author Ben Kaduk <kaduk@mit.edu> 2012-10-16 16:03:10 -0400
committer Ben Kaduk <kaduk@mit.edu> 2012-10-16 17:08:08 -0400
commit 0bb69fbcc306a3bf28370ac57d7e79120ccc7ce1
tree b726fc059a2775fb966667d17ee3e04c412da712 /src/clients
parent 0f81e372a2830c9170f6e08dfa956841d0ebdfb1
Remove nroff man pages
We generate man pages from RST sources now; they are checked into the tree in src/man/. The gen-manpages directory is no longer needed.
Diffstat (limited to 'src/clients')
-rw-r--r-- src/clients/kcpytkt/kcpytkt.M 37
-rw-r--r-- src/clients/kdeltkt/kdeltkt.M 37
-rw-r--r-- src/clients/kdestroy/kdestroy.M 89
-rw-r--r-- src/clients/kinit/kinit.M 239
-rw-r--r-- src/clients/klist/klist.M 147
-rw-r--r-- src/clients/kpasswd/kpasswd.M 74
-rw-r--r-- src/clients/ksu/ksu.M 481
-rw-r--r-- src/clients/kswitch/kswitch.M 61
-rw-r--r-- src/clients/kvno/kvno.M 88
9 files changed, 0 insertions, 1253 deletions
diff --git a/src/clients/kcpytkt/kcpytkt.M b/src/clients/kcpytkt/kcpytkt.M
deleted file mode 100644
index 11ed93929..000000000
--- a/src/clients/kcpytkt/kcpytkt.M
+++ /dev/null
@@ -1,37 +0,0 @@
-.\"
-.\" clients/kvnol/kcpytkt.M
-.\" "
-.TH KCPYTKT 1
-.SH NAME
-kcpytkt \- copies one or more service tickets between credentials caches
-.SH SYNOPSIS
-\fBkcpytkt\fP [\fB\-h\fP] [\fB\-c source_ccache\fP] [\fB\-e etype\fP] [\fB\-f flags\fP]
-\fBdest_ccache\fP \fBservice1\fP \fBservice2\fP \fB...\fP
-.br
-.SH DESCRIPTION
-.I kcpytkt
-copies the specified service tickets to the destination credentials cache
-.SH OPTIONS
-.TP
-.B \-c
-specifies the source credentials cache from which service tickets will be.
-copied. if no ccache is specified, the default ccache is used.
-.TP
-.B \-e
-specifies the session key enctype of the service tickets you wish to delete.
-.TP
-.B \-h
-prints a usage statement and exits
-.SH ENVIRONMENT
-.B kcpytkt
-uses the following environment variable:
-.TP "\w'.SM KRB5CCNAME\ \ 'u"
-.SM KRB5CCNAME
-Location of the credentials (ticket) cache.
-.SH FILES
-.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
-/tmp/krb5cc_[uid]
-default location of the credentials cache ([uid] is the decimal UID of
-the user).
-.SH SEE ALSO
-kinit(1), kdestroy(1), krb5(3)
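Review bot: the -e entry under OPTIONS describes the enctype of the service tickets "you wish to delete", which is the kdeltkt wording on a page about copying, and the SYNOPSIS lists -f flags with no matching OPTIONS entry. Since this copy is being dropped in favour of the RST source in src/man/, please check that the replacement says "copy" for -e and documents -f instead of inheriting both gaps. The -c entry also has a stray period that splits "will be." from "copied", and the header comment gives the path as clients/kvnol/kcpytkt.M.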
diff --git a/src/clients/kdeltkt/kdeltkt.M b/src/clients/kdeltkt/kdeltkt.M
deleted file mode 100644
index a9f369418..000000000
--- a/src/clients/kdeltkt/kdeltkt.M
+++ /dev/null
@@ -1,37 +0,0 @@
-.\"
-.\" clients/kvnol/kdeltkt.M
-.\" "
-.TH KDELTKT 1
-.SH NAME
-kdeltkt \- delete one or more service tickets from the credentials cache
-.SH SYNOPSIS
-\fBkdeltkt\fP [\fB\-h\fP] [\fB\-c ccache\fP] [\fB\-e etype\fP] [\fB\-f flags\fP]
-\fBservice1\fP \fBservice2\fP \fB...\fP
-.br
-.SH DESCRIPTION
-.I kdeltkt
-deletes the specified service tickets from the credentials cache
-.SH OPTIONS
-.TP
-.B \-c
-specifies the credentials cache from which service tickets will be deleted.
-if no cache is specified, the default cache is used.
-.TP
-.B \-e
-specifies the session key enctype of the service tickets you wish to delete.
-.TP
-.B \-h
-prints a usage statement and exits
-.SH ENVIRONMENT
-.B kdeltkt
-uses the following environment variable:
-.TP "\w'.SM KRB5CCNAME\ \ 'u"
-.SM KRB5CCNAME
-Location of the credentials (ticket) cache.
-.SH FILES
-.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
-/tmp/krb5cc_[uid]
-default location of the credentials cache ([uid] is the decimal UID of
-the user).
-.SH SEE ALSO
-kinit(1), kdestroy(1), krb5(3)
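Review bot: -f flags appears in the SYNOPSIS but has no entry under OPTIONS, so nothing on this page says what the option does or what values it takes. For a tool that removes credentials from a cache, the RST page in src/man/ should document -f before this copy goes away. The header comment path clients/kvnol/kdeltkt.M also does not match the file's location under src/clients/kdeltkt/.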
diff --git a/src/clients/kdestroy/kdestroy.M b/src/clients/kdestroy/kdestroy.M
deleted file mode 100644
index 4deaa5fde..000000000
--- a/src/clients/kdestroy/kdestroy.M
+++ /dev/null
@@ -1,89 +0,0 @@
-.\" clients/kdestroy/kdestroy.M
-.\"
-.\" Copyright 1992 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KDESTROY 1
-.SH NAME
-kdestroy \- destroy Kerberos tickets
-.SH SYNOPSIS
-.B kdestroy
-[\fB\-A\fP] [\fB\-q\fP] [\fB\-c\fP \fIcache_name]
-.br
-.SH DESCRIPTION
-The
-.I kdestroy
-utility destroys the user's active Kerberos authorization tickets by
-writing zeros to the specified credentials cache that contains them. If
-the credentials cache is not specified, the default credentials cache is
-destroyed.
-.SH OPTIONS
-.TP
-.B \-A
-Destroys all caches in the collection, if a cache collection is
-available.
-.B \-q
-Run quietly. Normally
-.B kdestroy
-beeps if it fails to destroy the user's tickets. The
-.B \-q
-flag suppresses this behavior.
-.TP
-\fB\-c\fP \fIcache_name\fP
-use
-.I cache_name
-as the credentials (ticket) cache name and location; if this option is
-not used, the default cache name and location are used.
-.sp
-The default credentials cache may vary between systems. If the
-.SM KRB5CCNAME
-environment variable is set, its value is used to name the default
-ticket cache.
-.PP
-Most installations recommend that you place the
-.I kdestroy
-command in your
-.I .logout
-file, so that your tickets are destroyed automatically when you log out.
-.SH ENVIRONMENT
-.B Kdestroy
-uses the following environment variables:
-.TP "\w'.SM KRB5CCNAME\ \ 'u"
-.SM KRB5CCNAME
-Location of the default Kerberos 5 credentials (ticket) cache, in the
-form \fItype\fP:\fIresidual\fP. If no type prefix is present, the
-\fBFILE\fP type is assumed. The type of the default cache may
-determine the availability of a cache collection; for instance, a
-default cache of type \fBDIR\fP causes caches within the directory to
-be present in the collection.
-.SH FILES
-.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
-/tmp/krb5cc_[uid]
-default location of Kerberos 5 credentials cache
-([uid] is the decimal UID of the user).
-.SH SEE ALSO
-kinit(1), klist(1), krb5(3)
-.SH BUGS
-.PP
-Only the tickets in the specified credentials cache are destroyed.
-Separate ticket caches are used to hold root instance and password
-changing tickets. These should probably be destroyed too, or all of a
-user's tickets kept in a single credentials cache.
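Review bot: the BUGS section at the end of this file states that only the tickets in the specified credentials cache are destroyed and that separately held caches are not, which matters to anyone following the page's advice to run kdestroy from .logout; please confirm that caveat, and the -A description for cache collections, survive in the RST page under src/man/. Two markup defects are visible here and should not be reproduced there: the -q entry has no .TP before ".B \-q", so it runs on inside the -A paragraph, and the SYNOPSIS opens \fI for cache_name without a closing \fP.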
diff --git a/src/clients/kinit/kinit.M b/src/clients/kinit/kinit.M
deleted file mode 100644
index 0a919c09f..000000000
--- a/src/clients/kinit/kinit.M
+++ /dev/null
@@ -1,239 +0,0 @@
-.\" clients/kinit/kinit.M
-.\"
-.\" Copyright 1990 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KINIT 1
-.SH NAME
-kinit \- obtain and cache Kerberos ticket-granting ticket
-.SH SYNOPSIS
-.TP
-.B kinit
-.ad l
-[\fB\-V\fP]
-[\fB\-l\fP \fIlifetime\fP] [\fB\-s\fP \fIstart_time\fP]
-[\fB\-r\fP \fIrenewable_life\fP]
-[\fB\-p\fP | \fB\-P\fP]
-[\fB\-f\fP | \fB\-F\fP]
-[\fB\-a\fP]
-[\fB\-A\fP]
-[\fB\-C\fP]
-[\fB\-E\fP]
-[\fB\-v\fP] [\fB\-R\fP]
-[\fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]] [\fB\-c\fP \fIcache_name\fP]
-[\fB\-n\fP]
-[\fB\-S\fP \fIservice_name\fP][\fB\-T\fP \fIarmor_ccache\fP]
-[\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]]
-[\fIprincipal\fP]
-.ad b
-.br
-.SH DESCRIPTION
-.I kinit
-obtains and caches an initial ticket-granting ticket for
-.IR principal .
-.SH OPTIONS
-.TP
-.B \-V
-display verbose output.
-.TP
-\fB\-l\fP \fIlifetime\fP
-requests a ticket with the lifetime
-.IR lifetime .
-The value for
-.I lifetime
-must be followed immediately by one of the following delimiters:
-.sp
-.nf
-.in +.3i
-\fBs\fP seconds
-\fBm\fP minutes
-\fBh\fP hours
-\fBd\fP days
-.in -.3i
-.fi
-.sp
-as in "kinit -l 90m". You cannot mix units; a value of `3h30m' will
-result in an error.
-.sp
-If the
-.B \-l
-option is not specified, the default ticket lifetime (configured by each
-site) is used. Specifying a ticket lifetime longer than the maximum
-ticket lifetime (configured by each site) results in a ticket with the
-maximum lifetime.
-.TP
-\fB\-s\fP \fIstart_time\fP
-requests a postdated ticket, valid starting at
-.IR start_time .
-Postdated tickets are issued with the
-.I invalid
-flag set, and need to be fed back to the kdc before use.
-.TP
-\fB\-r\fP \fIrenewable_life\fP
-requests renewable tickets, with a total lifetime of
-.IR renewable_life .
-The duration is in the same format as the
-.B \-l
-option, with the same delimiters.
-.TP
-.B \-f
-request forwardable tickets.
-.TP
-.B \-F
-do not request forwardable tickets.
-.TP
-.B \-p
-request proxiable tickets.
-.TP
-.B \-P
-do not request proxiable tickets.
-.TP
-.B \-a
-request tickets with the local address[es].
-.TP
-.B \-A
-request address-less tickets.
-.TP
-.B \-C
-requests canonicalization of the principal name.
-.TP
-.B \-E
-treats the principal name as an enterprise name.
-.TP
-.B \-v
-requests that the ticket granting ticket in the cache (with the
-.I invalid
-flag set) be passed to the kdc for validation. If the ticket is within
-its requested time range, the cache is replaced with the validated
-ticket.
-.TP
-.B \-R
-requests renewal of the ticket-granting ticket. Note that an expired
-ticket cannot be renewed, even if the ticket is still within its
-renewable life.
-.TP
-\fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]
-requests a ticket, obtained from a key in the local host's
-.I keytab
-file. The name and location of the keytab file may be specified with
-the
-.B \-t
-.I keytab_file
-option; otherwise the default name and location will be used. By
-default a host ticket is requested but any principal may be
-specified. On a KDC, the special keytab location
-.B KDB:
-can be used to indicate that kinit should open the KDC database and
-look up the key directly. This permits an administrator to obtain
-tickets as any principal that supports password-based authentication.
-.TP
-\fB-n\fP
-Requests anonymous processing. Two types of anonymous principals are
-supported. For fully anonymous Kerberos, configure pkinit on the KDC
-and configure
-.I pkinit_anchors
-in the client's krb5.conf. Then use the
-.B -n
-option with a principal of the form
-.I @REALM
-(an empty principal name followed by the at-sign and a realm name).
-If permitted by the KDC, an anonymous ticket will be returned.
-A second form of anonymous tickets is supported; these realm-exposed
-tickets hide the identity of the client but not the client's realm.
-For this mode, use
-.B kinit -n
-with a normal principal name. If supported by the KDC, the principal
-(but not realm) will be replaced by the anonymous principal.
-As of release 1.8, the MIT Kerberos KDC only supports fully anonymous
-operation.
-.TP
-\fB\-T\fP \fIarmor_ccache\fP
-Specifies the name of a credential cache that already contains a
-ticket. If supported by the KDC, This ccache will be used to armor
-the request so that an attacker would have to know both the key of the
-armor ticket and the key of the principal used for authentication in
-order to attack the request. Armoring also makes sure that the
-response from the KDC is not modified in transit.
-.TP
-\fB\-c\fP \fIcache_name\fP
-use
-.I cache_name
-as the Kerberos 5 credentials (ticket) cache name and location; if this
-option is not used, the default cache name and location are used.
-.sp
-The default credentials cache may vary between systems. If the
-.B KRB5CCNAME
-environment variable is set, its value is used to name the default
-ticket cache. If a principal name is specified and the type of the
-default credentials cache supports a collection (such as the DIR
-type), an existing cache containing credentials for the principal is
-selected or a new one is created and becomes the new primary cache.
-Otherwise, any existing contents of the default cache are destroyed by
-.IR kinit .
-.TP
-\fB\-S\fP \fIservice_name\fP
-specify an alternate service name to use when
-getting initial tickets.
-.TP
-\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]
-specify a pre\-authentication attribute and value to be passed to
-pre\-authentication plugins. The acceptable \fIattribute\fP and
-\fIvalue\fP values vary from pre\-authentication plugin to plugin.
-This option may be specified multiple times to specify multiple
-attributes. If no \fIvalue\fP is specified, it is assumed to be
-"yes".
-.sp
-.nf
-The following attributes are recognized by the OpenSSL pkinit
-pre-authentication mechanism:
-.in +.3i
-\fBX509_user_identity\fP=\fIvalue\fP
- specify where to find user's X509 identity information
-\fBX509_anchors\fP=\fIvalue\fP
- specify where to find trusted X509 anchor information
-\fBflag_RSA_PROTOCOL\fP[=yes]
- specify use of RSA, rather than the default Diffie-Hellman protocol
-.in -.3i
-.fi
-.sp
-.SH ENVIRONMENT
-.B Kinit
-uses the following environment variables:
-.TP "\w'.SM KRB5CCNAME\ \ 'u"
-.SM KRB5CCNAME
-Location of the default Kerberos 5 credentials (ticket) cache, in the
-form \fItype\fP:\fIresidual\fP. If no type prefix is present, the
-\fBFILE\fP type is assumed. The type of the default cache may
-determine the availability of a cache collection; for instance, a
-default cache of type \fBDIR\fP causes caches within the directory to
-be present in the collection.
-.SH FILES
-.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
-/tmp/krb5cc_[uid]
-default location of Kerberos 5 credentials cache
-([uid] is the decimal UID of the user).
-.TP
-/etc/krb5.keytab
-default location for the local host's
-.B keytab
-file.
-.SH SEE ALSO
-klist(1), kdestroy(1), kswitch(1), kerberos(1)
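Review bot: the -k entry is where the KDB: keytab location is documented (kinit on a KDC reads the key from the database, letting an administrator obtain tickets as any principal that supports password-based authentication), and the -c entry states that kinit destroys the existing contents of the default cache when no collection applies. Both are behaviours an operator has to know about, so please confirm the RST page in src/man/ carries them over, along with the -T armoring description. Minor: the -n entry writes the option as "\fB-n\fP" and ".B -n" with an unescaped hyphen where the other options use "\-", and the -s entry says postdated tickets must be "fed back to the kdc" without pointing at -v, which is the option described as doing that.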
diff --git a/src/clients/klist/klist.M b/src/clients/klist/klist.M
deleted file mode 100644
index 32aed10ac..000000000
--- a/src/clients/klist/klist.M
+++ /dev/null
@@ -1,147 +0,0 @@
-.\" clients/klist/klist.M
-.\"
-.\" Copyright 1990 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KLIST 1
-.SH NAME
-klist \- list cached Kerberos tickets
-.SH SYNOPSIS
-\fBklist\fP [\fB\-e\fP] [[\fB\-c\fP] [\fB\-l\fP] [\fB\-A\fP] [\fB\-f\fP]
-[\fB\-s\fP] [\fB\-a\fP [\fB\-n\fP]]]
-[\fB\-k\fP [\fB\-t\fP] [\fB\-K\fP]]
-[\fIcache_name\fP | \fIkeytab_name\fP]
-.br
-.SH DESCRIPTION
-.I Klist
-lists the Kerberos principal and Kerberos tickets held in a credentials
-cache, or the keys held in a
-.B keytab
-file.
-.SH OPTIONS
-.TP
-.B \-e
-displays the encryption types of the session key and the ticket for each
-credential in the credential cache, or each key in the keytab file.
-.TP
-.B \-c
-List tickets held in a credentials cache. This is the default if
-neither
-.B \-c
-nor
-.B \-k
-is specified.
-.TP
-.B \-l
-If a cache collection is available, displays a table summarizing the
-caches present in the collection.
-.TP
-.B \-A
-If a cache collection is available, displays the contents of all of
-the caches in the collection.
-.TP
-.B \-f
-shows the flags present in the credentials, using the following
-abbreviations:
-.sp
-.nf
-.in +.5i
-F \fBF\fPorwardable
-f \fBf\fPorwarded
-P \fBP\fProxiable
-p \fBp\fProxy
-D post\fBD\fPateable
-d post\fBd\fPated
-R \fBR\fPenewable
-I \fBI\fPnitial
-i \fBi\fPnvalid
-H \fBH\fPardware authenticated
-A pre\fBA\fPuthenticated
-T \fBT\fPransit policy checked
-O \fBO\fPkay as delegate
-a \fBa\fPnonymous
-.in -.5i
-.fi
-.TP
-.B \-s
-causes
-.B klist
-to run silently (produce no output), but to still set the exit status
-according to whether it finds the credentials cache. The exit status is
-`0' if
-.B klist
-finds a credentials cache, and `1' if it does not or if the tickets are
- expired.
-.TP
-.B \-a
-display list of addresses in credentials.
-.TP
-.B \-n
-show numeric addresses instead of reverse-resolving addresses.
-.TP
-\fB\-k\fP
-List keys held in a
-.B keytab
-file.
-.TP
-.B \-t
-display the time entry timestamps for each keytab entry in the keytab
-file.
-.TP
-.B \-K
-display the value of the encryption key in each keytab entry in the
-keytab file.
-.TP
-.B \-V
-display the Kerberos version number and exit.
-.PP
-If
-.I cache_name
-or
-.I keytab_name
-is not specified, klist will display the credentials in the default
-credentials cache or keytab file as appropriate. If the
-.B KRB5CCNAME
-environment variable is set, its value is used to name the default
-ticket cache.
-.SH ENVIRONMENT
-.B Klist
-uses the following environment variables:
-.TP "\w'.SM KRB5CCNAME\ \ 'u"
-.SM KRB5CCNAME
-Location of the default Kerberos 5 credentials (ticket) cache, in the
-form \fItype\fP:\fIresidual\fP. If no type prefix is present, the
-\fBFILE\fP type is assumed. The type of the default cache may
-determine the availability of a cache collection; for instance, a
-default cache of type \fBDIR\fP causes caches within the directory to
-be present in the collection.
-.SH FILES
-.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
-/tmp/krb5cc_[uid]
-default location of Kerberos 5 credentials cache
-([uid] is the decimal UID of the user).
-.TP
-/etc/krb5.keytab
-default location for the local host's
-.B keytab
-file.
-.SH SEE ALSO
-kinit(1), kdestroy(1), krb5(3)
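Review bot: -V is described under OPTIONS but is missing from the SYNOPSIS, which lists only -e, -c, -l, -A, -f, -s, -a, -n, -k, -t and -K; the replacement page in src/man/ should list it. Two descriptions are worth checking for in the RST text as well: -K displays the value of the encryption key in each keytab entry, and -s exits with 1 both when no credentials cache is found and when the tickets are expired.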
diff --git a/src/clients/kpasswd/kpasswd.M b/src/clients/kpasswd/kpasswd.M
deleted file mode 100644
index ea71f383b..000000000
--- a/src/clients/kpasswd/kpasswd.M
+++ /dev/null
@@ -1,74 +0,0 @@
-.\" clients/kpasswd/kpasswd.M
-.\"
-.\" Copyright 1995 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KPASSWD 1
-.SH NAME
-kpasswd \- change a user's Kerberos password
-.SH SYNOPSIS
-.B kpasswd
-[\fIprincipal\fP]
-.SH DESCRIPTION
-.PP
-The
-.I kpasswd
-command is used to change a Kerberos principal's password.
-.I Kpasswd
-prompts for the current Kerberos password, which is used to obtain a
-.B changepw
-ticket from the
-.SM KDC
-for the user's Kerberos realm. If
-.B kpasswd
-successfully obtains the
-.B changepw
-ticket, the user is prompted twice for the new password, and the
-password is changed.
-.PP
-If the principal is governed by a policy that specifies the length and/or
-number of character classes required in the new password, the new
-password must conform to the policy. (The five character classes are
-lower case, upper case, numbers, punctuation, and all other characters.)
-.SH OPTIONS
-.TP
-.I principal
-change the password for the Kerberos principal
-.IR principal .
-Otherwise,
-.I kpasswd
-uses the principal name from an existing ccache if there is one; if
-not, the principal is derived from the identity of the user
-invoking the
-.I kpasswd
-command.
-.SH PORTS
-.B kpasswd
-looks first for kpasswd_server = host:port in the [realms] section of
-the krb5.conf file under the current realm. If that is missing,
-.B kpasswd
-looks for the admin_server entry, but substitutes 464 for the port.
-.SH SEE ALSO
-kadmin(8), kadmind(8)
-.SH BUGS
-.PP
-.B kpasswd
-may not work with multi-homed hosts running on the Solaris platform.
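Review bot: the PORTS section needs to be preserved in the RST page under src/man/, because it is the only text here that gives the server lookup order: kpasswd_server = host:port from [realms] in krb5.conf first, then the admin_server entry with port 464 substituted. That order decides which host receives the password change. The policy paragraph (length and the five character classes) and the Solaris multi-homed note under BUGS should be carried over or dropped deliberately, not lost as a side effect of the deletion.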
diff --git a/src/clients/ksu/ksu.M b/src/clients/ksu/ksu.M
deleted file mode 100644
index 00e000847..000000000
--- a/src/clients/ksu/ksu.M
+++ /dev/null
@@ -1,481 +0,0 @@
-.\" Copyright (c) 1994 by the University of Southern California
-.\"
-.\" EXPORT OF THIS SOFTWARE from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute
-.\" this software and its documentation in source and binary forms is
-.\" hereby granted, provided that any documentation or other materials
-.\" related to such distribution or use acknowledge that the software
-.\" was developed by the University of Southern California.
-.\"
-.\" DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The
-.\" University of Southern California MAKES NO REPRESENTATIONS OR
-.\" WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
-.\" limitation, the University of Southern California MAKES NO
-.\" REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY
-.\" PARTICULAR PURPOSE. The University of Southern
-.\" California shall not be held liable for any liability nor for any
-.\" direct, indirect, or consequential damages with respect to any
-.\" claim by the user or distributor of the ksu software.
-.\"
-.\" KSU was written by: Ari Medvinsky, ari@isi.edu
-.\" "
-.TH KSU 1
-.SH NAME
-ksu \- Kerberized super-user
-.SH SYNOPSIS
-.B ksu
-[
-.I target_user
-] [
-.B \-n
-.I target_principal_name
-] [
-.B \-c
-.I source_cache_name
-] [
-.B \-k
-] [
-.B \-D
-] [
-.B \-r
-.I time
-] [
-.B \-pf
-] [
-.B \-l
-.I lifetime
-] [
-.B \-zZ
-] [
-.B \-q
-] [
-.B \-e
-.I command
-[
-.I args ...
-] ] [
-.B \-a
-[
-.I args ...
-] ]
-.br
-.SH REQUIREMENTS
-Must have Kerberos version 5 installed to compile ksu.
-Must have a Kerberos version 5 server running to use ksu.
-.br
-.SH DESCRIPTION
-.I ksu
-is a Kerberized version of the su program that has two missions:
-one is to securely change the real and effective user ID to that
-of the target user, and the other is to create a new security context.
-For the sake of clarity, all references to and attributes of
-the user invoking the program will start with 'source' (e.g.
-source user, source cache, etc.). Likewise, all references
-to and attributes of the target account will start with 'target'.
-.br
-.SH AUTHENTICATION
-To fulfill the first mission, ksu operates in two phases: authentication
-and authorization. Resolving the target principal name is the
-first step in authentication. The user
-can either specify his principal name with the
-.B \-n
-option
-(e.g.
-.B \-n
-jqpublic@USC.EDU) or a default principal name will be assigned
-using a heuristic described in the OPTIONS section (see
-.B \-n
-option).
-The target user name must be the first argument to ksu; if not specified
-root is the default. If '.' is specified then the target user will be
-the source user (e.g. ksu .).
-If the source user is root or the target user is the source user, no
-authentication or authorization takes place. Otherwise, ksu looks
-for an appropriate Kerberos ticket in the source cache.
-.PP
-The ticket can either be for
-the end-server
-or a ticket granting ticket (TGT) for the target principal's realm. If the
-ticket for the end-server is already in the cache, it's decrypted and
-verified. If it's not in the cache but the TGT is, the TGT is used to
-obtain the ticket for the end-server. The end-server ticket is then
-verified. If neither ticket is in the cache, but ksu is compiled
-with the GET_TGT_VIA_PASSWD define, the user will be prompted
-for a Kerberos password which will then be used to get a TGT.
-If the user is logged in remotely and
-does not have a secure channel, the password may be exposed.
-If neither ticket is in the cache and GET_TGT_VIA_PASSWD is not defined,
-authentication fails.
-.br
-.SH AUTHORIZATION
-This section describes authorization of the source user when ksu
-is invoked without the
-.B \-e
-option.
-For a description of the
-.B \-e
-option, see the OPTIONS section.
-.PP
-Upon successful authentication, ksu checks whether the target principal
-is authorized to access the target account.
-In the target user's home directory, ksu attempts to access
-two authorization files: .k5login and .k5users. In the .k5login
-file each line contains the name of a
-principal that is authorized to access the account.
-.TP 12
-For example:
-jqpublic@USC.EDU
-.br
-jqpublic/secure@USC.EDU
-.br
-jqpublic/admin@USC.EDU
-.PP
-The format of .k5users is the same, except the
-principal name may be followed by a list of commands that
-the principal is authorized to execute. (see the
-.B \-e
-option in the OPTIONS section for details).
-.PP
-Thus if the target principal
-name is found in the .k5login file the source user is authorized to access
-the target account. Otherwise ksu looks in the .k5users file.
-If the target principal name is found without any trailing commands
-or followed only by '*' then the source user is authorized.
-If either .k5login or .k5users exist but an appropriate entry for the target
-principal does not exist then access is denied. If neither
-file exists then the principal will be granted access
-to the account according to the aname\->lname mapping rules (see
-.IR krb5_anadd(8)
-for more details).
-Otherwise, authorization fails.
-.br
-.SH EXECUTION OF THE TARGET SHELL
-Upon successful authentication and authorization, ksu
-proceeds in a similar fashion to su. The environment
-is unmodified with the exception of USER, HOME and SHELL variables.
-If the target user is not root, USER gets set to the target user
-name. Otherwise USER remains unchanged. Both HOME and SHELL are
-set to the target login's default values.
-In addition, the environment variable KRB5CCNAME gets set to the
-name of the target cache.
-The real and effective user ID are changed to that of the
-target user. The target user's shell is then invoked
-(the shell name is specified in the password file).
-Upon termination of the shell, ksu deletes the target cache (unless
-ksu is invoked with the
-.B \-k option).
-This is implemented by first doing a fork and then an exec, instead
-of just exec, as done by su.
-.br
-.SH CREATING A NEW SECURITY CONTEXT
-.PP
-Ksu can be used to create a new security context for the
-target program (either the target
-shell, or command specified via the -e option).
-The target program inherits a set
-of credentials from the source user.
-By default, this set includes all of the credentials
-in the source cache plus any
-additional credentials obtained during authentication.
-The source user is able to limit the credentials in this set
-by using -z or -Z option.
--z restricts the copy of tickets from the source cache
-to the target cache to only the tickets where client ==
-the target principal name. The -Z option
-provides the target user with a fresh target cache
-(no creds in the cache). Note that for security reasons,
-when the source user is root and target user is non-root,
--z option is the default mode of operation.
-
-While no authentication takes place if the source user
-is root or is the same as the target user, additional
-tickets can still be obtained for the target cache.
-If -n is specified and no credentials can be copied to the target
-cache, the source user is prompted for a Kerberos password
-(unless -Z specified or GET_TGT_VIA_PASSWD is undefined). If
-successful, a TGT is obtained from the Kerberos server and
-stored in the target cache. Otherwise,
-if a password is not provided (user hit return)
-ksu continues in a
-normal mode of operation (the target cache will
-not contain the desired TGT).
-If the wrong password is typed in, ksu fails.
-.PP
-\fISide Note:\fP during authentication, only the tickets that could be
-obtained without providing a password are cached in
-in the source cache.
-.SH OPTIONS
-.TP 10
-\fB\-n \fItarget_principal_name
-Specify a Kerberos target principal name.
-Used in authentication and authorization
-phases of ksu.
-
-If ksu is invoked without
-.B \-n,
-a default principal name is
-assigned via the following heuristic:
-
-\fICase 1:\fP source user is non-root.
-.br
-If the target user is the source user the default principal name
-is set to the default principal of the source cache. If the
-cache does not exist then the default principal name is set to
-target_user@local_realm.
-If the source and target users are different and
-neither ~target_user/.k5users
-nor ~target_user/.k5login exist then
-the default principal name is
-target_user_login_name@local_realm. Otherwise,
-starting with the first principal listed below,
-ksu checks if the principal is authorized
-to access the target account and whether
-there is a legitimate ticket for that principal
-in the source cache. If both conditions are met
-that principal becomes the default target principal,
-otherwise go to the next principal.
-
-a) default principal of the source cache
-.br
-b) target_user@local_realm
-.br
-c) source_user@local_realm
-
-If a-c fails try any principal for which there is
-a ticket in the source cache and that is
-authorized to access the target account.
-If that fails select the first principal that
-is authorized to access the target account from
-the above list.
-If none are authorized and ksu is configured with PRINC_LOOK_AHEAD
-turned on, select the default principal as follows:
-
-For each candidate in the above list,
-select an authorized principal that has
-the same realm name and first part
-of the principal name equal to the prefix of the candidate.
-For example if candidate a) is jqpublic@ISI.EDU and jqpublic/secure@ISI.EDU
-is authorized to access the target account then the default principal
-is set to jqpublic/secure@ISI.EDU.
-
-\fICase 2:\fP source user is root.
-.br
-If the target user is non-root then the
-default principal name is target_user@local_realm.
-Else, if the source cache exists the default
-principal name is set to the default principal
-of the source cache. If the source cache does not
-exist, default principal name is set to
-root@local_realm.
-.TP 10
-\fB\-c \fIsource_cache_name
-Specify source cache name (e.g.
-.B \-c
-FILE:/tmp/my_cache).
-If
-.B \-c
-option is not used then the
-name is obtained from KRB5CCNAME environment variable.
-If KRB5CCNAME is not defined the source cache name
-is set to krb5cc_<source uid>.
-The target cache name is automatically
-set to krb5cc_<target uid>.(gen_sym()),
-where gen_sym generates a new number such that
-the resulting cache does not already exist.
-.br
-For example: krb5cc_1984.2
-.TP 10
-\fB\-k
-Do not delete the target cache upon termination of the
-target shell or a command (
-.B \-e
-command).
-Without
-.B \-k,
-ksu deletes the target cache.
-.TP 10
-\fB\-D
-turn on debug mode.
-.TP 10
-\fITicket granting ticket options: -l lifetime -r time -pf\fP
-The ticket granting ticket options only apply to the
-case where there are no appropriate tickets in
-the cache to authenticate the source user. In this case
-if ksu is configured to prompt users for a
-Kerberos password (GET_TGT_VIA_PASSWD is defined),
-the ticket granting
-ticket options that are specified will be used
-when getting a ticket granting ticket from the Kerberos
-server.
-.TP 10
-\fB\-l \fIlifetime
-option specifies the lifetime to be
-requested for the ticket; if this option is not
-specified, the default ticket lifetime
-(configured by each site) is used instead.
-.TP 10
-\fB\-r \fItime
-option specifies that the RENEWABLE option
-should be requested for the ticket, and specifies
-the desired total lifetime of the ticket.
-.TP 10
-\fB\-p
-option specifies that the PROXIABLE option should be
-requested for the ticket.
-.TP 10
-\fB\-f
-option specifies that the FORWARDABLE option should
-be requested for the ticket.
-.TP 10
-\fB\-z
-restrict the copy of tickets from the source cache
-to the target cache to only the tickets where client ==
-the target principal name. Use the
-.B \-n
-option
-if you want the tickets for other then the default
-principal. Note that the
-.B \-z
-option is mutually
-exclusive with the -Z option.
-.TP 10
-\fB\-Z
-Don't copy any tickets from the source cache to the
-target cache. Just create a fresh target cache,
-where the default principal name of the cache is
-initialized to the target principal name. Note that
-.B \-Z
-option is mutually
-exclusive with the -z option.
-.TP 10
-\fB\-q
-suppress the printing of status messages.
-.TP 10
-\fB\-e \fIcommand [args ...]
-ksu proceeds exactly the same as if it was invoked without the
-.B \-e
-option,
-except instead of executing the target shell, ksu executes the
-specified command (Example of usage: ksu bob
-.B \-e
-ls
-.B \-lag).
-
-\fIThe authorization algorithm for -e is as follows:\fP
-
-If the source user is root or source user == target user,
-no authorization takes place and
-the command is executed. If source user id != 0, and ~target_user/.k5users
-file does not exist, authorization fails.
-Otherwise, ~target_user/.k5users file must have an
-appropriate entry for target principal
-to get authorized.
-
-\fIThe .k5users file format:\fP
-
-A single principal entry on each line
-that may be followed by a list of commands that
-the principal is authorized to execute.
-A principal name followed by a '*' means
-that the user is authorized to execute
-any command. Thus, in the following example:
-
-jqpublic@USC.EDU ls mail /local/kerberos/klist
-.br
-jqpublic/secure@USC.EDU *
-.br
-jqpublic/admin@USC.EDU
-
-jqpublic@USC.EDU is only authorized to execute ls, mail
-and klist commands. jqpublic/secure@USC.EDU is authorized
-to execute any command. jqpublic/admin@USC.EDU is not
-authorized to execute any command. Note, that
-jqpublic/admin@USC.EDU is authorized to execute
-the target shell (regular ksu, without the
-.B \-e
-option) but jqpublic@USC.EDU is not.
-
-The commands listed after the principal name must
-be either a full path names or just the program name.
-In the second case, CMD_PATH specifying the location
-of authorized programs must be defined at the
-compilation time of ksu.
-
-\fIWhich command gets executed ?\fP
-
-If the source user is root or
-the target user is the source user or
-the user
-is authorized to execute any command ('*' entry)
-then command can be either a full or a relative
-path leading to the target program.
-Otherwise, the user must specify either a full
-path or just the program name.
-.TP 10
-\fB\-a \fIargs
-specify arguments to be passed to the target shell.
-Note: that all flags and parameters following -a
-will be passed to the shell, thus all options
-intended for ksu must precede
-.B \-a.
-The
-.B \-a
-option can be used to simulate the
-.B \-e
-option if used as follows:
-.B \-a
-.B \-c
-[command [arguments]].
-.B \-c
-is interpreted by the c-shell to execute the command.
-.PP
-.SH INSTALLATION INSTRUCTIONS
-ksu can be compiled with the following 4 flags (see the Imakefile):
-.TP 10
-\fIGET_TGT_VIA_PASSWD\fP
-in case no appropriate tickets are found in the source
-cache, the user will be prompted for a Kerberos
-password. The password is then used to get a
-ticket granting ticket from the Kerberos server.
-The danger of configuring ksu with this macro is
-if the source user is logged in remotely and does not
-have a secure channel, the password may get exposed.
-.TP 10
-\fIPRINC_LOOK_AHEAD\fP
-during the resolution of the default principal name,
-PRINC_LOOK_AHEAD enables ksu to find principal names
-in the .k5users file as described in the OPTIONS section
-(see -n option).
-.TP 10
-\fICMD_PATH\fP
-specifies a list of directories containing programs
-that users are authorized to execute (via .k5users file).
-.TP 10
-\fIHAS_GETUSERSHELL\fP
-If the source user is non-root, ksu insists that
-the target user's shell to be invoked
-is a "legal shell". getusershell(3) is called to obtain
-the names of "legal shells". Note that the target user's
-shell is obtained from the passwd file.
-.TP 10
-SAMPLE CONFIGURATION:
-KSU_OPTS = -DGET_TGT_VIA_PASSWD
--DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin"
-.TP 10
-PERMISSIONS FOR KSU
-ksu should be owned by root and have the set user id bit turned on.
-.TP 10
-END-SERVER ENTRY
-
-ksu attempts to get a ticket for the end server just as Kerberized
-telnet and rlogin. Thus, there must be an entry for the server in the
-Kerberos database (e.g. host/nii.isi.edu@ISI.EDU). The keytab file must
-be in an appropriate location.
-
-.SH SIDE EFFECTS
-ksu deletes all expired tickets from the source cache.
-.SH AUTHOR OF KSU: GENNADY (ARI) MEDVINSKY
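Review bot: In the INSTALLATION INSTRUCTIONS part of the deleted ksu.M, the SAMPLE CONFIGURATION line has an unbalanced quote (-DCMD_PATH='"/bin /usr/ucb /local/bin" has no closing '), so confirm the RST source under src/man/ did not inherit it. The same hunk holds the security notes an administrator relies on: the GET_TGT_VIA_PASSWD warning that the password may get exposed when the source user is logged in remotely without a secure channel, the requirement that ksu be owned by root with the set user id bit turned on, and the statement near the top of this span that -z is the default mode when the source user is root and the target user is non-root. Please check that each of these is present in the replacement page before the nroff copy is removed.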
diff --git a/src/clients/kswitch/kswitch.M b/src/clients/kswitch/kswitch.M
deleted file mode 100644
index 407697551..000000000
--- a/src/clients/kswitch/kswitch.M
+++ /dev/null
@@ -1,61 +0,0 @@
-.\" clients/kswitch/kswitch.M
-.\"
-.\" Copyright 2011 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KSWITCH 1
-.SH NAME
-kswitch \- switch primary credential cache
-.SH SYNOPSIS
-\fBkswitch\fP {\fB\-c\fP \fIcachename\fP | \fB\-p\fP \fIprincipal\fP}
-.SH DESCRIPTION
-.I kswitch
-makes the specified credential cache the primary cache for the
-collection, if a cache collection is available.
-.SH OPTIONS
-.TP
-.B \-c
-.I cachename
-directly specifies the credential cache to be made primary.
-.TP
-.B \-p
-.I principal
-causes the cache collection to be searched for a cache containing
-credentials for \fIprincipal\fP. If one is found, that collection is
-made primary.
-.SH ENVIRONMENT
-.B kswitch
-uses the following environment variables:
-.TP "\w'.SM KRB5CCNAME\ \ 'u"
-.SM KRB5CCNAME
-Location of the default Kerberos 5 credentials (ticket) cache, in the
-form \fItype\fP:\fIresidual\fP. If no type prefix is present, the
-\fBFILE\fP type is assumed. The type of the default cache may
-determine the availability of a cache collection; for instance, a
-default cache of type \fBDIR\fP causes caches within the directory to
-be present in the collection.
-.SH FILES
-.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
-/tmp/krb5cc_[uid]
-default location of Kerberos 5 credentials cache
-([uid] is the decimal UID of the user).
-.SH SEE ALSO
-kinit(1), kdestroy(1), klist(1), kerberos(1)
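Review bot: The -p description in the deleted kswitch.M says "If one is found, that collection is made primary", which does not match the DESCRIPTION a few lines above it, where the specified credential cache is made the primary cache for the collection; the sentence should say the cache is made primary. Since this file is being replaced by the RST source, check that the replacement carries the corrected wording and not a copy of this sentence.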
diff --git a/src/clients/kvno/kvno.M b/src/clients/kvno/kvno.M
deleted file mode 100644
index ce88a8d63..000000000
--- a/src/clients/kvno/kvno.M
+++ /dev/null
@@ -1,88 +0,0 @@
-.\" Copyright (C) 1998 by the FundsXpress, INC.
-.\"
-.\" All rights reserved.
-.\"
-.\" Export of this software from the United States of America may require
-.\" a specific license from the United States Government. It is the
-.\" responsibility of any person or organization contemplating export to
-.\" obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of FundsXpress. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. FundsXpress makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
-.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.\" clients/kvnol/kvno.M
-.\" "
-.TH KVNO 1
-.SH NAME
-kvno \- print key version numbers of Kerberos principals
-.SH SYNOPSIS
-\fBkvno\fP [\fB\-q\fP] [\fB\-h\fP] [\fB-c ccache\fP]\ [\fB\-e etype\fP]
-\fBservice1\fP \fBservice2\fP \fB...\fP
-.br
-.SH DESCRIPTION
-.I Kvno
-acquires a service ticket for the specified Kerberos principals and
-prints out the key version numbers of each.
-.SH OPTIONS
-.TP
-.B \-c ccache
-specifies the name of a credentials cache to use (if not the default)
-.TP
-.B \-e etype
-specifies the enctype which will be requested for the session key of
-all the services named on the command line. This is useful in certain
-backward compatibility situations.
-.TP
-.B \-q
-suppress printing
-.TP
-.B \-h
-prints a usage statement and exits
-.TP
-.B \-P
-specifies that the
-.B service1 service2 ...
-arguments are to be treated as services for which credentials should
-be acquired using constrained delegation. This option is only valid
-when used in conjunction with protocol transition.
-.TP
-.B \-S sname
-specifies that krb5_sname_to_principal() will be used to build
-principal names. If this flag is specified, the
-.B service1 service2 ...
-arguments are interpreted as hostnames (rather than principal names),
-and
-.B sname
-is interpreted as the service name.
-.TP
-.B \-U for_user
-specifies that protocol transition (S4U2Self) is to be used to acquire
-a ticket on behalf of
-.B for_user.
-If constrained delegation is not requested, the service name
-must match the credentials cache client principal.
-.SH ENVIRONMENT
-.B Kvno
-uses the following environment variable:
-.TP "\w'.SM KRB5CCNAME\ \ 'u"
-.SM KRB5CCNAME
-Location of the credentials (ticket) cache.
-.SH FILES
-.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
-/tmp/krb5cc_[uid]
-default location of the credentials cache ([uid] is the decimal UID of
-the user).
-.SH SEE ALSO
-kinit(1), kdestroy(1), krb5(3)
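Review bot: The SYNOPSIS of the deleted kvno.M lists only -q, -h, -c and -e, while its OPTIONS section also documents -P, -S sname and -U for_user, so the synopsis was already out of step with the option list. Confirm that the synopsis in the RST replacement covers -U (protocol transition, S4U2Self), -P (constrained delegation) and -S, and that it keeps the constraints stated here: -P is only valid in conjunction with protocol transition, and without constrained delegation the service name must match the credentials cache client principal. The header comment path "clients/kvnol/kvno.M" is a typo, but it goes away with the file.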