target user's
+    shell to be invoked is a "legal shell".  *getusershell(3)* is
+    called to obtain the names of "legal shells".  Note that the
+    target user's shell is obtained from the passwd file.
+
+Sample configuration:
+ ::
+
+    KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin"
+
+ksu should be owned by root and have the set user id bit turned on.
+
+ksu attempts to get a ticket for the end server just as Kerberized
+telnet and rlogin.  Thus, there must be an entry for the server in the
+Kerberos database (e.g., ``host/nii.isi.edu@ISI.EDU``).  The keytab
+file must be in an appropriate location.
+
+
+SIDE EFFECTS
+------------
+
+ksu deletes all expired tickets from the source cache.
+
+
+AUTHOR OF KSU
+-------------
+
+GENNADY (ARI) MEDVINSKY
diff --git a/doc/user/user_commands/kswitch.rst b/doc/user/user_commands/kswitch.rst
new file mode 100644
index 0000000000..56e5915ac3
--- /dev/null
+++ b/doc/user/user_commands/kswitch.rst
@@ -0,0 +1,56 @@
+.. _kswitch(1):
+
+kswitch
+=======
+
+SYNOPSIS
+--------
+
+**kswitch**
+{**-c** *cachename*\|\ **-p** *principal*}
+
+
+DESCRIPTION
+-----------
+
+kswitch makes the specified credential cache the primary cache for the
+collection, if a cache collection is available.
+
+
+OPTIONS
+-------
+
+**-c** *cachename*
+    Directly specifies the credential cache to be made primary.
+
+**-p** *principal*
+    Causes the cache collection to be searched for a cache containing
+    credentials for *principal*.  If one is found, that collection is
+    made primary.
+
+
+ENVIRONMENT
+-----------
+
+kswitch uses the following environment variables:
+
+**KRB5CCNAME**
+    Location of the default Kerberos 5 credentials (ticket) cache, in
+    the form *type*:*residual*.  If no *type* prefix is present, the
+    **FILE** type is assumed.  The type of the default cache may
+    determine the availability of a cache collection; for instance, a
+    default cache of type **DIR** causes caches within the directory
+    to be present in the collection.
+
+
+FILES
+-----
+
+|ccache|
+    Default location of Kerberos 5 credentials cache
+
+
+SEE ALSO
+--------
+
+:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`klist(1)`), kerberos(1)
diff --git a/doc/user/user_commands/kvno.rst b/doc/user/user_commands/kvno.rst
new file mode 100644
index 0000000000..31ca244606
--- /dev/null
+++ b/doc/user/user_commands/kvno.rst
@@ -0,0 +1,86 @@
+.. _kvno(1):
+
+kvno
+====
+
+SYNOPSIS
+--------
+
+**kvno**
+[**-c** *ccache*]
+[**-e** *etype*]
+[**-q**]
+[**-h**]
+[**-P**]
+[**-S** *sname*]
+[**-U** *for_user*]
+*service1 service2* ...
+
+
+DESCRIPTION
+-----------
+
+kvno acquires a service ticket for the specified Kerberos principals
+and prints out the key version numbers of each.
+
+
+OPTIONS
+-------
+
+**-c** *ccache*
+    Specifies the name of a credentials cache to use (if not the
+    default)
+
+**-e** *etype*
+    Specifies the enctype which will be requested for the session key
+    of all the services named on the command line.  This is useful in
+    certain backward compatibility situations.
+
+**-q**
+    Suppress printing output when successful.  If a service ticket
+    cannot be obtained, an error message will still be printed and
+    kvno will exit with nonzero status.
+
+**-h**
+    Prints a usage statement and exits.
+
+**-P**
+    Specifies that the *service1 service2* ...  arguments are to be
+    treated as services for which credentials should be acquired using
+    constrained delegation.  This option is only valid when used in
+    conjunction with protocol transition.
+
+**-S** *sname*
+    Specifies that the *service1 service2* ... arguments are
+    interpreted as hostnames, and the service principals are to be
+    constructed from those hostnames and the service name *sname*.
+    The service hostnames will be canonicalized according to the usual
+    rules for constructing service principals.
+
+**-U** *for_user*
+    Specifies that protocol transition (S4U2Self) is to be used to
+    acquire a ticket on behalf of *for_user*.  If constrained
+    delegation is not requested, the service name must match the
+    credentials cache client principal.
+
+
+ENVIRONMENT
+-----------
+
+kvno uses the following environment variable:
+
+**KRB5CCNAME**
+    Location of the credentials (ticket) cache.
+
+
+FILES
+-----
+
+|ccache|
+    Default location of the credentials cache
+
+
+SEE ALSO
+--------
+
+:ref:`kinit(1)`, :ref:`kdestroy(1)`
diff --git a/doc/user/user_commands/sclient.rst b/doc/user/user_commands/sclient.rst
new file mode 100644
index 0000000000..ebf7972536
--- /dev/null
+++ b/doc/user/user_commands/sclient.rst
@@ -0,0 +1,24 @@
+.. _sclient(1):
+
+sclient
+=======
+
+SYNOPSIS
+--------
+
+**sclient** *remotehost*
+
+
+DESCRIPTION
+-----------
+
+sclient is a sample application, primarily useful for testing
+purposes.  It contacts a sample server :ref:`sserver(8)` and
+authenticates to it using Kerberos version 5 tickets, then displays
+the server's response.
+
+
+SEE ALSO
+--------
+
+:ref:`kinit(1)`, :ref:`sserver(8)`