=== src/appl/bsd/klogind.M
==================================================================
--- src/appl/bsd/klogind.M	(revision 2260)
+++ src/appl/bsd/klogind.M	(local)
@@ -27,7 +27,7 @@
 the port indicated in /etc/inetd.conf.  A typical /etc/inetd.conf
 configuration line for \fIklogind\fP might be:
 
-klogin stream tcp nowait root /usr/sbin/klogind klogind -e5c
+klogin stream tcp nowait root /usr/sbin/klogind klogind \-e5c
 
 When a service request is received, the following protocol is initiated:
 
@@ -74,7 +74,7 @@
 
 .IP \fB\-P\fP
 Prompt the user for a password.
-If the -P option is passed, then the password is verified in addition
+If the \-P option is passed, then the password is verified in addition
 to all other checks.
 
 .IP \fB\-e\fP
@@ -107,8 +107,8 @@
 ignore authenticator checksusm presented by current Kerberos clients
 to protect initial connection information; it is the opposite of
 \fB-c\fP.  This option is provided because some older
-clients--particularly clients predating the release of Kerberos V5
-Beta5 (May 1995)--present bogus checksums that prevent Kerberos
+clients -- particularly clients predating the release of Kerberos V5
+Beta5 (May 1995) -- present bogus checksums that prevent Kerberos
 authentication from succeeding in the default mode.
 
 .PP
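Review bot: the context line `\fB-c\fP.  This option is provided because some older` just above the changed lines still carries an unescaped option hyphen, so this paragraph ends up half converted; change it to `\fB\-c\fP` in the same hunk. The replacement ` -- ` will still print as two hyphens; if a dash is intended, `\(em` is the roff spelling. The first context line also has the typo "checksusm", worth fixing while the paragraph is being edited.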
=== src/appl/bsd/kshd.M
==================================================================
--- src/appl/bsd/kshd.M	(revision 2260)
+++ src/appl/bsd/kshd.M	(local)
@@ -30,7 +30,7 @@
 on the port indicated in /etc/inetd.conf.  A typical /etc/inetd.conf
 configuration line for \fIkrshd\fP might be:
 
-kshell	stream	tcp	nowait	root	/usr/sbin/kshd	kshd -5c
+kshell	stream	tcp	nowait	root	/usr/sbin/kshd	kshd \-5c
 
 When a service request is received, the following protocol is initiated:
 
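Review bot: the context line introducing the example names the daemon `\fIkrshd\fP`, but the inetd.conf line changed here runs `/usr/sbin/kshd kshd`. Since the example line is being edited anyway, make the name in the sentence match the binary so an administrator copying the entry is not left guessing which name is installed.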
@@ -107,8 +107,8 @@
 ignore authenticator checksusm presented by current Kerberos clients
 to protect initial connection information; it is the opposite of
 \fB-c\fP.  This option is provided because some older
-clients--particularly clients predating the release of Kerberos V5
-Beta5 (May 1995)--present bogus checksums that prevent Kerberos
+clients -- particularly clients predating the release of Kerberos V5
+Beta5 (May 1995) -- present bogus checksums that prevent Kerberos
 authentication from succeeding in the default mode.
 
 
=== src/appl/gssftp/ftp/ftp.M
==================================================================
--- src/appl/gssftp/ftp/ftp.M	(revision 2260)
+++ src/appl/gssftp/ftp/ftp.M	(local)
@@ -951,7 +951,7 @@
 .IR popen (3)
 with the argument supplied, and reads from (writes to) stdout (stdin).
 If the shell command includes spaces, the argument must be quoted; e.g.
-``" ls -lt"''.  A particularly useful example of this mechanism is:
+``" ls \-lt"''.  A particularly useful example of this mechanism is:
 ``dir more''.
 .TP
 3.
=== src/appl/gssftp/ftpd/ftpd.M
==================================================================
--- src/appl/gssftp/ftpd/ftpd.M	(revision 2260)
+++ src/appl/gssftp/ftpd/ftpd.M	(local)
@@ -36,7 +36,7 @@
 ftpd \- DARPA Internet File Transfer Protocol server
 .SH SYNOPSIS
 .B ftpd
-[\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB-E\fP]
+[\fB\-A \fP|\fB\-a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB\-E\fP]
 [\fB\-l\fP] [\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP]
 [\fB\-p\fP \fIport\fP] [\fB\-U\fP \fIftpusers-file\fP] [\fB\-u\fP \fIumask\fP]
 [\fB\-r\fP \fIrealm-file\fP] [\fB\-s\fP \fIsrvtab\fP]
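Review bot: in the changed SYNOPSIS line the stray space before `\-a` is removed, but `\fB\-A \fP` still has a space inside the bold span, so the two alternatives are set differently. Suggest `[\fB\-A\fP | \fB\-a\fP]` or, at minimum, moving the space outside the font change.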
@@ -75,7 +75,7 @@
 less secure connections, and should probably only be used when debugging.
 .TP
 .B \-d
-Debugging information is written to the syslog.  (Identical to -v)
+Debugging information is written to the syslog.  (Identical to \-v)
 .TP
 .B \-E
 Don't allow passwords to be typed across unencrypted connections.
@@ -90,7 +90,7 @@
 syslog as well.
 .TP
 .B \-v
-Debugging information is written to the syslog.  (Identical to -d)
+Debugging information is written to the syslog.  (Identical to \-d)
 .TP
 \fB\-T\fP \fImaxtimeout\fP
 A client may request a maximum timeout period allowed set to
@@ -203,7 +203,7 @@
 .sp -1
 .TP
 LIST
-give list files in a directory (``ls -lgA'')
+give list files in a directory (``ls \-lgA'')
 .sp -1
 .TP
 MIC
=== src/clients/kinit/kinit.M
==================================================================
--- src/clients/kinit/kinit.M	(revision 2260)
+++ src/clients/kinit/kinit.M	(local)
@@ -87,7 +87,7 @@
 .in -.3i
 .fi
 .sp
-as in "kinit -l 90m".  You cannot mix units; a value of `3h30m' will
+as in "kinit \-l 90m".  You cannot mix units; a value of `3h30m' will
 result in an error.
 .sp
 If the
=== src/clients/ksu/ksu.M
==================================================================
--- src/clients/ksu/ksu.M	(revision 2260)
+++ src/clients/ksu/ksu.M	(local)
@@ -175,28 +175,28 @@
 .PP
 Ksu can be used to create a new security context for the
 target program (either the target
-shell, or command specified via the -e option).
+shell, or command specified via the \-e option).
 The target program inherits a set
 of credentials from the source user.
 By default, this set includes all of the credentials
 in the source cache plus any
 additional credentials obtained during authentication.
 The source user is able to limit the credentials in this set
-by using -z or -Z option.
--z restricts the copy of tickets from the source cache
+by using \-z or \-Z option.
+\-z restricts the copy of tickets from the source cache
 to the target cache to only the tickets where client ==
-the target principal name.  The -Z option
+the target principal name.  The \-Z option
 provides the target user with a fresh target cache
 (no creds in the cache). Note that for security reasons,
 when the source user is root and target user is non-root,
--z option is the default mode of operation. 
+\-z option is the default mode of operation. 
 
 While no authentication takes place if the source user
 is root or is the same as the target user, additional
 tickets can still be obtained for the target cache.
-If -n is specified and no credentials can be copied to the target
+If \-n is specified and no credentials can be copied to the target
 cache,  the  source user is prompted for a Kerberos password
-(unless -Z specified or GET_TGT_VIA_PASSWD is undefined). If
+(unless \-Z specified or GET_TGT_VIA_PASSWD is undefined). If
 successful,  a  TGT is obtained from the Kerberos server and
 stored in the target cache.  Otherwise,
 if a password is not provided (user hit return)
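Review bot: the added line `\-z option is the default mode of operation. ` keeps the trailing blank from the line it replaces; strip it while the line is being rewritten. The inline options in this paragraph (`\-z`, `\-Z`, `\-n`, `\-e`) are now escaped but remain in roman, whereas the OPTIONS entries later in this file use `.B \-z`; using `\fB\-z\fP` here would keep the credential-copying defaults easy to spot.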
@@ -301,7 +301,7 @@
 \fB\-D
 turn on debug mode.
 .TP 10
-\fITicket granting ticket options: -l lifetime -r time -pf\fP
+\fITicket granting ticket options: \-l lifetime \-r time \-pf\fP
 The ticket granting ticket options only apply to the
 case where there are no appropriate tickets in
 the cache to authenticate the source user. In this case
@@ -341,7 +341,7 @@
 principal. Note that the
 .B \-z 
 option is mutually
-exclusive with the -Z option.
+exclusive with the \-Z option.
 .TP 10
 \fB\-Z
 Don't copy any tickets from the source cache to the
@@ -350,7 +350,7 @@
 initialized to the target principal name.  Note that
 .B \-Z
 option is mutually
-exclusive with the -z option.
+exclusive with the \-z option.
 .TP 10
 \fB\-q
 suppress the printing of status messages.
@@ -365,7 +365,7 @@
 ls
 .B \-lag).
 
-\fIThe authorization algorithm for -e is as follows:\fP
+\fIThe authorization algorithm for \-e is as follows:\fP
 
 If the source user is root or source user == target user,
 no authorization takes place and             
@@ -418,7 +418,7 @@
 .TP 10
 \fB\-a \fIargs
 specify arguments to be passed to the target shell.
-Note: that all flags and parameters following -a
+Note: that all flags and parameters following \-a
 will be passed to the shell, thus all options
 intended for ksu must precede
 .B \-a.
@@ -449,7 +449,7 @@
 during the resolution of the default principal name,
 PRINC_LOOK_AHEAD enables ksu to find principal names          
 in the .k5users file as described in the OPTIONS section
-(see -n option).      
+(see \-n option).      
 .TP 10
 \fICMD_PATH\fP
 specifies a list of directories containing programs
@@ -463,8 +463,8 @@
 shell is obtained from the passwd file.
 .TP 10
 SAMPLE CONFIGURATION:
-KSU_OPTS = -DGET_TGT_VIA_PASSWD 
--DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin"
+KSU_OPTS = \-DGET_TGT_VIA_PASSWD 
+\-DPRINC_LOOK_AHEAD \-DCMD_PATH='"/bin /usr/ucb /local/bin"
 .TP 10
 PERMISSIONS FOR KSU
 ksu should be owned by root and have the set user id  bit turned on.   
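Review bot: the sample `\-DCMD_PATH='"/bin /usr/ucb /local/bin"` on the second added line opens a single quote that is never closed; the defect is carried over from the removed line. As written the value is unbalanced if pasted as shell text, so add the closing `'` after the final double quote while these two lines are being touched.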
=== src/config-files/krb5.conf.M
==================================================================
--- src/config-files/krb5.conf.M	(revision 2260)
+++ src/config-files/krb5.conf.M	(local)
@@ -438,7 +438,7 @@
 In the following example, the logging messages from the KDC will go to
 the console and to the system log under the facility LOG_DAEMON with
 default severity of LOG_INFO; and the logging messages from the
-administrative server will be appended to the file /var/adm/kadmin.log
+administrative server will be appended to the file /var/log/kadmin.log
 and sent to the device /dev/tty04.
 .sp
 .nf
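Review bot: changing `/var/adm/kadmin.log` to `/var/log/kadmin.log` is a content change, unlike the hyphen escaping in the rest of this patch, and nothing in the diff explains it. Split it into its own commit or state the reason in the log message, and keep the prose here and the `admin_server = FILE:` line in the example hunk that follows in step, as this patch does.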
@@ -446,7 +446,7 @@
 [logging]
 	kdc = CONSOLE
 	kdc = SYSLOG:INFO:DAEMON
-	admin_server = FILE:/var/adm/kadmin.log
+	admin_server = FILE:/var/log/kadmin.log
 	admin_server = DEVICE=/dev/tty04
 .in -1i
 .fi
=== src/kadmin/cli/kadmin.M
==================================================================
--- src/kadmin/cli/kadmin.M	(revision 2260)
+++ src/kadmin/cli/kadmin.M	(local)
@@ -212,7 +212,7 @@
 .TP
 \fB\-policy\fP \fIpolicy\fP
 policy used by this principal.  If no policy is supplied, then if the
-policy "default" exists and the -clearpolicy is not also specified,
+policy "default" exists and the \-clearpolicy is not also specified,
 then the policy "default" is used; otherwise, the principal 
 will have no policy, and a warning message will be printed.
 .TP
@@ -509,7 +509,7 @@
 Key: vno 1, DES cbc mode with CRC-32, Version 4
 Attributes:
 Policy: [none]
-kadmin: getprinc -terse systest
+kadmin: getprinc \-terse systest
 systest@BLEEP.COM	3	86400	604800	1
 785926535	753241234	785900000
 tlyu/admin@BLEEP.COM	786100034	0	0
@@ -639,7 +639,7 @@
 Minimum number of password character classes: 2
 Number of old keys kept: 5
 Reference count: 17
-kadmin: get_policy -terse admin
+kadmin: get_policy \-terse admin
 admin	15552000	0	6	2	5	17
 kadmin:
 .TP
@@ -712,7 +712,7 @@
 .RS
 .TP
 EXAMPLE:
-kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
+kadmin: ktadd \-k /tmp/foo-new-keytab host/foo.mit.edu
 Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
 	kvno 3, encryption type DES-CBC-CRC added to keytab
 	WRFILE:/tmp/foo-new-keytab
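Review bot: only the option hyphen in `ktadd \-k` is escaped; the hyphens in `/tmp/foo-new-keytab` on the same added line, and in the `WRFILE:/tmp/foo-new-keytab` context line, are still plain `-`. These are literal strings a reader may copy, and the krb5-config.M part of this patch does escape name hyphens (`\-\-exec\-prefix`, `krb5\-config`), so pick one rule for literal command text and apply it here too.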
@@ -739,7 +739,7 @@
 .RS
 .TP
 EXAMPLE:
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
+kadmin: ktremove \-k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
 Entry for principal kadmin/admin with kvno 3 removed
 	from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
 kadmin:
=== src/kadmin/server/kadmind.M
==================================================================
--- src/kadmin/server/kadmind.M	(revision 2260)
+++ src/kadmin/server/kadmind.M	(local)
@@ -66,7 +66,7 @@
 specifies that the master database password should be fetched from the
 keyboard rather than from a file on disk.  Note that the server gets the
 password prior to putting itself in the background; in combination with
-the -nofork option, you must place it in the background by hand.
+the \-nofork option, you must place it in the background by hand.
 .TP
 .B \-nofork
 specifies that the server does not put itself in the background and does
=== src/kdc/fakeka.M
==================================================================
--- src/kdc/fakeka.M	(revision 2260)
+++ src/kdc/fakeka.M	(local)
@@ -102,7 +102,7 @@
 Handle requests for a local cell whose name matches the local realm,
 accepting forwarded queries from afs1.example.com and afs2.example.com:
 .IP "" 4
-fakeka -m -f afs1.example.com -f afs2.example.com
+fakeka \-m \-f afs1.example.com \-f afs2.example.com
 .PP
 If the cell name doesn't match the realm name,
 .B \-c
=== src/krb5-config.M
==================================================================
--- src/krb5-config.M	(revision 2260)
+++ src/krb5-config.M	(local)
@@ -26,37 +26,38 @@
 krb5-config \- tool for linking against MIT Kerberos libraries
 .SH SYNOPSIS
 .B krb5-config
-[ \fB--help\fP | \fB--all\fP | \fB--version\fP | \fB--vendor\fP | \fB--prefix\fP | 
-\fB--exec-prefix\fP | \fB--cflags\fP | \fB--libs\fP libraries ]
+[ \fB\-\-help\fP | \fB\-\-all\fP | \fB\-\-version\fP | \fB\-\-vendor\fP
+| \fB\-\-prefix\fP | \fB\-\-exec\-prefix\fP | \fB\-\-cflags\fP
+| \fB\-\-libs\fP libraries ]
 .br
 .SH DESCRIPTION
-.I krb5-config
+.I krb5\-config
 tells the application programmer what special flags to use to compile
 and link programs against the installed Kerberos libraries.
 .SH OPTIONS
 .TP
-\fB\--help\fP
+\fB\-\-help\fP
 print usage message.  This is the default.
 .TP
-\fB\--all\fP
+\fB\-\-all\fP
 prints version, vendor, prefix and exec-prefix.
 .TP
-\fB\--version\fP
+\fB\-\-version\fP
 prints the version of the installed Kerberos implementation.
 .TP
-\fB\--vendor\fP
+\fB\-\-vendor\fP
 prints the vendor of the installed Kerberos implementation.
 .TP
-\fB\--prefix\fP 
+\fB\-\-prefix\fP 
 prints the prefix with which Kerberos was built.
 .TP
-\fB\--exec-prefix\fP 
+\fB\-\-exec\-prefix\fP 
 prints the exec-prefix with which Kerberos was built.
 .TP
-\fB\--cflags\fP 
+\fB\-\-cflags\fP 
 prints the compiler flags with which Kerberos was built.
 .TP
-\fB\--libs\fP \fIlibraries\fP 
+\fB\-\-libs\fP \fIlibraries\fP 
 list compiler options required to link with \fIlibraries\fP.  Possible 
 values for \fIlibraries\fP are:
 .sp
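Review bot: `.I krb5\-config` is now escaped in DESCRIPTION, but the `.B krb5-config` context line under SYNOPSIS and the `exec-prefix` in the unchanged description lines ("prints version, vendor, prefix and exec-prefix.") are not, so the page spells the same names two ways. Either escape those as well or leave the command name as it was. The added `\fB\-\-prefix\fP `, `\fB\-\-exec\-prefix\fP `, `\fB\-\-cflags\fP ` and `\fB\-\-libs\fP \fIlibraries\fP ` lines also keep their trailing blanks.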
