1 files changed, 99 insertions, 99 deletions

diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index b240885..e7f1b46 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -135,7 +135,7 @@ module MODULEPATH:RESIDUAL
 \fIMODULEPATH\fP may be relative to the library path of the krb5
 installation, or it may be an absolute path.  \fIRESIDUAL\fP is provided
 to the module at initialization time.  If krb5.conf uses a module
-directive, \fIkdc.conf(5)\fP should also use one if it exists.
+directive, kdc.conf(5) should also use one if it exists.
 .SH SECTIONS
 .sp
 The krb5.conf file may contain the following sections:
@@ -182,15 +182,15 @@ _
 .TE
 .sp
 Additionally, krb5.conf may include any of the relations described in
-\fIkdc.conf(5)\fP, but it is not a recommended practice.
+kdc.conf(5), but it is not a recommended practice.
 .SS [libdefaults]
 .sp
 The libdefaults section may contain any of the following relations:
 .INDENT 0.0
 .TP
-.B \fBallow_weak_crypto\fP
+\fBallow_weak_crypto\fP
 If this flag is set to false, then weak encryption types (as noted
-in \fIEncryption_types\fP in \fIkdc.conf(5)\fP) will be filtered
+in Encryption_types in kdc.conf(5)) will be filtered
 out of the lists \fBdefault_tgs_enctypes\fP,
 \fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP\&.  The default
 value for this tag is false, which may cause authentication
@@ -198,7 +198,7 @@ failures in existing Kerberos infrastructures that do not support
 strong crypto.  Users in affected environments should set this tag
 to true until their infrastructure adopts stronger ciphers.
 .TP
-.B \fBap_req_checksum_type\fP
+\fBap_req_checksum_type\fP
 An integer which specifies the type of AP\-REQ checksum to use in
 authenticators.  This variable should be unset so the appropriate
 checksum for the encryption key in use will be used.  This can be
@@ -206,20 +206,20 @@ set if backward compatibility requires a specific checksum type.
 See the \fBkdc_req_checksum_type\fP configuration option for the
 possible values and their meanings.
 .TP
-.B \fBcanonicalize\fP
+\fBcanonicalize\fP
 If this flag is set to true, initial ticket requests to the KDC
 will request canonicalization of the client principal name, and
 answers with different client principals than the requested
 principal will be accepted.  The default value is false.
 .TP
-.B \fBccache_type\fP
+\fBccache_type\fP
 This parameter determines the format of credential cache types
-created by \fIkinit(1)\fP or other programs.  The default value
+created by kinit(1) or other programs.  The default value
 is 4, which represents the most current format.  Smaller values
 can be used for compatibility with very old implementations of
 Kerberos which interact with credential caches on the same host.
 .TP
-.B \fBclockskew\fP
+\fBclockskew\fP
 Sets the maximum allowable amount of clockskew in seconds that the
 library will tolerate before assuming that a Kerberos message is
 invalid.  The default value is 300 seconds, or five minutes.
@@ -230,34 +230,34 @@ their expiration time can still be used (and renewed if they are
 renewable tickets) if they have been expired for a shorter
 duration than the \fBclockskew\fP setting.
 .TP
-.B \fBdefault_ccache_name\fP
+\fBdefault_ccache_name\fP
 This relation specifies the name of the default credential cache.
 The default is \fB@CCNAME@\fP\&.  This relation is subject to parameter
 expansion (see below).  New in release 1.11.
 .TP
-.B \fBdefault_client_keytab_name\fP
+\fBdefault_client_keytab_name\fP
 This relation specifies the name of the default keytab for
 obtaining client credentials.  The default is \fB@CKTNAME@\fP\&.  This
 relation is subject to parameter expansion (see below).
 New in release 1.11.
 .TP
-.B \fBdefault_keytab_name\fP
+\fBdefault_keytab_name\fP
 This relation specifies the default keytab name to be used by
 application servers such as sshd.  The default is \fB@KTNAME@\fP\&.  This
 relation is subject to parameter expansion (see below).
 .TP
-.B \fBdefault_realm\fP
+\fBdefault_realm\fP
 Identifies the default Kerberos realm for the client.  Set its
 value to your Kerberos realm.  If this value is not set, then a
 realm must be specified with every Kerberos principal when
-invoking programs such as \fIkinit(1)\fP\&.
+invoking programs such as kinit(1)\&.
 .TP
-.B \fBdefault_tgs_enctypes\fP
+\fBdefault_tgs_enctypes\fP
 Identifies the supported list of session key encryption types that
 the client should request when making a TGS\-REQ, in order of
 preference from highest to lowest.  The list may be delimited with
-commas or whitespace.  See \fIEncryption_types\fP in
-\fIkdc.conf(5)\fP for a list of the accepted values for this tag.
+commas or whitespace.  See Encryption_types in
+kdc.conf(5) for a list of the accepted values for this tag.
 The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
 will be implicitly removed from this list if the value of
 \fBallow_weak_crypto\fP is false.
@@ -267,7 +267,7 @@ compatibility purposes; stale values of this setting can prevent
 clients from taking advantage of new stronger enctypes when the
 libraries are upgraded.
 .TP
-.B \fBdefault_tkt_enctypes\fP
+\fBdefault_tkt_enctypes\fP
 Identifies the supported list of session key encryption types that
 the client should request when making an AS\-REQ, in order of
 preference from highest to lowest.  The format is the same as for
@@ -281,14 +281,14 @@ compatibility purposes; stale values of this setting can prevent
 clients from taking advantage of new stronger enctypes when the
 libraries are upgraded.
 .TP
-.B \fBdns_canonicalize_hostname\fP
+\fBdns_canonicalize_hostname\fP
 Indicate whether name lookups will be used to canonicalize
 hostnames for use in service principal names.  Setting this flag
 to false can improve security by reducing reliance on DNS, but
 means that short hostnames will not be canonicalized to
 fully\-qualified hostnames.  The default value is true.
 .TP
-.B \fBdns_lookup_kdc\fP
+\fBdns_lookup_kdc\fP
 Indicate whether DNS SRV records should be used to locate the KDCs
 and other servers for a realm, if they are not listed in the
 krb5.conf information for the realm.  (Note that the admin_server
@@ -304,30 +304,30 @@ it (besides the initial ticket request, which has no encrypted
 data), and anything the fake KDC sends will not be trusted without
 verification using some secret that it won\(aqt know.
 .TP
-.B \fBdns_uri_lookup\fP
+\fBdns_uri_lookup\fP
 Indicate whether DNS URI records should be used to locate the KDCs
 and other servers for a realm, if they are not listed in the
 krb5.conf information for the realm.  SRV records are used as a
 fallback if no URI records were found.  The default value is true.
 New in release 1.15.
 .TP
-.B \fBerr_fmt\fP
+\fBerr_fmt\fP
 This relation allows for custom error message formatting.  If a
 value is set, error messages will be formatted by substituting a
 normal error message for %M and an error code for %C in the value.
 .TP
-.B \fBextra_addresses\fP
+\fBextra_addresses\fP
 This allows a computer to use multiple local addresses, in order
 to allow Kerberos to work in a network that uses NATs while still
 using address\-restricted tickets.  The addresses should be in a
 comma\-separated list.  This option has no effect if
 \fBnoaddresses\fP is true.
 .TP
-.B \fBforwardable\fP
+\fBforwardable\fP
 If this flag is true, initial tickets will be forwardable by
 default, if allowed by the KDC.  The default value is false.
 .TP
-.B \fBignore_acceptor_hostname\fP
+\fBignore_acceptor_hostname\fP
 When accepting GSSAPI or krb5 security contexts for host\-based
 service principals, ignore any hostname passed by the calling
 application, and allow clients to authenticate to any service
@@ -337,15 +337,15 @@ flexibility of server applications on multihomed hosts, but could
 compromise the security of virtual hosting environments.  The
 default value is false.  New in release 1.10.
 .TP
-.B \fBk5login_authoritative\fP
+\fBk5login_authoritative\fP
 If this flag is true, principals must be listed in a local user\(aqs
-k5login file to be granted login access, if a \fI\&.k5login(5)\fP
+k5login file to be granted login access, if a \&.k5login(5)
 file exists.  If this flag is false, a principal may still be
 granted login access through other mechanisms even if a k5login
 file exists but does not list the principal.  The default value is
 true.
 .TP
-.B \fBk5login_directory\fP
+\fBk5login_directory\fP
 If set, the library will look for a local user\(aqs k5login file
 within the named directory, with a filename corresponding to the
 local username.  If not set, the library will look for k5login
@@ -353,25 +353,25 @@ files in the user\(aqs home directory, with the filename .k5login.
 For security reasons, .k5login files must be owned by
 the local user or by root.
 .TP
-.B \fBkcm_mach_service\fP
+\fBkcm_mach_service\fP
 On OS X only, determines the name of the bootstrap service used to
 contact the KCM daemon for the KCM credential cache type.  If the
 value is \fB\-\fP, Mach RPC will not be used to contact the KCM
 daemon.  The default value is \fBorg.h5l.kcm\fP\&.
 .TP
-.B \fBkcm_socket\fP
+\fBkcm_socket\fP
 Determines the path to the Unix domain socket used to access the
 KCM daemon for the KCM credential cache type.  If the value is
 \fB\-\fP, Unix domain sockets will not be used to contact the KCM
 daemon.  The default value is
 \fB/var/run/.heim_org.h5l.kcm\-socket\fP\&.
 .TP
-.B \fBkdc_default_options\fP
+\fBkdc_default_options\fP
 Default KDC options (Xored for multiple values) when requesting
 initial tickets.  By default it is set to 0x00000010
 (KDC_OPT_RENEWABLE_OK).
 .TP
-.B \fBkdc_timesync\fP
+\fBkdc_timesync\fP
 Accepted values for this relation are 1 or 0.  If it is nonzero,
 client machines will compute the difference between their time and
 the time returned by the KDC in the timestamps in the tickets and
@@ -380,7 +380,7 @@ requesting service tickets or authenticating to services.  This
 corrective factor is only used by the Kerberos library; it is not
 used to change the system clock.  The default value is 1.
 .TP
-.B \fBkdc_req_checksum_type\fP
+\fBkdc_req_checksum_type\fP
 An integer which specifies the type of checksum to use for the KDC
 requests, for compatibility with very old KDC implementations.
 This value is only used for DES keys; other keys use the preferred
@@ -447,40 +447,40 @@ T}
 _
 .TE
 .TP
-.B \fBnoaddresses\fP
+\fBnoaddresses\fP
 If this flag is true, requests for initial tickets will not be
 made with address restrictions set, allowing the tickets to be
 used across NATs.  The default value is true.
 .TP
-.B \fBpermitted_enctypes\fP
+\fBpermitted_enctypes\fP
 Identifies all encryption types that are permitted for use in
 session key encryption.  The default value for this tag is
 \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
 removed from this list if the value of \fBallow_weak_crypto\fP is
 false.
 .TP
-.B \fBplugin_base_dir\fP
+\fBplugin_base_dir\fP
 If set, determines the base directory where krb5 plugins are
 located.  The default value is the \fBkrb5/plugins\fP subdirectory
 of the krb5 library directory.
 .TP
-.B \fBpreferred_preauth_types\fP
+\fBpreferred_preauth_types\fP
 This allows you to set the preferred preauthentication types which
 the client will attempt before others which may be advertised by a
 KDC.  The default value for this setting is "17, 16, 15, 14",
 which forces libkrb5 to attempt to use PKINIT if it is supported.
 .TP
-.B \fBproxiable\fP
+\fBproxiable\fP
 If this flag is true, initial tickets will be proxiable by
 default, if allowed by the KDC.  The default value is false.
 .TP
-.B \fBrdns\fP
+\fBrdns\fP
 If this flag is true, reverse name lookup will be used in addition
 to forward name lookup to canonicalizing hostnames for use in
 service principal names.  If \fBdns_canonicalize_hostname\fP is set
 to false, this flag has no effect.  The default value is true.
 .TP
-.B \fBrealm_try_domains\fP
+\fBrealm_try_domains\fP
 Indicate whether a host\(aqs domain components should be used to
 determine the Kerberos realm of the host.  The value of this
 variable is an integer: \-1 means not to search, 0 means to try the
@@ -490,11 +490,11 @@ Kerberos realms is used to determine whether a domain is a valid
 realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is
 set.  The default is not to search domain components.
 .TP
-.B \fBrenew_lifetime\fP
-(\fIduration\fP string.)  Sets the default renewable lifetime
+\fBrenew_lifetime\fP
+(duration string.)  Sets the default renewable lifetime
 for initial ticket requests.  The default value is 0.
 .TP
-.B \fBsafe_checksum_type\fP
+\fBsafe_checksum_type\fP
 An integer which specifies the type of checksum to use for the
 KRB\-SAFE requests.  By default it is set to 8 (RSA MD5 DES).  For
 compatibility with applications linked against DCE version 1.1 or
@@ -503,11 +503,11 @@ DES instead.  This field is ignored when its value is incompatible
 with the session key type.  See the \fBkdc_req_checksum_type\fP
 configuration option for the possible values and their meanings.
 .TP
-.B \fBticket_lifetime\fP
-(\fIduration\fP string.)  Sets the default lifetime for initial
+\fBticket_lifetime\fP
+(duration string.)  Sets the default lifetime for initial
 ticket requests.  The default value is 1 day.
 .TP
-.B \fBudp_preference_limit\fP
+\fBudp_preference_limit\fP
 When sending a message to the KDC, the library will try using TCP
 before UDP if the size of the message is above
 \fBudp_preference_limit\fP\&.  If the message is smaller than
@@ -515,7 +515,7 @@ before UDP if the size of the message is above
 Regardless of the size, both protocols will be tried if the first
 attempt fails.
 .TP
-.B \fBverify_ap_req_nofail\fP
+\fBverify_ap_req_nofail\fP
 If this flag is true, then an attempt to verify initial
 credentials will fail if the client machine does not have a
 keytab.  The default value is false.
@@ -528,20 +528,20 @@ define the properties of that particular realm.  For each realm, the
 following tags may be specified in the realm\(aqs subsection:
 .INDENT 0.0
 .TP
-.B \fBadmin_server\fP
+\fBadmin_server\fP
 Identifies the host where the administration server is running.
 Typically, this is the master Kerberos server.  This tag must be
-given a value in order to communicate with the \fIkadmind(8)\fP
+given a value in order to communicate with the kadmind(8)
 server for the realm.
 .TP
-.B \fBauth_to_local\fP
+\fBauth_to_local\fP
 This tag allows you to set a general rule for mapping principal
 names to local user names.  It will be used if there is not an
 explicit mapping for the principal name that is being
 translated. The possible values are:
 .INDENT 7.0
 .TP
-.B \fBRULE:\fP\fIexp\fP
+\fBRULE:\fP\fIexp\fP
 The local name will be formulated from \fIexp\fP\&.
 .sp
 The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP\&.
@@ -557,7 +557,7 @@ string.  The optional \fBg\fP will cause the substitution to be
 global over the \fIstring\fP, instead of replacing only the first
 match in the \fIstring\fP\&.
 .TP
-.B \fBDEFAULT\fP
+\fBDEFAULT\fP
 The principal name will be used as the local user name.  If
 the principal has more than one component or is not in the
 default realm, this rule is not applicable and the conversion
@@ -590,18 +590,18 @@ principal with a second component of \fBroot\fP\&.  The exception to
 these two rules are any principals \fBjohndoe/*\fP, which will
 always get the local name \fBguest\fP\&.
 .TP
-.B \fBauth_to_local_names\fP
+\fBauth_to_local_names\fP
 This subsection allows you to set explicit mappings from principal
 names to local user names.  The tag is the mapping name, and the
 value is the corresponding local user name.
 .TP
-.B \fBdefault_domain\fP
+\fBdefault_domain\fP
 This tag specifies the domain used to expand hostnames when
 translating Kerberos 4 service principals to Kerberos 5 principals
 (for example, when converting \fBrcmd.hostname\fP to
 \fBhost/hostname.domain\fP).
 .TP
-.B \fBhttp_anchors\fP
+\fBhttp_anchors\fP
 When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
 can be used to specify the location of the CA certificate which should be
 trusted to issue the certificate for a proxy server.  If left unspecified,
@@ -627,7 +627,7 @@ to a value conforming to one of the previous values.  For example,
 \fBENV:X509_PROXY_CA\fP, where environment variable \fBX509_PROXY_CA\fP has
 been set to \fBFILE:/tmp/my_proxy.pem\fP\&.
 .TP
-.B \fBkdc\fP
+\fBkdc\fP
 The name or address of a host running a KDC for that realm.  An
 optional port number, separated from the hostname by a colon, may
 be included.  If the name or address contains colons (for example,
@@ -637,12 +637,12 @@ be able to communicate with the KDC for each realm, this tag must
 be given a value in each realm subsection in the configuration
 file, or there must be DNS SRV records specifying the KDCs.
 .TP
-.B \fBkpasswd_server\fP
+\fBkpasswd_server\fP
 Points to the server where all the password changes are performed.
 If there is no such entry, the port 464 on the \fBadmin_server\fP
 host will be tried.
 .TP
-.B \fBmaster_kdc\fP
+\fBmaster_kdc\fP
 Identifies the master KDC(s).  Currently, this tag is used in only
 one case: If an attempt to get credentials fails because of an
 invalid password, the client software will attempt to contact the
@@ -650,14 +650,14 @@ master KDC, in case the user\(aqs password has just been changed, and
 the updated database has not been propagated to the slave servers
 yet.
 .TP
-.B \fBv4_instance_convert\fP
+\fBv4_instance_convert\fP
 This subsection allows the administrator to configure exceptions
 to the \fBdefault_domain\fP mapping rule.  It contains V4 instances
 (the tag name) which should be translated to some specific
 hostname (the tag value) as the second component in a Kerberos V5
 principal name.
 .TP
-.B \fBv4_realm\fP
+\fBv4_realm\fP
 This relation is used by the krb524 library routines when
 converting a V5 principal name to a V4 principal name.  It is used
 when the V4 realm name and the V5 realm name are not the same, but
@@ -867,17 +867,17 @@ Each pluggable interface corresponds to a subsection of [plugins].
 All subsections support the same tags:
 .INDENT 0.0
 .TP
-.B \fBdisable\fP
+\fBdisable\fP
 This tag may have multiple values. If there are values for this
 tag, then the named modules will be disabled for the pluggable
 interface.
 .TP
-.B \fBenable_only\fP
+\fBenable_only\fP
 This tag may have multiple values. If there are values for this
 tag, then only the named modules will be enabled for the pluggable
 interface.
 .TP
-.B \fBmodule\fP
+\fBmodule\fP
 This tag may have multiple values.  Each value is a string of the
 form \fBmodulename:pathname\fP, which causes the shared object
 located at \fIpathname\fP to be registered as a dynamic module named
@@ -902,11 +902,11 @@ dynamic modules, the following built\-in modules exist (and may be
 disabled with the disable tag):
 .INDENT 0.0
 .TP
-.B \fBk5identity\fP
+\fBk5identity\fP
 Uses a .k5identity file in the user\(aqs home directory to select a
 client principal
 .TP
-.B \fBrealm\fP
+\fBrealm\fP
 Uses the service realm to guess an appropriate cache from the
 collection
 .UNINDENT
@@ -917,17 +917,17 @@ interface, which is used to reject weak passwords when passwords are
 changed.  The following built\-in modules exist for this interface:
 .INDENT 0.0
 .TP
-.B \fBdict\fP
+\fBdict\fP
 Checks against the realm dictionary file
 .TP
-.B \fBempty\fP
+\fBempty\fP
 Rejects empty passwords
 .TP
-.B \fBhesiod\fP
+\fBhesiod\fP
 Checks against user information stored in Hesiod (only if Kerberos
 was built with Hesiod support)
 .TP
-.B \fBprinc\fP
+\fBprinc\fP
 Checks against components of the principal name
 .UNINDENT
 .SS kadm5_hook interface
@@ -944,13 +944,13 @@ provide client and KDC preauthentication mechanisms.  The following
 built\-in modules exist for these interfaces:
 .INDENT 0.0
 .TP
-.B \fBpkinit\fP
+\fBpkinit\fP
 This module implements the PKINIT preauthentication mechanism.
 .TP
-.B \fBencrypted_challenge\fP
+\fBencrypted_challenge\fP
 This module implements the encrypted challenge FAST factor.
 .TP
-.B \fBencrypted_timestamp\fP
+\fBencrypted_timestamp\fP
 This module implements the encrypted timestamp mechanism.
 .UNINDENT
 .SS hostrealm interface
@@ -961,17 +961,17 @@ hostnames to realm names and the choice of default realm.  The following
 built\-in modules exist for this interface:
 .INDENT 0.0
 .TP
-.B \fBprofile\fP
+\fBprofile\fP
 This module consults the [domain_realm] section of the profile for
 authoritative host\-to\-realm mappings, and the \fBdefault_realm\fP
 variable for the default realm.
 .TP
-.B \fBdns\fP
+\fBdns\fP
 This module looks for DNS records for fallback host\-to\-realm
 mappings and the default realm.  It only operates if the
 \fBdns_lookup_realm\fP variable is set to true.
 .TP
-.B \fBdomain\fP
+\fBdomain\fP
 This module applies heuristics for fallback host\-to\-realm
 mappings.  It implements the \fBrealm_try_domains\fP variable, and
 uses the uppercased parent domain of the hostname if that does not
@@ -985,28 +985,28 @@ between Kerberos principals and local system accounts.  The following
 built\-in modules exist for this interface:
 .INDENT 0.0
 .TP
-.B \fBdefault\fP
+\fBdefault\fP
 This module implements the \fBDEFAULT\fP type for \fBauth_to_local\fP
 values.
 .TP
-.B \fBrule\fP
+\fBrule\fP
 This module implements the \fBRULE\fP type for \fBauth_to_local\fP
 values.
 .TP
-.B \fBnames\fP
+\fBnames\fP
 This module looks for an \fBauth_to_local_names\fP mapping for the
 principal name.
 .TP
-.B \fBauth_to_local\fP
+\fBauth_to_local\fP
 This module processes \fBauth_to_local\fP values in the default
 realm\(aqs section, and applies the default method if no
 \fBauth_to_local\fP values exist.
 .TP
-.B \fBk5login\fP
+\fBk5login\fP
 This module authorizes a principal to a local account according to
-the account\(aqs \fI\&.k5login(5)\fP file.
+the account\(aqs \&.k5login(5) file.
 .TP
-.B \fBan2ln\fP
+\fBan2ln\fP
 This module authorizes a principal to a local account if the
 principal name maps to the local account name.
 .UNINDENT
@@ -1074,7 +1074,7 @@ The syntax for specifying Public Key identity, trust, and revocation
 information for PKINIT is as follows:
 .INDENT 0.0
 .TP
-.B \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP]
+\fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP]
 This option has context\-specific behavior.
 .sp
 In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP
@@ -1086,7 +1086,7 @@ private key is expected to be in \fIfilename\fP as well.  Otherwise,
 In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to
 be the name of an OpenSSL\-style ca\-bundle file.
 .TP
-.B \fBDIR:\fP\fIdirname\fP
+\fBDIR:\fP\fIdirname\fP
 This option has context\-specific behavior.
 .sp
 In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP
@@ -1109,11 +1109,11 @@ named \fBhash\-of\-ca\-cert.r#\fP\&.  This infrastructure is encouraged,
 but all files in the directory will be examined and if they
 contain a revocation list (in PEM format), they will be used.
 .TP
-.B \fBPKCS12:\fP\fIfilename\fP
+\fBPKCS12:\fP\fIfilename\fP
 \fIfilename\fP is the name of a PKCS #12 format file, containing the
 user\(aqs certificate and private key.
 .TP
-.B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
+\fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
 All keyword/values are optional.  \fImodname\fP specifies the location
 of a library implementing PKCS #11.  If a value is encountered
 with no keyword, it is assumed to be the \fImodname\fP\&.  If no
@@ -1125,7 +1125,7 @@ force the selection of a particular certificate on the device.
 See the \fBpkinit_cert_match\fP configuration option for more ways
 to select a particular certificate to use for PKINIT.
 .TP
-.B \fBENV:\fP\fIenvvar\fP
+\fBENV:\fP\fIenvvar\fP
 \fIenvvar\fP specifies the name of an environment variable which has
 been set to a value conforming to one of the previous values.  For
 example, \fBENV:X509_PROXY\fP, where environment variable
@@ -1134,13 +1134,13 @@ example, \fBENV:X509_PROXY\fP, where environment variable
 .SS PKINIT krb5.conf options
 .INDENT 0.0
 .TP
-.B \fBpkinit_anchors\fP
+\fBpkinit_anchors\fP
 Specifies the location of trusted anchor (root) certificates which
 the client trusts to sign KDC certificates.  This option may be
 specified multiple times.  These values from the config file are
 not used if the user specifies X509_anchors on the command line.
 .TP
-.B \fBpkinit_cert_match\fP
+\fBpkinit_cert_match\fP
 Specifies matching rules that the client certificate must match
 before it is used to attempt PKINIT authentication.  If a user has
 multiple certificates available (on a smart card, or via other
@@ -1225,7 +1225,7 @@ pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
 .UNINDENT
 .UNINDENT
 .TP
-.B \fBpkinit_eku_checking\fP
+\fBpkinit_eku_checking\fP
 This option specifies what Extended Key Usage value the KDC
 certificate presented to the client must contain.  (Note that if
 the KDC certificate has the pkinit SubjectAlternativeName encoded
@@ -1234,27 +1234,27 @@ issuing CA has certified this as a KDC certificate.)  The values
 recognized in the krb5.conf file are:
 .INDENT 7.0
 .TP
-.B \fBkpKDC\fP
+\fBkpKDC\fP
 This is the default value and specifies that the KDC must have
 the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP\&.
 .TP
-.B \fBkpServerAuth\fP
+\fBkpServerAuth\fP
 If \fBkpServerAuth\fP is specified, a KDC certificate with the
 id\-kp\-serverAuth EKU will be accepted.  This key usage value
 is used in most commercially issued server certificates.
 .TP
-.B \fBnone\fP
+\fBnone\fP
 If \fBnone\fP is specified, then the KDC certificate will not be
 checked to verify it has an acceptable EKU.  The use of this
 option is not recommended.
 .UNINDENT
 .TP
-.B \fBpkinit_dh_min_bits\fP
+\fBpkinit_dh_min_bits\fP
 Specifies the size of the Diffie\-Hellman key the client will
 attempt to use.  The acceptable values are 1024, 2048, and 4096.
 The default is 2048.
 .TP
-.B \fBpkinit_identities\fP
+\fBpkinit_identities\fP
 Specifies the location(s) to be used to find the user\(aqs X.509
 identity information.  This option may be specified multiple
 times.  Each value is attempted in order until identity
@@ -1262,7 +1262,7 @@ information is found and authentication is attempted.  Note that
 these values are not used if the user specifies
 \fBX509_user_identity\fP on the command line.
 .TP
-.B \fBpkinit_kdc_hostname\fP
+\fBpkinit_kdc_hostname\fP
 The presense of this option indicates that the client is willing
 to accept a KDC certificate with a dNSName SAN (Subject
 Alternative Name) rather than requiring the id\-pkinit\-san as
@@ -1270,13 +1270,13 @@ defined in \fI\%RFC 4556\fP\&.  This option may be specified multiple
 times.  Its value should contain the acceptable hostname for the
 KDC (as contained in its certificate).
 .TP
-.B \fBpkinit_pool\fP
+\fBpkinit_pool\fP
 Specifies the location of intermediate certificates which may be
 used by the client to complete the trust chain between a KDC
 certificate and a trusted anchor.  This option may be specified
 multiple times.
 .TP
-.B \fBpkinit_require_crl_checking\fP
+\fBpkinit_require_crl_checking\fP
 The default certificate verification process will always check the
 available revocation information to see if a certificate has been
 revoked.  If a match is found for the certificate in a CRL,
@@ -1292,7 +1292,7 @@ fails.
 \fBpkinit_require_crl_checking\fP should be set to true if the
 policy is such that up\-to\-date CRLs must be present for every CA.
 .TP
-.B \fBpkinit_revoke\fP
+\fBpkinit_revoke\fP
 Specifies the location of Certificate Revocation List (CRL)
 information to be used by the client when verifying the validity
 of the KDC certificate presented.  This option may be specified