* Makefile: changed the way html output is generated, made "make all"

        remove generated tex files
        * admin.texinfo: added sections about encryption types and salts,
        updated the configuration file sections, revised the example
        configuration files, updated dates on output strings, added an
        explanation of destroying a Kerberos database
        * build.texinfo: changed the description of the tarball
        * definitions.texinfo: added variables for all the default values
        so that they can all be updated in one place, changed the release
        from 1.2 to 1.3
        * dnstxt.texinfo updated the information
        * install.texinfo added more description of the configuration files
        and the minimum needed in the files to set up a kerberos realm,
        revised the examples of the configuration file sections, took out
        old encryption type and salt information
        * kdcconf.texinfo: new file, taken from the admin guide and included
        in both the admin and install guides, provides descriptions of the
        sections in kdc.conf
        * krb425.texinfo: moved a texinfo tag so that makeinfo --html would
        work
        * krb5conf.texinfo: new file, take from the admin guide and included
        in both the admin and install guides, provides descriptions of the
        sections in krb5.conf
        * man2html, man2html.M: new files, a perl program to create html pages
        from the output of the man command
        * salts.texinfo: new file, a description of the different salt types
        that are currently supported
        * support-enc.texinfo: new file, a description of the currently
        supported encryptions types
        * user-guide.texinfo: added a section describing different ticket
        flags, added a way to have the man pages in the reference section
        accessible in the html version of the documentation

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14587 dc483132-0cff-0310-8789-dd5450dbe970

15 files changed, 2078 insertions, 326 deletions

diff --git a/doc/ChangeLog b/doc/ChangeLog
index 37b52c4d0f..7ea57f4d79 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,38 @@
+2002-06-26 Jen Selby <jenselby@mit.edu>
+
+	* Makefile: changed the way html output is generated, made "make all"
+	remove generated tex files
+	* admin.texinfo: added sections about encryption types and salts,
+	updated the configuration file sections, revised the example 
+	configuration files, updated dates on output strings, added an
+	explanation of destroying a Kerberos database
+	* build.texinfo: changed the description of the tarball
+	* definitions.texinfo: added variables for all the default values
+	so that they can all be updated in one place, changed the release
+	from 1.2 to 1.3
+	* dnstxt.texinfo updated the information
+	* install.texinfo added more description of the configuration files
+	and the minimum needed in the files to set up a kerberos realm,
+	revised the examples of the configuration file sections, took out
+	old encryption type and salt information
+	* kdcconf.texinfo: new file, taken from the admin guide and included
+	in both the admin and install guides, provides descriptions of the
+	sections in kdc.conf
+	* krb425.texinfo: moved a texinfo tag so that makeinfo --html would
+	work
+	* krb5conf.texinfo: new file, take from the admin guide and included
+	in both the admin and install guides, provides descriptions of the
+	sections in krb5.conf
+	* man2html, man2html.M: new files, a perl program to create html pages 
+	from the output of the man command
+	* salts.texinfo: new file, a description of the different salt types
+	that are currently supported
+	* support-enc.texinfo: new file, a description of the currently
+	supported encryptions types
+	* user-guide.texinfo: added a section describing different ticket
+	flags, added a way to have the man pages in the reference section
+	accessible in the html version of the documentation
+
 2002-06-21  Ezra Eeisach  <epeisach@bu.edu>
 
 	* implementor.texinfo (IPv6 Support): Update fact that IRIX 6.5.16
diff --git a/doc/Makefile b/doc/Makefile
index f8c29969b7..a5b8d13fee 100644
--- a/doc/Makefile
+++ b/doc/Makefile
@@ -2,18 +2,22 @@ SRCDIR=../src
 DVI=texi2dvi
 DVIPS=dvips -o "$@"
 INFO=makeinfo
-HTML=texi2html
+HTML=makeinfo --html
 RM=rm -f
 TAR=tar -chvf
 GZIP=gzip -9
 MANPS=./man2ps
+MANTXT=nroff -man 
+MANHTML=./man2html
 
 ADMIN_INCLUDES=definitions.texinfo copyright.texinfo document-list.texinfo \
-	glossary.texinfo send-pr.texinfo
+	glossary.texinfo support-enc.texinfo salts.texinfo krb5conf.texinfo \
+	kdcconf.texinfo dnstxt.texinfo dnssrv.texinfo send-pr.texinfo
 ADMIN_DEPS=admin.texinfo $(ADMIN_INCLUDES)
 
 INSTALL_INCLUDES=definitions.texinfo copyright.texinfo document-list.texinfo \
-	build.texinfo bug-report.texinfo send-pr.texinfo
+	dnstxt.texinfo dnssrv.texinfo build.texinfo bug-report.texinfo \
+	krb5conf.texinfo kdcconf.texinfo send-pr.texinfo
 INSTALL_DEPS=install.texinfo $(INSTALL_INCLUDES)
 
 USER_GUIDE_INCLUDES=definitions.texinfo copyright.texinfo glossary.texinfo
@@ -23,7 +27,7 @@ KRB425_INCLUDES=definitions.texinfo copyright.texinfo
 KRB425_DEPS=krb425.texinfo $(KRB425_INCLUDES)
 
 .PHONY: all
-all:: admin-guide-full install-guide-full user-guide-full krb425-guide-full clean-temp-ps
+all:: admin-guide-full install-guide-full user-guide-full krb425-guide-full clean-temp-ps clean-tex
 
 .PHONY: admin-guide-full
 admin-guide-full:: admin-guide admin-guide-info admin-guide-html
@@ -90,6 +94,16 @@ krb5-user.info: $(USER_GUIDE_DEPS)
 user-guide-html:: user-guide.html
 
 user-guide.html: $(USER_GUIDE_DEPS)
+	$(MANTXT) $(SRCDIR)/appl/gssftp/ftp/ftp.M | $(MANHTML) > ftp.html
+	$(MANTXT) $(SRCDIR)/clients/kdestroy/kdestroy.M | $(MANHTML) > kdestroy.html
+	$(MANTXT) $(SRCDIR)/clients/kinit/kinit.M | $(MANHTML) > kinit.html
+	$(MANTXT) $(SRCDIR)/clients/klist/klist.M | $(MANHTML) > klist.html
+	$(MANTXT) $(SRCDIR)/clients/ksu/ksu.M | $(MANHTML) > ksu.html
+	$(MANTXT) $(SRCDIR)/appl/bsd/rcp.M | $(MANHTML) > rcp.html
+	$(MANTXT) $(SRCDIR)/appl/bsd/rlogin.M | $(MANHTML) > rlogin.html
+	$(MANTXT) $(SRCDIR)/appl/bsd/rsh.M | $(MANHTML) > rsh.html
+	$(MANTXT) $(SRCDIR)/appl/telnet/telnet/telnet.1 | $(MANHTML) > telnet.html
+	$(MANTXT) $(SRCDIR)/kadmin/passwd/kpasswd.M | $(MANHTML) > kpasswd.html
 	$(HTML) user-guide.texinfo		
 
 .PHONY: krb425-guide-full
diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index 37bda96692..d04ba75722 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -39,6 +39,7 @@
 @ifinfo
 This document describes how to administrate a @value{PRODUCT}
 installation.
+@end ifinfo
 
 @c The master menu is updated using emacs19's M-x texinfo-all-menus-update
 @c function.  Don't forget to run M-x texinfo-every-node-update after
@@ -71,7 +72,6 @@ installation.
 @node Copyright, Introduction, Top, Top
 @unnumbered Copyright
 @include copyright.texinfo
-@end ifinfo
 
 
 @node Introduction, How Kerberos Works, Copyright, Top
@@ -336,75 +336,31 @@ Following are definitions of some of the Kerberos terminology.
 @chapter Configuration Files
 
 @menu
+* Supported Encryption Types::  
+* Salts::                       
 * krb5.conf::                   
 * kdc.conf::                    
 @end menu
 
-@node krb5.conf, kdc.conf, Configuration Files, Configuration Files
-@section krb5.conf
-
-The @code{krb5.conf} file contains Kerberos configuration information,
-including the locations of KDCs and admin servers for the Kerberos
-realms of interest, defaults for the current realm and for Kerberos
-applications, and mappings of hostnames onto Kerberos realms.  Normally,
-you should install your @code{krb5.conf} file in the directory
-@code{/etc}.  You can override the default location by setting the
-environment variable @samp{KRB5_CONFIG}.
-
-The @code{krb5.conf} file is set up in the style of a Windows INI file.
-Sections are headed by the section name, in square brackets.  Each
-section may contain zero or more relations, of the form:
-
-@smallexample
-foo = bar
-@end smallexample
-
-@noindent
-or
-
-@smallexample
-@group
-fubar = @{
-        foo = bar
-        baz = quux
-@}
-@end group
-@end smallexample
-
-The @code{krb5.conf} file may contain any or all of the following seven
-sections:
-
-@table @b
-@itemx libdefaults
-Contains default values used by the Kerberos V5 library.
+@node Supported Encryption Types, Salts, Configuration Files, Configuration Files
+@section Supported Encryption Types
 
-@itemx appdefaults
-Contains default values used by Kerberos V5 applications.
+@include support-enc.texinfo
 
-@itemx realms
-Contains subsections keyed by Kerberos realm names.  Each subsection
-describes realm-specific information, including where to find the
-Kerberos servers for that realm.
+@node Salts, krb5.conf, Supported Encryption Types, Configuration Files
+@section Salts
 
-@itemx domain_realm
-Contains relations which map domain names and subdomains onto Kerberos
-realm names.  This is used by programs to determine what realm a host
-should be in, given its fully qualified domain name.
+Your Kerberos key is derived from your password.  To ensure that people
+who happen to pick the same password do not have the same key, Kerberos
+5 incorporates more information into the key using something called a
+salt.  The supported values for salts are as follows.
 
-@itemx logging
-Contains relations which determine how Kerberos programs are to perform
-logging.
+@include salts.texinfo
 
-@itemx capaths
-Contains the authentication paths used with direct (nonhierarchical)
-cross-realm authentication.  Entries in this section are used by the
-client to determine the intermediate realms which may be used in
-cross-realm authentication.  It is also used by the end-service when
-checking the transited field for trusted intermediate realms.
+@node krb5.conf, kdc.conf, Salts, Configuration Files
+@section krb5.conf
 
-@itemx kdc
-For a KDC, may contain the location of the kdc.conf file.
-@end table
+@include krb5conf.texinfo
 
 @menu
 * libdefaults::                 
@@ -425,39 +381,84 @@ relations:
 @table @b
 @itemx default_realm
 Identifies the default Kerberos realm for the client.  Set its value to
-your Kerberos realm.
+your Kerberos realm.  If this is not specified and the TXT record
+lookup is enabled (see @ref{Using DNS}), then that information will be
+used to determine the default realm.  If this tag is not set in this
+configuration file and there is no DNS information found, then an error
+will be returned.
 
 @itemx default_tgs_enctypes
 Identifies the supported list of session key encryption types that
-should be returned by the KDC.  The list may be delimited with commas or
-whitespace.  Currently, the supported encryption types are
-"des3-hmac-sha1" and
-"des-cbc-crc".  Support for other encryption types is planned in the
-future.
+should be returned by the KDC.  The list may be delimited with commas
+or whitespace.  Kerberos supports many different encryption types, and
+support for more is planned in the future. (see @ref{Supported Encryption
+Types} for a list of the accepted values for this tag).  The default
+value is @value{DefaultDefaultTgsEnctypes}.
 
 @itemx default_tkt_enctypes
-Identifies the supported list of session key encryption
-types that should be requested by the client.  The format is the same as
-for @emph{default_tkt_enctypes}.  Again, the only supported encryption
-types are "des3-hmac-sha1" and "des-cbc-crc".
+Identifies the supported list of session key encryption types that
+should be requested by the client.  The format is the same as for
+@emph{default_tkt_enctypes}.  The default value for this tag is
+@value{DefaultDefaultTktEnctypes}.
 
 @itemx clockskew
 Sets the maximum allowable amount of clockskew in seconds that the
 library  will tolerate before assuming that a Kerberos message is
-invalid.  The default value is 300 seconds, or five minutes.
+invalid.  The default value is @value{DefaultClockskew}.
 
-@itemx checksum_type
-Used for compatability with DCE security servers which do not support
-the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos.  A value
-of 1 indicates the default checksum type.  Use a value of 2 to use the
-CKSUMTYPE_RSA_MD4 instead.  This applies to DCE 1.1 and earlier.
+@itemx kdc_req_checksum_type
+@itemx ap_req_checksum_type
+@itemx safe_checksum_type
+An integer which specifies the type of checksum to use.  Used for
+compatability with DCE security servers which do not support the
+default @value{DefaultChecksumType} used by this version of Kerberos.
+The possible values and their meanings are as follows.
 
+@comment taken from krb5/src/include/krb5.h[in]
+@table @b
+@item 1
+CRC32
+@item 2
+RSA MD4
+@item 3
+RSA MD4 DES
+@item 4
+DES CBC
+@item 7
+RSA MD5
+@item 8
+RSA MD5 DES
+@item 9
+NIST SHA
+@item 12
+HMAC SHA1 DES3
+@item -138
+Microsoft MD5 HMAC checksum type
+@end table
+
+@comment see lib/krb5/ccache/fcc.h
 @itemx ccache_type
-Use this parameter on systems which are DCE clients, to specify the type
-of cache to be created by kinit, or when forwarded tickets are received.
-DCE and Kerberos can share the cache, but some versions of DCE do not
-support the default cache as created by this version of Kerberos.  Use a
-value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems.
+Use this parameter on systems which are DCE clients, to specify the
+type of cache to be created by kinit, or when forwarded tickets are
+received.  DCE and Kerberos can share the cache, but some versions of
+DCE do not support the default cache as created by this version of
+Kerberos.  Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
+DCE 1.1 systems.  The default value is @value{DefaultCcacheTypeMac}
+for Macintosh computers and @value{DefaultCcacheType} for other
+platforms.
+
+@ignore
+@itemx tkt_lifetime
+The default lifetime of a ticket.  The default is
+@value{DefaultTktLifetime}.  This is currently not supported by the
+code.
+@end ignore
+
+@itemx kdc_timesync
+If this is set to 1 (for true), then client machines will attempt
+to sync their time with the KDC using the timestamps in the tickets.
+The default is @value{DefaultKDCTimesyncMac} for Macintosh computers
+and @value{DefaultKDCTimesync} for all other platforms.
 
 @itemx dns_lookup_kdc
 Indicate whether DNS SRV records should be used to locate the KDCs and
@@ -524,6 +525,12 @@ For example:
         encrypt = true
         autologin = true
     @}
+    telnet = @{
+        @value{PRIMARYREALM} = @{
+             forward = false
+        @}
+    @}
+
 @end group
 @end smallexample
 
@@ -542,16 +549,27 @@ tags may be specified in the realm's subsection:
 @table @b
 @itemx kdc
 The name of a host running a KDC for that realm.  An optional port
-number (separated from the hostname by a colon) may be included.
+number (separated from the hostname by a colon) may be included.  For
+your computer to be able to communicate with the KDC for each realm,
+this tag must be given a value in each realm subsection in the
+configuration file, or there must be DNS SRV records specifying the
+KDCs (see @ref{Using DNS}).
 
 @itemx admin_server
 Identifies the host where the administration server is running.
-Typically, this is the master Kerberos server.
+Typically, this is the master Kerberos server.  This tag must be given
+a value in order to communicate with the kadmin server for the realm.
 
 @itemx application defaults
 Application defaults that are specific to a particular realm may be
 specified within that realm's tag.  Realm-specific application defaults
 override the global defaults specified in the [appdefaults] section.
+
+@itemx default_domain
+This tag is used for Kerberos 4 compatibility.  Kerberos 4 does not
+require the entire hostname of a server to be in its principal like
+Kerberos 5 does.  This tag provides the domain name needed to produce a
+full hostname.
 @end table
 
 @node domain_realm, logging, realms (krb5.conf), krb5.conf
@@ -602,6 +620,10 @@ its logging.  The relations in this section assign one or more values to
 the entity name.  Currently, the following entities are used:
 
 @table @b
+
+@itemx kdc
+These entries specify how the KDC is to perform its logging.
+
 @itemx admin_server
 These entries specify how the administrative server
 is to perform its logging.
@@ -768,16 +790,17 @@ Here is an example of a generic @code{krb5.conf} file:
 @smallexample
 @group
 [libdefaults]
-    ticket_lifetime = 600
     default_realm = @value{PRIMARYREALM}
     default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
     default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
+    dns_lookup_kdc = true
+    dns_lookup_realm = false
 
 [realms]
     @value{PRIMARYREALM} = @{
         kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}
         kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}
-        kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}
+        kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:750
         admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}
         default_domain = @value{PRIMARYDOMAIN}
     @}
@@ -803,29 +826,7 @@ Here is an example of a generic @code{krb5.conf} file:
 @node kdc.conf,  , krb5.conf, Configuration Files
 @section kdc.conf
 
-The @code{kdc.conf} file contains KDC configuration information,
-including defaults used when issuing Kerberos tickets.  Normally, you
-should install your @code{kdc.conf} file in the directory
-@code{@value{ROOTDIR}/var/krb5kdc}.  You can override the default
-location by setting the environment variable @samp{KRB5_KDC_PROFILE}.
-
-The @code{kdc.conf} file is set up in the same format as the
-@code{krb5.conf} file.  (@xref{krb5.conf}.)  The @code{kdc.conf} file
-may contain any or all of the following three sections:
-
-@table @b
-@itemx kdcdefaults
-Contains default values for overall behavior of the KDC.
-
-@itemx realms
-Contains subsections keyed by Kerberos realm names.  Each subsection
-describes realm-specific information, including where to find the
-Kerberos servers for that realm.
-
-@itemx logging
-Contains relations which determine how Kerberos programs are to perform
-logging.
-@end table
+@include kdcconf.texinfo
 
 @menu
 * kdcdefaults::                 
@@ -840,11 +841,11 @@ The following relation is defined in the [kdcdefaults] section:
 
 @table @b
 @itemx kdc_ports
-This relation lists the ports on which the Kerberos server should listen
-by default.  This list is a comma separated list of integers.  If this
-relation is not specified, the compiled-in default is usually port 88
-(the assigned Kerberos port) and port 750 (the port used by Kerberos
-V4).
+This relation lists the ports on which the Kerberos server should
+listen by default.  This list is a comma separated list of integers.
+If this relation is not specified, the compiled-in default is
+@value{DefaultKdcPorts}, the first being the assigned Kerberos port
+and the second which was used by Kerberos V4.
 @end table
 
 @node realms (kdc.conf), Sample kdc.conf File, kdcdefaults, kdc.conf
@@ -861,38 +862,41 @@ subsection:
 @itemx acl_file
 (String.)  Location of the access control list (acl) file that kadmin
 uses to determine which principals are allowed which permissions on the
-database.  The default is @code{@value{ROOTDIR}/var/krb5kdc/kadm5.acl}.
+database.  The default is @code{@value{DefaultAclFile}}.
 
 @itemx admin_keytab
 (String.)  Location of the keytab file that kadmin uses to authenticate
 to the database.  The default is
-@code{@value{ROOTDIR}/var/krb5kdc/kadm5.keytab}.
+@code{@value{DefaultAdminKeytab}}.
 
 @itemx database_name
 (String.)  Location of the Kerberos database for this realm.  The
-default is @* @code{@value{ROOTDIR}/var/krb5kdc/principal}.
+default is @* @code{@value{DefaultDatabaseName}}.
 
 @itemx default_principal_expiration
 (Absolute time string.)  Specifies the default expiration date of
-principals created in this realm.
+principals created in this realm.  The default value for this tag is
+@value{DefaultDefaultPrincipalExpiration}.
 
 @itemx default_principal_flags
 (Flag string.)  Specifies the default attributes of principals created
-in this realm.
+in this realm.  The default value for this tag is
+@value{DefaultDefaultPrincipalFlags}.
 
 @itemx dict_file
 (String.)  Location of the dictionary file containing strings that are
-not allowed as passwords.  The default is
-@code{@value{ROOTDIR}/var/krb5kdc/kadm5.dict}.
+not allowed as passwords.  If none is specified, no dictionary checks
+of passwords will be performed.
 
 @itemx kadmind_port
 (Port number.)  Specifies the port that the kadmind daemon is to listen
-for this realm.  The assigned port for kadmind is 749.
+for this realm.  The assigned port for kadmind is
+@value{DefaultKadmindPort}.
 
 @itemx key_stash_file
 (String.)  Specifies the location where the master key has been stored
 (via @code{kdb5_util stash}).  The default is
-@code{@value{ROOTDIR}/var/krb5kdc/.k5.@i{REALM}}, where @i{REALM} is the
+@code{@value{DefaultKeyStashFileStub}@i{REALM}}, where @i{REALM} is the
 Kerberos realm.
 
 @itemx kdc_ports
@@ -901,33 +905,33 @@ this realm.  By default, the value of kdc_ports as specified in the
 [kdcdefaults] section is used.
 
 @itemx master_key_name
-(String.)  Specifies the name of the master key.
+(String.)  Specifies the name of the master key.  The default is
+@value{DefaultMasterKeyName}.
 
 @itemx master_key_type
-(Key type string.)  Specifies the master key's key type.  Either
-"des3-hmac-sha1" or
-"des-cbc-crc" may be used at this time.
+(Key type string.)  Specifies the master key's key type.  The default
+value for this is @value{DefaultMasterKeyType}.  For a list of all
+possible values, see @ref{Supported Encryption Types}.
 
 @itemx max_life
 (Delta time string.)  Specifes the maximum time period for which a
-ticket may be valid in this realm.
+ticket may be valid in this realm.  The default value is
+@value{DefaultMaxLife}.
 
 @itemx max_renewable_life
 (Delta time string.)  Specifies the maximum time period during which a
-valid ticket may be renewed in this realm.
+valid ticket may be renewed in this realm.  The default value is
+@value{DefaultMaxRenewableLife}.
 
 @itemx supported_enctypes
 List of key:salt strings.  Specifies the default key/salt combinations
 of principals for this realm.  Any principals created through
-@code{kadmin} will have keys of these types.  If you do not yet wish to
-enable triple-DES support, you should set this tag to
-@samp{des-cbc-crc:normal des-cbc-crc:v4}; otherwise, put
-@samp{des3-hmac-sha1:normal} at the beginning of the list.
+@code{kadmin} will have keys of these types.  For lists of possible
+values, see @ref{Supported Encryption Types} and @ref{Salts}. 
 
 @itemx kdc_supported_enctypes
-List of key:salt strings.  Specifies the permitted key/salt combinations
-of principals for this realm.  You should set this tag to
-@samp{des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4}.
+Specifies the permitted key/salt combinations of principals for this
+realm.  The format is the same as @code{supported_enctypes}
 
 @itemx reject_bad_transit
 A boolean value (@code{true}, @code{false}).  If set to @code{true}, the
@@ -1097,10 +1101,9 @@ Pass @i{query} directly to @code{kadmin}.  This is useful for writing
 scripts that pass specific queries to @code{kadmin}.
 
 @item @b{-e} @i{"enctypes ..."}
-@b{(For @code{kadmin.local} only.)}
-Sets the list of cryptosystem and salt types to be used for any new keys
-created.  Available types include @samp{des3-cbc-sha1:normal},
-@samp{des-cbc-crc:normal}, and @samp{des-cbc-crc:v4}.
+@b{(For @code{kadmin.local} only.)} Sets the list of cryptosystem and
+salt types to be used for any new keys created.  See @ref{Supported
+Encryption Types} and @ref{Salts} for available types.
 
 @end table
 
@@ -1216,10 +1219,10 @@ Maximum life: 1 day 00:00:00
 Maximum renewable life: 7 days 00:00:00
 Master key version: 1
 Expires: Mon Jan 18 22:14:07 EDT 2038
-Password expires: Mon Sep 19 14:40:00 EDT 1996
-Password last changed: Mon Jan 31 02:06:40 EDT 1996
+Password expires: Mon Sep 19 14:40:00 EDT 2004
+Password last changed: Mon Jan 31 02:06:40 EDT 2004
 Last modified: by @value{ADMINUSER}/admin@@@value{PRIMARYREALM}
-	on Wed Jul 13 18:27:08 EDT 1996
+	on Wed Jul 13 18:27:08 EDT 2004
 Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE,
 	REQUIRES_HW_AUTH
 Salt type: DEFAULT
@@ -1373,15 +1376,8 @@ following switches:
 
 @table @b
 @item -salt @i{salttype}
-Uses the specified salt for generating the key.  The valid salt types
-are:
-
-@itemize @bullet
-@item full_name (aliases ``v5_salt'' and ``normal''; this is the default)
-@item name_only
-@item realm_only
-@item no_salt (alias ``v4_salt'')
-@end itemize
+Uses the specified salt for generating the key.  For valid salt types,
+see @ref{Salts}.
 
 @item -clearpolicy
 For @code{modify_principal}, removes the current policy from a
@@ -1502,10 +1498,11 @@ prompt for a password (@code{add_principal} only).  @value{COMPANY} does
 not recommend using this option.
 
 @item -e @i{enc:salt...}
-Uses the specified list of enctype-salttype pairs for setting the key of
-the principal.  The quotes are necessary if there are multiple
+Uses the specified list of enctype-salttype pairs for setting the key
+of the principal.  The quotes are necessary if there are multiple
 enctype-salttype pairs.  This will not function against kadmin daemons
-earlier than krb5-1.2.
+earlier than krb5-1.2.  See @ref{Supported Encryption Types} and
+@ref{Salts} for available types.
 @end table
 
 If you want to just use the default values, all you need to do is:
@@ -1619,10 +1616,11 @@ Sets the password to the string @i{password}.  @value{COMPANY} does not
 recommend using this option.
 
 @item @b{-e} @i{"enc:salt..."}
-Uses the specified list of enctype-salttype pairs for setting the key of
-the principal.  The quotes are necessary if there are multiple
+Uses the specified list of enctype-salttype pairs for setting the key
+of the principal.  The quotes are necessary if there are multiple
 enctype-salttype pairs.  This will not function against kadmin daemons
-earlier than krb5-1.2.
+earlier than krb5-1.2.  See @ref{Supported Encryption Types} and
+@ref{Salts} for possible values.
 @end table
 
 For example:
@@ -2043,6 +2041,35 @@ It is important that you NOT FORGET this password.}
 @end group
 @end smallexample
 
+If you need to destroy the current Kerberos database, use the
+@code{kdb5_util} @code{destroy} command.  The syntax is:
+
+@smallexample
+@b{kdb5_util destroy} [@b{-f}]
+@end smallexample
+
+The @code{destroy} command destroys the database, first overwriting the
+disk sectors and then unlinking the files.  If you specify the
+@samp{-f} option, @code{kdb5_util} will not prompt you for a
+confirmation before destroying the database.
+
+@smallexample
+@group
+@b{shell%} @value{ROOTDIR}/sbin/kdb5_util -r @value{PRIMARYREALM} destroy
+@iftex
+@b{kdb5_util: Deleting KDC database stored in @value{DefaultDatabaseName}, are you sure 
+(type yes to confirm)?} @i{@doubleleftarrow{}yes}
+@end iftex
+@ifinfo
+@b{kdb5_util: Deleting KDC database stored in @value{DefaultDatabaseName}, are you sure 
+(type yes to confirm)?} @i{<== yes}
+@end ifinfo
+@b{OK, deleting database '@value{DefaultDatabaseName}'...}
+
+@b{shell%}
+@end group
+@end smallexample
+
 @ignore
 @c @node The KDC Logs,  , Creating and Destroying a Kerberos Database, Administrating Kerberos Database Entries
 @c @section The KDC Logs
@@ -2106,11 +2133,12 @@ The @code{ktadd} command takes the following switches:
 use @i{keytab} as the keytab file.  Otherwise, @code{ktadd} will use the
 default keytab file (@code{/etc/krb5.keytab}).
 
-@item @b{-e} @i{"enc:salt..."}
-Uses the specified list of enctype-salttype pairs for setting the key of
-the principal.  The quotes are necessary if there are multiple
+@item @b{-e} @i{"enc:salt..."} 
+Uses the specified list of enctype-salttype pairs for setting the key
+of the principal.  The quotes are necessary if there are multiple
 enctype-salttype pairs.  This will not function against kadmin daemons
-earlier than krb5-1.2.
+earlier than krb5-1.2.  See @ref{Supported Encryption Types} and
+@ref{Salts} for all possible values.
 
 @item -q
 run in quiet mode.  This causes @code{ktadd} to display less verbose
diff --git a/doc/build.texinfo b/doc/build.texinfo
index 18e51011a8..671f55089e 100644
--- a/doc/build.texinfo
+++ b/doc/build.texinfo
@@ -35,20 +35,22 @@ link tree for your build tree.
 @node Unpacking the Sources, Doing the Build, Build Requirements, Building Kerberos V5
 @section Unpacking the Sources
 
-The first step in each of these build procedures is to unpack the source
-distribution.  The Kerberos V5 distribution comes in two compressed tar
-files.  The first file, which is generally named
-@file{krb5-@value{RELEASE}.src.tar.gz}, contains the sources for all of Kerberos
-except for the crypto library, which is found in the file
-@file{krb5-@value{RELEASE}.crypto.tar.gz}.
-
-Both files should be unpacked in the same directory, such as
-@file{/u1/krb5-@value{RELEASE}}.  (In the rest of this document, we will assume that
-you have chosen to unpack the Kerberos V5 source distribution in this
-directory.  Note that the tarfiles will by default all unpack into the
-@file{./krb5-@value{RELEASE}} directory, so that if your current directory is
-@file{/u1} when you unpack the tarfiles, you will get
-@file{/u1/krb5-@value{RELEASE}/src}, etc.)
+The first step in each of these build procedures is to unpack the
+source distribution.  The Kerberos V5 distribution comes in a tar file,
+generally named @file{krb5-@value{RELEASE}.tar}, which contains a
+compressed tar file consisting of the sources for all of Kerberos
+(generally @file{krb5-@value{RELEASE}.tar.gz}) and a PGP signature for
+this source tree (generally @file{krb5-@value{RELEASE}.tar.gz.asc}).
+@value{COMPANY} highly recommends that you verify the integrity of the
+source code using this signature.
+
+Unpack the compressed tar file in some directory, such as
+@file{/u1/krb5-@value{RELEASE}}.  (In the rest of this document, we
+will assume that you have chosen to unpack the Kerberos V5 source
+distribution in this directory.  Note that the tarfiles will by default
+all unpack into the @file{./krb5-@value{RELEASE}} directory, so that if
+your current directory is @file{/u1} when you unpack the tarfiles, you
+will get @file{/u1/krb5-@value{RELEASE}/src}, etc.)
 
 
 @node Doing the Build, Testing the Build, Unpacking the Sources, Building Kerberos V5
diff --git a/doc/definitions.texinfo b/doc/definitions.texinfo
index 5a5b37cbf1..91058b8cf5 100644
--- a/doc/definitions.texinfo
+++ b/doc/definitions.texinfo
@@ -19,8 +19,8 @@
 @set RANDOMUSER johndoe
 @set RANDOMUSER1 jennifer
 @set RANDOMUSER2 david
-@set RELEASE 1.2
-@set PREVRELEASE 1.1
+@set RELEASE 1.3
+@set PREVRELEASE 1.2
 @set INSTALLDIR /usr/@value{LCPRODUCT}
 @set PREVINSTALLDIR @value{INSTALLDIR}
 @set ROOTDIR /usr/local
@@ -28,3 +28,99 @@
 @set SECONDDOMAIN fubar.org
 @set SECONDREALM FUBAR.ORG
 @set UPDATED @today
+
+@ignore
+The rest of the variables in this file are defaults for tags in the
+configuration files.  Each group of defaults come from the same file in
+the code, which is specified in the ignore comment above the group.
+After each variable, there should be a comment specifying the variable
+in the code that holds the default variable, or the line in which the
+default was set.
+@end ignore
+
+@ignore 
+the following should be consistent with the variables set in
+krb5/src/lib/krb5/krb/init_ctx.c
+@end ignore
+@set DefaultETypeList des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 
+@comment DEFAULT_ETYPE_LIST
+@set DefaultDefaultTgsEnctypes @value{DefaultETypeList}
+@set DefaultDefaultTktEnctypes @value{DefaultETypeList}
+@set DefaultClockskew 300 seconds, or five minutes 
+@comment libdefaults, clockskew
+@set DefaultChecksumType RSA MD5 
+@comment libdefaults, kdc_req_checksum_type, ap_req_checksum_type, safe_checksum_type
+@set DefaultCcacheType 3 
+@comment DEFAULT_CCACHE_TYPE 
+@set DefaultCcacheTypeMac 4 
+@comment DEFAULT_CCACHE_TYPE
+@set DefaultTktLifetime 10 hours
+@comment libdefaults, tkt_lifetime
+@set DefaultKDCTimesyncMac 1
+@set DefaultKDCTimesync 0
+@comment DEFAULT_KDC_TIMESYNC
+
+@ignore
+the following defaults should be consistent with default variables set
+in krb5/src/include/krb5/stock/osconf.h
+@end ignore
+@set DefaultMasterKeyType des-cbc-crc 
+@comment DEFAULT_KDC_ENCTYPE
+@set DefaultKadmindPort 749 
+@comment DEFAULT_KADM5_PORT
+@set DefaultAclFile @value{ROOTDIR}/krb5kdc/kadm5.acl 
+@comment DEFAULT_KADM5_ACL_FILE
+@set DefaultAdminKeytab @value{ROOTDIR}/krb5kdc/kadm5.keytab 
+@comment DEFAULT_KADM5_KEYTAB
+@set DefaultDatabaseName /usr/local/var/krb5kdc/principal
+@comment DEFAULT_KDB_FILE (@LOCALSTATEDIR is /usr/local/var)
+@set DefaultKdcPorts 88,750 
+@comment DEFAULT_KDC_PORTLIST
+@set DefaultKpasswdPort 464 
+@comment DEFAULT_KPASSWD_PORT
+@set DefaultSecPort 750 
+@comment KRB5_DEFAULT_SEC_PORT
+@set DefaultPort 88 
+@comment KRB5_DEFAULT_PORT
+@set DefaultKeyStashFileStub /usr/local/var/krb5kdc/.k5. 
+@comment DEFAULT_KEYFILE_STUB
+
+@ignore
+the following defaults should be consistent with the numbers set in
+krb5/src/lib/kadm5/alt_prof.c
+@end ignore
+@set DefaultMaxLife 10 hours 
+@comment line 608
+@set DefaultMaxRenewableLife 0 
+@comment line 622
+@set DefaultDefaultPrincipalExpiration 0 
+@comment line 639
+
+@ignore
+the following defaults should be consistent with the values set in
+krb5/src/include/krb5/kdb.h
+@end ignore
+@set DefaultDefaultPrincipalFlags no flags set 
+@comment KRB5_KDB_DEF_FLAGS set to 0
+
+@ignore
+in krb5/src/include/k5-int.h, the values KRB5_KDB_MAX_LIFE,
+KRB5_KDB_MAX_RLIFE, and KRB5_KDB_EXPIRATION are set to one day, one week,
+and Thursday Jan 1 2038, respectively
+@end ignore
+
+@ignore
+the following defaults should be consistent with the values set in
+include/krb5/kdb.h
+@end ignore
+@set DefaultMasterKeyName K/M
+@comment KRB5_KDB_M_NAME
+
+@ignore
+krb5/src/lib/krb5/krb/init_ctx.c, line 195 has libdefault
+kdc_default_options (KDC_OPT_RENEWABLE_OKAY)
+@end ignore
+
+@comment this should be verified in the code
+@set DefaultDNSLookupKDC true
+@set DefaultDNSLookupRealm false
diff --git a/doc/dnstxt.texinfo b/doc/dnstxt.texinfo
index 535ac44381..e06d220cf9 100644
--- a/doc/dnstxt.texinfo
+++ b/doc/dnstxt.texinfo
@@ -8,15 +8,15 @@ hostname-by-hostname basis.  Since greater specificity takes precedence,
 you would do this by specifying the mappings for a given domain or
 subdomain and listing the exceptions.
 
-The second mechanism, recently introduced into the MIT code base but not
-currently used by default, works by looking up the information in
-special @code{TXT} records in the Domain Name Service.  If this
-mechanism is enabled on the client, it will try to look up a @code{TXT}
-record for the DNS name formed by putting the prefix @code{_kerberos} in
-front of the hostname in question.  If that record is not found, it will
-try using @code{_kerberos} and the host's domain name, then its parent
-domain, and so forth.  So for the hostname
-BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be:
+The second mechanism works by looking up the information in special
+@code{TXT} records in the Domain Name Service.  This is currently not
+used by default because security holes could result if the DNS TXT
+records were spoofed.  If this mechanism is enabled on the client,
+it will try to look up a @code{TXT} record for the DNS name formed by
+putting the prefix @code{_kerberos} in front of the hostname in question.
+If that record is not found, it will try using @code{_kerberos} and the
+host's domain name, then its parent domain, and so forth.  So for the
+hostname BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be:
 
 @smallexample
 _kerberos.boston.engineering.foobar.com
diff --git a/doc/install.texinfo b/doc/install.texinfo
index 9dfd27958a..9aa6654bc0 100644
--- a/doc/install.texinfo
+++ b/doc/install.texinfo
@@ -42,6 +42,8 @@
 This file documents how to install the @value{RELEASE} release of
 @value{PRODUCT}.
 
+@end ifinfo
+
 @c The master menu is updated using emacs19's M-x texinfo-all-menus-update
 @c function.  Don't forget to run M-x texinfo-every-node-update after
 @c you add a new section or subsection, or after you've rearranged the
@@ -66,15 +68,12 @@ This file documents how to install the @value{RELEASE} release of
 * Installing Kerberos V5::      
 * Upgrading Existing Kerberos V5 Installations::  
 * Bug Reports for Kerberos V5::  
-* Files::                       
 @end menu
 
 @node Copyright, Introduction, Top, Top
 @unnumbered Copyright
 @include copyright.texinfo
 
-@end ifinfo
-
 @node Introduction, Realm Configuration Decisions, Copyright, Top
 @chapter Introduction
 
@@ -367,6 +366,8 @@ first few steps must be done on the master KDC.
 
 @menu
 * Edit the Configuration Files::  
+* krb5.conf::                   
+* kdc.conf::                    
 * Create the Database::         
 * Add Administrators to the Acl File::  
 * Add Administrators to the Kerberos Database::  
@@ -374,21 +375,51 @@ first few steps must be done on the master KDC.
 * Start the Kerberos Daemons::  
 @end menu
 
-@node Edit the Configuration Files, Create the Database, Install the Master KDC, Install the Master KDC
+@node Edit the Configuration Files, krb5.conf, Install the Master KDC, Install the Master KDC
 @subsubsection Edit the Configuration Files
 
-Modify the configuration files, @code{/etc/krb5.conf}
-(@pxref{krb5.conf}) and @code{@value{ROOTDIR}/var/krb5kdc/kdc.conf}
-(@pxref{kdc.conf}) to reflect the correct information (such as the
-hostnames and realm name) for your realm.  @value{COMPANY} recommends
-that you keep @code{krb5.conf} in @code{/etc}.
-
-Among the settings in your @code{/etc/krb5.conf} file, be sure to create
-a @code{[logging]} stanza so that the KDC and kadmind will generate
-logging output.  For example:
+Modify the configuration files, @code{/etc/krb5.conf} and
+@code{@value{ROOTDIR}/var/krb5kdc/kdc.conf} to reflect the correct
+information (such as the hostnames and realm name) for your realm.
+@value{COMPANY} recommends that you keep @code{krb5.conf} in @code{/etc}.
+
+Most of the tags in the configuration have default values that will
+work well for most sites.  There are some tags in the @code{krb5.conf}
+file whose values must be specified, and this section will explain
+those as well as give an overview of all of the sections in both
+configuration files.  For more information on changing defaults with
+the configuration files, see the @value{PRODUCT} System Administrator's
+Guide sections on configuration files. 
+
+@node krb5.conf, kdc.conf, Edit the Configuration Files, Install the Master KDC
+@subsubsection krb5.conf
+
+@include krb5conf.texinfo
+
+If you are not using DNS TXT records, you must specify the
+@code{default_realm} in the @code{libdefaults} section.  If you are not
+using DNS SRV records, you must include the @code{kdc} tag for each
+realm in the @code{realms} section.  To communicate with the kadmin
+server in each realm, the @code{admin_server} tag must be set in the
+@code{realms} section.  If your domain name and realm name are not the
+same, you must provide a translation in @code{domain_realm}.  It is
+also higly recommeneded that you create a @code{[logging]} stanza if
+the computer will be functioning as a KDC so that the KDC and kadmind
+will generate logging output.
+
+An example @code{krb5.conf} file:
 
 @smallexample
 @group
+[libdefaults]
+    default_realm = @value{PRIMARYREALM}
+
+[realms]
+    kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}
+    kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}
+    kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}
+    admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}
+
 [logging]
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmin.log
@@ -396,7 +427,12 @@ logging output.  For example:
 @end group
 @end smallexample
 
-@node Create the Database, Add Administrators to the Acl File, Edit the Configuration Files, Install the Master KDC
+@node kdc.conf, Create the Database, krb5.conf, Install the Master KDC
+@subsubsection kdc.conf
+
+@include kdcconf.texinfo
+
+@node Create the Database, Add Administrators to the Acl File, kdc.conf, Install the Master KDC
 @subsubsection Create the Database
 
 You will use the @code{kdb5_util} command @emph{on the Master KDC} to
@@ -1439,120 +1475,10 @@ your application servers, and then change the default to include
 triple-DES.  We recommend that you always include @code{des-cbc-crc} in
 the default list.
 
-@node Bug Reports for Kerberos V5, Files, Upgrading Existing Kerberos V5 Installations, Top
+@node Bug Reports for Kerberos V5,  , Upgrading Existing Kerberos V5 Installations, Top
 @chapter Bug Reports for @value{PRODUCT}
 
 @include send-pr.texinfo
 
-@node Files,  , Bug Reports for Kerberos V5, Top
-@appendix Files
-
-@menu
-* krb5.conf::                   
-* kdc.conf::                    
-@end menu
-
-@node krb5.conf, kdc.conf, Files, Files
-@appendixsec krb5.conf
-
-Here is an example @code{krb5.conf} file:
-
-@smallexample
-@group
-[libdefaults]
-    ticket_lifetime = 600
-    default_realm = @value{PRIMARYREALM}
-    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
-    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
-
-[realms]
-    @value{PRIMARYREALM} = @{
-        kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:88
-        kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}:88
-        kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:88
-        admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:749
-        default_domain = @value{PRIMARYDOMAIN}
-    @}
-
-[domain_realm]
-    .@value{PRIMARYDOMAIN} = @value{PRIMARYREALM}
-    @value{PRIMARYDOMAIN} = @value{PRIMARYREALM}
-@end group
-@end smallexample
-
-For the KDCs, add a section onto the end of the @code{krb5.conf} file
-telling how logging information should be stored, as in the following
-example:
-
-@smallexample
-@group
-[logging]
-    kdc = FILE:/var/log/krb5kdc.log
-    admin_server = FILE:/var/log/kadmin.log
-    default = FILE:/var/log/krb5lib.log
-@end group
-@end smallexample
-
-@iftex
-@vfill
-@end iftex
-@page
-
-@node kdc.conf,  , krb5.conf, Files
-@appendixsec kdc.conf
-
-Here's an example of a kdc.conf file:
-
-@smallexample
-@group
-[kdcdefaults]
-    kdc_ports = 88,750
-
-[realms]
-    @value{PRIMARYREALM} = @{
-        database_name = @value{ROOTDIR}/var/krb5kdc/principal
-        admin_keytab = @value{ROOTDIR}/var/krb5kdc/kadm5.keytab
-        acl_file = @value{ROOTDIR}/var/krb5kdc/kadm5.acl
-        dict_file = @value{ROOTDIR}/var/krb5kdc/kadm5.dict
-        key_stash_file = @value{ROOTDIR}/var/krb5kdc/.k5.@value{PRIMARYREALM}
-        kadmind_port = 749
-        max_life = 10h 0m 0s
-        max_renewable_life = 7d 0h 0m 0s
-        master_key_type = des3-hmac-sha1
-        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
-    @}
-@end group
-@end smallexample
-
-To add Kerberos V4 support, add @code{des-cbc-crc:v4} to the
-@code{supported_enctypes} line.
-
-@menu
-* Encryption Types and Salt Types::  
-@end menu
-
-@node Encryption Types and Salt Types,  , kdc.conf, kdc.conf
-@appendixsubsec Encryption Types and Salt Types
-
-Currently, @value{PRODUCT} supports only DES and triple-DES encryption.
-The encoding types include
-@code{des-cbc-crc} and @code{des3-cbc-sha1}.  The @dfn{salt} is
-additional information encoded within the key that tells what kind of
-key it is.  The only salts that you will be likely to encounter are:
-
-@itemize @bullet
-@item @dfn{normal}, which @value{COMPANY} recommends using for all of
-your @value{PRODUCT} keys
-
-@item @dfn{v4}, which is necessary only for compatibility with a v4 KDC
-or a v4 version of @code{kinit}, and then only with @code{des-cbc-crc}
-encryption
-
-@item @dfn{afs}, which you will never need to generate, and which you will
-encounter only if you dump an AFS database into a Kerberos database
-@end itemize
-
-Support for additional encryption types is planned in the future.
-
 @contents
 @bye
diff --git a/doc/kdcconf.texinfo b/doc/kdcconf.texinfo
new file mode 100644
index 0000000000..8ff1f35709
--- /dev/null
+++ b/doc/kdcconf.texinfo
@@ -0,0 +1,24 @@
+The @code{kdc.conf} file contains KDC configuration information,
+including defaults used when issuing Kerberos tickets.  Normally, you
+should install your @code{kdc.conf} file in the directory
+@code{@value{ROOTDIR}/var/krb5kdc}.  You can override the default
+location by setting the environment variable @samp{KRB5_KDC_PROFILE}.
+
+The @code{kdc.conf} file is set up in the same format as the
+@code{krb5.conf} file.  (@xref{krb5.conf}.)  The @code{kdc.conf} file
+may contain any or all of the following three sections:
+
+@table @b
+@itemx kdcdefaults
+Contains default values for overall behavior of the KDC.
+
+@itemx realms
+Contains subsections keyed by Kerberos realm names.  Each subsection
+describes realm-specific information, including where to find the
+Kerberos servers for that realm.
+
+@itemx logging
+Contains relations which determine how Kerberos programs are to perform
+logging.
+@end table
+
diff --git a/doc/krb425.texinfo b/doc/krb425.texinfo
index 12572e5cbe..447383514d 100644
--- a/doc/krb425.texinfo
+++ b/doc/krb425.texinfo
@@ -38,6 +38,7 @@
 
 @ifinfo
 This document describes how to convert to @value{PRODUCT} from Kerberos V4.
+@end ifinfo
 
 @menu
 * Copyright::                   
@@ -53,8 +54,6 @@ This document describes how to convert to @value{PRODUCT} from Kerberos V4.
 @unnumbered Copyright
 @include copyright.texinfo
 
-@end ifinfo
-
 @node Introduction, Configuration Files, Copyright, Top
 @chapter Introduction
 
diff --git a/doc/krb5conf.texinfo b/doc/krb5conf.texinfo
new file mode 100644
index 0000000000..a712ee583f
--- /dev/null
+++ b/doc/krb5conf.texinfo
@@ -0,0 +1,63 @@
+The @code{krb5.conf} file contains Kerberos configuration information,
+including the locations of KDCs and admin servers for the Kerberos
+realms of interest, defaults for the current realm and for Kerberos
+applications, and mappings of hostnames onto Kerberos realms.  Normally,
+you should install your @code{krb5.conf} file in the directory
+@code{/etc}.  You can override the default location by setting the
+environment variable @samp{KRB5_CONFIG}.
+
+The @code{krb5.conf} file is set up in the style of a Windows INI file.
+Sections are headed by the section name, in square brackets.  Each
+section may contain zero or more relations, of the form:
+
+@smallexample
+foo = bar
+@end smallexample
+
+@noindent
+or
+
+@smallexample
+@group
+fubar = @{
+        foo = bar
+        baz = quux
+@}
+@end group
+@end smallexample
+
+The @code{krb5.conf} file may contain any or all of the following seven
+sections:
+
+@table @b
+@itemx libdefaults
+Contains default values used by the Kerberos V5 library.
+
+@itemx appdefaults
+Contains default values used by Kerberos V5 applications.
+
+@itemx realms
+Contains subsections keyed by Kerberos realm names.  Each subsection
+describes realm-specific information, including where to find the
+Kerberos servers for that realm.
+
+@itemx domain_realm
+Contains relations which map domain names and subdomains onto Kerberos
+realm names.  This is used by programs to determine what realm a host
+should be in, given its fully qualified domain name.
+
+@itemx logging
+Contains relations which determine how Kerberos programs are to perform
+logging.
+
+@itemx capaths
+Contains the authentication paths used with direct (nonhierarchical)
+cross-realm authentication.  Entries in this section are used by the
+client to determine the intermediate realms which may be used in
+cross-realm authentication.  It is also used by the end-service when
+checking the transited field for trusted intermediate realms.
+
+@itemx kdc
+For a KDC, may contain the location of the kdc.conf file.
+@end table
+
diff --git a/doc/man2html b/doc/man2html
new file mode 100644
index 0000000000..ea45686b89
--- /dev/null
+++ b/doc/man2html
@@ -0,0 +1,608 @@
+#!/usr/athena/bin/perl
+#!/usr/local/bin/perl
+##---------------------------------------------------------------------------##
+##  File:
+##      @(#) man2html 1.2 97/08/12 12:57:30 @(#)
+##  Author:
+##      Earl Hood, ehood@medusa.acs.uci.edu
+##  Description:
+##      man2html is a Perl program to convert formatted nroff output
+##	to HTML.
+##	
+##	Recommend command-line options based on platform:
+##
+##	Platform		Options
+##	---------------------------------------------------------------------
+##	c2mp			<None, the defaults should be okay>
+##	hp9000s700/800		-leftm 1 -topm 8
+##	sun4			-sun
+##	---------------------------------------------------------------------
+##
+##---------------------------------------------------------------------------##
+##  Copyright (C) 1995-1997	Earl Hood, ehood@medusa.acs.uci.edu
+##
+##  This program is free software; you can redistribute it and/or modify
+##  it under the terms of the GNU General Public License as published by
+##  the Free Software Foundation; either version 2 of the License, or
+##  (at your option) any later version.
+##  
+##  This program is distributed in the hope that it will be useful,
+##  but WITHOUT ANY WARRANTY; without even the implied warranty of
+##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+##  GNU General Public License for more details.
+##  
+##  You should have received a copy of the GNU General Public License
+##  along with this program; if not, write to the Free Software
+##  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+##  02111-1307, USA
+##---------------------------------------------------------------------------##
+
+package Man2Html;
+
+use Getopt::Long;
+
+($PROG = $0) =~ s/.*\///;
+$VERSION = "3.0.1";
+
+## Input and outputs filehandles
+$InFH	= \*STDIN   unless $InFH;
+$OutFH	= \*STDOUT  unless $OutFH;
+
+## Backspace character:  Used in overstriking detection
+*bs = \"\b";
+
+##	Hash of section titles and their HTML tag wrapper.
+##	This list allows customization of what HTML tag is used for
+##	a given section head.
+##
+##	The section title can be a regular expression.  Therefore, one must
+##	be careful about quoting special characters.
+##
+%SectionHead = (
+
+    '\S.*OPTIONS.*'		=> '<H2>',
+    'AUTHORS?'  		=> '<H2>',
+    'BUGS'      		=> '<H2>',
+    'COMPATIBILITY'		=> '<H2>',
+    'DEPENDENCIES'		=> '<H2>',
+    'DESCRIPTION'		=> '<H2>',
+    'DIAGNOSTICS'		=> '<H2>',
+    'ENVIRONMENT'		=> '<H2>',
+    'ERRORS'    		=> '<H2>',
+    'EXAMPLES'  		=> '<H2>',
+    'EXTERNAL INFLUENCES'	=> '<H2>',
+    'FILES'      		=> '<H2>',
+    'LIMITATIONS'		=> '<H2>',
+    'NAME'      		=> '<H2>',
+    'NOTES?'    		=> '<H2>',
+    'OPTIONS'    		=> '<H2>',
+    'REFERENCES'		=> '<H2>',
+    'RETURN VALUE'		=> '<H2>',
+    'SECTION.*:'		=> '<H2>',
+    'SEE ALSO'  		=> '<H2>',
+    'STANDARDS CONFORMANCE'	=> '<H2>',
+    'STYLE CONVENTION'		=> '<H2>',
+    'SYNOPSIS'  		=> '<H2>',
+    'SYNTAX'    		=> '<H2>',
+    'WARNINGS'  		=> '<H2>',
+    '\s+Section.*:'		=> '<H3>',
+
+);
+
+## Fallback tag if above is not found
+$HeadFallback = '<H2>';
+
+## Other gobals
+
+$Bare      = 0;		# Skip printing HTML head/foot flag
+$BTag	   = 'B';	# Overstrike tag
+$CgiUrl    = '';	# CGI URL expression
+$Compress  = 0;		# Do blank line compression flag
+$K         = 0;		# Do keyword search processing flag
+$NoDepage  = 0;		# Do not strip page information
+$NoHeads   = 0;		# Do no header detection flag
+$SeeAlso   = 0;		# Do only SEE ALSO xrefs flag
+$Solaris   = 0;		# Solaris keyword search processing flag
+$Sun       = 0;		# Headers not overstriken flag
+$Title     = '';	# Title
+$UTag	   = 'I';	# Underline tag
+$ftsz	   = 7;		# Bottome margin size
+$hdsz	   = 7;		# Top margin size
+$leftm     = '';	# Left margin pad
+$leftmsz   = 0;		# Left margin size
+$pgsz	   = 66;	# Size of page size
+$txsz      = 52;	# Text body length size
+
+#############################################################################
+##	Main Block
+#############################################################################
+{
+    if (get_cli_opts()) {
+	if ($K) {
+	    man_k();
+	} else {
+	    do_it();
+	}
+    } else {
+	usage();
+    }
+}
+
+#############################################################################
+##	Subroutines
+#############################################################################
+
+sub do_it {
+
+    ##	Define while loop and then eval it when used.  The reason
+    ##	is to avoid the regular expression reevaulation in the
+    ##	section head detection code.
+
+    $doitcode =<<'EndOfDoItCode';
+
+    my($line, $tmp, $i, $head, $preindent, $see_also, $do);
+
+    $see_also = !$SeeAlso;
+    print $OutFH "<!-- Manpage converted by man2html $VERSION -->\n";
+    LOOP: while(!eof($InFH)) {
+	$blank = 0;
+	for ($i=0; $i < $hdsz; $i++) {
+	    last LOOP  unless defined($_ = <$InFH>);
+	}
+	for ($i=0; $i < $txsz; $i++) {
+	    last LOOP  unless defined($_ = <$InFH>);
+
+	    ## Check if compress consecutive blank lines
+	    if ($Compress and !/\S/) {
+		if ($blank) { next; } else { $blank = 1; }
+	    } else {
+		$blank = 0;
+	    }
+
+	    ## Try to check if line space is needed at page boundaries ##
+	    if (!$NoDepage && ($i==0 || $i==($txsz-1)) && !/^\s*$/) {
+		/^(\s*)/;  $tmp = length($1);
+		if ($do) {
+		    if ($tmp < $preindent) { print $OutFH "\n"; }
+		} else {
+		    $do = 1;
+		}
+		$preindent = $tmp;
+	    } else {
+		$do = 0;  $preindent = 0;
+	    }
+
+	    ## Interpret line
+	    $line = $_;
+	    entitize(\$_);		# Convert [$<>] to entity references
+
+	    ## Check for 'SEE ALSO' link only
+	    if (!$see_also && $CgiUrl && $SeeAlso) {
+		($tmp = $line) =~ s/.\010//go;
+		if ($tmp =~ /^\s*SEE\s+ALSO\s*$/o) { $see_also = 1; }
+		else { $see_also = 0; }
+	    }
+
+	    ## Create anchor links for manpage references
+	    s/((((.\010)+)?[\+_\.\w-])+\(((.\010)+)?
+	      \d((.\010)+)?\w?\))
+	     /make_xref($1)
+	     /geox  if $see_also;
+
+	    ## Emphasize underlined words
+	    # s/((_\010[^_])+[\.\(\)_]?(_\010[^_])+\)?)/emphasize($1)/oge;
+	    # s/((_\010[^_])+([\.\(\)_]?(_\010[^_])+)?)/emphasize($1)/oge;
+	    #
+	    # The previous expressions were trying to be clever about
+	    # detecting underlined text which contain non-alphanumeric
+	    # characters.  nroff will not underline non-alphanumeric
+	    # characters in an underlined phrase, and the above was trying
+	    # to detect that.  It does not work all the time, and it
+	    # screws up other text, so a simplified expression is used.
+
+	    s/((_\010[^_])+)/emphasize($1)/oge;
+
+	    $secth = 0;
+	    ## Check for strong text and headings
+	    if ($Sun || /.\010./o) {
+		if (!$NoHeads) {
+		    $line =~ s/.\010//go;
+		    $tmp = $HeadFallback;
+EndOfDoItCode
+
+    ##  Create switch statement for detecting a heading
+    ##
+    $doitcode .= "HEADSW: {\n";
+    foreach $head (keys %SectionHead) {
+	$doitcode .= join("", "\$tmp = '$SectionHead{$head}', ",
+			      "\$secth = 1, last HEADSW  ",
+			      "if \$line =~ /^$leftm$head/o;\n");
+    }
+    $doitcode .= "}\n";
+
+    ##  Rest of routine
+    ##
+    $doitcode .=<<'EndOfDoItCode';
+		    if ($secth || $line =~ /^$leftm\S/o) {
+			chop $line;
+			$_ = $tmp . $line . $tmp;
+			s%<([^>]*)>$%</$1>%;
+			$_ = "\n</PRE>\n" . $_ . "<PRE>\n";
+		    } else {
+			s/(((.\010)+.)+)/strongize($1)/oge;
+		    }
+		} else {
+		    s/(((.\010)+.)+)/strongize($1)/oge;
+		}
+	    }
+	    print $OutFH $_;
+	}
+
+	for ($i=0; $i < $ftsz; $i++) {
+	    last LOOP  unless defined($_ = <$InFH>);
+	}
+    }
+EndOfDoItCode
+
+
+    ##	Perform processing.
+
+    printhead()  unless $Bare;
+    print $OutFH "<PRE>\n";
+    eval $doitcode;			# $doitcode defined above
+    print $OutFH "</PRE>\n";
+    printtail()  unless $Bare;
+}
+
+##---------------------------------------------------------------------------
+##
+sub get_cli_opts {
+    return 0  unless
+    GetOptions(
+	"bare",		# Leave out HTML, HEAD, BODY tags.
+	"belem=s",	# HTML Element for overstriked text (def: "B")
+	"botm=i",	# Number of lines for bottom margin (def: 7)
+	"cgiurl=s",	# CGI URL for linking to other manpages
+	"cgiurlexp=s",	# CGI URL Perl expr for linking to other manpages
+	"compress",	# Compress consecutive blank lines
+	"headmap=s",	# Filename of user section head map file
+	"k",		# Process input from 'man -k' output.
+	"leftm=i",	# Character width of left margin (def: 0)
+	"nodepage",	# Do not remove pagination lines
+	"noheads",	# Do not detect for section heads
+	"pgsize=i",	# Number of lines in a page (def: 66)
+	"seealso",	# Link to other manpages only in the SEE ALSO section
+	"solaris",	# Parse 'man -k' output from a solaris system
+	"sun",		# Section heads are not overstriked in input
+	"title=s",	# Title of manpage (def: Not defined)
+	"topm=i",	# Number of lines for top margin (def: 7)
+	"uelem=s",	# HTML Element for underlined text (def: "I")
+
+	"help"		# Short usage message
+    );
+    return 0  if defined($opt_help);
+
+    $pgsz = $opt_pgsize || $pgsz;
+    if (defined($opt_nodepage)) {
+	$hdsz   = 0;
+	$ftsz   = 0;
+    } else {
+	$hdsz   = $opt_topm  if defined($opt_topm);
+	$ftsz   = $opt_botm  if defined($opt_botm);
+    }
+    $txsz       = $pgsz - ($hdsz + $ftsz);
+    $leftmsz    = $opt_leftm  if defined($opt_leftm);
+    $leftm      = ' ' x $leftmsz;
+
+    $Bare       = defined($opt_bare);
+    $Compress   = defined($opt_compress);
+    $K          = defined($opt_k);
+    $NoDepage   = defined($opt_nodepage);
+    $NoHeads    = defined($opt_noheads);
+    $SeeAlso    = defined($opt_seealso);
+    $Solaris    = defined($opt_solaris);
+    $Sun        = defined($opt_sun);
+
+    $Title      = $opt_title || $Title;
+    $CgiUrl     = $opt_cgiurlexp ||
+			($opt_cgiurl ? qq{return "$opt_cgiurl"} : '');
+
+    $BTag	= $opt_belem || $BTag;
+    $UTag	= $opt_uelem || $UTag;
+    $BTag	=~ s/[<>]//g;
+    $UTag	=~ s/[<>]//g;
+
+    if (defined($opt_headmap)) {
+	require $opt_headmap or warn "Unable to read $opt_headmap\n";
+    }
+    1;
+}
+
+##---------------------------------------------------------------------------
+sub printhead {
+    print $OutFH "<HTML>\n";
+    print $OutFH "<HEAD>\n",
+		 "<TITLE>$Title</TITLE>\n",
+		 "</HEAD>\n"  if $Title;
+    print $OutFH "<BODY>\n";
+    print $OutFH "<H1>$Title</H1>\n",
+		 "<HR>\n"  if $Title;
+}
+
+##---------------------------------------------------------------------------
+sub printtail {
+    print $OutFH <<EndOfRef;
+<HR>
+<ADDRESS>
+Man(1) output converted with
+<a href="http://www.oac.uci.edu/indiv/ehood/man2html.html">man2html</a>
+</ADDRESS>
+</BODY>
+</HTML>
+EndOfRef
+}
+
+##---------------------------------------------------------------------------
+sub emphasize {
+    my($txt) = shift;
+    $txt =~ s/.\010//go;
+    $txt = "<$UTag>$txt</$UTag>";
+    $txt;
+}
+
+##---------------------------------------------------------------------------
+sub strongize {
+    my($txt) = shift;
+    $txt =~ s/.\010//go;
+    $txt = "<$BTag>$txt</$BTag>";
+    $txt;
+}
+
+##---------------------------------------------------------------------------
+sub entitize {
+    my($txt) = shift;
+
+    ## Check for special characters in overstrike text ##
+    $$txt =~ s/_\010\&/strike('_', '&')/geo;
+    $$txt =~ s/_\010</strike('_', '<')/geo;
+    $$txt =~ s/_\010>/strike('_', '>')/geo;
+
+    $$txt =~ s/(\&\010)+\&/strike('&', '&')/geo;
+    $$txt =~ s/(<\010)+</strike('<', '<')/geo;
+    $$txt =~ s/(>\010)+>/strike('>', '>')/geo;
+
+    ## Check for special characters in regular text.  Must be careful
+    ## to check before/after character in expression because it might be
+    ## a special character.
+    $$txt =~ s/([^\010]\&[^\010])/htmlize2($1)/geo;
+    $$txt =~ s/([^\010]<[^\010])/htmlize2($1)/geo;
+    $$txt =~ s/([^\010]>[^\010])/htmlize2($1)/geo;
+}
+
+##---------------------------------------------------------------------------
+##	escape special characters in a string, in-place
+##
+sub htmlize {
+    my($str) = shift;
+    $$str =~ s/&/\&amp;/g;
+    $$str =~ s/</\&lt;/g;
+    $$str =~ s/>/\&gt;/g;
+    $$str;
+}
+
+##---------------------------------------------------------------------------
+##	htmlize2() is used by entitize.
+##
+sub htmlize2 {
+    my($str) = shift;
+    $str =~ s/&/\&amp;/g;
+    $str =~ s/</\&lt;/g;
+    $str =~ s/>/\&gt;/g;
+    $str;
+}
+
+##---------------------------------------------------------------------------
+##	strike converts HTML special characters in overstriked text
+##	into entity references.  The entities are overstriked so
+##	strongize() and emphasize() will recognize the entity to be
+##	wrapped in tags.
+##
+sub strike {
+    my($w, $char) = @_;
+    my($ret);
+    if ($w eq '_') {
+	if ($char eq '&') {
+	    $ret = "_$bs\&_${bs}a_${bs}m_${bs}p_${bs};";
+	} elsif ($char eq '<') {
+	    $ret = "_$bs\&_${bs}l_${bs}t_${bs};";
+	} elsif ($char eq '>') {
+	    $ret = "_$bs\&_${bs}g_${bs}t_${bs};";
+	} else {
+	    warn qq|Unrecognized character, "$char", passed to strike()\n|;
+	}
+    } else {
+	if ($char eq '&') {
+	    $ret = "\&$bs\&a${bs}am${bs}mp${bs}p;${bs};";
+	} elsif ($char eq '<') {
+	    $ret = "\&$bs\&l${bs}lt${bs}t;${bs};";
+	} elsif ($char eq '>') {
+	    $ret = "\&$bs\&g${bs}gt${bs}t;${bs};";
+	} else {
+	    warn qq|Unrecognized character, "$char", passed to strike()\n|;
+	}
+    }
+    $ret;
+}
+
+##---------------------------------------------------------------------------
+##	make_xref() converts a manpage crossreference into a hyperlink.
+##
+sub make_xref {
+    my $str = shift;
+    $str =~ s/.\010//go;			# Remove overstriking
+
+    if ($CgiUrl) {
+	my($title,$section,$subsection) =
+	    ($str =~ /([\+_\.\w-]+)\((\d)(\w?)\)/);
+
+	$title =~ s/\+/%2B/g;
+	my($href) = (eval $CgiUrl);
+	qq|<B><A HREF="$href">$str</A></B>|;
+    } else {
+	qq|<B>$str</B>|;
+    }
+}
+
+##---------------------------------------------------------------------------
+##	man_k() process a keyword search.  The problem we have is there
+##	is no standard for keyword search results from man.  Solaris
+##	systems have a different enough format to warrent dealing
+##	with it as a special case.  For other cases, we try our best.
+##	Unfortunately, there are some lines of results that may be
+##	skipped.
+##
+sub man_k {
+    my($line,$refs,$section,$subsection,$desc,$i,
+       %Sec1, %Sec1sub, %Sec2, %Sec2sub, %Sec3, %Sec3sub,
+       %Sec4, %Sec4sub, %Sec5, %Sec5sub, %Sec6, %Sec6sub,
+       %Sec7, %Sec7sub, %Sec8, %Sec8sub, %Sec9, %Sec9sub,
+       %SecN, %SecNsub, %SecNsec);
+
+    printhead()  unless $Bare;
+    print $OutFH "<!-- Man keyword results converted by ",
+		      "man2html $VERSION -->\n";
+
+    while ($line = <$InFH>) {
+	next if $line !~ /\(\d\w?\)\s+-\s/; # check if line can be handled
+	($refs,$section,$subsection,$desc) =
+	    $line =~ /^\s*(.*)\((\d)(\w?)\)\s*-\s*(.*)$/;
+
+	if ($Solaris) {
+	    $refs =~ s/^\s*([\+_\.\w-]+)\s+([\+_\.\w-]+)\s*$/$1/;
+					#  <topic> <manpage>
+	} else {
+	    $refs =~ s/\s(and|or)\s/,/gi; # Convert and/or to commas
+	    $refs =~ s/^[^:\s]:\s*//;	# Remove prefixed whatis path
+	}
+	$refs =~ s/\s//g;		# Remove all whitespace
+	$refs =~ s/,/, /g;		# Put space after comma
+	htmlize(\$desc);		# Check for special chars in desc
+	$desc =~ s/^(.)/\U$1/;		# Uppercase first letter in desc
+
+	if ($section eq '1') {
+	    $Sec1{$refs} = $desc; $Sec1sub{$refs} = $subsection;
+	} elsif ($section eq '2') {
+	    $Sec2{$refs} = $desc; $Sec2sub{$refs} = $subsection;
+	} elsif ($section eq '3') {
+	    $Sec3{$refs} = $desc; $Sec3sub{$refs} = $subsection;
+	} elsif ($section eq '4') {
+	    $Sec4{$refs} = $desc; $Sec4sub{$refs} = $subsection;
+	} elsif ($section eq '5') {
+	    $Sec5{$refs} = $desc; $Sec5sub{$refs} = $subsection;
+	} elsif ($section eq '6') {
+	    $Sec6{$refs} = $desc; $Sec6sub{$refs} = $subsection;
+	} elsif ($section eq '7') {
+	    $Sec7{$refs} = $desc; $Sec7sub{$refs} = $subsection;
+	} elsif ($section eq '8') {
+	    $Sec8{$refs} = $desc; $Sec8sub{$refs} = $subsection;
+	} elsif ($section eq '9') {
+	    $Sec9{$refs} = $desc; $Sec9sub{$refs} = $subsection;
+	} else {			# Catch all
+	    $SecN{$refs} = $desc; $SecNsec{$refs} = $section;
+	    $SecNsub{$refs} = $subsection;
+	}
+    }
+    print_mank_sec(\%Sec1, 1, \%Sec1sub);
+    print_mank_sec(\%Sec2, 2, \%Sec2sub);
+    print_mank_sec(\%Sec3, 3, \%Sec3sub);
+    print_mank_sec(\%Sec4, 4, \%Sec4sub);
+    print_mank_sec(\%Sec5, 5, \%Sec5sub);
+    print_mank_sec(\%Sec6, 6, \%Sec6sub);
+    print_mank_sec(\%Sec7, 7, \%Sec7sub);
+    print_mank_sec(\%Sec8, 8, \%Sec8sub);
+    print_mank_sec(\%Sec9, 9, \%Sec9sub);
+    print_mank_sec(\%SecN, 'N', \%SecNsub, \%SecNsec);
+
+    printtail()  unless $Bare;
+}
+##---------------------------------------------------------------------------
+##	print_mank_sec() prints out manpage cross-refs of a specific section.
+##
+sub print_mank_sec {
+    my($sec, $sect, $secsub, $secsec) = @_;
+    my(@array, @refs, $href, $item, $title, $subsection, $i, $section,
+       $xref);
+    $section = $sect;
+
+    @array = sort keys %$sec;
+    if ($#array >= 0) {
+	print $OutFH "<H2>Section $section</H2>\n",
+		     "<DL COMPACT>\n";
+	foreach $item (@array) {
+	    @refs = split(/,/, $item);
+	    $section = $secsec->{$item}  if $sect eq 'N';
+	    $subsection = $secsub->{$item};
+	    if ($CgiUrl) {
+		($title = $refs[0]) =~ s/\(\)//g;  # watch out for extra ()'s
+		$xref = eval $CgiUrl;
+	    }
+	    print $OutFH "<DT>\n";
+	    $i = 0;
+	    foreach (@refs) {
+		if ($CgiUrl) {
+		    print $OutFH qq|<B><A HREF="$xref">$_</A></B>|;
+		} else {
+		    print $OutFH $_;
+		}
+		print $OutFH ", "  if $i < $#refs;
+		$i++;
+	    }
+	    print $OutFH " ($section$subsection)\n",
+			 "</DT><DD>\n",
+			 $sec->{$item}, "</DD>\n";
+	}
+	print $OutFH "</DL>\n";
+    }
+}
+
+##---------------------------------------------------------------------------
+##
+sub usage {
+    print $OutFH <<EndOfUsage;
+Usage: $PROG [ options ] < infile > outfile
+Options:
+  -bare            : Do not put in HTML, HEAD, BODY tags
+  -belem <elem>    : HTML Element for overstriked text (def: "B")
+  -botm <#>        : Number of lines for bottom margin (def: 7)
+  -cgiurl <url>    : URL for linking to other manpages
+  -cgiurlexp <url> : Perl expression URL for linking to other manpages
+  -compress        : Compress consective blank lines
+  -headmap <file>  : Filename of user section head map file
+  -help            : This message
+  -k               : Process a keyword search result
+  -leftm <#>       : Character width of left margin (def: 0)
+  -nodepage        : Do not remove pagination lines
+  -noheads         : Turn off section head detection
+  -pgsize <#>      : Number of lines in a page (def: 66)
+  -seealso         : Link to other manpages only in the SEE ALSO section
+  -solaris         : Process keyword search result in Solaris format
+  -sun             : Section heads are not overstriked in input
+  -title <string>  : Title of manpage (def: Not defined)
+  -topm <#>        : Number of lines for top margin (def: 7)
+  -uelem <elem>    : HTML Element for underlined text (def: "I")
+
+Description:
+  $PROG takes formatted manpages from STDIN and converts it to HTML sent
+  to STDOUT.  The -topm and -botm arguments are the number of lines to the
+  main body text and NOT to the running headers/footers.
+
+Version:
+  $VERSION
+  Copyright (C) 1995-1997  Earl Hood, ehood\@medusa.acs.uci.edu
+  $PROG comes with ABSOLUTELY NO WARRANTY and $PROG may be copied only
+  under the terms of the GNU General Public License, which may be found in
+  the $PROG distribution.
+
+EndOfUsage
+    exit 0;
+}
diff --git a/doc/man2html.M b/doc/man2html.M
new file mode 100644
index 0000000000..537d6073b3
--- /dev/null
+++ b/doc/man2html.M
@@ -0,0 +1,761 @@
+.\" sccsid = "@(#)  man2html.1  1.2  08/12/97"
+.\"
+.\" ================================================
+.\" ARGUMENT MACRO:		.Ar "arg" [B]
+.de Ar
+.ie \\$2B  \%\fB\\$1\fR
+.el              \%\fI\\$1\fR
+..
+.\" ================================================
+.\" BRACKETED ARGUMENT MACRO:	.Br "arg" [B]
+.de Br
+.ie \\$2B  \%[\|\fB\\$1\fR\|]
+.el              \%[\|\fI\\$1\fR\|]
+..
+.\" ================================================
+.\" OPTION FLAG MACRO		.Of -x [arg]
+.de Of
+.ie \\n(.$==1      \%[\|\fB\\$1\fR\|]
+.el .if \\n(.$==2  \%[\|\fB\\$1\fR\0\fI\fI\\$2\fR\|]
+..
+.\" ================================================
+.\" SYNOPSIS START MACRO
+.de Ss				.Ss name
+.na
+.nr aA \w\\$1\\0u
+.in +\\n(aAu
+'ti -\\n(aAu
+.ta  \\n(aAu
+\&\fB\\$1\fR\t\c
+..
+.\" ================================================
+.\" SYNOPSIS END MACRO
+.de Se				.Se
+.ad
+.in
+..
+.\" ================================================
+.\"
+.\"
+.TH MAN2HTML 1 "97/08/12"
+.SH NAME
+.na
+man2html \- convert UNIX nroff(1) manual pages to HTML format
+.SH SYNOPSIS
+.na
+.Ss man2html
+.Of -bare
+.Of -belem name
+.Of -botm lines
+.Of -cgiurl string
+.Of -cgiurlexp expr
+.Of -compress
+.Of -headmap mapfile
+.Of -help
+.Of -k
+.Of -leftm chars
+.Of -nodepage
+.Of -noheads
+.Of -pgsize lines
+.Of -seealso
+.Of -solaris
+.Of -sun
+.Of -title string
+.Of -topm lines
+.Of -uelem name
+.Se
+.sp 2
+Typical Usage:
+.sp
+.Ss man2html
+.Of -options
+.BI "\0<\0" infile
+.BI "\0\0>\0" outfile
+.Se
+.sp
+.B man
+.I topic
+.B | man2html
+.Of -options
+.BI "\0>\0" outfile
+.\"
+.SH DESCRIPTION
+.na
+The
+.B man2html
+filter reads formatted nroff text from standard input
+.RI ( stdin )
+and writes a \s-1HTML\s+1 document to standard output
+.RI ( stdout ).
+.LP
+The formatted nroff output is surrounded with
+.B \s-1<PRE>\s+1
+tags with the following exceptions/additions:
+.RS 4n
+.LP
+.na
+'ti -2n
+'ta  2n
+\(bu	Section heads are wrapped in \s-1HTML\s+1
+.I header
+tags.
+See the
+.B "\s-1SECTION\ HEAD\ MAP\ FILE\s+1"
+section below for additional information.
+The
+.B \%-noheads
+option can be used to disable this feature.
+.ad
+.LP
+.na
+'ti -2n
+'ta  2n
+\(bu	Bold words designated by a \%"<char><bs><char>"
+sequences are wrapped in
+.B \s-1<B>\s+1
+tags (or the element specified via the
+.B \%-belem
+option).
+.ad
+.LP
+.na
+'ti -2n
+'ta  2n
+\(bu	Underlined words designated by a \%"_<bs><char>"
+sequences are wrapped in
+.B \s-1<I>\s+1
+tags (or the element specified via the
+.B \%-uelem
+option).
+.ad
+.RE
+.SH OPTIONS
+.na
+.TP 0.5i
+.B -bare
+This option will eliminate \s-1HTML\s+1
+.B \s-1<HEAD>\s+1
+and
+.B \s-1<BODY>\s+1
+tags from the output.
+This is useful when you wish to incorporate the output into another
+\s-1HTML\s+1 document.
+.TP 0.5i 
+.BI -belem\0 name
+Use
+.I name
+as the name of the element to wrap overstriken characters.
+The default is \fBB\fR.
+.TP 0.5i 
+.BI -botm\0 lines
+The
+.I lines
+argument specifies the number of lines representing the bottom
+margin of the formatted nroff input.
+The line count includes any running footers.
+The default value is 7.
+.TP 0.5i
+.BI -cgiurl\0 string
+The
+.I string
+argument specifies a template \s-1URL\s+1 for creating links to other manpages.
+See the
+.B "\s-1LINKING\ TO\ OTHER\ MANPAGES\s+1"
+section below for additional information.
+.TP 0.5i
+.BI -cgiurlexp\0 expr
+The
+.I expr
+argument specifies a Perl expression evaluting to a \s-1URL\s+1 for
+creating links to other manpages.
+See the
+.B "\s-1LINKING\ TO\ OTHER\ MANPAGES\s+1"
+section below for additional information.
+.TP 0.5i
+.B -compress
+Compress consecutive blank lines into a single line.
+.TP 0.5i
+.BI -headmap\0 mapfile
+The
+.I mapfile
+argument is read to determine which \s-1HTML\s+1
+header tags are to be used for various section heading in the manpage.
+See the
+.B "\s-1SECTION\ HEAD\ MAP\ FILE\s+1"
+section below for information on the format of the map file.
+.TP 0.5i
+.B -help
+Print out a short usage message and then exit immediately.
+.TP 0.5i
+.B -k
+Process input resulting from a manpage keyword search
+.RB ( "man\ -k" ).
+See the
+.B "\s-1KEYWORD\ SEARCH\s+1"
+section below for additional information.
+.TP 0.5i
+.BI -leftm\0 chars
+The
+.I chars
+argument specifies the width of the number of characters making
+up the left margin of the formatted nroff input.
+The default value is 0.
+.TP 0.5i
+.B -nodepage
+By default,
+.B man2html
+merges multi-page formatted nroff into a single page.
+This option may be used to disable depagination, causing
+running headers and footers in the formatted nroff input
+to be carried over into the \s-1HTML\s+1 output.
+.TP 0.5i
+.B -noheads
+By default,
+.B man2html
+wraps section heads in \s-1HTML\s+1
+header tags.
+See the
+.B "\s-1SECTION\ HEAD\ MAP\ FILE\s+1"
+section below for additional information.
+This option may be specified to disabled this feature.
+.TP 0.5i
+.BI -pgsize\0 lines
+The
+.I lines
+argument specifies the number of lines making up the page size (length)
+of the formatted nroff input.
+The default value is 66.
+.TP 0.5i
+.B -seealso
+If the
+.B -cgiurl
+option has been specified, then this option restricts the
+creation of links to other manual pages to the
+.B "\%\s-1SEE\ ALSO\s+1"
+section only.
+.TP 0.5i
+.B -solaris
+If the
+.B -k
+option has been specified, then this option modifies its operation
+to process the alternate manual page keyword search format produced
+by the
+.BR man (1)
+utility on systems running
+.IR Solaris .
+See the
+.B "\s-1KEYWORD\ SEARCH\s+1"
+section below for additional information.
+.TP 0.5i
+.B -sun
+Do not require a section head to have bold overstriking in the
+formatted nroff input.
+The option is called
+.B \%sun
+because it was on a Sun workstation that section heads in
+manpages were found to not be overstruck.
+.TP 0.5i
+.BI -title\0 string
+By default,
+.B man2html
+does not generate a \s-1HTML\s+1 title
+.RB ( \s-1<TITLE>\s+1 ).
+This option sets the title of the \s-1HTML\s+1 output to the specified
+.IR string .
+.TP 0.5i
+.BI -topm\0 lines
+The
+.I lines
+argument specifies number number of lines representing the
+top margin of the formatted nroff input.
+The line count includes any running headers.
+The default value is 7.
+.TP 0.5i 
+.BI -uelem\0 name
+Use
+.I name
+as the name of the element to wrap underscored characters.
+The default is \fBI\fR.
+.\"
+.SH "SECTION HEAD MAP FILE"
+.na
+.LP
+The
+.B \%-headmap
+option may be used to customize which \s-1HTML\s+1 header tags,
+.BR "\s-1<H1>\s+1 ... \s-1<H6>\s+1" ,
+are used in manpage section headings.
+Normally,
+.B man2html
+treats lines that are flush to the left margin
+.RB ( -leftm ),
+and contain overstriking (overstrike check is canceled with the
+.B -sun
+option), as section heads.
+However, you can augment/override what \s-1HTML\s+1 header tags are used for
+any given section head.
+.LP
+In order to write a section head map file, you will need to know about
+.BR perl (1)
+associative arrays.
+You do not need to be an expert in
+.B perl
+to write a map file, however, having knowledge of
+.B perl
+allows you to be more clever.
+.\"
+.SS "Augmenting the Default Map" 
+.LP
+To add to the default mapping defined by
+.BR man2html ,
+your map file will contain lines with the following syntax:
+.sp
+.if t .RS 4n
+.B "$SectionHead{'<section head text>'} = '<html header tag>';"
+.if t .RE
+.sp
+where
+.IP "\fB\%<section\ head\ text>\fR"
+is the text of the manpage section head.
+For example:
+.B  \s-1SYNOPSIS\s+1
+or
+.BR \s-1DESCRIPTION\s+1 .
+.IP "\fB\%<html\ header\ tag>\fR"
+is the \s-1HTML\s+1 header tag to wrap the section head in.
+Legal values are:
+.BR \s-1<H1>\s+1 ,
+.BR \s-1<H2>\s+1 ,
+.BR \s-1<H3>\s+1 ,
+.BR \s-1<H4>\s+1 ,
+.BR \s-1<H5>\s+1 ,
+.BR \s-1<H6>\s+1 .
+.SS "Overriding the Default Map"
+To override the default mapping with your own, then your map file will
+have the following syntax:
+.sp
+.RS 4n
+.ft B
+.nf
+.ne 6v
+%SectionHead = (
+         \&'<section head text>', '<html header tag>',
+         \&'<section head text>', '<html header tag>',
+         \&# ... More section head/tag pairs
+         \&'<section head text>', '<html header tag>',
+);
+.fi
+.ft
+.RE
+.SS "The Default Map"
+.LP
+As of this writing, this is the default map used by
+.BR man2html :
+.RS 4n
+.sp
+.ft C
+.nf
+.ne 29v
+%SectionHead = (
+.ps -1
+    \&'\\S.*OPTIONS.*'             => '<H2>',
+    \&'AUTHORS?'                  => '<H2>',
+    \&'BUGS'                      => '<H2>',
+    \&'COMPATIBILITY'             => '<H2>',
+    \&'DEPENDENCIES'              => '<H2>',
+    \&'DESCRIPTION'               => '<H2>',
+    \&'DIAGNOSTICS'               => '<H2>',
+    \&'ENVIRONMENT'               => '<H2>',
+    \&'ERRORS'                    => '<H2>',
+    \&'EXAMPLES'                  => '<H2>',
+    \&'EXTERNAL INFLUENCES'       => '<H2>',
+    \&'FILES'                     => '<H2>',
+    \&'LIMITATIONS'               => '<H2>',
+    \&'NAME'                      => '<H2>',
+    \&'NOTES?'                    => '<H2>',
+    \&'OPTIONS'                   => '<H2>',
+    \&'REFERENCES'                => '<H2>',
+    \&'RETURN VALUE'              => '<H2>',
+    \&'SECTION.*:'                => '<H2>',
+    \&'SEE ALSO'                  => '<H2>',
+    \&'STANDARDS CONFORMANCE'     => '<H2>',
+    \&'STYLE CONVENTION'          => '<H2>',
+    \&'SYNOPSIS'                  => '<H2>',
+    \&'SYNTAX'                    => '<H2>',
+    \&'WARNINGS'                  => '<H2>',
+    \&'\\s+Section.*:'             => '<H3>',
+.ps +1
+);
+$HeadFallback = '\s-1<H2>\s+1';  # Fallback tag if above is not found.
+.fi
+.ft
+.RE
+.LP
+Check the
+.B perl
+source code of
+.B man2html
+for the latest default mapping.
+.LP 
+You can reassign the
+.B \%$HeadFallback
+variable to a different value if you choose.
+This value is used as the header tag of a section head if
+no matches are found in the \%\fB%SectionHead\fR map.
+.SS "Using Regular Expressions in the Map File"
+.LP
+You may have noticed unusual characters in the default map file, like
+"\\s" or "*".
+The
+.B man2html
+utility actual treats the
+.B "\%<section\ head\ text>"
+as a
+.B perl
+regular expression.
+If you are comfortable with
+.B perl
+regular expressions, then you have their full power to use
+in your map file.
+.LP
+.I Caution:
+The
+.B man2html
+utility already anchors the regular expression to the beginning of the
+line with left margin spacing specified by the
+.B \%-leftm
+option.
+Therefore, do not use the `\fB\fR^' character to anchor your regular
+expression to the beginning.
+However, you may end your expression with a `\fB$\fR' to anchor it to
+the end of the line.
+.LP 
+Since the
+.B "\%<section\ head\ text>"
+is actually a regular expression, you will have to be careful of
+special characters if you want them to be treated literally.
+Any of the characters
+.RB ` "[ ] ( ) . ^ { } $ * ? + \\ |" '
+should be escaped by prefixing them by the
+\&`\fB\\\fR' character if you want
+.B perl
+to treat them "as is".
+.LP
+.I Caution:
+One should use single quotes instead of double quotes to delimit
+.BR "\%<section\ head\ text>" .
+This will preserve any `\fB\\\fR' characters for character escaping
+or when the `\fB\\\fR' is used for special
+.B perl
+character matching sequences (e.g.,  \fB\\s\fR, \fB\\w\fR, \fB\\S\fR).
+.SS "Other Tid-bits on the Map File"
+.LP
+Comments can be inserted in the map file by using the '\fB#\fR'
+character.
+Anything after, and including, the '\fB#\fR' character is ignored,
+up to the end of line.
+.LP 
+You might be thinking that the above is quite-a-bit-of-stuff just for
+doing manpage section heads.
+However, you will be surprised how much better the \s-1HTML\s+1 output looks
+with header tags, even though, everything else is in a
+.B \s-1<PRE>\s+1
+tag.
+.\"
+.SH "LINKING TO OTHER MANPAGES"
+.na
+.LP 
+The
+.B man2html
+utility allows the ability to link to other manpage references.
+If the
+.B \%-cgiurl
+option is specified,
+.B man2html
+will create anchors that link to other manpages.
+.LP 
+The \s-1URL\s+1 entered with the
+.B \%-cgiurl
+option is actually a template that determines the actual \s-1URL\s+1 used to
+link to other manpages.
+The following variables are defined during run time that may be used in
+the template string:
+.sp
+.RS 4n
+.IP \fB$title\fR
+The title of the manual page referenced.
+.IP \fB$section\fR
+The section number of the manual page referenced.
+.IP \fB$subsection\fR
+The subsection of the manual page referenced.
+.RE
+.LP
+Any other text in the template is preserved "as is".
+.LP
+.I Caution:
+The
+.B man2html
+utility evaluates the template string as a
+.B perl
+string expression.
+Therefore, one might need to surround the variable names with
+\&'\fB{\|}\fR' (e.g.,
+.BR ${\|title\|}\| )
+so that
+.B man2html
+properly recognizes the variable.
+.LP
+.I Note:
+If a \s-1CGI\s+1 program calling
+.B man2html
+is actually a shell script or a
+.B perl
+program, make sure to properly escape the '\fB$\fR' character
+in the \s-1URL\s+1 template to avoid variable interpolation by the \s-1CGI\s+1
+program.
+.LP
+Normally, the \s-1URL\s+1 calls a \s-1CGI\s+1 program (hence the option name),
+but the \s-1URL\s+1 can easily link to statically converted documents.
+.SS "Example1:"
+.LP 
+The following template string is specified to call a \s-1CGI\s+1 program to
+retrieve the appropriate manpage linked to:
+.LP
+.nf
+.B "/cgi-bin/man.cgi?section=${section}${subsection}&topic=${title}"
+.fi
+.LP 
+If the
+.BR ls (1)
+manpage is referenced in the
+.B "SEE ALSO"
+section, the above template will translate to the following \s-1URL\s+1:
+.LP
+.B "/cgi-bin/man.cgi?section=1&topic=ls"
+.LP 
+The actual \s-1HTML\s+1 markup will look like the following:
+.LP
+\fB<A\ HREF="/cgi-bin/man.cgi?section=1&topic=ls">ls(1)</A>\fR
+.SS "Example2:"
+.LP 
+The following template string is specified to retrieve pre-converted
+manpages:
+.LP
+.B "http://foo.org/man$section/$title.$section$subsection.html"
+.LP 
+If the
+.BR mount (1M)
+manpage is referenced, the above template will translate to the
+following \s-1URL\s+1:
+.LP
+.B "http://foo.org/man1/mount.1M.html"
+.LP 
+The actual \s-1HTML\s+1 markup will look like the following:
+.LP
+\fB<A HREF="http://foo.org/man1/mount.1M.html">mount(1M)</A>\fR
+.SS "-cgiurlexp"
+The option
+.B \%-cgiurlexp
+is a more general form of the
+.B \%-cgiurl
+option.
+.B \%-cgiurlexp
+allows one to specify a general Perl expression.  For example:
+.LP
+\fB$title=~/^db_/i?"$title.html":"/cgi-bin/man?$title+$section"\fR
+.LP
+A
+.B \%-cgiurl
+.I string
+can be expressed as follows with \fB-cgiurlexp\fR:
+.LP
+\fBreturn "\fIstring\fB"\fR
+.\"
+.SH "KEYWORD SEARCH"
+.na
+.LP
+The
+.B man2html
+utility has the ability to process keyword search output generated
+by the \%\fBman\ -k\fR or \%\fBapropos\fR commands, through the
+use of the
+.B -k
+option.
+The
+.B man2html
+utility will generate an \s-1HTML\s+1 document of the keyword search input
+having the following format:
+.RS 4n 
+.LP
+.na
+'ti -2n
+'ta  2n
+\(bu	All manpage references are listed by section.
+.ad
+.LP
+.na
+'ti -2n
+'ta  2n
+\(bu	Within each section listing, the manpage references
+are sorted alphabetically (case-sensitive) in a
+.B \s-1<DL>\s+1
+tag.
+The manpage references are listed in the
+.B \s-1<DT>\s+1
+section, and the summary text is listed in the
+.B \s-1<DD>\s+1
+section.
+.ad
+.LP
+.na
+'ti -2n
+'ta  2n
+\(bu	Each manpage reference listed is a hyperlink to the
+actual manpage as specified by the
+.B \%-cgiurl
+option.
+.ad
+.RE
+.LP 
+.na
+This ability to process keyword searches gives nice added functionality
+to a \s-1WWW\s+1 forms interface to
+.BR man (1).
+Even if you have statically converted manpages to \s-1HTML\s+1 via another
+man->\s-1HTML\s+1 program, you can use
+.B man2html
+and "\fBman\ -k\fR" to provide keyword search capabilities easily for
+your \s-1HTML\s+1 manpages.
+.SS "Processing Keyword Search Results"
+.na
+.LP 
+Unfortunately, there is no standard controlling the format of keyword
+search results.
+The
+.B man2html
+utility tries it best to handle all the variations.
+However, the keyword search results generated by the
+.I Solaris
+operating system is different enough from other systems that a
+special command-line option
+.RB ( -solaris )
+must be specified to handle its output.
+.SS "Example of raw Solaris-type keyword search results:"
+.LP
+.ft C
+.nf
+.ne 10v
+strcpy        strcpy (9f)  - copy a string from one location to another.
+strcpy        string (3c)  - string operations
+strncpy       strcpy (9f)  - copy a string from one location to another.
+strncpy       string (3c)  - string operations
+.fi
+.ft
+.LP 
+If keyword search results on your systems appear in the following format:
+.LP
+.RS 4n
+.B "<topic>  <actual_manpage> (#) - Description"
+.RE
+.LP
+then you need to specify the
+.B \%-solaris
+option in addition to the
+.B -k
+option.
+.SH "ADDITIONAL NOTES"
+.na
+.LP
+Different systems format manpages differently.
+Here is a list of recommended command-line options for certain systems:
+.RS 4n
+.LP
+.ta 1i
+.nf
+.ne 3v
+\fBConvex\fR:	<defaults should be okay>
+\fBHP\fR:	\fB-leftm 1 -topm 8\fR
+\fBSun\fR:	\fB-sun\fR (and \fB-solaris\fR when using \fB-k\fR)
+.fi
+.RE
+.LP
+Some line spacing gets lost in the formatted nroff since the
+spacing would occur in the middle of a page break.
+This can cause text to be merged that shouldn't be merged when
+.B man2html
+depaginates the text.
+To avoid this problem,
+.B man2html
+keeps track of the margin indent right before and after a page break.
+If the margin width of the line after the page break is less than the
+line before the page break, then
+.B man2html
+inserts a blank line in the \s-1HTML\s+1 output.
+.LP 
+A manpage cross-reference is detected by the following pseudo expression:
+\%\fB[A-z.-+_]+([0-9][A-z]?)\fR
+.LP
+The
+.B man2html
+utility only recognizes lines with "\fB - \fR" (the normal separator
+between manpage references and summary text) while in keyword
+search mode.
+.LP 
+The
+.B man2html
+utility can be hooked in a \s-1CGI\s+1 script/program to convert manpages
+on the fly.
+This is the reason for the
+.B \%-cgiurl
+option.
+.SH LIMITATIONS
+.na
+.LP 
+The order that section head mapping is searched is not defined.
+Therefore, if two or more
+.B "\%<section\ head\ text>"
+can match a give manpage section, there is no way to determine
+which map tag is chosen.
+.LP 
+If
+.B \%-seealso
+is specified, all xrefs are detected after the
+.B "\%SEE\ ALSO"
+heading.
+In other words, sections after
+.B "\%SEE\ ALSO"
+may contain hyperlinked xrefs.
+.SH BUGS
+.na
+.LP 
+Text that is flush to the left margin, but is not actually a
+section head, can be mistaken for a section head.
+This mistake is more likely when the
+.B \%-sun
+option is in affect.
+.SH VERSION
+.na
+This documentation describes
+.B man2html
+version 3.0.1
+.SH "SEE ALSO"
+.na
+.BR man (1),
+.BR nroff (1),
+.BR perl (1)
+.LP
+.I http://www.oac.uci.edu/indiv/ehood/man2html.html
+.SH AUTHOR
+.LP
+.B Earl Hood
+.br
+.I ehood@medusa.acs.uci.edu
+.\"
+.SH "ERRORS AND OMISSIONS"
+.na
+Troff version of this document initially created for version 2.1.0
+by C. Jeffery Small
+.RI ( jeff@cjsa.com )
+by copying, reformatting, rearranging and partially rewriting
+the contents of the ascii text file
+.BR doc/man2html.txt .
diff --git a/doc/salts.texinfo b/doc/salts.texinfo
new file mode 100644
index 0000000000..3ed43db0e1
--- /dev/null
+++ b/doc/salts.texinfo
@@ -0,0 +1,19 @@
+@ignore 
+the information in this file should be consistent with the information
+in krb5/src/lib/krb5/krb/str_conv.c, in the struct salttype_lookup_entry
+@end ignore
+
+@table @code
+@item normal
+default for Kerberos Version 5
+@item v4
+the only type used by Kerberos Version 4, no salt
+@item norealm
+same as the default, without using realm information
+@item onlyrealm
+uses only realm information as the salt
+@item afs3
+AFS version 3, only used for compatibility with Kerberos 4 in AFS
+@item special
+only used in very special cases; not fully supported
+@end table
diff --git a/doc/support-enc.texinfo b/doc/support-enc.texinfo
new file mode 100644
index 0000000000..3f030bad9e
--- /dev/null
+++ b/doc/support-enc.texinfo
@@ -0,0 +1,27 @@
+@ignore 
+the information in this file should be consistent with the information
+in krb5/src/lib/crypto/etypes.c (and krb5/src/include/krb5.h[in]?)
+@end ignore
+
+@table @code
+@item des-cbc-crc 
+DES cbc mode with CRC-32
+@item des-cbc-md4 
+DES cbc mode with RSA-MD4
+@item des-cbc-md5 
+DES cbc mode with RSA-MD5
+@item des3-cbc-sha1 
+@itemx des3-hmac-sha1
+@itemx des3-cbc-sha1-kd
+triple DES cbc mode with HMAC/sha1
+@item des-hmac-sha1 
+DES with HMAC/sha1
+@item arcfour-hmac 
+@itemx rc4-hmac
+@itemx arcfour-hmac-md5
+RC4 with HMAC/MD5
+@item arcfour-hmac-exp 
+@itemx rc4-hmac-exp
+@itemx arcfour-hmac-md5-exp
+exportable RC4 with HMAC/MD5
+@end table
diff --git a/doc/user-guide.texinfo b/doc/user-guide.texinfo
index 59b9b08c53..78c45df407 100644
--- a/doc/user-guide.texinfo
+++ b/doc/user-guide.texinfo
@@ -36,6 +36,7 @@
 
 @ifinfo
 This file describes how to use the @value{PRODUCT} client programs.
+@end ifinfo
 
 @c The master menu is updated using emacs19's M-x texinfo-all-menus-update
 @c function.  Don't forget to run M-x texinfo-every-node-update after
@@ -62,7 +63,6 @@ This file describes how to use the @value{PRODUCT} client programs.
 @unnumbered Copyright
 
 @include copyright.texinfo
-@end ifinfo
 
 @node Introduction, Kerberos V5 Tutorial, Copyright, Top
 @chapter Introduction
@@ -96,11 +96,11 @@ a layer of security that is not dependent on which side of a firewall
 either client is on.  Since studies have shown that half of the computer
 security breaches in industry happen from @i{inside} firewalls,
 @value{COMPANY}'s @value{PRODUCT} plays a vital role in maintaining your
-nework security.
+network security.
 
 The @value{PRODUCT} package is designed to be easy to use.  Most of the
-commands are nearly identical to UNIX network programs you are already
-used to.  @value{PRODUCT} is a @dfn{single-sign-on} system, which means
+commands are nearly identical to UNIX network programs you already
+use.  @value{PRODUCT} is a @dfn{single-sign-on} system, which means
 that you have to type your password only once per session, and Kerberos
 does the authenticating and encrypting transparently.
 
@@ -226,12 +226,92 @@ or use a screensaver that locks the screen.
 
 @need 2000
 @menu
+* Kerberos Ticket Properties::  
 * Obtaining Tickets with kinit::  
 * Viewing Your Tickets with klist::  
 * Destroying Your Tickets with kdestroy::  
 @end menu
 
-@node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Ticket Management, Ticket Management
+@node Kerberos Ticket Properties, Obtaining Tickets with kinit, Ticket Management, Ticket Management
+@subsection Kerberos Ticket Properties
+
+There are various properties that Kerberos tickets can have:
+
+If a ticket is @dfn{forwardable}, then the KDC can issue a new ticket with
+a different network address based on the forwardable ticket.  This
+allows for authentication forwarding without requiring a password to be
+typed in again.  For example, if a user with a forwardable TGT logs
+into a remote system, the KDC could issue a new TGT for that user with
+the netword address of the remote system, allowing authentication on
+that host to work as though the user were logged in locally.
+
+When the KDC creates a new ticket based on a forwardable ticket, it
+sets the @dfn{forwarded} flag on that new ticket.  Any tickets that are
+created based on a ticket with the forwarded flag set will also have
+their forwarded flags set.
+
+A @dfn{proxiable} ticket is similar to a forwardable ticket in that it
+allows a service to take on the identity of the client.  Unlike a
+forwardable ticket, however, a proxiable ticket is only issued for
+specific services.  In other words, a ticket-granting ticket cannot be
+issued based on a ticket that is proxiable but not forwardable.
+
+A @dfn{proxy} ticket is one that was issued based on a proxiable ticket.
+
+If a tickets is @dfn{postdated}, this means that it will become valid at a
+specific time in the future.  Postdated tickets can be issued for the
+time at which a job is going to start so that the time that valid
+tickets exist unused on a machine is minimized.
+
+Tickets with the @dfn{postdateable} flag set can be used to issue postdated
+tickets.
+
+@dfn{Renewable} tickets can be used to obtain new session keys without the
+user entering a new password.  A renewable ticket has two expiration
+times.  The first is the time at which this particular ticket expires.
+The second is the latest possible expiration time for any ticket issued
+based on this renewable ticket.
+
+A ticket with the @dfn{initial} flag set was issued based on the
+authentication protocol, and not on a ticket-granting ticket.   Clients
+that wish to ensure that the user's key has been recently presented for
+verification could specify that this flag must be set to accept the
+ticket.
+
+An @dfn{initial} ticket must be rejected by application servers.  Postdated
+tickets are usually issued with this flag set, and must be validated by
+the KDC before they can be used.
+
+A @dfn{preauthenticated} ticket is one that was only issued after the
+client requesting the ticket had authenticated itself to the KDC.
+
+The @dfn{hardware authentication} flag is set on a ticket which required
+the use of hardware expected to be possessed soley by the requesting
+client for authentication.
+
+If a ticket has the @dfn{transit policy checked} flag set, the the KDC that
+issued this ticket implements the transited-realm check policy and
+checked the transited-realms list on the ticket.  The transited-realms
+list contains a list of all intermediate realms between the realm of the
+KDC that issued the first ticket and that of the one that issued the
+current ticket.  If this flag is not set, then the application server
+must check the transited realms itself or else reject the ticket.
+
+The @dfn{okay as delegate} flag indicates that the server specified in the
+ticket is suitable as a delegate as determined by the policy of that
+realm.  A server that is acting as a delegate has been granted a proxy
+or a forwarded TGT.  The client can use this flag in its decision of
+whether or not to use this server as a delgate.  This flag is a new
+addition to the @value{PRODUCT} protocol and is not yet implemented on MIT
+servers.
+
+An @dfn{anonymous}  ticket is one in which the named principal is a generic
+principal for that realm; it does not actually specify the individual
+that will be using the ticket.  This ticket is meant only to securely
+distribute a session key.  This is a new addition to the @value{PRODUCT}
+protocol and is not yet implemented on MIT servers.
+
+@node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Kerberos Ticket Properties, Ticket Management
 @subsection Obtaining Tickets with kinit
 
 If your site is using the @value{PRODUCT} login program, you will get
@@ -438,6 +518,16 @@ post@b{d}ated
 @b{I}nitial
 @itemx i
 @b{i}nvalid
+@itemx H
+@b{H}ardeware authenticated
+@itemx A
+pre@b{A}uthenticated
+@itemx T
+@b{T}ransit policy checked
+@itemx O
+@b{O}kay as delegate
+@itemx a
+@b{a}nonymous
 @end table
 
 @need 1500
@@ -893,7 +983,7 @@ requests tickets for the remote host in the specified realm, instead of
 determining the realm itself.
 
 @itemx -x, --encrypt
-turns on encryption.
+encrypts the input and output data streams (the command line is not encrypted)
 
 @itemx --noencrypt
 turns off encryption.
@@ -936,7 +1026,7 @@ and request an encrypted session as follows:
 @smallexample
 @group
 @b{shell%} rlogin @value{RANDOMHOST2}.@value{SECONDDOMAIN} -f -x
-@b{This rlogin session is using DES encryption for all data transmissions.
+@b{This rlogin session is encrypting all data transmissions.
 Last login: Thu Jun 20 16:20:50 from @value{RANDOMHOST1}
 SunOS Release 4.1.4 (GENERIC) #2: Tue Nov 14 18:09:31 EST 1995
 Not checking quotas. Try quota.real if you need them.
@@ -1043,7 +1133,7 @@ requests tickets for the remote host in the specified realm, instead of
 determining the realm itself.
 
 @itemx -x, --encrypt
-turns on encryption.
+encrypts the input and output data streams (the command line is not encrypted)
 
 @itemx --noencrypt
 turns off encryption.
@@ -1057,7 +1147,7 @@ run the @samp{date} program as follows:
 @smallexample
 @group
 @b{shell%} rsh @value{RANDOMHOST2}.@value{SECONDDOMAIN} -l root -x date
-@b{This rsh session is using DES encryption for all data transmissions.
+@b{This rsh session is encrypting input/output data transmissions.
 Fri Jun 21 17:06:12 EDT 1996
 shell%}
 @end group
@@ -1352,6 +1442,12 @@ M-x manual-entry @emph{command}
 Type @kbd{M-x manual-entry kinit} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="kinit.html"> kinit manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node klist Reference, kdestroy Reference, kinit Reference, Kerberos V5 Reference
 @section klist Reference
 
@@ -1364,6 +1460,12 @@ Type @kbd{M-x manual-entry kinit} to read this manual page.
 Type @kbd{M-x manual-entry klist} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="klist.html"> klist manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node kdestroy Reference, kpasswd Reference, klist Reference, Kerberos V5 Reference
 @section kdestroy Reference
 
@@ -1376,6 +1478,12 @@ Type @kbd{M-x manual-entry klist} to read this manual page.
 Type @kbd{M-x manual-entry kdestroy} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="kdestroy.html"> kdestroy manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node kpasswd Reference, telnet Reference, kdestroy Reference, Kerberos V5 Reference
 @section kpasswd Reference
 
@@ -1388,6 +1496,12 @@ Type @kbd{M-x manual-entry kdestroy} to read this manual page.
 Type @kbd{M-x manual-entry kpasswd} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="kpasswd.html"> kpasswd manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node telnet Reference, rlogin Reference, kpasswd Reference, Kerberos V5 Reference
 @section telnet Reference
 
@@ -1432,6 +1546,12 @@ Type @kbd{M-x manual-entry kpasswd} to read this manual page.
 Type @kbd{M-x manual-entry telnet} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="telnet.html"> telnet manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node rlogin Reference, FTP Reference, telnet Reference, Kerberos V5 Reference
 @section rlogin Reference
 
@@ -1448,6 +1568,12 @@ Type @kbd{M-x manual-entry telnet} to read this manual page.
 Type @kbd{M-x manual-entry rlogin} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="rlogin.html"> rlogin manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node FTP Reference, rsh Reference, rlogin Reference, Kerberos V5 Reference
 @section FTP Reference
 
@@ -1488,6 +1614,12 @@ Type @kbd{M-x manual-entry rlogin} to read this manual page.
 Type @kbd{M-x manual-entry FTP} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="ftp.html"> ftp manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node rsh Reference, rcp Reference, FTP Reference, Kerberos V5 Reference
 @section rsh Reference
 
@@ -1504,6 +1636,12 @@ Type @kbd{M-x manual-entry FTP} to read this manual page.
 Type @kbd{M-x manual-entry rsh} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="rsh.html"> rsh manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node rcp Reference, ksu Reference, rsh Reference, Kerberos V5 Reference
 @section rcp Reference
 
@@ -1516,6 +1654,12 @@ Type @kbd{M-x manual-entry rsh} to read this manual page.
 Type @kbd{M-x manual-entry rcp} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="rcp.html"> rcp manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node ksu Reference,  , rcp Reference, Kerberos V5 Reference
 @section ksu Reference
 
@@ -1544,6 +1688,12 @@ Type @kbd{M-x manual-entry rcp} to read this manual page.
 Type @kbd{M-x manual-entry ksu} to read this manual page.
 @end ifinfo
 
+@ifhtml
+@html
+<a href="ksu.html"> ksu manpage</a>
+@end rawhtml
+@end ifhtml
+
 @node Kerberos Glossary,  , Kerberos V5 Reference, Top
 @appendix Kerberos Glossary