Update man pages

25 files changed, 629 insertions, 629 deletions

diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index 7f01e55..4a351c1 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -50,19 +50,19 @@ principal is chosen as the client principal.  The following fields are
 recognized:
 .INDENT 0.0
 .TP
-.B \fBrealm\fP
+\fBrealm\fP
 If the realm of the server principal is known, it is matched
 against \fIvalue\fP, which may be a pattern using shell wildcards.
 For host\-based server principals, the realm will generally only be
-known if there is a \fIdomain_realm\fP section in
-\fIkrb5.conf(5)\fP with a mapping for the hostname.
+known if there is a domain_realm section in
+krb5.conf(5) with a mapping for the hostname.
 .TP
-.B \fBservice\fP
+\fBservice\fP
 If the server principal is a host\-based principal, its service
 component is matched against \fIvalue\fP, which may be a pattern using
 shell wildcards.
 .TP
-.B \fBhost\fP
+\fBhost\fP
 If the server principal is a host\-based principal, its hostname
 component is converted to lower case and matched against \fIvalue\fP,
 which may be a pattern using shell wildcards.
@@ -94,7 +94,7 @@ alice/mail@EXAMPLE.COM  host=mail.example.com service=imap
 .UNINDENT
 .SH SEE ALSO
 .sp
-kerberos(1), \fIkrb5.conf(5)\fP
+kerberos(1), krb5.conf(5)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/k5login.man b/src/man/k5login.man
index c4acdf3..ab1e79a 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -56,7 +56,7 @@ bob@FOOBAR.ORG
 This would allow \fBbob\fP to use Kerberos network applications, such as
 ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos
 tickets.  In a default configuration (with \fBk5login_authoritative\fP set
-to true in \fIkrb5.conf(5)\fP), this .k5login file would not let
+to true in krb5.conf(5)), this .k5login file would not let
 \fBalice\fP use those network applications to access her account, since
 she is not listed!  With no .k5login file, or with \fBk5login_authoritative\fP
 set to false, a default rule would permit the principal \fBalice\fP in the
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index 98f097f..21c86fa 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -45,11 +45,11 @@ or to delete non\-current keys from a keytab.
 \fIoperation\fP must be one of the following:
 .INDENT 0.0
 .TP
-.B \fBlist\fP
+\fBlist\fP
 Lists the keys in a keytab, showing version number and principal
 name.
 .TP
-.B \fBchange\fP
+\fBchange\fP
 Uses the kadmin protocol to update the keys in the Kerberos
 database to new randomly\-generated keys, and updates the keys in
 the keytab to match.  If a key\(aqs version number doesn\(aqt match the
@@ -63,14 +63,14 @@ option.  Old keys are retained in the keytab so that existing
 tickets continue to work, but \fBdelold\fP should be used after
 such tickets expire, to prevent attacks against the old keys.
 .TP
-.B \fBdelold\fP
+\fBdelold\fP
 Deletes keys that are not the most recent version from the keytab.
 This operation should be used some time after a change operation
 to remove old keys, after existing tickets issued for the service
 have expired.  If the \fB\-i\fP flag is given, then k5srvutil will
 prompt for confirmation for each principal.
 .TP
-.B \fBdelete\fP
+\fBdelete\fP
 Deletes particular keys in the keytab, interactively prompting for
 each key.
 .UNINDENT
@@ -78,11 +78,11 @@ each key.
 In all cases, the default keytab is used unless this is overridden by
 the \fB\-f\fP option.
 .sp
-k5srvutil uses the \fIkadmin(1)\fP program to edit the keytab in
+k5srvutil uses the kadmin(1) program to edit the keytab in
 place.
 .SH SEE ALSO
 .sp
-\fIkadmin(1)\fP, \fIktutil(1)\fP
+kadmin(1), ktutil(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index 15a2c4f..f285013 100644
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -32,14 +32,14 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 ..
 .SH DESCRIPTION
 .sp
-The Kerberos \fIkadmind(8)\fP daemon uses an Access Control List
+The Kerberos kadmind(8) daemon uses an Access Control List
 (ACL) file to manage access rights to the Kerberos database.
 For operations that affect principals, the ACL file also controls
 which principals can operate on which other principals.
 .sp
 The default location of the Kerberos ACL file is
 \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP  unless this is overridden by the \fIacl_file\fP
-variable in \fIkdc.conf(5)\fP\&.
+variable in kdc.conf(5)\&.
 .SH SYNTAX
 .sp
 Empty lines and lines starting with the sharp sign (\fB#\fP) are
@@ -127,7 +127,7 @@ _
 T{
 p
 T}	T{
-[Dis]allows the propagation of the principal database (used in \fIincr_db_prop\fP)
+[Dis]allows the propagation of the principal database (used in incr_db_prop)
 T}
 _
 T{
@@ -185,7 +185,7 @@ in which \fB*number\fP matches the corresponding wildcard in
 .B {+|\-}\fIflagname\fP
 flag is forced to the indicated value.  The permissible flags
 are the same as those for the \fBdefault_principal_flags\fP
-variable in \fIkdc.conf(5)\fP\&.
+variable in kdc.conf(5)\&.
 .TP
 .B \fI\-clearpolicy\fP
 policy is forced to be empty.
@@ -194,7 +194,7 @@ policy is forced to be empty.
 policy is forced to be \fIpol\fP\&.
 .TP
 .B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP
-(\fIgetdate\fP string) associated value will be forced to
+(getdate string) associated value will be forced to
 MIN(\fItime\fP, requested value).
 .UNINDENT
 .UNINDENT
@@ -259,7 +259,7 @@ any principal that it creates or modifies will not be able to get
 postdateable tickets or tickets with a life of longer than 9 hours.
 .SH SEE ALSO
 .sp
-\fIkdc.conf(5)\fP, \fIkadmind(8)\fP
+kdc.conf(5), kadmind(8)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 2fef2f0..41cac15 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -56,7 +56,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 kadmin and kadmin.local are command\-line interfaces to the Kerberos V5
 administration system.  They provide nearly identical functionalities;
 the difference is that kadmin.local directly accesses the KDC
-database, while kadmin performs operations using \fIkadmind(8)\fP\&.
+database, while kadmin performs operations using kadmind(8)\&.
 Except as explicitly noted otherwise, this man page will use "kadmin"
 to refer to both versions.  kadmin provides for the maintenance of
 Kerberos principals, password policies, and service key tables
@@ -80,30 +80,30 @@ kadmin.local can be run on any host which can access the LDAP server.
 .SH OPTIONS
 .INDENT 0.0
 .TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
 Use \fIrealm\fP as the default database realm.
 .TP
-.B \fB\-p\fP \fIprincipal\fP
+\fB\-p\fP \fIprincipal\fP
 Use \fIprincipal\fP to authenticate.  Otherwise, kadmin will append
 \fB/admin\fP to the primary principal name of the default ccache,
 the value of the \fBUSER\fP environment variable, or the username as
 obtained with getpwuid, in order of preference.
 .TP
-.B \fB\-k\fP
+\fB\-k\fP
 Use a keytab to decrypt the KDC response instead of prompting for
 a password.  In this case, the default principal will be
 \fBhost/hostname\fP\&.  If there is no keytab specified with the
 \fB\-t\fP option, then the default keytab will be used.
 .TP
-.B \fB\-t\fP \fIkeytab\fP
+\fB\-t\fP \fIkeytab\fP
 Use \fIkeytab\fP to decrypt the KDC response.  This can only be used
 with the \fB\-k\fP option.
 .TP
-.B \fB\-n\fP
+\fB\-n\fP
 Requests anonymous processing.  Two types of anonymous principals
 are supported.  For fully anonymous Kerberos, configure PKINIT on
 the KDC and configure \fBpkinit_anchors\fP in the client\(aqs
-\fIkrb5.conf(5)\fP\&.  Then use the \fB\-n\fP option with a principal
+krb5.conf(5)\&.  Then use the \fB\-n\fP option with a principal
 of the form \fB@REALM\fP (an empty principal name followed by the
 at\-sign and a realm name).  If permitted by the KDC, an anonymous
 ticket will be returned.  A second form of anonymous tickets is
@@ -114,46 +114,46 @@ principal (but not realm) will be replaced by the anonymous
 principal.  As of release 1.8, the MIT Kerberos KDC only supports
 fully anonymous operation.
 .TP
-.B \fB\-c\fP \fIcredentials_cache\fP
+\fB\-c\fP \fIcredentials_cache\fP
 Use \fIcredentials_cache\fP as the credentials cache.  The
 cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP
 (where \fIADMINHOST\fP is the fully\-qualified hostname of the admin
 server) or \fBkadmin/admin\fP service; it can be acquired with the
-\fIkinit(1)\fP program.  If this option is not specified, kadmin
+kinit(1) program.  If this option is not specified, kadmin
 requests a new service ticket from the KDC, and stores it in its
 own temporary ccache.
 .TP
-.B \fB\-w\fP \fIpassword\fP
+\fB\-w\fP \fIpassword\fP
 Use \fIpassword\fP instead of prompting for one.  Use this option with
 care, as it may expose the password to other users on the system
 via the process list.
 .TP
-.B \fB\-q\fP \fIquery\fP
+\fB\-q\fP \fIquery\fP
 Perform the specified query and then exit.
 .TP
-.B \fB\-d\fP \fIdbname\fP
+\fB\-d\fP \fIdbname\fP
 Specifies the name of the KDC database.  This option does not
 apply to the LDAP database module.
 .TP
-.B \fB\-s\fP \fIadmin_server\fP[:\fIport\fP]
+\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]
 Specifies the admin server which kadmin should contact.
 .TP
-.B \fB\-m\fP
+\fB\-m\fP
 If using kadmin.local, prompt for the database master password
 instead of reading it from a stash file.
 .TP
-.B \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
+\fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
 Sets the keysalt list to be used for any new keys created.  See
-\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of possible
+Keysalt_lists in kdc.conf(5) for a list of possible
 values.
 .TP
-.B \fB\-O\fP
+\fB\-O\fP
 Force use of old AUTH_GSSAPI authentication flavor.
 .TP
-.B \fB\-N\fP
+\fB\-N\fP
 Prevent fallback to AUTH_GSSAPI authentication flavor.
 .TP
-.B \fB\-x\fP \fIdb_args\fP
+\fB\-x\fP \fIdb_args\fP
 Specifies the database specific arguments.  See the next section
 for supported options.
 .UNINDENT
@@ -188,10 +188,10 @@ Supported options for the DB2 module are:
 .INDENT 3.5
 .INDENT 0.0
 .TP
-.B \fB\-x dbname=\fP*filename*
+\fB\-x dbname=\fP*filename*
 Specifies the base filename of the DB2 database.
 .TP
-.B \fB\-x lockiter\fP
+\fB\-x lockiter\fP
 Make iteration operations hold the lock for the duration of
 the entire operation, rather than temporarily releasing the
 lock while handling each principal.  This is the default
@@ -199,7 +199,7 @@ behavior, but this option exists to allow command line
 override of a [dbmodules] setting.  First introduced in
 release 1.13.
 .TP
-.B \fB\-x unlockiter\fP
+\fB\-x unlockiter\fP
 Make iteration operations unlock the database for each
 principal, instead of holding the lock for the duration of the
 entire operation.  First introduced in release 1.13.
@@ -212,39 +212,39 @@ Supported options for the LDAP module are:
 .INDENT 3.5
 .INDENT 0.0
 .TP
-.B \fB\-x host=\fP\fIldapuri\fP
+\fB\-x host=\fP\fIldapuri\fP
 Specifies the LDAP server to connect to by a LDAP URI.
 .TP
-.B \fB\-x binddn=\fP\fIbind_dn\fP
+\fB\-x binddn=\fP\fIbind_dn\fP
 Specifies the DN used to bind to the LDAP server.
 .TP
-.B \fB\-x bindpwd=\fP\fIpassword\fP
+\fB\-x bindpwd=\fP\fIpassword\fP
 Specifies the password or SASL secret used to bind to the LDAP
 server.  Using this option may expose the password to other
 users on the system via the process list; to avoid this,
 instead stash the password using the \fBstashsrvpw\fP command of
-\fIkdb5_ldap_util(8)\fP\&.
+kdb5_ldap_util(8)\&.
 .TP
-.B \fB\-x sasl_mech=\fP\fImechanism\fP
+\fB\-x sasl_mech=\fP\fImechanism\fP
 Specifies the SASL mechanism used to bind to the LDAP server.
 The bind DN is ignored if a SASL mechanism is used.  New in
 release 1.13.
 .TP
-.B \fB\-x sasl_authcid=\fP\fIname\fP
+\fB\-x sasl_authcid=\fP\fIname\fP
 Specifies the authentication name used when binding to the
 LDAP server with a SASL mechanism, if the mechanism requires
 one.  New in release 1.13.
 .TP
-.B \fB\-x sasl_authzid=\fP\fIname\fP
+\fB\-x sasl_authzid=\fP\fIname\fP
 Specifies the authorization name used when binding to the LDAP
 server with a SASL mechanism.  New in release 1.13.
 .TP
-.B \fB\-x sasl_realm=\fP\fIrealm\fP
+\fB\-x sasl_realm=\fP\fIrealm\fP
 Specifies the realm used when binding to the LDAP server with
 a SASL mechanism, if the mechanism uses one.  New in release
 1.13.
 .TP
-.B \fB\-x debug=\fP\fIlevel\fP
+\fB\-x debug=\fP\fIlevel\fP
 sets the OpenLDAP client library debug level.  \fIlevel\fP is an
 integer to be interpreted by the library.  Debugging messages
 are printed to standard error.  New in release 1.12.
@@ -254,7 +254,7 @@ are printed to standard error.  New in release 1.12.
 .SH COMMANDS
 .sp
 When using the remote client, available commands may be restricted
-according to the privileges specified in the \fIkadm5.acl(5)\fP file
+according to the privileges specified in the kadm5.acl(5) file
 on the admin server.
 .SS add_principal
 .INDENT 0.0
@@ -277,54 +277,54 @@ Aliases: \fBaddprinc\fP, \fBank\fP
 Options:
 .INDENT 0.0
 .TP
-.B \fB\-expire\fP \fIexpdate\fP
-(\fIgetdate\fP string) The expiration date of the principal.
+\fB\-expire\fP \fIexpdate\fP
+(getdate string) The expiration date of the principal.
 .TP
-.B \fB\-pwexpire\fP \fIpwexpdate\fP
-(\fIgetdate\fP string) The password expiration date.
+\fB\-pwexpire\fP \fIpwexpdate\fP
+(getdate string) The password expiration date.
 .TP
-.B \fB\-maxlife\fP \fImaxlife\fP
-(\fIduration\fP or \fIgetdate\fP string) The maximum ticket life
+\fB\-maxlife\fP \fImaxlife\fP
+(duration or getdate string) The maximum ticket life
 for the principal.
 .TP
-.B \fB\-maxrenewlife\fP \fImaxrenewlife\fP
-(\fIduration\fP or \fIgetdate\fP string) The maximum renewable
+\fB\-maxrenewlife\fP \fImaxrenewlife\fP
+(duration or getdate string) The maximum renewable
 life of tickets for the principal.
 .TP
-.B \fB\-kvno\fP \fIkvno\fP
+\fB\-kvno\fP \fIkvno\fP
 The initial key version number.
 .TP
-.B \fB\-policy\fP \fIpolicy\fP
+\fB\-policy\fP \fIpolicy\fP
 The password policy used by this principal.  If not specified, the
 policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP
 is specified).
 .TP
-.B \fB\-clearpolicy\fP
+\fB\-clearpolicy\fP
 Prevents any policy from being assigned when \fB\-policy\fP is not
 specified.
 .TP
-.B {\-|+}\fBallow_postdated\fP
+{\-|+}\fBallow_postdated\fP
 \fB\-allow_postdated\fP prohibits this principal from obtaining
 postdated tickets.  \fB+allow_postdated\fP clears this flag.
 .TP
-.B {\-|+}\fBallow_forwardable\fP
+{\-|+}\fBallow_forwardable\fP
 \fB\-allow_forwardable\fP prohibits this principal from obtaining
 forwardable tickets.  \fB+allow_forwardable\fP clears this flag.
 .TP
-.B {\-|+}\fBallow_renewable\fP
+{\-|+}\fBallow_renewable\fP
 \fB\-allow_renewable\fP prohibits this principal from obtaining
 renewable tickets.  \fB+allow_renewable\fP clears this flag.
 .TP
-.B {\-|+}\fBallow_proxiable\fP
+{\-|+}\fBallow_proxiable\fP
 \fB\-allow_proxiable\fP prohibits this principal from obtaining
 proxiable tickets.  \fB+allow_proxiable\fP clears this flag.
 .TP
-.B {\-|+}\fBallow_dup_skey\fP
+{\-|+}\fBallow_dup_skey\fP
 \fB\-allow_dup_skey\fP disables user\-to\-user authentication for this
 principal by prohibiting this principal from obtaining a session
 key for another user.  \fB+allow_dup_skey\fP clears this flag.
 .TP
-.B {\-|+}\fBrequires_preauth\fP
+{\-|+}\fBrequires_preauth\fP
 \fB+requires_preauth\fP requires this principal to preauthenticate
 before being allowed to kinit.  \fB\-requires_preauth\fP clears this
 flag.  When \fB+requires_preauth\fP is set on a service principal,
@@ -332,7 +332,7 @@ the KDC will only issue service tickets for that service principal
 if the client\(aqs initial authentication was performed using
 preauthentication.
 .TP
-.B {\-|+}\fBrequires_hwauth\fP
+{\-|+}\fBrequires_hwauth\fP
 \fB+requires_hwauth\fP requires this principal to preauthenticate
 using a hardware device before being allowed to kinit.
 \fB\-requires_hwauth\fP clears this flag.  When \fB+requires_hwauth\fP is
@@ -340,45 +340,45 @@ set on a service principal, the KDC will only issue service tickets
 for that service principal if the client\(aqs initial authentication was
 performed using a hardware device to preauthenticate.
 .TP
-.B {\-|+}\fBok_as_delegate\fP
+{\-|+}\fBok_as_delegate\fP
 \fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets
 issued with this principal as the service.  Clients may use this
 flag as a hint that credentials should be delegated when
 authenticating to the service.  \fB\-ok_as_delegate\fP clears this
 flag.
 .TP
-.B {\-|+}\fBallow_svr\fP
+{\-|+}\fBallow_svr\fP
 \fB\-allow_svr\fP prohibits the issuance of service tickets for this
 principal.  \fB+allow_svr\fP clears this flag.
 .TP
-.B {\-|+}\fBallow_tgs_req\fP
+{\-|+}\fBallow_tgs_req\fP
 \fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS)
 request for a service ticket for this principal is not permitted.
 \fB+allow_tgs_req\fP clears this flag.
 .TP
-.B {\-|+}\fBallow_tix\fP
+{\-|+}\fBallow_tix\fP
 \fB\-allow_tix\fP forbids the issuance of any tickets for this
 principal.  \fB+allow_tix\fP clears this flag.
 .TP
-.B {\-|+}\fBneedchange\fP
+{\-|+}\fBneedchange\fP
 \fB+needchange\fP forces a password change on the next initial
 authentication to this principal.  \fB\-needchange\fP clears this
 flag.
 .TP
-.B {\-|+}\fBpassword_changing_service\fP
+{\-|+}\fBpassword_changing_service\fP
 \fB+password_changing_service\fP marks this principal as a password
 change service principal.
 .TP
-.B {\-|+}\fBok_to_auth_as_delegate\fP
+{\-|+}\fBok_to_auth_as_delegate\fP
 \fB+ok_to_auth_as_delegate\fP allows this principal to acquire
 forwardable tickets to itself from arbitrary users, for use with
 constrained delegation.
 .TP
-.B {\-|+}\fBno_auth_data_required\fP
+{\-|+}\fBno_auth_data_required\fP
 \fB+no_auth_data_required\fP prevents PAC or AD\-SIGNEDPATH data from
 being added to service tickets for the principal.
 .TP
-.B {\-|+}\fBlockdown_keys\fP
+{\-|+}\fBlockdown_keys\fP
 \fB+lockdown_keys\fP prevents keys for this principal from leaving
 the KDC via kadmind.  The chpass and extract operations are denied
 for a principal with this attribute.  The chrand operation is
@@ -389,42 +389,42 @@ krbtgt/* or kadmin/* with new principals without the attribute.
 This attribute can be set via the network protocol, but can only
 be removed using kadmin.local.
 .TP
-.B \fB\-randkey\fP
+\fB\-randkey\fP
 Sets the key of the principal to a random value.
 .TP
-.B \fB\-nokey\fP
+\fB\-nokey\fP
 Causes the principal to be created with no key.  New in release
 1.12.
 .TP
-.B \fB\-pw\fP \fIpassword\fP
+\fB\-pw\fP \fIpassword\fP
 Sets the password of the principal to the specified string and
 does not prompt for a password.  Note: using this option in a
 shell script may expose the password to other users on the system
 via the process list.
 .TP
-.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
+\fB\-e\fP \fIenc\fP:\fIsalt\fP,...
 Uses the specified keysalt list for setting the keys of the
-principal.  See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+principal.  See Keysalt_lists in kdc.conf(5) for a
 list of possible values.
 .TP
-.B \fB\-x\fP \fIdb_princ_args\fP
+\fB\-x\fP \fIdb_princ_args\fP
 Indicates database\-specific options.  The options for the LDAP
 database module are:
 .INDENT 7.0
 .TP
-.B \fB\-x dn=\fP\fIdn\fP
+\fB\-x dn=\fP\fIdn\fP
 Specifies the LDAP object that will contain the Kerberos
 principal being created.
 .TP
-.B \fB\-x linkdn=\fP\fIdn\fP
+\fB\-x linkdn=\fP\fIdn\fP
 Specifies the LDAP object to which the newly created Kerberos
 principal object will point.
 .TP
-.B \fB\-x containerdn=\fP\fIcontainer_dn\fP
+\fB\-x containerdn=\fP\fIcontainer_dn\fP
 Specifies the container object under which the Kerberos
 principal is to be created.
 .TP
-.B \fB\-x tktpolicy=\fP\fIpolicy\fP
+\fB\-x tktpolicy=\fP\fIpolicy\fP
 Associates a ticket policy to the Kerberos principal.
 .UNINDENT
 .sp
@@ -484,7 +484,7 @@ Alias: \fBmodprinc\fP
 Options (in addition to the \fBaddprinc\fP options):
 .INDENT 0.0
 .TP
-.B \fB\-unlock\fP
+\fB\-unlock\fP
 Unlocks a locked principal (one which has received too many failed
 authentication attempts without enough time between them according
 to its password policy) so that it can successfully authenticate.
@@ -535,20 +535,20 @@ Alias: \fBcpw\fP
 The following options are available:
 .INDENT 0.0
 .TP
-.B \fB\-randkey\fP
+\fB\-randkey\fP
 Sets the key of the principal to a random value.
 .TP
-.B \fB\-pw\fP \fIpassword\fP
+\fB\-pw\fP \fIpassword\fP
 Set the password to the specified string.  Using this option in a
 script may expose the password to other users on the system via
 the process list.
 .TP
-.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
+\fB\-e\fP \fIenc\fP:\fIsalt\fP,...
 Uses the specified keysalt list for setting the keys of the
-principal.  See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+principal.  See Keysalt_lists in kdc.conf(5) for a
 list of possible values.
 .TP
-.B \fB\-keepold\fP
+\fB\-keepold\fP
 Keeps the existing keys in the database.  This flag is usually not
 necessary except perhaps for \fBkrbtgt\fP principals.
 .UNINDENT
@@ -689,19 +689,19 @@ modules.  The following string attribute names are recognized by the
 KDC:
 .INDENT 0.0
 .TP
-.B \fBrequire_auth\fP
+\fBrequire_auth\fP
 Specifies an authentication indicator which is required to
 authenticate to the principal as a service.  Multiple indicators
 can be specified, separated by spaces; in this case any of the
 specified indicators will be accepted.  (New in release 1.14.)
 .TP
-.B \fBsession_enctypes\fP
+\fBsession_enctypes\fP
 Specifies the encryption types supported for session keys when the
 principal is authenticated to as a server.  See
-\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of the
+Encryption_types in kdc.conf(5) for a list of the
 accepted values.
 .TP
-.B \fBotp\fP
+\fBotp\fP
 Enables One Time Passwords (OTP) preauthentication for a client
 \fIprincipal\fP\&.  The \fIvalue\fP is a JSON string representing an array
 of objects, each having optional \fBtype\fP and \fBusername\fP fields.
@@ -751,29 +751,29 @@ Alias: \fBaddpol\fP
 The following options are available:
 .INDENT 0.0
 .TP
-.B \fB\-maxlife\fP \fItime\fP
-(\fIduration\fP or \fIgetdate\fP string) Sets the maximum
+\fB\-maxlife\fP \fItime\fP
+(duration or getdate string) Sets the maximum
 lifetime of a password.
 .TP
-.B \fB\-minlife\fP \fItime\fP
-(\fIduration\fP or \fIgetdate\fP string) Sets the minimum
+\fB\-minlife\fP \fItime\fP
+(duration or getdate string) Sets the minimum
 lifetime of a password.
 .TP
-.B \fB\-minlength\fP \fIlength\fP
+\fB\-minlength\fP \fIlength\fP
 Sets the minimum length of a password.
 .TP
-.B \fB\-minclasses\fP \fInumber\fP
+\fB\-minclasses\fP \fInumber\fP
 Sets the minimum number of character classes required in a
 password.  The five character classes are lower case, upper case,
 numbers, punctuation, and whitespace/unprintable characters.
 .TP
-.B \fB\-history\fP \fInumber\fP
+\fB\-history\fP \fInumber\fP
 Sets the number of past keys kept for a principal.  This option is
 not supported with the LDAP KDC database module.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \fB\-maxfailure\fP \fImaxnumber\fP
+\fB\-maxfailure\fP \fImaxnumber\fP
 Sets the number of authentication failures before the principal is
 locked.  Authentication failures are only tracked for principals
 which require preauthentication.  The counter of failed attempts
@@ -782,8 +782,8 @@ resets to 0 after a successful attempt to authenticate.  A
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \fB\-failurecountinterval\fP \fIfailuretime\fP
-(\fIduration\fP or \fIgetdate\fP string) Sets the allowable time
+\fB\-failurecountinterval\fP \fIfailuretime\fP
+(duration or getdate string) Sets the allowable time
 between authentication failures.  If an authentication failure
 happens after \fIfailuretime\fP has elapsed since the previous
 failure, the number of authentication failures is reset to 1.  A
@@ -791,18 +791,18 @@ failure, the number of authentication failures is reset to 1.  A
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \fB\-lockoutduration\fP \fIlockouttime\fP
-(\fIduration\fP or \fIgetdate\fP string) Sets the duration for
+\fB\-lockoutduration\fP \fIlockouttime\fP
+(duration or getdate string) Sets the duration for
 which the principal is locked from authenticating if too many
 authentication failures occur without the specified failure count
 interval elapsing.  A duration of 0 (the default) means the
 principal remains locked out until it is administratively unlocked
 with \fBmodprinc \-unlock\fP\&.
 .TP
-.B \fB\-allowedkeysalts\fP
+\fB\-allowedkeysalts\fP
 Specifies the key/salt tuples supported for long\-term keys when
 setting or changing a principal\(aqs password/keys.  See
-\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of the
+Keysalt_lists in kdc.conf(5) for a list of the
 accepted values, but note that key/salt tuples must be separated
 with commas (\(aq,\(aq) only.  To clear the allowed key/salt policy use
 a value of \(aq\-\(aq.
@@ -962,19 +962,19 @@ With the \fB\-glob\fP form, it also requires the \fBlist\fP privilege.
 The options are:
 .INDENT 0.0
 .TP
-.B \fB\-k[eytab]\fP \fIkeytab\fP
+\fB\-k[eytab]\fP \fIkeytab\fP
 Use \fIkeytab\fP as the keytab file.  Otherwise, the default keytab is
 used.
 .TP
-.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
+\fB\-e\fP \fIenc\fP:\fIsalt\fP,...
 Uses the specified keysalt list for setting the new keys of the
-principal.  See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+principal.  See Keysalt_lists in kdc.conf(5) for a
 list of possible values.
 .TP
-.B \fB\-q\fP
+\fB\-q\fP
 Display less verbose information.
 .TP
-.B \fB\-norandkey\fP
+\fB\-norandkey\fP
 Do not randomize the keys. The keys and their version numbers stay
 unchanged.  This option cannot be specified in combination with the
 \fB\-e\fP option.
@@ -1018,11 +1018,11 @@ kvno match that integer are removed.
 The options are:
 .INDENT 0.0
 .TP
-.B \fB\-k[eytab]\fP \fIkeytab\fP
+\fB\-k[eytab]\fP \fIkeytab\fP
 Use \fIkeytab\fP as the keytab file.  Otherwise, the default keytab is
 used.
 .TP
-.B \fB\-q\fP
+\fB\-q\fP
 Display less verbose information.
 .UNINDENT
 .sp
@@ -1063,7 +1063,7 @@ The kadmin program was originally written by Tom Yu at MIT, as an
 interface to the OpenVision Kerberos administration program.
 .SH SEE ALSO
 .sp
-\fIkpasswd(1)\fP, \fIkadmind(8)\fP
+kpasswd(1), kadmind(8)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index 3364e4a..85af672 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -50,24 +50,24 @@ kadmind starts the Kerberos administration server.  kadmind typically
 runs on the master Kerberos server, which stores the KDC database.  If
 the KDC database uses the LDAP module, the administration server and
 the KDC server need not run on the same machine.  kadmind accepts
-remote requests from programs such as \fIkadmin(1)\fP and
-\fIkpasswd(1)\fP to administer the information in these database.
+remote requests from programs such as kadmin(1) and
+kpasswd(1) to administer the information in these database.
 .sp
 kadmind requires a number of configuration files to be set up in order
 for it to work:
 .INDENT 0.0
 .TP
-.B \fIkdc.conf(5)\fP
+.B kdc.conf(5)
 The KDC configuration file contains configuration information for
 the KDC and admin servers.  kadmind uses settings in this file to
 locate the Kerberos database, and is also affected by the
 \fBacl_file\fP, \fBdict_file\fP, \fBkadmind_port\fP, and iprop\-related
 settings.
 .TP
-.B \fIkadm5.acl(5)\fP
+.B kadm5.acl(5)
 kadmind\(aqs ACL (access control list) tells it which principals are
 allowed to perform administration actions.  The pathname to the
-ACL file can be specified with the \fBacl_file\fP \fIkdc.conf(5)\fP
+ACL file can be specified with the \fBacl_file\fP kdc.conf(5)
 variable; by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&.
 .UNINDENT
 .sp
@@ -77,7 +77,7 @@ disassociates itself from its controlling terminal.
 kadmind can be configured for incremental database propagation.
 Incremental propagation allows slave KDC servers to receive principal
 and policy updates incrementally instead of receiving full dumps of
-the database.  This facility can be enabled in the \fIkdc.conf(5)\fP
+the database.  This facility can be enabled in the kdc.conf(5)
 file with the \fBiprop_enable\fP option.  Incremental propagation
 requires the principal \fBkiprop/MASTER\e@REALM\fP (where MASTER is the
 master KDC\(aqs canonical host name, and REALM the realm name).  In
@@ -86,62 +86,62 @@ into the datebase.
 .SH OPTIONS
 .INDENT 0.0
 .TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
 specifies the realm that kadmind will serve; if it is not
 specified, the default realm of the host is used.
 .TP
-.B \fB\-m\fP
+\fB\-m\fP
 causes the master database password to be fetched from the
 keyboard (before the server puts itself in the background, if not
 invoked with the \fB\-nofork\fP option) rather than from a file on
 disk.
 .TP
-.B \fB\-nofork\fP
+\fB\-nofork\fP
 causes the server to remain in the foreground and remain
 associated to the terminal.  In normal operation, you should allow
 the server to place itself in the background.
 .TP
-.B \fB\-proponly\fP
+\fB\-proponly\fP
 causes the server to only listen and respond to Kerberos slave
 incremental propagation polling requests.  This option can be used
 to set up a hierarchical propagation topology where a slave KDC
 provides incremental updates to other Kerberos slaves.
 .TP
-.B \fB\-port\fP \fIport\-number\fP
+\fB\-port\fP \fIport\-number\fP
 specifies the port on which the administration server listens for
 connections.  The default port is determined by the
-\fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP\&.
+\fBkadmind_port\fP configuration variable in kdc.conf(5)\&.
 .TP
-.B \fB\-P\fP \fIpid_file\fP
+\fB\-P\fP \fIpid_file\fP
 specifies the file to which the PID of kadmind process should be
 written after it starts up.  This file can be used to identify
 whether kadmind is still running and to allow init scripts to stop
 the correct process.
 .TP
-.B \fB\-p\fP \fIkdb5_util_path\fP
+\fB\-p\fP \fIkdb5_util_path\fP
 specifies the path to the kdb5_util command to use when dumping the
 KDB in response to full resync requests when iprop is enabled.
 .TP
-.B \fB\-K\fP \fIkprop_path\fP
+\fB\-K\fP \fIkprop_path\fP
 specifies the path to the kprop command to use to send full dumps
 to slaves in response to full resync requests.
 .TP
-.B \fB\-k\fP \fIkprop_port\fP
+\fB\-k\fP \fIkprop_port\fP
 specifies the port by which the kprop process that is spawned by kadmind
 connects to the slave kpropd, in order to transfer the dump file during
 an iprop full resync request.
 .TP
-.B \fB\-F\fP \fIdump_file\fP
+\fB\-F\fP \fIdump_file\fP
 specifies the file path to be used for dumping the KDB in response
 to full resync requests when iprop is enabled.
 .TP
-.B \fB\-x\fP \fIdb_args\fP
-specifies database\-specific arguments.  See \fIDatabase Options\fP in \fIkadmin(1)\fP for supported arguments.
+\fB\-x\fP \fIdb_args\fP
+specifies database\-specific arguments.  See Database Options in kadmin(1) for supported arguments.
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIkpasswd(1)\fP, \fIkadmin(1)\fP, \fIkdb5_util(8)\fP,
-\fIkdb5_ldap_util(8)\fP, \fIkadm5.acl(5)\fP
+kpasswd(1), kadmin(1), kdb5_util(8),
+kdb5_ldap_util(8), kadm5.acl(5)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index c3733aa..65dd799 100644
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -44,15 +44,15 @@ services and ticket policies.
 .SH COMMAND-LINE OPTIONS
 .INDENT 0.0
 .TP
-.B \fB\-D\fP \fIuser_dn\fP
+\fB\-D\fP \fIuser_dn\fP
 Specifies the Distinguished Name (DN) of the user who has
 sufficient rights to perform the operation on the LDAP server.
 .TP
-.B \fB\-w\fP \fIpasswd\fP
+\fB\-w\fP \fIpasswd\fP
 Specifies the password of \fIuser_dn\fP\&.  This option is not
 recommended.
 .TP
-.B \fB\-H\fP \fIldapuri\fP
+\fB\-H\fP \fIldapuri\fP
 Specifies the URI of the LDAP server.  It is recommended to use
 \fBldapi://\fP or \fBldaps://\fP to connect to the LDAP server.
 .UNINDENT
@@ -78,60 +78,60 @@ Specifies the URI of the LDAP server.  It is recommended to use
 Creates realm in directory. Options:
 .INDENT 0.0
 .TP
-.B \fB\-subtrees\fP \fIsubtree_dn_list\fP
+\fB\-subtrees\fP \fIsubtree_dn_list\fP
 Specifies the list of subtrees containing the principals of a
 realm.  The list contains the DNs of the subtree objects separated
 by colon (\fB:\fP).
 .TP
-.B \fB\-sscope\fP \fIsearch_scope\fP
+\fB\-sscope\fP \fIsearch_scope\fP
 Specifies the scope for searching the principals under the
 subtree.  The possible values are 1 or one (one level), 2 or sub
 (subtrees).
 .TP
-.B \fB\-containerref\fP \fIcontainer_reference_dn\fP
+\fB\-containerref\fP \fIcontainer_reference_dn\fP
 Specifies the DN of the container object in which the principals
 of a realm will be created.  If the container reference is not
 configured for a realm, the principals will be created in the
 realm container.
 .TP
-.B \fB\-k\fP \fImkeytype\fP
+\fB\-k\fP \fImkeytype\fP
 Specifies the key type of the master key in the database.  The
 default is given by the \fBmaster_key_type\fP variable in
-\fIkdc.conf(5)\fP\&.
+kdc.conf(5)\&.
 .TP
-.B \fB\-kv\fP \fImkeyVNO\fP
+\fB\-kv\fP \fImkeyVNO\fP
 Specifies the version number of the master key in the database;
 the default is 1.  Note that 0 is not allowed.
 .TP
-.B \fB\-m\fP
+\fB\-m\fP
 Specifies that the master database password should be read from
 the TTY rather than fetched from a file on the disk.
 .TP
-.B \fB\-P\fP \fIpassword\fP
+\fB\-P\fP \fIpassword\fP
 Specifies the master database password. This option is not
 recommended.
 .TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
 Specifies the Kerberos realm of the database.
 .TP
-.B \fB\-sf\fP \fIstashfilename\fP
+\fB\-sf\fP \fIstashfilename\fP
 Specifies the stash file of the master database password.
 .TP
-.B \fB\-s\fP
+\fB\-s\fP
 Specifies that the stash file is to be created.
 .TP
-.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-(\fIgetdate\fP string) Specifies maximum ticket life for
+\fB\-maxtktlife\fP \fImax_ticket_life\fP
+(getdate string) Specifies maximum ticket life for
 principals in this realm.
 .TP
-.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-(\fIgetdate\fP string) Specifies maximum renewable life of
+\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
+(getdate string) Specifies maximum renewable life of
 tickets for principals in this realm.
 .TP
 .B \fIticket_flags\fP
 Specifies global ticket flags for the realm.  Allowable flags are
 documented in the description of the \fBadd_principal\fP command in
-\fIkadmin(1)\fP\&.
+kadmin(1)\&.
 .UNINDENT
 .sp
 Example:
@@ -169,35 +169,35 @@ Re\-enter KDC database master key to verify:
 Modifies the attributes of a realm.  Options:
 .INDENT 0.0
 .TP
-.B \fB\-subtrees\fP \fIsubtree_dn_list\fP
+\fB\-subtrees\fP \fIsubtree_dn_list\fP
 Specifies the list of subtrees containing the principals of a
 realm.  The list contains the DNs of the subtree objects separated
 by colon (\fB:\fP).  This list replaces the existing list.
 .TP
-.B \fB\-sscope\fP \fIsearch_scope\fP
+\fB\-sscope\fP \fIsearch_scope\fP
 Specifies the scope for searching the principals under the
 subtrees.  The possible values are 1 or one (one level), 2 or sub
 (subtrees).
 .TP
-.B \fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the
+\fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the
 container object in which the principals of a realm will be
 created.
 .TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
 Specifies the Kerberos realm of the database.
 .TP
-.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-(\fIgetdate\fP string) Specifies maximum ticket life for
+\fB\-maxtktlife\fP \fImax_ticket_life\fP
+(getdate string) Specifies maximum ticket life for
 principals in this realm.
 .TP
-.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-(\fIgetdate\fP string) Specifies maximum renewable life of
+\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
+(getdate string) Specifies maximum renewable life of
 tickets for principals in this realm.
 .TP
 .B \fIticket_flags\fP
 Specifies global ticket flags for the realm.  Allowable flags are
 documented in the description of the \fBadd_principal\fP command in
-\fIkadmin(1)\fP\&.
+kadmin(1)\&.
 .UNINDENT
 .sp
 Example:
@@ -225,7 +225,7 @@ shell%
 Displays the attributes of a realm.  Options:
 .INDENT 0.0
 .TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
 Specifies the Kerberos realm of the database.
 .UNINDENT
 .sp
@@ -259,10 +259,10 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
 Destroys an existing realm. Options:
 .INDENT 0.0
 .TP
-.B \fB\-f\fP
+\fB\-f\fP
 If specified, will not prompt the user for confirmation.
 .TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
 Specifies the Kerberos realm of the database.
 .UNINDENT
 .sp
@@ -323,16 +323,16 @@ file so that KDC and Administration server can use it to authenticate
 to the LDAP server.  Options:
 .INDENT 0.0
 .TP
-.B \fB\-f\fP \fIfilename\fP
+\fB\-f\fP \fIfilename\fP
 Specifies the complete path of the service password file. By
 default, \fB/usr/local/var/service_passwd\fP is used.
 .TP
 .B \fIname\fP
 Specifies the name of the object whose password is to be stored.
-If \fIkrb5kdc(8)\fP or \fIkadmind(8)\fP are configured for
+If krb5kdc(8) or kadmind(8) are configured for
 simple binding, this should be the distinguished name it will
 use as given by the \fBldap_kdc_dn\fP or \fBldap_kadmind_dn\fP
-variable in \fIkdc.conf(5)\fP\&.  If the KDC or kadmind is
+variable in kdc.conf(5)\&.  If the KDC or kadmind is
 configured for SASL binding, this should be the authentication
 name it will use as given by the \fBldap_kdc_sasl_authcid\fP or
 \fBldap_kadmind_sasl_authcid\fP variable.
@@ -367,22 +367,22 @@ Re\-enter password for "cn=service\-kdc,o=org":
 Creates a ticket policy in the directory.  Options:
 .INDENT 0.0
 .TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
 Specifies the Kerberos realm of the database.
 .TP
-.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-(\fIgetdate\fP string) Specifies maximum ticket life for
+\fB\-maxtktlife\fP \fImax_ticket_life\fP
+(getdate string) Specifies maximum ticket life for
 principals.
 .TP
-.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-(\fIgetdate\fP string) Specifies maximum renewable life of
+\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
+(getdate string) Specifies maximum renewable life of
 tickets for principals.
 .TP
 .B \fIticket_flags\fP
 Specifies the ticket flags.  If this option is not specified, by
 default, no restriction will be set by the policy.  Allowable
 flags are documented in the description of the \fBadd_principal\fP
-command in \fIkadmin(1)\fP\&.
+command in kadmin(1)\&.
 .TP
 .B \fIpolicy_name\fP
 Specifies the name of the ticket policy.
@@ -479,10 +479,10 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
 Destroys an existing ticket policy.  Options:
 .INDENT 0.0
 .TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
 Specifies the Kerberos realm of the database.
 .TP
-.B \fB\-force\fP
+\fB\-force\fP
 Forces the deletion of the policy object.  If not specified, the
 user will be prompted for confirmation before deleting the policy.
 .TP
@@ -518,7 +518,7 @@ Lists the ticket policies in realm if specified or in the default
 realm.  Options:
 .INDENT 0.0
 .TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
 Specifies the Kerberos realm of the database.
 .UNINDENT
 .sp
@@ -540,7 +540,7 @@ userpolicy
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIkadmin(1)\fP
+kadmin(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index f4ee62f..7d14e856 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -58,39 +58,39 @@ commands.
 .SH COMMAND-LINE OPTIONS
 .INDENT 0.0
 .TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
 specifies the Kerberos realm of the database.
 .TP
-.B \fB\-d\fP \fIdbname\fP
+\fB\-d\fP \fIdbname\fP
 specifies the name under which the principal database is stored;
-by default the database is that listed in \fIkdc.conf(5)\fP\&.  The
+by default the database is that listed in kdc.conf(5)\&.  The
 password policy database and lock files are also derived from this
 value.
 .TP
-.B \fB\-k\fP \fImkeytype\fP
+\fB\-k\fP \fImkeytype\fP
 specifies the key type of the master key in the database.  The
 default is given by the \fBmaster_key_type\fP variable in
-\fIkdc.conf(5)\fP\&.
+kdc.conf(5)\&.
 .TP
-.B \fB\-kv\fP \fImkeyVNO\fP
+\fB\-kv\fP \fImkeyVNO\fP
 Specifies the version number of the master key in the database;
 the default is 1.  Note that 0 is not allowed.
 .TP
-.B \fB\-M\fP \fImkeyname\fP
+\fB\-M\fP \fImkeyname\fP
 principal name for the master key in the database.  If not
 specified, the name is determined by the \fBmaster_key_name\fP
-variable in \fIkdc.conf(5)\fP\&.
+variable in kdc.conf(5)\&.
 .TP
-.B \fB\-m\fP
+\fB\-m\fP
 specifies that the master database password should be read from
 the keyboard rather than fetched from a file on disk.
 .TP
-.B \fB\-sf\fP \fIstash_file\fP
+\fB\-sf\fP \fIstash_file\fP
 specifies the stash filename of the master database password.  If
 not specified, the filename is determined by the
-\fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP\&.
+\fBkey_stash_file\fP variable in kdc.conf(5)\&.
 .TP
-.B \fB\-P\fP \fIpassword\fP
+\fB\-P\fP \fIpassword\fP
 specifies the master database password.  Using this option may
 expose the password to other users on the system via the process
 list.
@@ -126,7 +126,7 @@ the \fB\-f\fP argument, does not prompt the user.
 .sp
 Stores the master principal\(aqs keys in a stash file.  The \fB\-f\fP
 argument can be used to override the \fIkeyfile\fP specified in
-\fIkdc.conf(5)\fP\&.
+kdc.conf(5)\&.
 .SS dump
 .INDENT 0.0
 .INDENT 3.5
@@ -142,43 +142,43 @@ load_dump version 7".  If filename is not specified, or is the string
 "\-", the dump is sent to standard output.  Options:
 .INDENT 0.0
 .TP
-.B \fB\-b7\fP
+\fB\-b7\fP
 causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
 load_dump version 4").  This was the dump format produced on
 releases prior to 1.2.2.
 .TP
-.B \fB\-ov\fP
+\fB\-ov\fP
 causes the dump to be in "ovsec_adm_export" format.
 .TP
-.B \fB\-r13\fP
+\fB\-r13\fP
 causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
 load_dump version 5").  This was the dump format produced on
 releases prior to 1.8.
 .TP
-.B \fB\-r18\fP
+\fB\-r18\fP
 causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util
 load_dump version 6").  This was the dump format produced on
 releases prior to 1.11.
 .TP
-.B \fB\-verbose\fP
+\fB\-verbose\fP
 causes the name of each principal and policy to be printed as it
 is dumped.
 .TP
-.B \fB\-mkey_convert\fP
+\fB\-mkey_convert\fP
 prompts for a new master key.  This new master key will be used to
 re\-encrypt principal key data in the dumpfile.  The principal keys
 themselves will not be changed.
 .TP
-.B \fB\-new_mkey_file\fP \fImkey_file\fP
+\fB\-new_mkey_file\fP \fImkey_file\fP
 the filename of a stash file.  The master key in this stash file
 will be used to re\-encrypt the key data in the dumpfile.  The key
 data in the database will not be changed.
 .TP
-.B \fB\-rev\fP
+\fB\-rev\fP
 dumps in reverse order.  This may recover principals that do not
 dump normally, in cases where database corruption has occurred.
 .TP
-.B \fB\-recurse\fP
+\fB\-recurse\fP
 causes the dump to walk the database recursively (btree only).
 This may recover principals that do not dump normally, in cases
 where database corruption has occurred.  In cases of such
@@ -212,36 +212,36 @@ database module, the \fB\-update\fP flag is required.
 Options:
 .INDENT 0.0
 .TP
-.B \fB\-b7\fP
+\fB\-b7\fP
 requires the database to be in the Kerberos 5 Beta 7 format
 ("kdb5_util load_dump version 4").  This was the dump format
 produced on releases prior to 1.2.2.
 .TP
-.B \fB\-ov\fP
+\fB\-ov\fP
 requires the database to be in "ovsec_adm_import" format.  Must be
 used with the \fB\-update\fP option.
 .TP
-.B \fB\-r13\fP
+\fB\-r13\fP
 requires the database to be in Kerberos 5 1.3 format ("kdb5_util
 load_dump version 5").  This was the dump format produced on
 releases prior to 1.8.
 .TP
-.B \fB\-r18\fP
+\fB\-r18\fP
 requires the database to be in Kerberos 5 1.8 format ("kdb5_util
 load_dump version 6").  This was the dump format produced on
 releases prior to 1.11.
 .TP
-.B \fB\-hash\fP
+\fB\-hash\fP
 requires the database to be stored as a hash.  If this option is
 not specified, the database will be stored as a btree.  This
 option is not recommended, as databases stored in hash format are
 known to corrupt data and lose principals.
 .TP
-.B \fB\-verbose\fP
+\fB\-verbose\fP
 causes the name of each principal and policy to be printed as it
 is dumped.
 .TP
-.B \fB\-update\fP
+\fB\-update\fP
 records from the dump file are added to or updated in the existing
 database.  Otherwise, a new database is created containing only
 what is in the dump file and the old one destroyed upon successful
@@ -271,12 +271,12 @@ salt types to be used for the new keys.
 Adds a new master key to the master key principal, but does not mark
 it as active.  Existing master keys will remain.  The \fB\-e\fP option
 specifies the encryption type of the new master key; see
-\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of possible
+Encryption_types in kdc.conf(5) for a list of possible
 values.  The \fB\-s\fP option stashes the new master key in the stash
 file, which will be created if it doesn\(aqt already exist.
 .sp
 After a new master key is added, it should be propagated to slave
-servers via a manual or periodic invocation of \fIkprop(8)\fP\&.  Then,
+servers via a manual or periodic invocation of kprop(8)\&.  Then,
 the stash files on the slave servers should be updated with the
 kdb5_util \fBstash\fP command.  Once those steps are complete, the key
 is ready to be marked active with the kdb5_util \fBuse_mkey\fP command.
@@ -291,7 +291,7 @@ Sets the activation time of the master key specified by \fImkeyVNO\fP\&.
 Once a master key becomes active, it will be used to encrypt newly
 created principal keys.  If no \fItime\fP argument is given, the current
 time is used, causing the specified master key version to become
-active immediately.  The format for \fItime\fP is \fIgetdate\fP string.
+active immediately.  The format for \fItime\fP is getdate string.
 .sp
 After a new master key becomes active, the kdb5_util
 \fBupdate_princ_encryption\fP command can be used to update all
@@ -305,7 +305,7 @@ principal keys to be encrypted in the new master key.
 .sp
 List all master keys, from most recent to earliest, in the master key
 principal.  The output will show the kvno, enctype, and salt type for
-each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP\&.  A
+each mkey, similar to the output of kadmin(1) \fBgetprinc\fP\&.  A
 \fB*\fP following an mkey denotes the currently active master key.
 .SS purge_mkeys
 .INDENT 0.0
@@ -319,14 +319,14 @@ protect any principals.  This command can be used to remove old master
 keys all principal keys are protected by a newer master key.
 .INDENT 0.0
 .TP
-.B \fB\-f\fP
+\fB\-f\fP
 does not prompt for confirmation.
 .TP
-.B \fB\-n\fP
+\fB\-n\fP
 performs a dry run, showing master keys that would be purged, but
 not actually purging any keys.
 .TP
-.B \fB\-v\fP
+\fB\-v\fP
 gives more verbose output.
 .UNINDENT
 .SS update_princ_encryption
@@ -367,23 +367,23 @@ below).
 Options:
 .INDENT 0.0
 .TP
-.B \fB\-H\fP
+\fB\-H\fP
 suppress writing the field names in a header line
 .TP
-.B \fB\-c\fP
+\fB\-c\fP
 use comma separated values (CSV) format, with minimal quoting,
 instead of the default tab\-separated (unquoted, unescaped) format
 .TP
-.B \fB\-e\fP
+\fB\-e\fP
 write empty hexadecimal string fields as empty fields instead of
 as "\-1".
 .TP
-.B \fB\-n\fP
+\fB\-n\fP
 produce numeric output for fields that normally have symbolic
 output, such as enctypes and flag names.  Also requests output of
 time stamps as decimal POSIX time_t values.
 .TP
-.B \fB\-o\fP \fIoutfile\fP
+\fB\-o\fP \fIoutfile\fP
 write the dump to the specified output file instead of to standard
 output
 .UNINDENT
@@ -391,38 +391,38 @@ output
 Dump types:
 .INDENT 0.0
 .TP
-.B \fBkeydata\fP
+\fBkeydata\fP
 principal encryption key information, including actual key data
 (which is still encrypted in the master key)
 .INDENT 7.0
 .TP
-.B \fBname\fP
+\fBname\fP
 principal name
 .TP
-.B \fBkeyindex\fP
+\fBkeyindex\fP
 index of this key in the principal\(aqs key list
 .TP
-.B \fBkvno\fP
+\fBkvno\fP
 key version number
 .TP
-.B \fBenctype\fP
+\fBenctype\fP
 encryption type
 .TP
-.B \fBkey\fP
+\fBkey\fP
 key data as a hexadecimal string
 .TP
-.B \fBsalttype\fP
+\fBsalttype\fP
 salt type
 .TP
-.B \fBsalt\fP
+\fBsalt\fP
 salt data as a hexadecimal string
 .UNINDENT
 .TP
-.B \fBkeyinfo\fP
+\fBkeyinfo\fP
 principal encryption key information (as in \fBkeydata\fP above),
 excluding actual key data
 .TP
-.B \fBprinc_flags\fP
+\fBprinc_flags\fP
 principal boolean attributes.  Flag names print as hexadecimal
 numbers if the \fB\-n\fP option is specified, and all flag positions
 are printed regardless of whether or not they are set.  If \fB\-n\fP
@@ -431,93 +431,93 @@ but only print hexadecimal flag names if the corresponding flag is
 set.
 .INDENT 7.0
 .TP
-.B \fBname\fP
+\fBname\fP
 principal name
 .TP
-.B \fBflag\fP
+\fBflag\fP
 flag name
 .TP
-.B \fBvalue\fP
+\fBvalue\fP
 boolean value (0 for clear, or 1 for set)
 .UNINDENT
 .TP
-.B \fBprinc_lockout\fP
+\fBprinc_lockout\fP
 state information used for tracking repeated password failures
 .INDENT 7.0
 .TP
-.B \fBname\fP
+\fBname\fP
 principal name
 .TP
-.B \fBlast_success\fP
+\fBlast_success\fP
 time stamp of most recent successful authentication
 .TP
-.B \fBlast_failed\fP
+\fBlast_failed\fP
 time stamp of most recent failed authentication
 .TP
-.B \fBfail_count\fP
+\fBfail_count\fP
 count of failed attempts
 .UNINDENT
 .TP
-.B \fBprinc_meta\fP
+\fBprinc_meta\fP
 principal metadata
 .INDENT 7.0
 .TP
-.B \fBname\fP
+\fBname\fP
 principal name
 .TP
-.B \fBmodby\fP
+\fBmodby\fP
 name of last principal to modify this principal
 .TP
-.B \fBmodtime\fP
+\fBmodtime\fP
 timestamp of last modification
 .TP
-.B \fBlastpwd\fP
+\fBlastpwd\fP
 timestamp of last password change
 .TP
-.B \fBpolicy\fP
+\fBpolicy\fP
 policy object name
 .TP
-.B \fBmkvno\fP
+\fBmkvno\fP
 key version number of the master key that encrypts this
 principal\(aqs key data
 .TP
-.B \fBhist_kvno\fP
+\fBhist_kvno\fP
 key version number of the history key that encrypts the key
 history data for this principal
 .UNINDENT
 .TP
-.B \fBprinc_stringattrs\fP
+\fBprinc_stringattrs\fP
 string attributes (key/value pairs)
 .INDENT 7.0
 .TP
-.B \fBname\fP
+\fBname\fP
 principal name
 .TP
-.B \fBkey\fP
+\fBkey\fP
 attribute name
 .TP
-.B \fBvalue\fP
+\fBvalue\fP
 attribute value
 .UNINDENT
 .TP
-.B \fBprinc_tktpolicy\fP
+\fBprinc_tktpolicy\fP
 per\-principal ticket policy data, including maximum ticket
 lifetimes
 .INDENT 7.0
 .TP
-.B \fBname\fP
+\fBname\fP
 principal name
 .TP
-.B \fBexpiration\fP
+\fBexpiration\fP
 principal expiration date
 .TP
-.B \fBpw_expiration\fP
+\fBpw_expiration\fP
 password expiration date
 .TP
-.B \fBmax_life\fP
+\fBmax_life\fP
 maximum ticket lifetime
 .TP
-.B \fBmax_renew_life\fP
+\fBmax_renew_life\fP
 maximum renewable ticket lifetime
 .UNINDENT
 .UNINDENT
@@ -548,7 +548,7 @@ bar@EXAMPLE.COM     1       1       des\-cbc\-crc     normal  \-1
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIkadmin(1)\fP
+kadmin(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index b6a9476..3420527 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -31,9 +31,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
 .sp
-The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which
-are typically only used on a KDC, such as the \fIkrb5kdc(8)\fP and
-\fIkadmind(8)\fP daemons and the \fIkdb5_util(8)\fP program.
+The kdc.conf file supplements krb5.conf(5) for programs which
+are typically only used on a KDC, such as the krb5kdc(8) and
+kadmind(8) daemons and the kdb5_util(8) program.
 Relations documented here may also be specified in krb5.conf; for the
 KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
 single configuration profile.
@@ -47,7 +47,7 @@ changes to take effect.
 .SH STRUCTURE
 .sp
 The kdc.conf file is set up in the same format as the
-\fIkrb5.conf(5)\fP file.
+krb5.conf(5) file.
 .SH SECTIONS
 .sp
 The kdc.conf file may contain the following sections:
@@ -110,11 +110,11 @@ subsection does not contain a relation for the tag.  See the
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \fBkdc_max_dgram_reply_size\fP
+\fBkdc_max_dgram_reply_size\fP
 Specifies the maximum packet size that can be sent over UDP.  The
 default value is 4096 bytes.
 .TP
-.B \fBkdc_tcp_listen_backlog\fP
+\fBkdc_tcp_listen_backlog\fP
 (Integer.)  Set the size of the listen queue length for the KDC
 daemon.  The value may be limited by OS settings.  The default
 value is 5.
@@ -142,32 +142,32 @@ to define one parameter for the ATHENA.MIT.EDU realm:
 The following tags may be specified in a [realms] subsection:
 .INDENT 0.0
 .TP
-.B \fBacl_file\fP
+\fBacl_file\fP
 (String.)  Location of the access control list file that
-\fIkadmind(8)\fP uses to determine which principals are allowed
+kadmind(8) uses to determine which principals are allowed
 which permissions on the Kerberos database.  The default value is
 \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&.  For more information on Kerberos ACL
-file see \fIkadm5.acl(5)\fP\&.
+file see kadm5.acl(5)\&.
 .TP
-.B \fBdatabase_module\fP
+\fBdatabase_module\fP
 (String.)  This relation indicates the name of the configuration
 section under \fI\%[dbmodules]\fP for database\-specific parameters
 used by the loadable database library.  The default value is the
 realm name.  If this configuration section does not exist, default
 values will be used for all database parameters.
 .TP
-.B \fBdatabase_name\fP
+\fBdatabase_name\fP
 (String, deprecated.)  This relation specifies the location of the
 Kerberos database for this realm, if the DB2 module is being used
 and the \fI\%[dbmodules]\fP configuration section does not specify a
 database name.  The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&.
 .TP
-.B \fBdefault_principal_expiration\fP
-(\fIabstime\fP string.)  Specifies the default expiration date of
+\fBdefault_principal_expiration\fP
+(abstime string.)  Specifies the default expiration date of
 principals created in this realm.  The default value is 0, which
 means no expiration date.
 .TP
-.B \fBdefault_principal_flags\fP
+\fBdefault_principal_flags\fP
 (Flag string.)  Specifies the default attributes of principals
 created in this realm.  The format for this string is a
 comma\-separated list of flags, with \(aq+\(aq before each flag that
@@ -179,42 +179,42 @@ disabled.  The \fBpostdateable\fP, \fBforwardable\fP, \fBtgt\-based\fP,
 There are a number of possible flags:
 .INDENT 7.0
 .TP
-.B \fBallow\-tickets\fP
+\fBallow\-tickets\fP
 Enabling this flag means that the KDC will issue tickets for
 this principal.  Disabling this flag essentially deactivates
 the principal within this realm.
 .TP
-.B \fBdup\-skey\fP
+\fBdup\-skey\fP
 Enabling this flag allows the principal to obtain a session
 key for another user, permitting user\-to\-user authentication
 for this principal.
 .TP
-.B \fBforwardable\fP
+\fBforwardable\fP
 Enabling this flag allows the principal to obtain forwardable
 tickets.
 .TP
-.B \fBhwauth\fP
+\fBhwauth\fP
 If this flag is enabled, then the principal is required to
 preauthenticate using a hardware device before receiving any
 tickets.
 .TP
-.B \fBno\-auth\-data\-required\fP
+\fBno\-auth\-data\-required\fP
 Enabling this flag prevents PAC or AD\-SIGNEDPATH data from
 being added to service tickets for the principal.
 .TP
-.B \fBok\-as\-delegate\fP
+\fBok\-as\-delegate\fP
 If this flag is enabled, it hints the client that credentials
 can and should be delegated when authenticating to the
 service.
 .TP
-.B \fBok\-to\-auth\-as\-delegate\fP
+\fBok\-to\-auth\-as\-delegate\fP
 Enabling this flag allows the principal to use S4USelf tickets.
 .TP
-.B \fBpostdateable\fP
+\fBpostdateable\fP
 Enabling this flag allows the principal to obtain postdateable
 tickets.
 .TP
-.B \fBpreauth\fP
+\fBpreauth\fP
 If this flag is enabled on a client principal, then that
 principal is required to preauthenticate to the KDC before
 receiving any tickets.  On a service principal, enabling this
@@ -222,15 +222,15 @@ flag means that service tickets for this principal will only
 be issued to clients with a TGT that has the preauthenticated
 bit set.
 .TP
-.B \fBproxiable\fP
+\fBproxiable\fP
 Enabling this flag allows the principal to obtain proxy
 tickets.
 .TP
-.B \fBpwchange\fP
+\fBpwchange\fP
 Enabling this flag forces a password change for this
 principal.
 .TP
-.B \fBpwservice\fP
+\fBpwservice\fP
 If this flag is enabled, it marks this principal as a password
 change service.  This should only be used in special cases,
 for example, if a user\(aqs password has expired, then the user
@@ -238,49 +238,49 @@ has to get tickets for that principal without going through
 the normal password authentication in order to be able to
 change the password.
 .TP
-.B \fBrenewable\fP
+\fBrenewable\fP
 Enabling this flag allows the principal to obtain renewable
 tickets.
 .TP
-.B \fBservice\fP
+\fBservice\fP
 Enabling this flag allows the the KDC to issue service tickets
 for this principal.
 .TP
-.B \fBtgt\-based\fP
+\fBtgt\-based\fP
 Enabling this flag allows a principal to obtain tickets based
 on a ticket\-granting\-ticket, rather than repeating the
 authentication process that was used to obtain the TGT.
 .UNINDENT
 .TP
-.B \fBdict_file\fP
+\fBdict_file\fP
 (String.)  Location of the dictionary file containing strings that
 are not allowed as passwords.  The file should contain one string
 per line, with no additional whitespace.  If none is specified or
 if there is no policy assigned to the principal, no dictionary
 checks of passwords will be performed.
 .TP
-.B \fBhost_based_services\fP
+\fBhost_based_services\fP
 (Whitespace\- or comma\-separated list.)  Lists services which will
 get host\-based referral processing even if the server principal is
 not marked as host\-based by the client.
 .TP
-.B \fBiprop_enable\fP
+\fBiprop_enable\fP
 (Boolean value.)  Specifies whether incremental database
 propagation is enabled.  The default value is false.
 .TP
-.B \fBiprop_master_ulogsize\fP
+\fBiprop_master_ulogsize\fP
 (Integer.)  Specifies the maximum number of log entries to be
 retained for incremental propagation.  The default value is 1000.
 Prior to release 1.11, the maximum value was 2500.
 .TP
-.B \fBiprop_slave_poll\fP
+\fBiprop_slave_poll\fP
 (Delta time string.)  Specifies how often the slave KDC polls for
 new updates from the master.  The default value is \fB2m\fP (that
 is, two minutes).
 .TP
-.B \fBiprop_listen\fP
+\fBiprop_listen\fP
 (Whitespace\- or comma\-separated list.)  Specifies the iprop RPC
-listening addresses and/or ports for the \fIkadmind(8)\fP daemon.
+listening addresses and/or ports for the kadmind(8) daemon.
 Each entry may be an interface address, a port number, or an
 address and port number separated by a colon.  If the address
 contains colons, enclose it in square brackets.  If no address is
@@ -290,22 +290,22 @@ default (when \fBiprop_enable\fP is true) is to bind to the wildcard
 address at the port specified in \fBiprop_port\fP\&.  New in release
 1.15.
 .TP
-.B \fBiprop_port\fP
+\fBiprop_port\fP
 (Port number.)  Specifies the port number to be used for
 incremental propagation.  When \fBiprop_enable\fP is true, this
 relation is required in the slave configuration file, and this
 relation or \fBiprop_listen\fP is required in the master
 configuration file, as there is no default port number.  Port
 numbers specified in \fBiprop_listen\fP entries will override this
-port number for the \fIkadmind(8)\fP daemon.
+port number for the kadmind(8) daemon.
 .TP
-.B \fBiprop_resync_timeout\fP
+\fBiprop_resync_timeout\fP
 (Delta time string.)  Specifies the amount of time to wait for a
 full propagation to complete.  This is optional in configuration
 files, and is used by slave KDCs only.  The default value is 5
 minutes (\fB5m\fP).  New in release 1.11.
 .TP
-.B \fBiprop_logfile\fP
+\fBiprop_logfile\fP
 (File name.)  Specifies where the update log file for the realm
 database is to be stored.  The default is to use the
 \fBdatabase_name\fP entry from the realms section of the krb5 config
@@ -316,9 +316,9 @@ back end is being used, or the file name is specified in the
 \fBdatabase_name\fP is used.  Determination of the \fBiprop_logfile\fP
 default value will not use values from the [dbmodules] section.)
 .TP
-.B \fBkadmind_listen\fP
+\fBkadmind_listen\fP
 (Whitespace\- or comma\-separated list.)  Specifies the kadmin RPC
-listening addresses and/or ports for the \fIkadmind(8)\fP daemon.
+listening addresses and/or ports for the kadmind(8) daemon.
 Each entry may be an interface address, a port number, or an
 address and port number separated by a colon.  If the address
 contains colons, enclose it in square brackets.  If no address is
@@ -328,19 +328,19 @@ default is to bind to the wildcard address at the port specified
 in \fBkadmind_port\fP, or the standard kadmin port (749).  New in
 release 1.15.
 .TP
-.B \fBkadmind_port\fP
-(Port number.)  Specifies the port on which the \fIkadmind(8)\fP
+\fBkadmind_port\fP
+(Port number.)  Specifies the port on which the kadmind(8)
 daemon is to listen for this realm.  Port numbers specified in
 \fBkadmind_listen\fP entries will override this port number.  The
 assigned port for kadmind is 749, which is used by default.
 .TP
-.B \fBkey_stash_file\fP
+\fBkey_stash_file\fP
 (String.)  Specifies the location where the master key has been
 stored (via kdb5_util stash).  The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm.
 .TP
-.B \fBkdc_listen\fP
+\fBkdc_listen\fP
 (Whitespace\- or comma\-separated list.)  Specifies the UDP
-listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon.
+listening addresses and/or ports for the krb5kdc(8) daemon.
 Each entry may be an interface address, a port number, or an
 address and port number separated by a colon.  If the address
 contains colons, enclose it in square brackets.  If no address is
@@ -350,16 +350,16 @@ to any of the specified addresses, it will fail to start.  The
 default is to bind to the wildcard address on the standard port.
 New in release 1.15.
 .TP
-.B \fBkdc_ports\fP
+\fBkdc_ports\fP
 (Whitespace\- or comma\-separated list, deprecated.)  Prior to
 release 1.15, this relation lists the ports for the
-\fIkrb5kdc(8)\fP daemon to listen on for UDP requests.  In
+krb5kdc(8) daemon to listen on for UDP requests.  In
 release 1.15 and later, it has the same meaning as \fBkdc_listen\fP
 if that relation is not defined.
 .TP
-.B \fBkdc_tcp_listen\fP
+\fBkdc_tcp_listen\fP
 (Whitespace\- or comma\-separated list.)  Specifies the TCP
-listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon.
+listening addresses and/or ports for the krb5kdc(8) daemon.
 Each entry may be an interface address, a port number, or an
 address and port number separated by a colon.  If the address
 contains colons, enclose it in square brackets.  If no address is
@@ -370,16 +370,16 @@ If the KDC daemon fails to bind to any of the specified addresses,
 it will fail to start.  The default is to bind to the wildcard
 address on the standard port.  New in release 1.15.
 .TP
-.B \fBkdc_tcp_ports\fP
+\fBkdc_tcp_ports\fP
 (Whitespace\- or comma\-separated list, deprecated.)  Prior to
 release 1.15, this relation lists the ports for the
-\fIkrb5kdc(8)\fP daemon to listen on for UDP requests.  In
+krb5kdc(8) daemon to listen on for UDP requests.  In
 release 1.15 and later, it has the same meaning as
 \fBkdc_tcp_listen\fP if that relation is not defined.
 .TP
-.B \fBkpasswd_listen\fP
+\fBkpasswd_listen\fP
 (Comma\-separated list.)  Specifies the kpasswd listening addresses
-and/or ports for the \fIkadmind(8)\fP daemon.  Each entry may be
+and/or ports for the kadmind(8) daemon.  Each entry may be
 an interface address, a port number, or an address and port number
 separated by a colon.  If the address contains colons, enclose it
 in square brackets.  If no address is specified, the wildcard
@@ -388,51 +388,51 @@ addresses, it will fail to start.  The default is to bind to the
 wildcard address at the port specified in \fBkpasswd_port\fP, or the
 standard kpasswd port (464).  New in release 1.15.
 .TP
-.B \fBkpasswd_port\fP
-(Port number.)  Specifies the port on which the \fIkadmind(8)\fP
+\fBkpasswd_port\fP
+(Port number.)  Specifies the port on which the kadmind(8)
 daemon is to listen for password change requests for this realm.
 Port numbers specified in \fBkpasswd_listen\fP entries will override
 this port number.  The assigned port for password change requests
 is 464, which is used by default.
 .TP
-.B \fBmaster_key_name\fP
+\fBmaster_key_name\fP
 (String.)  Specifies the name of the principal associated with the
 master key.  The default is \fBK/M\fP\&.
 .TP
-.B \fBmaster_key_type\fP
+\fBmaster_key_type\fP
 (Key type string.)  Specifies the master key\(aqs key type.  The
 default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP\&.  For a list of all possible
 values, see \fI\%Encryption types\fP\&.
 .TP
-.B \fBmax_life\fP
-(\fIduration\fP string.)  Specifies the maximum time period for
+\fBmax_life\fP
+(duration string.)  Specifies the maximum time period for
 which a ticket may be valid in this realm.  The default value is
 24 hours.
 .TP
-.B \fBmax_renewable_life\fP
-(\fIduration\fP string.)  Specifies the maximum time period
+\fBmax_renewable_life\fP
+(duration string.)  Specifies the maximum time period
 during which a valid ticket may be renewed in this realm.
 The default value is 0.
 .TP
-.B \fBno_host_referral\fP
+\fBno_host_referral\fP
 (Whitespace\- or comma\-separated list.)  Lists services to block
 from getting host\-based referral processing, even if the client
 marks the server principal as host\-based or the service is also
 listed in \fBhost_based_services\fP\&.  \fBno_host_referral = *\fP will
 disable referral processing altogether.
 .TP
-.B \fBdes_crc_session_supported\fP
+\fBdes_crc_session_supported\fP
 (Boolean value).  If set to true, the KDC will assume that service
 principals support des\-cbc\-crc for session key enctype negotiation
-purposes.  If \fBallow_weak_crypto\fP in \fIlibdefaults\fP is
+purposes.  If \fBallow_weak_crypto\fP in libdefaults is
 false, or if des\-cbc\-crc is not a permitted enctype, then this
 variable has no effect.  Defaults to true.  New in release 1.11.
 .TP
-.B \fBreject_bad_transit\fP
+\fBreject_bad_transit\fP
 (Boolean value.)  If set to true, the KDC will check the list of
 transited realms for cross\-realm tickets against the transit path
 computed from the realm names and the capaths section of its
-\fIkrb5.conf(5)\fP file; if the path in the ticket to be issued
+krb5.conf(5) file; if the path in the ticket to be issued
 contains any realms not in the computed path, the ticket will not
 be issued, and an error will be returned to the client instead.
 If this value is set to false, such tickets will be issued
@@ -449,7 +449,7 @@ only to TGS requests.
 .sp
 The default value is true.
 .TP
-.B \fBrestrict_anonymous_to_tgt\fP
+\fBrestrict_anonymous_to_tgt\fP
 (Boolean value.)  If set to true, the KDC will reject ticket
 requests from anonymous principals to service principals other
 than the realm\(aqs ticket\-granting service.  This option allows
@@ -457,10 +457,10 @@ anonymous PKINIT to be enabled for use as FAST armor tickets
 without allowing anonymous authentication to services.  The
 default value is false.  New in release 1.9.
 .TP
-.B \fBsupported_enctypes\fP
+\fBsupported_enctypes\fP
 (List of \fIkey\fP:\fIsalt\fP strings.)  Specifies the default key/salt
 combinations of principals for this realm.  Any principals created
-through \fIkadmin(1)\fP will have keys of these types.  The
+through kadmin(1) will have keys of these types.  The
 default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP\&.  For lists of
 possible values, see \fI\%Keysalt lists\fP\&.
 .UNINDENT
@@ -524,16 +524,16 @@ define one database parameter for the ATHENA.MIT.EDU realm:
 The following tags may be specified in a [dbmodules] subsection:
 .INDENT 0.0
 .TP
-.B \fBdatabase_name\fP
+\fBdatabase_name\fP
 This DB2\-specific tag indicates the location of the database in
 the filesystem.  The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&.
 .TP
-.B \fBdb_library\fP
+\fBdb_library\fP
 This tag indicates the name of the loadable database module.  The
 value should be \fBdb2\fP for the DB2 module and \fBkldap\fP for the
 LDAP module.
 .TP
-.B \fBdisable_last_success\fP
+\fBdisable_last_success\fP
 If set to \fBtrue\fP, suppresses KDC updates to the "Last successful
 authentication" field of principal entries requiring
 preauthentication.  Setting this flag may improve performance.
@@ -541,21 +541,21 @@ preauthentication.  Setting this flag may improve performance.
 update the "Last successful authentication" field.).  First
 introduced in release 1.9.
 .TP
-.B \fBdisable_lockout\fP
+\fBdisable_lockout\fP
 If set to \fBtrue\fP, suppresses KDC updates to the "Last failed
 authentication" and "Failed password attempts" fields of principal
 entries requiring preauthentication.  Setting this flag may
 improve performance, but also disables account lockout.  First
 introduced in release 1.9.
 .TP
-.B \fBldap_conns_per_server\fP
+\fBldap_conns_per_server\fP
 This LDAP\-specific tag indicates the number of connections to be
 maintained per LDAP server.
 .TP
-.B \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP
+\fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP
 These LDAP\-specific tags indicate the default DN for binding to
-the LDAP server.  The \fIkrb5kdc(8)\fP daemon uses
-\fBldap_kdc_dn\fP, while the \fIkadmind(8)\fP daemon and other
+the LDAP server.  The krb5kdc(8) daemon uses
+\fBldap_kdc_dn\fP, while the kadmind(8) daemon and other
 administrative programs use \fBldap_kadmind_dn\fP\&.  The kadmind DN
 must have the rights to read and write the Kerberos data in the
 LDAP database.  The KDC DN must have the same rights, unless
@@ -564,12 +564,12 @@ which case it only needs to have rights to read the Kerberos data.
 These tags are ignored if a SASL mechanism is set with
 \fBldap_kdc_sasl_mech\fP or \fBldap_kadmind_sasl_mech\fP\&.
 .TP
-.B \fBldap_kdc_sasl_mech\fP and \fBldap_kadmind_sasl_mech\fP
+\fBldap_kdc_sasl_mech\fP and \fBldap_kadmind_sasl_mech\fP
 These LDAP\-specific tags specify the SASL mechanism (such as
 \fBEXTERNAL\fP) to use when binding to the LDAP server.  New in
 release 1.13.
 .TP
-.B \fBldap_kdc_sasl_authcid\fP and \fBldap_kadmind_sasl_authcid\fP
+\fBldap_kdc_sasl_authcid\fP and \fBldap_kadmind_sasl_authcid\fP
 These LDAP\-specific tags specify the SASL authentication identity
 to use when binding to the LDAP server.  Not all SASL mechanisms
 require an authentication identity.  If the SASL mechanism
@@ -578,35 +578,35 @@ tags also determine the name within the
 \fBldap_service_password_file\fP where the secret is stashed.  New
 in release 1.13.
 .TP
-.B \fBldap_kdc_sasl_authzid\fP and \fBldap_kadmind_sasl_authzid\fP
+\fBldap_kdc_sasl_authzid\fP and \fBldap_kadmind_sasl_authzid\fP
 These LDAP\-specific tags specify the SASL authorization identity
 to use when binding to the LDAP server.  In most circumstances
 they do not need to be specified.  New in release 1.13.
 .TP
-.B \fBldap_kdc_sasl_realm\fP and \fBldap_kadmind_sasl_realm\fP
+\fBldap_kdc_sasl_realm\fP and \fBldap_kadmind_sasl_realm\fP
 These LDAP\-specific tags specify the SASL realm to use when
 binding to the LDAP server.  In most circumstances they do not
 need to be set.  New in release 1.13.
 .TP
-.B \fBldap_kerberos_container_dn\fP
+\fBldap_kerberos_container_dn\fP
 This LDAP\-specific tag indicates the DN of the container object
 where the realm objects will be located.
 .TP
-.B \fBldap_servers\fP
+\fBldap_servers\fP
 This LDAP\-specific tag indicates the list of LDAP servers that the
 Kerberos servers can connect to.  The list of LDAP servers is
 whitespace\-separated.  The LDAP server is specified by a LDAP URI.
 It is recommended to use \fBldapi:\fP or \fBldaps:\fP URLs to connect
 to the LDAP server.
 .TP
-.B \fBldap_service_password_file\fP
+\fBldap_service_password_file\fP
 This LDAP\-specific tag indicates the file containing the stashed
 passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the
 \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP objects, or for the
 \fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP names
 for SASL authentication.  This file must be kept secure.
 .TP
-.B \fBunlockiter\fP
+\fBunlockiter\fP
 If set to \fBtrue\fP, this DB2\-specific tag causes iteration
 operations to release the database lock while processing each
 principal.  Setting this flag to \fBtrue\fP can prevent extended
@@ -618,28 +618,28 @@ The following tag may be specified directly in the [dbmodules]
 section to control where database modules are loaded from:
 .INDENT 0.0
 .TP
-.B \fBdb_module_dir\fP
+\fBdb_module_dir\fP
 This tag controls where the plugin system looks for database
 modules.  The value should be an absolute path.
 .UNINDENT
 .SS [logging]
 .sp
-The [logging] section indicates how \fIkrb5kdc(8)\fP and
-\fIkadmind(8)\fP perform logging.  It may contain the following
+The [logging] section indicates how krb5kdc(8) and
+kadmind(8) perform logging.  It may contain the following
 relations:
 .INDENT 0.0
 .TP
-.B \fBadmin_server\fP
-Specifies how \fIkadmind(8)\fP performs logging.
+\fBadmin_server\fP
+Specifies how kadmind(8) performs logging.
 .TP
-.B \fBkdc\fP
-Specifies how \fIkrb5kdc(8)\fP performs logging.
+\fBkdc\fP
+Specifies how krb5kdc(8) performs logging.
 .TP
-.B \fBdefault\fP
+\fBdefault\fP
 Specifies how either daemon performs logging in the absence of
 relations specific to the daemon.
 .TP
-.B \fBdebug\fP
+\fBdebug\fP
 (Boolean value.)  Specifies whether debugging messages are
 included in log outputs other than SYSLOG.  Debugging messages are
 always included in the system log output because syslog performs
@@ -650,24 +650,24 @@ release 1.15.
 Logging specifications may have the following forms:
 .INDENT 0.0
 .TP
-.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
+\fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
 This value causes the daemon\(aqs logging messages to go to the
 \fIfilename\fP\&.  If the \fB=\fP form is used, the file is overwritten.
 If the \fB:\fP form is used, the file is appended to.
 .TP
-.B \fBSTDERR\fP
+\fBSTDERR\fP
 This value causes the daemon\(aqs logging messages to go to its
 standard error stream.
 .TP
-.B \fBCONSOLE\fP
+\fBCONSOLE\fP
 This value causes the daemon\(aqs logging messages to go to the
 console, if the system supports it.
 .TP
-.B \fBDEVICE=\fP\fI<devicename>\fP
+\fBDEVICE=\fP\fI<devicename>\fP
 This causes the daemon\(aqs logging messages to go to the specified
 device.
 .TP
-.B \fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]]
+\fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]]
 This causes the daemon\(aqs logging messages to go to the system log.
 .sp
 The severity argument specifies the default severity of system log
@@ -714,13 +714,13 @@ One Time Password request to a RADIUS server.
 For each token type, the following tags may be specified:
 .INDENT 0.0
 .TP
-.B \fBserver\fP
+\fBserver\fP
 This is the server to send the RADIUS request to.  It can be a
 hostname with optional port, an ip address with optional port, or
 a Unix domain socket address.  The default is
 \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/<name>.socket\fP\&.
 .TP
-.B \fBsecret\fP
+\fBsecret\fP
 This tag indicates a filename (which may be relative to \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP)
 containing the secret used to encrypt the RADIUS packets.  The
 secret should appear in the first line of the file by itself;
@@ -729,22 +729,22 @@ the value of \fBserver\fP is a Unix domain socket address, this tag
 is optional, and an empty secret will be used if it is not
 specified.  Otherwise, this tag is required.
 .TP
-.B \fBtimeout\fP
+\fBtimeout\fP
 An integer which specifies the time in seconds during which the
 KDC should attempt to contact the RADIUS server.  This tag is the
 total time across all retries and should be less than the time
 which an OTP value remains valid for.  The default is 5 seconds.
 .TP
-.B \fBretries\fP
+\fBretries\fP
 This tag specifies the number of retries to make to the RADIUS
 server.  The default is 3 retries (4 tries).
 .TP
-.B \fBstrip_realm\fP
+\fBstrip_realm\fP
 If this tag is \fBtrue\fP, the principal without the realm will be
 passed to the RADIUS server.  Otherwise, the realm will be
 included.  The default value is \fBtrue\fP\&.
 .TP
-.B \fBindicator\fP
+\fBindicator\fP
 This tag specifies an authentication indicator to be included in
 the ticket if this token type is used to authenticate.  This
 option may be specified multiple times.  (New in release 1.14.)
@@ -830,21 +830,21 @@ generic value in the [kdcdefaults] section:
 .UNINDENT
 .sp
 For information about the syntax of some of these options, see
-\fISpecifying PKINIT identity information\fP in
-\fIkrb5.conf(5)\fP\&.
+Specifying PKINIT identity information in
+krb5.conf(5)\&.
 .INDENT 0.0
 .TP
-.B \fBpkinit_anchors\fP
+\fBpkinit_anchors\fP
 Specifies the location of trusted anchor (root) certificates which
 the KDC trusts to sign client certificates.  This option is
 required if pkinit is to be supported by the KDC.  This option may
 be specified multiple times.
 .TP
-.B \fBpkinit_dh_min_bits\fP
+\fBpkinit_dh_min_bits\fP
 Specifies the minimum number of bits the KDC is willing to accept
 for a client\(aqs Diffie\-Hellman key.  The default is 2048.
 .TP
-.B \fBpkinit_allow_upn\fP
+\fBpkinit_allow_upn\fP
 Specifies that the KDC is willing to accept client certificates
 with the Microsoft UserPrincipalName (UPN) Subject Alternative
 Name (SAN).  This means the KDC accepts the binding of the UPN in
@@ -855,52 +855,52 @@ Without this option, the KDC will only accept certificates with
 the id\-pkinit\-san as defined in \fI\%RFC 4556\fP\&.  There is currently
 no option to disable SAN checking in the KDC.
 .TP
-.B \fBpkinit_eku_checking\fP
+\fBpkinit_eku_checking\fP
 This option specifies what Extended Key Usage (EKU) values the KDC
 is willing to accept in client certificates.  The values
 recognized in the kdc.conf file are:
 .INDENT 7.0
 .TP
-.B \fBkpClientAuth\fP
+\fBkpClientAuth\fP
 This is the default value and specifies that client
 certificates must have the id\-pkinit\-KPClientAuth EKU as
 defined in \fI\%RFC 4556\fP\&.
 .TP
-.B \fBscLogin\fP
+\fBscLogin\fP
 If scLogin is specified, client certificates with the
 Microsoft Smart Card Login EKU (id\-ms\-kp\-sc\-logon) will be
 accepted.
 .TP
-.B \fBnone\fP
+\fBnone\fP
 If none is specified, then client certificates will not be
 checked to verify they have an acceptable EKU.  The use of
 this option is not recommended.
 .UNINDENT
 .TP
-.B \fBpkinit_identity\fP
+\fBpkinit_identity\fP
 Specifies the location of the KDC\(aqs X.509 identity information.
 This option is required if pkinit is to be supported by the KDC.
 .TP
-.B \fBpkinit_indicator\fP
+\fBpkinit_indicator\fP
 Specifies an authentication indicator to include in the ticket if
 pkinit is used to authenticate.  This option may be specified
 multiple times.  (New in release 1.14.)
 .TP
-.B \fBpkinit_kdc_ocsp\fP
+\fBpkinit_kdc_ocsp\fP
 Specifies the location of the KDC\(aqs OCSP.
 .TP
-.B \fBpkinit_pool\fP
+\fBpkinit_pool\fP
 Specifies the location of intermediate certificates which may be
 used by the KDC to complete the trust chain between a client\(aqs
 certificate and a trusted anchor.  This option may be specified
 multiple times.
 .TP
-.B \fBpkinit_revoke\fP
+\fBpkinit_revoke\fP
 Specifies the location of Certificate Revocation List (CRL)
 information to be used by the KDC when verifying the validity of
 client certificates.  This option may be specified multiple times.
 .TP
-.B \fBpkinit_require_crl_checking\fP
+\fBpkinit_require_crl_checking\fP
 The default certificate verification process will always check the
 available revocation information to see if a certificate has been
 revoked.  If a match is found for the certificate in a CRL,
@@ -1187,7 +1187,7 @@ Here\(aqs an example of a kdc.conf file:
 \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kdc.conf\fP
 .SH SEE ALSO
 .sp
-\fIkrb5.conf(5)\fP, \fIkrb5kdc(8)\fP, \fIkadm5.acl(5)\fP
+krb5.conf(5), krb5kdc(8), kadm5.acl(5)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index 7632e79..0ee8e94 100644
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -45,15 +45,15 @@ credentials cache is destroyed.
 .SH OPTIONS
 .INDENT 0.0
 .TP
-.B \fB\-A\fP
+\fB\-A\fP
 Destroys all caches in the collection, if a cache collection is
 available.
 .TP
-.B \fB\-q\fP
+\fB\-q\fP
 Run quietly.  Normally kdestroy beeps if it fails to destroy the
 user\(aqs tickets.  The \fB\-q\fP flag suppresses this behavior.
 .TP
-.B \fB\-c\fP \fIcache_name\fP
+\fB\-c\fP \fIcache_name\fP
 Use \fIcache_name\fP as the credentials (ticket) cache name and
 location; if this option is not used, the default cache name and
 location are used.
@@ -72,7 +72,7 @@ when you log out.
 kdestroy uses the following environment variable:
 .INDENT 0.0
 .TP
-.B \fBKRB5CCNAME\fP
+\fBKRB5CCNAME\fP
 Location of the default Kerberos 5 credentials (ticket) cache, in
 the form \fItype\fP:\fIresidual\fP\&.  If no \fItype\fP prefix is present, the
 \fBFILE\fP type is assumed.  The type of the default cache may
@@ -88,7 +88,7 @@ Default location of Kerberos 5 credentials cache
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIkinit(1)\fP, \fIklist(1)\fP
+kinit(1), klist(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 4929802..8fcc9eb 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -63,11 +63,11 @@ choice of principal name.
 .SH OPTIONS
 .INDENT 0.0
 .TP
-.B \fB\-V\fP
+\fB\-V\fP
 display verbose output.
 .TP
-.B \fB\-l\fP \fIlifetime\fP
-(\fIduration\fP string.)  Requests a ticket with the lifetime
+\fB\-l\fP \fIlifetime\fP
+(duration string.)  Requests a ticket with the lifetime
 \fIlifetime\fP\&.
 .sp
 For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP\&.
@@ -77,62 +77,62 @@ If the \fB\-l\fP option is not specified, the default ticket lifetime
 longer than the maximum ticket lifetime (configured by each site)
 will not override the configured maximum ticket lifetime.
 .TP
-.B \fB\-s\fP \fIstart_time\fP
-(\fIduration\fP string.)  Requests a postdated ticket.  Postdated
+\fB\-s\fP \fIstart_time\fP
+(duration string.)  Requests a postdated ticket.  Postdated
 tickets are issued with the \fBinvalid\fP flag set, and need to be
 resubmitted to the KDC for validation before use.
 .sp
 \fIstart_time\fP specifies the duration of the delay before the ticket
 can become valid.
 .TP
-.B \fB\-r\fP \fIrenewable_life\fP
-(\fIduration\fP string.)  Requests renewable tickets, with a total
+\fB\-r\fP \fIrenewable_life\fP
+(duration string.)  Requests renewable tickets, with a total
 lifetime of \fIrenewable_life\fP\&.
 .TP
-.B \fB\-f\fP
+\fB\-f\fP
 requests forwardable tickets.
 .TP
-.B \fB\-F\fP
+\fB\-F\fP
 requests non\-forwardable tickets.
 .TP
-.B \fB\-p\fP
+\fB\-p\fP
 requests proxiable tickets.
 .TP
-.B \fB\-P\fP
+\fB\-P\fP
 requests non\-proxiable tickets.
 .TP
-.B \fB\-a\fP
+\fB\-a\fP
 requests tickets restricted to the host\(aqs local address[es].
 .TP
-.B \fB\-A\fP
+\fB\-A\fP
 requests tickets not restricted by address.
 .TP
-.B \fB\-C\fP
+\fB\-C\fP
 requests canonicalization of the principal name, and allows the
 KDC to reply with a different client principal from the one
 requested.
 .TP
-.B \fB\-E\fP
+\fB\-E\fP
 treats the principal name as an enterprise name (implies the
 \fB\-C\fP option).
 .TP
-.B \fB\-v\fP
+\fB\-v\fP
 requests that the ticket\-granting ticket in the cache (with the
 \fBinvalid\fP flag set) be passed to the KDC for validation.  If the
 ticket is within its requested time range, the cache is replaced
 with the validated ticket.
 .TP
-.B \fB\-R\fP
+\fB\-R\fP
 requests renewal of the ticket\-granting ticket.  Note that an
 expired ticket cannot be renewed, even if the ticket is still
 within its renewable life.
 .sp
 Note that renewable tickets that have expired as reported by
-\fIklist(1)\fP may sometimes be renewed using this option,
+klist(1) may sometimes be renewed using this option,
 because the KDC applies a grace period to account for client\-KDC
-clock skew.  See \fIkrb5.conf(5)\fP \fBclockskew\fP setting.
+clock skew.  See krb5.conf(5) \fBclockskew\fP setting.
 .TP
-.B \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP]
+\fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP]
 requests a ticket, obtained from a key in the local host\(aqs keytab.
 The location of the keytab may be specified with the \fB\-t\fP
 \fIkeytab_file\fP option, or with the \fB\-i\fP option to specify the use
@@ -144,12 +144,12 @@ the KDC database and look up the key directly.  This permits an
 administrator to obtain tickets as any principal that supports
 authentication based on the key.
 .TP
-.B \fB\-n\fP
+\fB\-n\fP
 Requests anonymous processing.  Two types of anonymous principals
 are supported.
 .sp
 For fully anonymous Kerberos, configure pkinit on the KDC and
-configure \fBpkinit_anchors\fP in the client\(aqs \fIkrb5.conf(5)\fP\&.
+configure \fBpkinit_anchors\fP in the client\(aqs krb5.conf(5)\&.
 Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP
 (an empty principal name followed by the at\-sign and a realm
 name).  If permitted by the KDC, an anonymous ticket will be
@@ -177,7 +177,7 @@ preselecting the same methods of authenticating to the KDC.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \fB\-T\fP \fIarmor_ccache\fP
+\fB\-T\fP \fIarmor_ccache\fP
 Specifies the name of a credentials cache that already contains a
 ticket.  If supported by the KDC, this cache will be used to armor
 the request, preventing offline dictionary attacks and allowing
@@ -185,7 +185,7 @@ the use of additional preauthentication mechanisms.  Armoring also
 makes sure that the response from the KDC is not modified in
 transit.
 .TP
-.B \fB\-c\fP \fIcache_name\fP
+\fB\-c\fP \fIcache_name\fP
 use \fIcache_name\fP as the Kerberos 5 credentials (ticket) cache
 location.  If this option is not used, the default cache location
 is used.
@@ -199,11 +199,11 @@ principal is selected or a new one is created and becomes the new
 primary cache.  Otherwise, any existing contents of the default
 cache are destroyed by kinit.
 .TP
-.B \fB\-S\fP \fIservice_name\fP
+\fB\-S\fP \fIservice_name\fP
 specify an alternate service name to use when getting initial
 tickets.
 .TP
-.B \fB\-X\fP \fIattribute\fP[=\fIvalue\fP]
+\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]
 specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be
 interpreted by pre\-authentication modules.  The acceptable
 attribute and value values vary from module to module.  This
@@ -214,13 +214,13 @@ The following attributes are recognized by the PKINIT
 pre\-authentication mechanism:
 .INDENT 7.0
 .TP
-.B \fBX509_user_identity\fP=\fIvalue\fP
+\fBX509_user_identity\fP=\fIvalue\fP
 specify where to find user\(aqs X509 identity information
 .TP
-.B \fBX509_anchors\fP=\fIvalue\fP
+\fBX509_anchors\fP=\fIvalue\fP
 specify where to find trusted X509 anchor information
 .TP
-.B \fBflag_RSA_PROTOCOL\fP[\fB=yes\fP]
+\fBflag_RSA_PROTOCOL\fP[\fB=yes\fP]
 specify use of RSA, rather than the default Diffie\-Hellman
 protocol
 .UNINDENT
@@ -230,7 +230,7 @@ protocol
 kinit uses the following environment variables:
 .INDENT 0.0
 .TP
-.B \fBKRB5CCNAME\fP
+\fBKRB5CCNAME\fP
 Location of the default Kerberos 5 credentials cache, in the form
 \fItype\fP:\fIresidual\fP\&.  If no \fItype\fP prefix is present, the \fBFILE\fP
 type is assumed.  The type of the default cache may determine the
@@ -249,7 +249,7 @@ default location for the local host\(aqs keytab.
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIklist(1)\fP, \fIkdestroy(1)\fP, kerberos(1)
+klist(1), kdestroy(1), kerberos(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/klist.man b/src/man/klist.man
index 863d221..edde6ce 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -46,24 +46,24 @@ credentials cache, or the keys held in a keytab file.
 .SH OPTIONS
 .INDENT 0.0
 .TP
-.B \fB\-e\fP
+\fB\-e\fP
 Displays the encryption types of the session key and the ticket
 for each credential in the credential cache, or each key in the
 keytab file.
 .TP
-.B \fB\-l\fP
+\fB\-l\fP
 If a cache collection is available, displays a table summarizing
 the caches present in the collection.
 .TP
-.B \fB\-A\fP
+\fB\-A\fP
 If a cache collection is available, displays the contents of all
 of the caches in the collection.
 .TP
-.B \fB\-c\fP
+\fB\-c\fP
 List tickets held in a credentials cache. This is the default if
 neither \fB\-c\fP nor \fB\-k\fP is specified.
 .TP
-.B \fB\-f\fP
+\fB\-f\fP
 Shows the flags present in the credentials, using the following
 abbreviations:
 .INDENT 7.0
@@ -90,39 +90,39 @@ a    anonymous
 .UNINDENT
 .UNINDENT
 .TP
-.B \fB\-s\fP
+\fB\-s\fP
 Causes klist to run silently (produce no output).  klist will exit
 with status 1 if the credentials cache cannot be read or is
 expired, and with status 0 otherwise.
 .TP
-.B \fB\-a\fP
+\fB\-a\fP
 Display list of addresses in credentials.
 .TP
-.B \fB\-n\fP
+\fB\-n\fP
 Show numeric addresses instead of reverse\-resolving addresses.
 .TP
-.B \fB\-C\fP
+\fB\-C\fP
 List configuration data that has been stored in the credentials
 cache when klist encounters it.  By default, configuration data
 is not listed.
 .TP
-.B \fB\-k\fP
+\fB\-k\fP
 List keys held in a keytab file.
 .TP
-.B \fB\-i\fP
+\fB\-i\fP
 In combination with \fB\-k\fP, defaults to using the default client
 keytab instead of the default acceptor keytab, if no name is
 given.
 .TP
-.B \fB\-t\fP
+\fB\-t\fP
 Display the time entry timestamps for each keytab entry in the
 keytab file.
 .TP
-.B \fB\-K\fP
+\fB\-K\fP
 Display the value of the encryption key in each keytab entry in
 the keytab file.
 .TP
-.B \fB\-V\fP
+\fB\-V\fP
 Display the Kerberos version number and exit.
 .UNINDENT
 .sp
@@ -135,7 +135,7 @@ value is used to locate the default ticket cache.
 klist uses the following environment variable:
 .INDENT 0.0
 .TP
-.B \fBKRB5CCNAME\fP
+\fBKRB5CCNAME\fP
 Location of the default Kerberos 5 credentials (ticket) cache, in
 the form \fItype\fP:\fIresidual\fP\&.  If no \fItype\fP prefix is present, the
 \fBFILE\fP type is assumed.  The type of the default cache may
@@ -154,7 +154,7 @@ Default location for the local host\(aqs keytab file.
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIkinit(1)\fP, \fIkdestroy(1)\fP
+kinit(1), kdestroy(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index 63c986e..a0895fc 100644
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -55,7 +55,7 @@ identity of the user invoking the kpasswd command.
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIkadmin(1)\fP, \fIkadmind(8)\fP
+kadmin(1), kadmind(8)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/kprop.man b/src/man/kprop.man
index 1e960db..9e161f4 100644
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -44,26 +44,26 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 kprop is used to securely propagate a Kerberos V5 database dump file
 from the master Kerberos server to a slave Kerberos server, which is
 specified by \fIslave_host\fP\&.  The dump file must be created by
-\fIkdb5_util(8)\fP\&.
+kdb5_util(8)\&.
 .SH OPTIONS
 .INDENT 0.0
 .TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
 Specifies the realm of the master server.
 .TP
-.B \fB\-f\fP \fIfile\fP
+\fB\-f\fP \fIfile\fP
 Specifies the filename where the dumped principal database file is
 to be found; by default the dumped database file is normally
 \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP\&.
 .TP
-.B \fB\-P\fP \fIport\fP
-Specifies the port to use to contact the \fIkpropd(8)\fP server
+\fB\-P\fP \fIport\fP
+Specifies the port to use to contact the kpropd(8) server
 on the remote host.
 .TP
-.B \fB\-d\fP
+\fB\-d\fP
 Prints debugging information.
 .TP
-.B \fB\-s\fP \fIkeytab\fP
+\fB\-s\fP \fIkeytab\fP
 Specifies the location of the keytab file.
 .UNINDENT
 .SH ENVIRONMENT
@@ -75,7 +75,7 @@ Specifies the location of the keytab file.
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIkpropd(8)\fP, \fIkdb5_util(8)\fP, \fIkrb5kdc(8)\fP
+kpropd(8), kdb5_util(8), krb5kdc(8)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index af9a676..36aa9f7 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -45,15 +45,15 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .SH DESCRIPTION
 .sp
 The \fIkpropd\fP command runs on the slave KDC server.  It listens for
-update requests made by the \fIkprop(8)\fP program.  If incremental
+update requests made by the kprop(8) program.  If incremental
 propagation is enabled, it periodically requests incremental updates
 from the master KDC.
 .sp
 When the slave receives a kprop request from the master, kpropd
 accepts the dumped KDC database and places it in a file, and then runs
-\fIkdb5_util(8)\fP to load the dumped database into the active
-database which is used by \fIkrb5kdc(8)\fP\&.  This allows the master
-Kerberos server to use \fIkprop(8)\fP to propagate its database to
+kdb5_util(8) to load the dumped database into the active
+database which is used by krb5kdc(8)\&.  This allows the master
+Kerberos server to use kprop(8) to propagate its database to
 the slave servers.  Upon a successful download of the KDC database
 file, the slave Kerberos server will have an up\-to\-date KDC database.
 .sp
@@ -81,54 +81,54 @@ kpropd in standalone mode; this option is now accepted for backward
 compatibility but does nothing.
 .sp
 Incremental propagation may be enabled with the \fBiprop_enable\fP
-variable in \fIkdc.conf(5)\fP\&.  If incremental propagation is
+variable in kdc.conf(5)\&.  If incremental propagation is
 enabled, the slave periodically polls the master KDC for updates, at
 an interval determined by the \fBiprop_slave_poll\fP variable.  If the
 slave receives updates, kpropd updates its log file with any updates
-from the master.  \fIkproplog(8)\fP can be used to view a summary of
+from the master.  kproplog(8) can be used to view a summary of
 the update entry log on the slave KDC.  If incremental propagation is
 enabled, the principal \fBkiprop/slavehostname@REALM\fP (where
 \fIslavehostname\fP is the name of the slave KDC host, and \fIREALM\fP is the
 name of the Kerberos realm) must be present in the slave\(aqs keytab
 file.
 .sp
-\fIkproplog(8)\fP can be used to force full replication when iprop is
+kproplog(8) can be used to force full replication when iprop is
 enabled.
 .SH OPTIONS
 .INDENT 0.0
 .TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
 Specifies the realm of the master server.
 .TP
-.B \fB\-A\fP \fIadmin_server\fP
+\fB\-A\fP \fIadmin_server\fP
 Specifies the server to be contacted for incremental updates; by
 default, the master admin server is contacted.
 .TP
-.B \fB\-f\fP \fIfile\fP
+\fB\-f\fP \fIfile\fP
 Specifies the filename where the dumped principal database file is
 to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP\&.
 .TP
-.B \fB\-p\fP
-Allows the user to specify the pathname to the \fIkdb5_util(8)\fP
+\fB\-p\fP
+Allows the user to specify the pathname to the kdb5_util(8)
 program; by default the pathname used is \fB@SBINDIR@\fP\fB/kdb5_util\fP\&.
 .TP
-.B \fB\-d\fP
+\fB\-d\fP
 Turn on debug mode.  In this mode, kpropd will not detach
 itself from the current job and run in the background.  Instead,
 it will run in the foreground and print out debugging messages
 during the database propagation.
 .TP
-.B \fB\-t\fP
+\fB\-t\fP
 In standalone mode without incremental propagation, exit after one
 dump file is received.  In incremental propagation mode, exit as
 soon as the database is up to date, or if the master returns an
 error.
 .TP
-.B \fB\-P\fP
+\fB\-P\fP
 Allow for an alternate port number for kpropd to listen on.  This
 is only useful in combination with the \fB\-S\fP option.
 .TP
-.B \fB\-a\fP \fIacl_file\fP
+\fB\-a\fP \fIacl_file\fP
 Allows the user to specify the path to the kpropd.acl file; by
 default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP\&.
 .UNINDENT
@@ -148,11 +148,11 @@ kpropd uses the following environment variables:
 Access file for kpropd; the default location is
 \fB/usr/local/var/krb5kdc/kpropd.acl\fP\&.  Each entry is a line
 containing the principal of a host from which the local machine
-will allow Kerberos database propagation via \fIkprop(8)\fP\&.
+will allow Kerberos database propagation via kprop(8)\&.
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIkprop(8)\fP, \fIkdb5_util(8)\fP, \fIkrb5kdc(8)\fP, inetd(8)
+kprop(8), kdb5_util(8), krb5kdc(8), inetd(8)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index 6341b5f..e0b200b 100644
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -39,8 +39,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 The kproplog command displays the contents of the KDC database update
 log to standard output.  It can be used to keep track of incremental
 updates to the principal database.  The update log file contains the
-update log maintained by the \fIkadmind(8)\fP process on the master
-KDC server and the \fIkpropd(8)\fP process on the slave KDC servers.
+update log maintained by the kadmind(8) process on the master
+KDC server and the kpropd(8) process on the slave KDC servers.
 When updates occur, they are logged to this file.  Subsequently any
 KDC slave configured for incremental updates will request the current
 data from the master KDC and update their log file with any updates
@@ -57,22 +57,22 @@ last update received and the associated time stamp of the last update.
 .SH OPTIONS
 .INDENT 0.0
 .TP
-.B \fB\-R\fP
+\fB\-R\fP
 Reset the update log.  This forces full resynchronization.  If used
 on a slave then that slave will request a full resync.  If used on
 the master then all slaves will request full resyncs.
 .TP
-.B \fB\-h\fP
+\fB\-h\fP
 Display a summary of the update log.  This information includes
 the database version number, state of the database, the number of
 updates in the log, the time stamp of the first and last update,
 and the version number of the first and last update entry.
 .TP
-.B \fB\-e\fP \fInum\fP
+\fB\-e\fP \fInum\fP
 Display the last \fInum\fP update entries in the log.  This is useful
 when debugging synchronization between KDC servers.
 .TP
-.B \fB\-v\fP
+\fB\-v\fP
 Display individual attributes per update.  An example of the
 output generated for one entry:
 .INDENT 7.0
@@ -108,7 +108,7 @@ kproplog uses the following environment variables:
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIkpropd(8)\fP
+kpropd(8)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man
index a40ba3e..370cbd1 100644
--- a/src/man/krb5-config.man
+++ b/src/man/krb5-config.man
@@ -41,39 +41,39 @@ and link programs against the installed Kerberos libraries.
 .SH OPTIONS
 .INDENT 0.0
 .TP
-.B \fB\-\fP\fB\-help\fP
+\fB\-\fP\fB\-help\fP
 prints a usage message.  This is the default behavior when no options
 are specified.
 .TP
-.B \fB\-\fP\fB\-all\fP
+\fB\-\fP\fB\-all\fP
 prints the version, vendor, prefix, and exec\-prefix.
 .TP
-.B \fB\-\fP\fB\-version\fP
+\fB\-\fP\fB\-version\fP
 prints the version number of the Kerberos installation.
 .TP
-.B \fB\-\fP\fB\-vendor\fP
+\fB\-\fP\fB\-vendor\fP
 prints the name of the vendor of the Kerberos installation.
 .TP
-.B \fB\-\fP\fB\-prefix\fP
+\fB\-\fP\fB\-prefix\fP
 prints the prefix for which the Kerberos installation was built.
 .TP
-.B \fB\-\fP\fB\-exec\-prefix\fP
+\fB\-\fP\fB\-exec\-prefix\fP
 prints the prefix for executables for which the Kerberos installation
 was built.
 .TP
-.B \fB\-\fP\fB\-defccname\fP
+\fB\-\fP\fB\-defccname\fP
 prints the built\-in default credentials cache location.
 .TP
-.B \fB\-\fP\fB\-defktname\fP
+\fB\-\fP\fB\-defktname\fP
 prints the built\-in default keytab location.
 .TP
-.B \fB\-\fP\fB\-defcktname\fP
+\fB\-\fP\fB\-defcktname\fP
 prints the built\-in default client (initiator) keytab location.
 .TP
-.B \fB\-\fP\fB\-cflags\fP
+\fB\-\fP\fB\-cflags\fP
 prints the compilation flags used to build the Kerberos installation.
 .TP
-.B \fB\-\fP\fB\-libs\fP [\fIlibrary\fP]
+\fB\-\fP\fB\-libs\fP [\fIlibrary\fP]
 prints the compiler options needed to link against \fIlibrary\fP\&.
 Allowed values for \fIlibrary\fP are:
 .TS
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index b240885..e7f1b46 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -135,7 +135,7 @@ module MODULEPATH:RESIDUAL
 \fIMODULEPATH\fP may be relative to the library path of the krb5
 installation, or it may be an absolute path.  \fIRESIDUAL\fP is provided
 to the module at initialization time.  If krb5.conf uses a module
-directive, \fIkdc.conf(5)\fP should also use one if it exists.
+directive, kdc.conf(5) should also use one if it exists.
 .SH SECTIONS
 .sp
 The krb5.conf file may contain the following sections:
@@ -182,15 +182,15 @@ _
 .TE
 .sp
 Additionally, krb5.conf may include any of the relations described in
-\fIkdc.conf(5)\fP, but it is not a recommended practice.
+kdc.conf(5), but it is not a recommended practice.
 .SS [libdefaults]
 .sp
 The libdefaults section may contain any of the following relations:
 .INDENT 0.0
 .TP
-.B \fBallow_weak_crypto\fP
+\fBallow_weak_crypto\fP
 If this flag is set to false, then weak encryption types (as noted
-in \fIEncryption_types\fP in \fIkdc.conf(5)\fP) will be filtered
+in Encryption_types in kdc.conf(5)) will be filtered
 out of the lists \fBdefault_tgs_enctypes\fP,
 \fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP\&.  The default
 value for this tag is false, which may cause authentication
@@ -198,7 +198,7 @@ failures in existing Kerberos infrastructures that do not support
 strong crypto.  Users in affected environments should set this tag
 to true until their infrastructure adopts stronger ciphers.
 .TP
-.B \fBap_req_checksum_type\fP
+\fBap_req_checksum_type\fP
 An integer which specifies the type of AP\-REQ checksum to use in
 authenticators.  This variable should be unset so the appropriate
 checksum for the encryption key in use will be used.  This can be
@@ -206,20 +206,20 @@ set if backward compatibility requires a specific checksum type.
 See the \fBkdc_req_checksum_type\fP configuration option for the
 possible values and their meanings.
 .TP
-.B \fBcanonicalize\fP
+\fBcanonicalize\fP
 If this flag is set to true, initial ticket requests to the KDC
 will request canonicalization of the client principal name, and
 answers with different client principals than the requested
 principal will be accepted.  The default value is false.
 .TP
-.B \fBccache_type\fP
+\fBccache_type\fP
 This parameter determines the format of credential cache types
-created by \fIkinit(1)\fP or other programs.  The default value
+created by kinit(1) or other programs.  The default value
 is 4, which represents the most current format.  Smaller values
 can be used for compatibility with very old implementations of
 Kerberos which interact with credential caches on the same host.
 .TP
-.B \fBclockskew\fP
+\fBclockskew\fP
 Sets the maximum allowable amount of clockskew in seconds that the
 library will tolerate before assuming that a Kerberos message is
 invalid.  The default value is 300 seconds, or five minutes.
@@ -230,34 +230,34 @@ their expiration time can still be used (and renewed if they are
 renewable tickets) if they have been expired for a shorter
 duration than the \fBclockskew\fP setting.
 .TP
-.B \fBdefault_ccache_name\fP
+\fBdefault_ccache_name\fP
 This relation specifies the name of the default credential cache.
 The default is \fB@CCNAME@\fP\&.  This relation is subject to parameter
 expansion (see below).  New in release 1.11.
 .TP
-.B \fBdefault_client_keytab_name\fP
+\fBdefault_client_keytab_name\fP
 This relation specifies the name of the default keytab for
 obtaining client credentials.  The default is \fB@CKTNAME@\fP\&.  This
 relation is subject to parameter expansion (see below).
 New in release 1.11.
 .TP
-.B \fBdefault_keytab_name\fP
+\fBdefault_keytab_name\fP
 This relation specifies the default keytab name to be used by
 application servers such as sshd.  The default is \fB@KTNAME@\fP\&.  This
 relation is subject to parameter expansion (see below).
 .TP
-.B \fBdefault_realm\fP
+\fBdefault_realm\fP
 Identifies the default Kerberos realm for the client.  Set its
 value to your Kerberos realm.  If this value is not set, then a
 realm must be specified with every Kerberos principal when
-invoking programs such as \fIkinit(1)\fP\&.
+invoking programs such as kinit(1)\&.
 .TP
-.B \fBdefault_tgs_enctypes\fP
+\fBdefault_tgs_enctypes\fP
 Identifies the supported list of session key encryption types that
 the client should request when making a TGS\-REQ, in order of
 preference from highest to lowest.  The list may be delimited with
-commas or whitespace.  See \fIEncryption_types\fP in
-\fIkdc.conf(5)\fP for a list of the accepted values for this tag.
+commas or whitespace.  See Encryption_types in
+kdc.conf(5) for a list of the accepted values for this tag.
 The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
 will be implicitly removed from this list if the value of
 \fBallow_weak_crypto\fP is false.
@@ -267,7 +267,7 @@ compatibility purposes; stale values of this setting can prevent
 clients from taking advantage of new stronger enctypes when the
 libraries are upgraded.
 .TP
-.B \fBdefault_tkt_enctypes\fP
+\fBdefault_tkt_enctypes\fP
 Identifies the supported list of session key encryption types that
 the client should request when making an AS\-REQ, in order of
 preference from highest to lowest.  The format is the same as for
@@ -281,14 +281,14 @@ compatibility purposes; stale values of this setting can prevent
 clients from taking advantage of new stronger enctypes when the
 libraries are upgraded.
 .TP
-.B \fBdns_canonicalize_hostname\fP
+\fBdns_canonicalize_hostname\fP
 Indicate whether name lookups will be used to canonicalize
 hostnames for use in service principal names.  Setting this flag
 to false can improve security by reducing reliance on DNS, but
 means that short hostnames will not be canonicalized to
 fully\-qualified hostnames.  The default value is true.
 .TP
-.B \fBdns_lookup_kdc\fP
+\fBdns_lookup_kdc\fP
 Indicate whether DNS SRV records should be used to locate the KDCs
 and other servers for a realm, if they are not listed in the
 krb5.conf information for the realm.  (Note that the admin_server
@@ -304,30 +304,30 @@ it (besides the initial ticket request, which has no encrypted
 data), and anything the fake KDC sends will not be trusted without
 verification using some secret that it won\(aqt know.
 .TP
-.B \fBdns_uri_lookup\fP
+\fBdns_uri_lookup\fP
 Indicate whether DNS URI records should be used to locate the KDCs
 and other servers for a realm, if they are not listed in the
 krb5.conf information for the realm.  SRV records are used as a
 fallback if no URI records were found.  The default value is true.
 New in release 1.15.
 .TP
-.B \fBerr_fmt\fP
+\fBerr_fmt\fP
 This relation allows for custom error message formatting.  If a
 value is set, error messages will be formatted by substituting a
 normal error message for %M and an error code for %C in the value.
 .TP
-.B \fBextra_addresses\fP
+\fBextra_addresses\fP
 This allows a computer to use multiple local addresses, in order
 to allow Kerberos to work in a network that uses NATs while still
 using address\-restricted tickets.  The addresses should be in a
 comma\-separated list.  This option has no effect if
 \fBnoaddresses\fP is true.
 .TP
-.B \fBforwardable\fP
+\fBforwardable\fP
 If this flag is true, initial tickets will be forwardable by
 default, if allowed by the KDC.  The default value is false.
 .TP
-.B \fBignore_acceptor_hostname\fP
+\fBignore_acceptor_hostname\fP
 When accepting GSSAPI or krb5 security contexts for host\-based
 service principals, ignore any hostname passed by the calling
 application, and allow clients to authenticate to any service
@@ -337,15 +337,15 @@ flexibility of server applications on multihomed hosts, but could
 compromise the security of virtual hosting environments.  The
 default value is false.  New in release 1.10.
 .TP
-.B \fBk5login_authoritative\fP
+\fBk5login_authoritative\fP
 If this flag is true, principals must be listed in a local user\(aqs
-k5login file to be granted login access, if a \fI\&.k5login(5)\fP
+k5login file to be granted login access, if a \&.k5login(5)
 file exists.  If this flag is false, a principal may still be
 granted login access through other mechanisms even if a k5login
 file exists but does not list the principal.  The default value is
 true.
 .TP
-.B \fBk5login_directory\fP
+\fBk5login_directory\fP
 If set, the library will look for a local user\(aqs k5login file
 within the named directory, with a filename corresponding to the
 local username.  If not set, the library will look for k5login
@@ -353,25 +353,25 @@ files in the user\(aqs home directory, with the filename .k5login.
 For security reasons, .k5login files must be owned by
 the local user or by root.
 .TP
-.B \fBkcm_mach_service\fP
+\fBkcm_mach_service\fP
 On OS X only, determines the name of the bootstrap service used to
 contact the KCM daemon for the KCM credential cache type.  If the
 value is \fB\-\fP, Mach RPC will not be used to contact the KCM
 daemon.  The default value is \fBorg.h5l.kcm\fP\&.
 .TP
-.B \fBkcm_socket\fP
+\fBkcm_socket\fP
 Determines the path to the Unix domain socket used to access the
 KCM daemon for the KCM credential cache type.  If the value is
 \fB\-\fP, Unix domain sockets will not be used to contact the KCM
 daemon.  The default value is
 \fB/var/run/.heim_org.h5l.kcm\-socket\fP\&.
 .TP
-.B \fBkdc_default_options\fP
+\fBkdc_default_options\fP
 Default KDC options (Xored for multiple values) when requesting
 initial tickets.  By default it is set to 0x00000010
 (KDC_OPT_RENEWABLE_OK).
 .TP
-.B \fBkdc_timesync\fP
+\fBkdc_timesync\fP
 Accepted values for this relation are 1 or 0.  If it is nonzero,
 client machines will compute the difference between their time and
 the time returned by the KDC in the timestamps in the tickets and
@@ -380,7 +380,7 @@ requesting service tickets or authenticating to services.  This
 corrective factor is only used by the Kerberos library; it is not
 used to change the system clock.  The default value is 1.
 .TP
-.B \fBkdc_req_checksum_type\fP
+\fBkdc_req_checksum_type\fP
 An integer which specifies the type of checksum to use for the KDC
 requests, for compatibility with very old KDC implementations.
 This value is only used for DES keys; other keys use the preferred
@@ -447,40 +447,40 @@ T}
 _
 .TE
 .TP
-.B \fBnoaddresses\fP
+\fBnoaddresses\fP
 If this flag is true, requests for initial tickets will not be
 made with address restrictions set, allowing the tickets to be
 used across NATs.  The default value is true.
 .TP
-.B \fBpermitted_enctypes\fP
+\fBpermitted_enctypes\fP
 Identifies all encryption types that are permitted for use in
 session key encryption.  The default value for this tag is
 \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
 removed from this list if the value of \fBallow_weak_crypto\fP is
 false.
 .TP
-.B \fBplugin_base_dir\fP
+\fBplugin_base_dir\fP
 If set, determines the base directory where krb5 plugins are
 located.  The default value is the \fBkrb5/plugins\fP subdirectory
 of the krb5 library directory.
 .TP
-.B \fBpreferred_preauth_types\fP
+\fBpreferred_preauth_types\fP
 This allows you to set the preferred preauthentication types which
 the client will attempt before others which may be advertised by a
 KDC.  The default value for this setting is "17, 16, 15, 14",
 which forces libkrb5 to attempt to use PKINIT if it is supported.
 .TP
-.B \fBproxiable\fP
+\fBproxiable\fP
 If this flag is true, initial tickets will be proxiable by
 default, if allowed by the KDC.  The default value is false.
 .TP
-.B \fBrdns\fP
+\fBrdns\fP
 If this flag is true, reverse name lookup will be used in addition
 to forward name lookup to canonicalizing hostnames for use in
 service principal names.  If \fBdns_canonicalize_hostname\fP is set
 to false, this flag has no effect.  The default value is true.
 .TP
-.B \fBrealm_try_domains\fP
+\fBrealm_try_domains\fP
 Indicate whether a host\(aqs domain components should be used to
 determine the Kerberos realm of the host.  The value of this
 variable is an integer: \-1 means not to search, 0 means to try the
@@ -490,11 +490,11 @@ Kerberos realms is used to determine whether a domain is a valid
 realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is
 set.  The default is not to search domain components.
 .TP
-.B \fBrenew_lifetime\fP
-(\fIduration\fP string.)  Sets the default renewable lifetime
+\fBrenew_lifetime\fP
+(duration string.)  Sets the default renewable lifetime
 for initial ticket requests.  The default value is 0.
 .TP
-.B \fBsafe_checksum_type\fP
+\fBsafe_checksum_type\fP
 An integer which specifies the type of checksum to use for the
 KRB\-SAFE requests.  By default it is set to 8 (RSA MD5 DES).  For
 compatibility with applications linked against DCE version 1.1 or
@@ -503,11 +503,11 @@ DES instead.  This field is ignored when its value is incompatible
 with the session key type.  See the \fBkdc_req_checksum_type\fP
 configuration option for the possible values and their meanings.
 .TP
-.B \fBticket_lifetime\fP
-(\fIduration\fP string.)  Sets the default lifetime for initial
+\fBticket_lifetime\fP
+(duration string.)  Sets the default lifetime for initial
 ticket requests.  The default value is 1 day.
 .TP
-.B \fBudp_preference_limit\fP
+\fBudp_preference_limit\fP
 When sending a message to the KDC, the library will try using TCP
 before UDP if the size of the message is above
 \fBudp_preference_limit\fP\&.  If the message is smaller than
@@ -515,7 +515,7 @@ before UDP if the size of the message is above
 Regardless of the size, both protocols will be tried if the first
 attempt fails.
 .TP
-.B \fBverify_ap_req_nofail\fP
+\fBverify_ap_req_nofail\fP
 If this flag is true, then an attempt to verify initial
 credentials will fail if the client machine does not have a
 keytab.  The default value is false.
@@ -528,20 +528,20 @@ define the properties of that particular realm.  For each realm, the
 following tags may be specified in the realm\(aqs subsection:
 .INDENT 0.0
 .TP
-.B \fBadmin_server\fP
+\fBadmin_server\fP
 Identifies the host where the administration server is running.
 Typically, this is the master Kerberos server.  This tag must be
-given a value in order to communicate with the \fIkadmind(8)\fP
+given a value in order to communicate with the kadmind(8)
 server for the realm.
 .TP
-.B \fBauth_to_local\fP
+\fBauth_to_local\fP
 This tag allows you to set a general rule for mapping principal
 names to local user names.  It will be used if there is not an
 explicit mapping for the principal name that is being
 translated. The possible values are:
 .INDENT 7.0
 .TP
-.B \fBRULE:\fP\fIexp\fP
+\fBRULE:\fP\fIexp\fP
 The local name will be formulated from \fIexp\fP\&.
 .sp
 The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP\&.
@@ -557,7 +557,7 @@ string.  The optional \fBg\fP will cause the substitution to be
 global over the \fIstring\fP, instead of replacing only the first
 match in the \fIstring\fP\&.
 .TP
-.B \fBDEFAULT\fP
+\fBDEFAULT\fP
 The principal name will be used as the local user name.  If
 the principal has more than one component or is not in the
 default realm, this rule is not applicable and the conversion
@@ -590,18 +590,18 @@ principal with a second component of \fBroot\fP\&.  The exception to
 these two rules are any principals \fBjohndoe/*\fP, which will
 always get the local name \fBguest\fP\&.
 .TP
-.B \fBauth_to_local_names\fP
+\fBauth_to_local_names\fP
 This subsection allows you to set explicit mappings from principal
 names to local user names.  The tag is the mapping name, and the
 value is the corresponding local user name.
 .TP
-.B \fBdefault_domain\fP
+\fBdefault_domain\fP
 This tag specifies the domain used to expand hostnames when
 translating Kerberos 4 service principals to Kerberos 5 principals
 (for example, when converting \fBrcmd.hostname\fP to
 \fBhost/hostname.domain\fP).
 .TP
-.B \fBhttp_anchors\fP
+\fBhttp_anchors\fP
 When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
 can be used to specify the location of the CA certificate which should be
 trusted to issue the certificate for a proxy server.  If left unspecified,
@@ -627,7 +627,7 @@ to a value conforming to one of the previous values.  For example,
 \fBENV:X509_PROXY_CA\fP, where environment variable \fBX509_PROXY_CA\fP has
 been set to \fBFILE:/tmp/my_proxy.pem\fP\&.
 .TP
-.B \fBkdc\fP
+\fBkdc\fP
 The name or address of a host running a KDC for that realm.  An
 optional port number, separated from the hostname by a colon, may
 be included.  If the name or address contains colons (for example,
@@ -637,12 +637,12 @@ be able to communicate with the KDC for each realm, this tag must
 be given a value in each realm subsection in the configuration
 file, or there must be DNS SRV records specifying the KDCs.
 .TP
-.B \fBkpasswd_server\fP
+\fBkpasswd_server\fP
 Points to the server where all the password changes are performed.
 If there is no such entry, the port 464 on the \fBadmin_server\fP
 host will be tried.
 .TP
-.B \fBmaster_kdc\fP
+\fBmaster_kdc\fP
 Identifies the master KDC(s).  Currently, this tag is used in only
 one case: If an attempt to get credentials fails because of an
 invalid password, the client software will attempt to contact the
@@ -650,14 +650,14 @@ master KDC, in case the user\(aqs password has just been changed, and
 the updated database has not been propagated to the slave servers
 yet.
 .TP
-.B \fBv4_instance_convert\fP
+\fBv4_instance_convert\fP
 This subsection allows the administrator to configure exceptions
 to the \fBdefault_domain\fP mapping rule.  It contains V4 instances
 (the tag name) which should be translated to some specific
 hostname (the tag value) as the second component in a Kerberos V5
 principal name.
 .TP
-.B \fBv4_realm\fP
+\fBv4_realm\fP
 This relation is used by the krb524 library routines when
 converting a V5 principal name to a V4 principal name.  It is used
 when the V4 realm name and the V5 realm name are not the same, but
@@ -867,17 +867,17 @@ Each pluggable interface corresponds to a subsection of [plugins].
 All subsections support the same tags:
 .INDENT 0.0
 .TP
-.B \fBdisable\fP
+\fBdisable\fP
 This tag may have multiple values. If there are values for this
 tag, then the named modules will be disabled for the pluggable
 interface.
 .TP
-.B \fBenable_only\fP
+\fBenable_only\fP
 This tag may have multiple values. If there are values for this
 tag, then only the named modules will be enabled for the pluggable
 interface.
 .TP
-.B \fBmodule\fP
+\fBmodule\fP
 This tag may have multiple values.  Each value is a string of the
 form \fBmodulename:pathname\fP, which causes the shared object
 located at \fIpathname\fP to be registered as a dynamic module named
@@ -902,11 +902,11 @@ dynamic modules, the following built\-in modules exist (and may be
 disabled with the disable tag):
 .INDENT 0.0
 .TP
-.B \fBk5identity\fP
+\fBk5identity\fP
 Uses a .k5identity file in the user\(aqs home directory to select a
 client principal
 .TP
-.B \fBrealm\fP
+\fBrealm\fP
 Uses the service realm to guess an appropriate cache from the
 collection
 .UNINDENT
@@ -917,17 +917,17 @@ interface, which is used to reject weak passwords when passwords are
 changed.  The following built\-in modules exist for this interface:
 .INDENT 0.0
 .TP
-.B \fBdict\fP
+\fBdict\fP
 Checks against the realm dictionary file
 .TP
-.B \fBempty\fP
+\fBempty\fP
 Rejects empty passwords
 .TP
-.B \fBhesiod\fP
+\fBhesiod\fP
 Checks against user information stored in Hesiod (only if Kerberos
 was built with Hesiod support)
 .TP
-.B \fBprinc\fP
+\fBprinc\fP
 Checks against components of the principal name
 .UNINDENT
 .SS kadm5_hook interface
@@ -944,13 +944,13 @@ provide client and KDC preauthentication mechanisms.  The following
 built\-in modules exist for these interfaces:
 .INDENT 0.0
 .TP
-.B \fBpkinit\fP
+\fBpkinit\fP
 This module implements the PKINIT preauthentication mechanism.
 .TP
-.B \fBencrypted_challenge\fP
+\fBencrypted_challenge\fP
 This module implements the encrypted challenge FAST factor.
 .TP
-.B \fBencrypted_timestamp\fP
+\fBencrypted_timestamp\fP
 This module implements the encrypted timestamp mechanism.
 .UNINDENT
 .SS hostrealm interface
@@ -961,17 +961,17 @@ hostnames to realm names and the choice of default realm.  The following
 built\-in modules exist for this interface:
 .INDENT 0.0
 .TP
-.B \fBprofile\fP
+\fBprofile\fP
 This module consults the [domain_realm] section of the profile for
 authoritative host\-to\-realm mappings, and the \fBdefault_realm\fP
 variable for the default realm.
 .TP
-.B \fBdns\fP
+\fBdns\fP
 This module looks for DNS records for fallback host\-to\-realm
 mappings and the default realm.  It only operates if the
 \fBdns_lookup_realm\fP variable is set to true.
 .TP
-.B \fBdomain\fP
+\fBdomain\fP
 This module applies heuristics for fallback host\-to\-realm
 mappings.  It implements the \fBrealm_try_domains\fP variable, and
 uses the uppercased parent domain of the hostname if that does not
@@ -985,28 +985,28 @@ between Kerberos principals and local system accounts.  The following
 built\-in modules exist for this interface:
 .INDENT 0.0
 .TP
-.B \fBdefault\fP
+\fBdefault\fP
 This module implements the \fBDEFAULT\fP type for \fBauth_to_local\fP
 values.
 .TP
-.B \fBrule\fP
+\fBrule\fP
 This module implements the \fBRULE\fP type for \fBauth_to_local\fP
 values.
 .TP
-.B \fBnames\fP
+\fBnames\fP
 This module looks for an \fBauth_to_local_names\fP mapping for the
 principal name.
 .TP
-.B \fBauth_to_local\fP
+\fBauth_to_local\fP
 This module processes \fBauth_to_local\fP values in the default
 realm\(aqs section, and applies the default method if no
 \fBauth_to_local\fP values exist.
 .TP
-.B \fBk5login\fP
+\fBk5login\fP
 This module authorizes a principal to a local account according to
-the account\(aqs \fI\&.k5login(5)\fP file.
+the account\(aqs \&.k5login(5) file.
 .TP
-.B \fBan2ln\fP
+\fBan2ln\fP
 This module authorizes a principal to a local account if the
 principal name maps to the local account name.
 .UNINDENT
@@ -1074,7 +1074,7 @@ The syntax for specifying Public Key identity, trust, and revocation
 information for PKINIT is as follows:
 .INDENT 0.0
 .TP
-.B \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP]
+\fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP]
 This option has context\-specific behavior.
 .sp
 In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP
@@ -1086,7 +1086,7 @@ private key is expected to be in \fIfilename\fP as well.  Otherwise,
 In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to
 be the name of an OpenSSL\-style ca\-bundle file.
 .TP
-.B \fBDIR:\fP\fIdirname\fP
+\fBDIR:\fP\fIdirname\fP
 This option has context\-specific behavior.
 .sp
 In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP
@@ -1109,11 +1109,11 @@ named \fBhash\-of\-ca\-cert.r#\fP\&.  This infrastructure is encouraged,
 but all files in the directory will be examined and if they
 contain a revocation list (in PEM format), they will be used.
 .TP
-.B \fBPKCS12:\fP\fIfilename\fP
+\fBPKCS12:\fP\fIfilename\fP
 \fIfilename\fP is the name of a PKCS #12 format file, containing the
 user\(aqs certificate and private key.
 .TP
-.B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
+\fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
 All keyword/values are optional.  \fImodname\fP specifies the location
 of a library implementing PKCS #11.  If a value is encountered
 with no keyword, it is assumed to be the \fImodname\fP\&.  If no
@@ -1125,7 +1125,7 @@ force the selection of a particular certificate on the device.
 See the \fBpkinit_cert_match\fP configuration option for more ways
 to select a particular certificate to use for PKINIT.
 .TP
-.B \fBENV:\fP\fIenvvar\fP
+\fBENV:\fP\fIenvvar\fP
 \fIenvvar\fP specifies the name of an environment variable which has
 been set to a value conforming to one of the previous values.  For
 example, \fBENV:X509_PROXY\fP, where environment variable
@@ -1134,13 +1134,13 @@ example, \fBENV:X509_PROXY\fP, where environment variable
 .SS PKINIT krb5.conf options
 .INDENT 0.0
 .TP
-.B \fBpkinit_anchors\fP
+\fBpkinit_anchors\fP
 Specifies the location of trusted anchor (root) certificates which
 the client trusts to sign KDC certificates.  This option may be
 specified multiple times.  These values from the config file are
 not used if the user specifies X509_anchors on the command line.
 .TP
-.B \fBpkinit_cert_match\fP
+\fBpkinit_cert_match\fP
 Specifies matching rules that the client certificate must match
 before it is used to attempt PKINIT authentication.  If a user has
 multiple certificates available (on a smart card, or via other
@@ -1225,7 +1225,7 @@ pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
 .UNINDENT
 .UNINDENT
 .TP
-.B \fBpkinit_eku_checking\fP
+\fBpkinit_eku_checking\fP
 This option specifies what Extended Key Usage value the KDC
 certificate presented to the client must contain.  (Note that if
 the KDC certificate has the pkinit SubjectAlternativeName encoded
@@ -1234,27 +1234,27 @@ issuing CA has certified this as a KDC certificate.)  The values
 recognized in the krb5.conf file are:
 .INDENT 7.0
 .TP
-.B \fBkpKDC\fP
+\fBkpKDC\fP
 This is the default value and specifies that the KDC must have
 the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP\&.
 .TP
-.B \fBkpServerAuth\fP
+\fBkpServerAuth\fP
 If \fBkpServerAuth\fP is specified, a KDC certificate with the
 id\-kp\-serverAuth EKU will be accepted.  This key usage value
 is used in most commercially issued server certificates.
 .TP
-.B \fBnone\fP
+\fBnone\fP
 If \fBnone\fP is specified, then the KDC certificate will not be
 checked to verify it has an acceptable EKU.  The use of this
 option is not recommended.
 .UNINDENT
 .TP
-.B \fBpkinit_dh_min_bits\fP
+\fBpkinit_dh_min_bits\fP
 Specifies the size of the Diffie\-Hellman key the client will
 attempt to use.  The acceptable values are 1024, 2048, and 4096.
 The default is 2048.
 .TP
-.B \fBpkinit_identities\fP
+\fBpkinit_identities\fP
 Specifies the location(s) to be used to find the user\(aqs X.509
 identity information.  This option may be specified multiple
 times.  Each value is attempted in order until identity
@@ -1262,7 +1262,7 @@ information is found and authentication is attempted.  Note that
 these values are not used if the user specifies
 \fBX509_user_identity\fP on the command line.
 .TP
-.B \fBpkinit_kdc_hostname\fP
+\fBpkinit_kdc_hostname\fP
 The presense of this option indicates that the client is willing
 to accept a KDC certificate with a dNSName SAN (Subject
 Alternative Name) rather than requiring the id\-pkinit\-san as
@@ -1270,13 +1270,13 @@ defined in \fI\%RFC 4556\fP\&.  This option may be specified multiple
 times.  Its value should contain the acceptable hostname for the
 KDC (as contained in its certificate).
 .TP
-.B \fBpkinit_pool\fP
+\fBpkinit_pool\fP
 Specifies the location of intermediate certificates which may be
 used by the client to complete the trust chain between a KDC
 certificate and a trusted anchor.  This option may be specified
 multiple times.
 .TP
-.B \fBpkinit_require_crl_checking\fP
+\fBpkinit_require_crl_checking\fP
 The default certificate verification process will always check the
 available revocation information to see if a certificate has been
 revoked.  If a match is found for the certificate in a CRL,
@@ -1292,7 +1292,7 @@ fails.
 \fBpkinit_require_crl_checking\fP should be set to true if the
 policy is such that up\-to\-date CRLs must be present for every CA.
 .TP
-.B \fBpkinit_revoke\fP
+\fBpkinit_revoke\fP
 Specifies the location of Certificate Revocation List (CRL)
 information to be used by the client when verifying the validity
 of the KDC certificate presented.  This option may be specified
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index cff7cd2..1f69491 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -80,7 +80,7 @@ process.
 The \fB\-p\fP \fIportnum\fP option specifies the default UDP port numbers
 which the KDC should listen on for Kerberos version 5 requests, as a
 comma\-separated list.  This value overrides the UDP port numbers
-specified in the \fIkdcdefaults\fP section of \fIkdc.conf(5)\fP, but
+specified in the kdcdefaults section of kdc.conf(5), but
 may be overridden by realm\-specific values.  If no value is given from
 any source, the default port is 88.
 .sp
@@ -103,7 +103,7 @@ starts.
 .UNINDENT
 .sp
 The \fB\-x\fP \fIdb_args\fP option specifies database\-specific arguments.
-See \fIDatabase Options\fP in \fIkadmin(1)\fP for
+See Database Options in kadmin(1) for
 supported arguments.
 .sp
 The \fB\-T\fP \fIoffset\fP option specifies a time offset, in seconds, which
@@ -129,10 +129,10 @@ krb5kdc \-p 2001 \-r REALM1 \-p 2002 \-r REALM2 \-r REALM3
 .sp
 specifies that the KDC listen on port 2001 for REALM1 and on port 2002
 for REALM2 and REALM3.  Additionally, per\-realm parameters may be
-specified in the \fIkdc.conf(5)\fP file.  The location of this file
+specified in the kdc.conf(5) file.  The location of this file
 may be specified by the \fBKRB5_KDC_PROFILE\fP environment variable.
 Per\-realm parameters specified in this file take precedence over
-options specified on the command line.  See the \fIkdc.conf(5)\fP
+options specified on the command line.  See the kdc.conf(5)
 description for further details.
 .SH ENVIRONMENT
 .sp
@@ -145,8 +145,8 @@ krb5kdc uses the following environment variables:
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIkdb5_util(8)\fP, \fIkdc.conf(5)\fP, \fIkrb5.conf(5)\fP,
-\fIkdb5_ldap_util(8)\fP
+kdb5_util(8), kdc.conf(5), krb5.conf(5),
+kdb5_ldap_util(8)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/ksu.man b/src/man/ksu.man
index 42d9f9f..05549f4 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -99,7 +99,7 @@ option, see the OPTIONS section.
 Upon successful authentication, ksu checks whether the target
 principal is authorized to access the target account.  In the target
 user\(aqs home directory, ksu attempts to access two authorization files:
-\fI\&.k5login(5)\fP and .k5users.  In the .k5login file each line
+\&.k5login(5) and .k5users.  In the .k5login file each line
 contains the name of a principal that is authorized to access the
 account.
 .sp
@@ -182,7 +182,7 @@ source cache.
 .SH OPTIONS
 .INDENT 0.0
 .TP
-.B \fB\-n\fP \fItarget_principal_name\fP
+\fB\-n\fP \fItarget_principal_name\fP
 Specify a Kerberos target principal name.  Used in authentication
 and authorization phases of ksu.
 .sp
@@ -263,33 +263,33 @@ krb5cc_1984.2
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \fB\-k\fP
+\fB\-k\fP
 Do not delete the target cache upon termination of the target
 shell or a command (\fB\-e\fP command).  Without \fB\-k\fP, ksu deletes
 the target cache.
 .TP
-.B \fB\-z\fP
+\fB\-z\fP
 Restrict the copy of tickets from the source cache to the target
 cache to only the tickets where client == the target principal
 name.  Use the \fB\-n\fP option if you want the tickets for other then
 the default principal.  Note that the \fB\-z\fP option is mutually
 exclusive with the \fB\-Z\fP option.
 .TP
-.B \fB\-Z\fP
+\fB\-Z\fP
 Don\(aqt copy any tickets from the source cache to the target cache.
 Just create a fresh target cache, where the default principal name
 of the cache is initialized to the target principal name.  Note
 that the \fB\-Z\fP option is mutually exclusive with the \fB\-z\fP
 option.
 .TP
-.B \fB\-q\fP
+\fB\-q\fP
 Suppress the printing of status messages.
 .UNINDENT
 .sp
 Ticket granting ticket options:
 .INDENT 0.0
 .TP
-.B \fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP
+\fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP
 The ticket granting ticket options only apply to the case where
 there are no appropriate tickets in the cache to authenticate the
 source user.  In this case if ksu is configured to prompt users
@@ -297,25 +297,25 @@ for a Kerberos password (\fBGET_TGT_VIA_PASSWD\fP is defined), the
 ticket granting ticket options that are specified will be used
 when getting a ticket granting ticket from the Kerberos server.
 .TP
-.B \fB\-l\fP \fIlifetime\fP
-(\fIduration\fP string.)  Specifies the lifetime to be requested
+\fB\-l\fP \fIlifetime\fP
+(duration string.)  Specifies the lifetime to be requested
 for the ticket; if this option is not specified, the default ticket
 lifetime (12 hours) is used instead.
 .TP
-.B \fB\-r\fP \fItime\fP
-(\fIduration\fP string.)  Specifies that the \fBrenewable\fP option
+\fB\-r\fP \fItime\fP
+(duration string.)  Specifies that the \fBrenewable\fP option
 should be requested for the ticket, and specifies the desired
 total lifetime of the ticket.
 .TP
-.B \fB\-p\fP
+\fB\-p\fP
 specifies that the \fBproxiable\fP option should be requested for
 the ticket.
 .TP
-.B \fB\-f\fP
+\fB\-f\fP
 option specifies that the \fBforwardable\fP option should be
 requested for the ticket.
 .TP
-.B \fB\-e\fP \fIcommand\fP [\fIargs\fP ...]
+\fB\-e\fP \fIcommand\fP [\fIargs\fP ...]
 ksu proceeds exactly the same as if it was invoked without the
 \fB\-e\fP option, except instead of executing the target shell, ksu
 executes the specified command. Example of usage:
@@ -379,7 +379,7 @@ then command can be either a full or a relative path leading to
 the target program.  Otherwise, the user must specify either a
 full path or just the program name.
 .TP
-.B \fB\-a\fP \fIargs\fP
+\fB\-a\fP \fIargs\fP
 Specify arguments to be passed to the target shell.  Note that all
 flags and parameters following \-a will be passed to the shell,
 thus all options intended for ksu must precede \fB\-a\fP\&.
@@ -404,7 +404,7 @@ used as follows:
 ksu can be compiled with the following four flags:
 .INDENT 0.0
 .TP
-.B \fBGET_TGT_VIA_PASSWD\fP
+\fBGET_TGT_VIA_PASSWD\fP
 In case no appropriate tickets are found in the source cache, the
 user will be prompted for a Kerberos password.  The password is
 then used to get a ticket granting ticket from the Kerberos
@@ -412,17 +412,17 @@ server.  The danger of configuring ksu with this macro is if the
 source user is logged in remotely and does not have a secure
 channel, the password may get exposed.
 .TP
-.B \fBPRINC_LOOK_AHEAD\fP
+\fBPRINC_LOOK_AHEAD\fP
 During the resolution of the default principal name,
 \fBPRINC_LOOK_AHEAD\fP enables ksu to find principal names in
 the .k5users file as described in the OPTIONS section
 (see \fB\-n\fP option).
 .TP
-.B \fBCMD_PATH\fP
+\fBCMD_PATH\fP
 Specifies a list of directories containing programs that users are
 authorized to execute (via .k5users file).
 .TP
-.B \fBHAVE_GETUSERSHELL\fP
+\fBHAVE_GETUSERSHELL\fP
 If the source user is non\-root, ksu insists that the target user\(aqs
 shell to be invoked is a "legal shell".  \fIgetusershell(3)\fP is
 called to obtain the names of "legal shells".  Note that the
diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index b762789..75fe17d 100644
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -41,10 +41,10 @@ collection, if a cache collection is available.
 .SH OPTIONS
 .INDENT 0.0
 .TP
-.B \fB\-c\fP \fIcachename\fP
+\fB\-c\fP \fIcachename\fP
 Directly specifies the credential cache to be made primary.
 .TP
-.B \fB\-p\fP \fIprincipal\fP
+\fB\-p\fP \fIprincipal\fP
 Causes the cache collection to be searched for a cache containing
 credentials for \fIprincipal\fP\&.  If one is found, that collection is
 made primary.
@@ -54,7 +54,7 @@ made primary.
 kswitch uses the following environment variables:
 .INDENT 0.0
 .TP
-.B \fBKRB5CCNAME\fP
+\fBKRB5CCNAME\fP
 Location of the default Kerberos 5 credentials (ticket) cache, in
 the form \fItype\fP:\fIresidual\fP\&.  If no \fItype\fP prefix is present, the
 \fBFILE\fP type is assumed.  The type of the default cache may
@@ -70,7 +70,7 @@ Default location of Kerberos 5 credentials cache
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIkinit(1)\fP, \fIkdestroy(1)\fP, \fIklist(1)\fP), kerberos(1)
+kinit(1), kdestroy(1), klist(1)), kerberos(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 97ff6a5..d0a040b 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -164,7 +164,7 @@ ktutil:
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIkadmin(1)\fP, \fIkdb5_util(8)\fP
+kadmin(1), kdb5_util(8)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/kvno.man b/src/man/kvno.man
index 7bbc10f..57be7da 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -48,37 +48,37 @@ and prints out the key version numbers of each.
 .SH OPTIONS
 .INDENT 0.0
 .TP
-.B \fB\-c\fP \fIccache\fP
+\fB\-c\fP \fIccache\fP
 Specifies the name of a credentials cache to use (if not the
 default)
 .TP
-.B \fB\-e\fP \fIetype\fP
+\fB\-e\fP \fIetype\fP
 Specifies the enctype which will be requested for the session key
 of all the services named on the command line.  This is useful in
 certain backward compatibility situations.
 .TP
-.B \fB\-q\fP
+\fB\-q\fP
 Suppress printing output when successful.  If a service ticket
 cannot be obtained, an error message will still be printed and
 kvno will exit with nonzero status.
 .TP
-.B \fB\-h\fP
+\fB\-h\fP
 Prints a usage statement and exits.
 .TP
-.B \fB\-P\fP
+\fB\-P\fP
 Specifies that the \fIservice1 service2\fP ...  arguments are to be
 treated as services for which credentials should be acquired using
 constrained delegation.  This option is only valid when used in
 conjunction with protocol transition.
 .TP
-.B \fB\-S\fP \fIsname\fP
+\fB\-S\fP \fIsname\fP
 Specifies that the \fIservice1 service2\fP ... arguments are
 interpreted as hostnames, and the service principals are to be
 constructed from those hostnames and the service name \fIsname\fP\&.
 The service hostnames will be canonicalized according to the usual
 rules for constructing service principals.
 .TP
-.B \fB\-U\fP \fIfor_user\fP
+\fB\-U\fP \fIfor_user\fP
 Specifies that protocol transition (S4U2Self) is to be used to
 acquire a ticket on behalf of \fIfor_user\fP\&.  If constrained
 delegation is not requested, the service name must match the
@@ -89,7 +89,7 @@ credentials cache client principal.
 kvno uses the following environment variable:
 .INDENT 0.0
 .TP
-.B \fBKRB5CCNAME\fP
+\fBKRB5CCNAME\fP
 Location of the credentials (ticket) cache.
 .UNINDENT
 .SH FILES
@@ -100,7 +100,7 @@ Default location of the credentials cache
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIkinit(1)\fP, \fIkdestroy(1)\fP
+kinit(1), kdestroy(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/sclient.man b/src/man/sclient.man
index a5c7066..2f4fb6e 100644
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -36,12 +36,12 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .SH DESCRIPTION
 .sp
 sclient is a sample application, primarily useful for testing
-purposes.  It contacts a sample server \fIsserver(8)\fP and
+purposes.  It contacts a sample server sserver(8) and
 authenticates to it using Kerberos version 5 tickets, then displays
 the server\(aqs response.
 .SH SEE ALSO
 .sp
-\fIkinit(1)\fP, \fIsserver(8)\fP
+kinit(1), sserver(8)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
diff --git a/src/man/sserver.man b/src/man/sserver.man
index 350550f..f6f4562 100644
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -38,7 +38,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [ \fIserver_port\fP ]
 .SH DESCRIPTION
 .sp
-sserver and \fIsclient(1)\fP are a simple demonstration client/server
+sserver and sclient(1) are a simple demonstration client/server
 application.  When sclient connects to sserver, it performs a Kerberos
 authentication, and then sserver returns to sclient the Kerberos
 principal which was used for the Kerberos authentication.  It makes a
@@ -47,7 +47,7 @@ good test that Kerberos has been successfully installed on a machine.
 The service name used by sserver and sclient is sample.  Hence,
 sserver will require that there be a keytab entry for the service
 \fBsample/hostname.domain.name@REALM.NAME\fP\&.  This keytab is generated
-using the \fIkadmin(1)\fP program.  The keytab file is usually
+using the kadmin(1) program.  The keytab file is usually
 installed as \fB@KTNAME@\fP\&.
 .sp
 The \fB\-S\fP option allows for a different keytab than the default.
@@ -80,8 +80,8 @@ sample          13135/tcp
 .UNINDENT
 .sp
 When using sclient, you will first have to have an entry in the
-Kerberos database, by using \fIkadmin(1)\fP, and then you have to get
-Kerberos tickets, by using \fIkinit(1)\fP\&.  Also, if you are running
+Kerberos database, by using kadmin(1), and then you have to get
+Kerberos tickets, by using kinit(1)\&.  Also, if you are running
 the sclient program on a different host than the sserver it will be
 connecting to, be sure that both hosts have an entry in /etc/services
 for the sample tcp port, and that the same port number is in both
@@ -164,7 +164,7 @@ sclient: Server not found in Kerberos database while using
 .sp
 This means that the \fBsample/hostname@LOCAL.REALM\fP service was not
 defined in the Kerberos database; it should be created using
-\fIkadmin(1)\fP, and a keytab file needs to be generated to make
+kadmin(1), and a keytab file needs to be generated to make
 the key for that service principal available for sclient.
 .IP 5. 3
 sclient returns the error:
@@ -185,7 +185,7 @@ probably not installed in the proper directory.
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fIsclient(1)\fP, services(5), inetd(8)
+sclient(1), services(5), inetd(8)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT