h of those conditions are true, the authentication and password calls
 will silently fail (allowing that status to be ignored via a control of
-\&\f(CW\*(C`optional\*(C'\fR or \f(CW\*(C`sufficient\*(C'\fR), and the account and session calls
-(including pam_setcred) will return PAM_IGNORE, telling the PAM library to
-proceed as if they weren't mentioned in the PAM configuration.
-.Sp
-Using this option is highly recommended if you don't need to use Kerberos
-to authenticate password logins to the root account (which isn't
-recommended since Kerberos requires a network connection).  It provides
-some defense in depth against user principals that happen to match a
-system account incorrectly authenticating as that system account.
-.Sp
-This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR.
-.IP only_alt_auth 4
-.IX Item "only_alt_auth"
-[3.12] This option is used with \fIalt_auth_map\fR and forces the use of the
-mapped principal for authentication.  It disables fallback to normal
-authentication in all cases and overrides \fIsearch_k5login\fR and
-\&\fIforce_alt_auth\fR.  If \fIalt_auth_map\fR is not set, it has no effect and
-the standard authentication behavior is used.
-.Sp
-This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
-applicable to the auth group.
-.IP search_k5login 4
-.IX Item "search_k5login"
+.Qo Li optional Qc
+or
+.Qo Li sufficient Qc Ns ),
+and the account and session calls (including pam_setcred) will return
+PAM_IGNORE, telling the PAM library to proceed as if they weren't
+mentioned in the PAM configuration.
+.Pp
+Using this option is highly recommended if you don't need to use
+Kerberos to authenticate password logins to the root account (which
+isn't recommended since Kerberos requires a network connection).
+It provides some defense in depth against user principals that happen to
+match a system account incorrectly authenticating as that system
+account.
+.Pp
+This option can be set in
+.Qo Li [appdefaults] Qc
+in
+.Pa krb5.conf .
+.It only_alt_auth
+[3.12] This option is used with
+.Em alt_auth_map
+and forces the use of the mapped principal for authentication.
+It disables fallback to normal authentication in all cases and overrides
+.Em search_k5login
+and
+.Em force_alt_auth .
+If
+.Em alt_auth_map
+is not set, it has no effect and the standard authentication behavior is
+used.
+.Pp
+This option can be set in
+.Qo Li [appdefaults] Qc
+in
+.Pa krb5.conf
+and is only applicable to the auth group.
+.It search_k5login
 [2.0] Normally, the Kerberos implementation of pam_authenticate attempts
-to obtain tickets for the authenticating username in the local realm.  If
-this option is set and the local user has a \fI.k5login\fR file in their home
-directory, the module will instead open and read that \fI.k5login\fR file,
-attempting to use the supplied password to authenticate as each principal
-listed there in turn.  If any of those authentications succeed, the user
-will be successfully authenticated; otherwise, authentication will fail.
-This option is useful for allowing password authentication (via console or
-\&\fBsshd\fR without GSS-API support) to shared accounts.  If there is no
-\&\fI.k5login\fR file, the behavior is the same as normal.  Using this option
-requires that the user's \fI.k5login\fR file be readable at the time of
-authentication.
-.Sp
-This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
-applicable to the auth group.
-.SS "Kerberos Behavior"
-.IX Subsection "Kerberos Behavior"
-.IP anon_fast 4
-.IX Item "anon_fast"
+to obtain tickets for the authenticating username in the local realm.
+If this option is set and the local user has a
+.Pa .k5login
+file in their home directory, the module will instead open and read that
+.Pa .k5login
+file, attempting to use the supplied password to authenticate as each
+principal listed there in turn.
+If any of those authentications succeed, the user will be successfully
+authenticated; otherwise, authentication will fail.
+This option is useful for allowing password authentication (via console
+or
+.Sy sshd
+without GSS-API support) to shared accounts.
+If there is no
+.Pa .k5login
+file, the behavior is the same as normal.
+Using this option requires that the user's
+.Pa .k5login
+file be readable at the time of authentication.
+.Pp
+This option can be set in
+.Qo Li [appdefaults] Qc
+in
+.Pa krb5.conf
+and is only applicable to the auth group.
+.El
+.Ss Kerberos Behavior
+.Bl -tag -width Ds
+.It anon_fast
 [4.6] Attempt to use Flexible Authentication Secure Tunneling (FAST) by
-first authenticating as the anonymous user (WELLKNOWN/ANONYMOUS) and using
-its credentials as the FAST armor.  This requires anonymous PKINIT be
-enabled for the local realm, that PKINIT be configured on the local
-system, and that the Kerberos library support FAST and anonymous PKINIT.
-.Sp
-FAST is a mechanism to protect Kerberos against password guessing attacks
-and provide other security improvements.  To work, FAST requires that a
-ticket be obtained with a strong key to protect exchanges with potentially
-weaker user passwords.  This option uses anonymous authentication to
-obtain that key and then uses it to protect the subsequent authentication.
-.Sp
+first authenticating as the anonymous user (WELLKNOWN/ANONYMOUS) and
+using its credentials as the FAST armor.
+This requires anonymous PKINIT be enabled for the local realm, that
+PKINIT be configured on the local system, and that the Kerberos library
+support FAST and anonymous PKINIT.
+.Pp
+FAST is a mechanism to protect Kerberos against password guessing
+attacks and provide other security improvements.
+To work, FAST requires that a ticket be obtained with a strong key to
+protect exchanges with potentially weaker user passwords.
+This option uses anonymous authentication to obtain that key and then
+uses it to protect the subsequent authentication.
+.Pp
 If anonymous PKINIT is not available or fails, FAST will not be used and
 the authentication will proceed as normal.
-.Sp
+.Pp
 To instead use an existing ticket cache for the FAST credentials, use
-\&\fIfast_ccache\fR instead of this option.  If both \fIfast_ccache\fR and
-\&\fIanon_fast\fR are set, the ticket cache named by \fIfast_ccache\fR will be
-tried first, and the Kerberos PAM module will fall back on attempting
-anonymous PKINIT if that cache could not be used.
-.Sp
-This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
-applicable to the auth and password groups.
-.Sp
-The operation is the same as if using the \fIfast_ccache\fR option, but the
-cache is created and destroyed automatically.  If both \fIfast_ccache\fR and
-\&\fIanon_fast\fR options are used, the \fIfast_ccache\fR takes precedent and no
-anonymous authentication is done.
-.IP fast_ccache=<ccache_name> 4
-.IX Item "fast_ccache=<ccache_name>"
-[4.3] The same as \fIanon_fast\fR, but use an existing Kerberos ticket cache
-rather than anonymous PKINIT.  This allows use of FAST with a realm that
-doesn't support PKINIT or doesn't support anonymous authentication.
-.Sp
+.Em fast_ccache
+instead of this option.
+If both
+.Em fast_ccache
+and
+.Em anon_fast
+are set, the ticket cache named by
+.Em fast_ccache
+will be tried first, and the Kerberos PAM module will fall back on
+attempting anonymous PKINIT if that cache could not be used.
+.Pp
+This option can be set in
+.Qo Li [appdefaults] Qc
+in
+.Pa krb5.conf
+and is only applicable to the auth and password groups.
+.Pp
+The operation is the same as if using the
+.Em fast_ccache
+option, but the cache is created and destroyed automatically.
+If both
*** 1391 LINES SKIPPED ***