path: root/usr.sbin/ntp
author ru <ru@FreeBSD.org> 2006-09-30 19:07:03 +0000
committer ru <ru@FreeBSD.org> 2006-09-30 19:07:03 +0000
commit 99849399c0a14e1ff2773e87de05c18ee59ab128 (patch)
tree 309e64ec3f7014ee546cba7fe8d72e3da8aef1d5 /usr.sbin/ntp
parent 793f672a87878712ede431f9204d95b213440f66 (diff)
Revise markup.
Diffstat (limited to 'usr.sbin/ntp')
-rw-r--r--  usr.sbin/ntp/doc/ntp-keygen.8  57
1 files changed, 38 insertions, 19 deletions
diff --git a/usr.sbin/ntp/doc/ntp-keygen.8 b/usr.sbin/ntp/doc/ntp-keygen.8
index bf08692..8266129 100644
--- a/usr.sbin/ntp/doc/ntp-keygen.8
+++ b/usr.sbin/ntp/doc/ntp-keygen.8
@@ -2,7 +2,7 @@
.\" $FreeBSD$
.\"
.Dd May 17, 2006
-.Dt NTP-KEYGEN. 8
+.Dt NTP-KEYGEN 8
.Os
.Sh NAME
.Nm ntp-keygen
@@ -10,27 +10,28 @@
.Sh SYNOPSIS
.Nm
.Op Fl deGgHIMnPT
-.Op Fl c Oo Cm RSA-MD2 | RSA-MD5 | RSA-SHA | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 Oc
+.Op Fl c Ar scheme
.Op Fl i Ar name
.Op Fl p Ar password
-.Op Fl S Oo Cm RSA | DSA Oc
+.Op Fl S Op Cm RSA | DSA
.Op Fl s Ar name
.Op Fl v Ar nkeys
-
.Sh DESCRIPTION
This program generates cryptographic data files used by the NTPv4
authentication and identification schemes.
It generates MD5 key files used in symmetric key cryptography.
In addition, if the OpenSSL software library has been installed,
it generates keys, certificate and identity files used in public key
-cryptography. These files are used for cookie encryption,
+cryptography.
+These files are used for cookie encryption,
digital signature and challenge/response identification algorithms
compatible with the Internet standard security infrastructure.
.Pp
All files are in PEM-encoded printable ASCII format,
so they can be embedded as MIME attachments in mail to other sites
and certificate authorities.
-By default, files are not encrypted. The
+By default, files are not encrypted.
+The
.Fl p Ar password
option specifies the write password and
.Fl q Ar password
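Review bot: the SYNOPSIS rewritten in this hunk still omits options the body documents: `.Fl q Ar password` (the read password, referenced in the DESCRIPTION lines of this very hunk) and `.Fl V Ar n` (used in the MV-scheme procedure later in the file) have no `.Op` entry next to `.Op Fl p Ar password` and `.Op Fl v Ar nkeys`. Since the synopsis is being reworked here, add `.Op Fl q Ar password` and `.Op Fl V Ar n` so the list matches the text. Also note that `.Op Fl S Op Cm RSA | DSA` renders as `[-S [RSA | DSA]]`, i.e. the argument itself is marked optional; if `-S` always takes an argument, drop the inner `Op` and write `.Op Fl S Cm RSA | DSA`.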
@@ -82,7 +83,8 @@ and generation date and time as comments.
All files are installed by default in the keys directory
.Pa /usr/local/etc ,
which is normally in a shared filesystem
-in NFS-mounted networks. The actual location of the keys directory
+in NFS-mounted networks.
+The actual location of the keys directory
and each file can be overridden by configuration commands,
but this is not recommended.
Normally, the files for each host are generated by that host
@@ -112,7 +114,8 @@ If a link is not present,
.Xr ntpd 8
extracts the filestamp from the file itself.
This allows clients to verify that the file and generation times
-are always current. The
+are always current.
+The
.Nm
program uses the same timestamp extension for all files generated
at one time, so each generation is distinct and can be readily
@@ -124,7 +127,8 @@ program is logged in directly as root.
The recommended procedure is change to the keys directory,
usually
.Pa /ust/local/etc ,
-then run the program. When run for the first time,
+then run the program.
+When run for the first time,
or if all
.Cm ntpkey
files have been removed,
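Review bot: the unchanged context line `.Pa /ust/local/etc ,` in this hunk carries a typo; the earlier hunk spells the same keys directory `.Pa /usr/local/etc ,`. Since the commit already splits the line directly beneath it, fix the path here as well.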
@@ -205,7 +209,8 @@ The default cryptotype uses RSA encryption, MD5 message digest
and TC identification.
First, configure a NTP subnet including one or more low-stratum
trusted hosts from which all other hosts derive synchronization
-directly or indirectly. Trusted hosts have trusted certificates;
+directly or indirectly.
+Trusted hosts have trusted certificates;
all other hosts have nontrusted certificates.
These hosts will automatically and dynamically build authoritative
certificate trails to one or more trusted hosts.
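Review bot: minor grammar in the context of this hunk, `First, configure a NTP subnet` should read `an NTP subnet`; worth folding into the same sentence-per-line cleanup.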
@@ -295,7 +300,8 @@ A server can also be a client of another server,
but a client can never be a server for another client.
In general, trusted hosts and nontrusted hosts that operate
as both server and client have parameter files that contain
-both server and client keys. Hosts that operate
+both server and client keys.
+Hosts that operate
only as clients have key files that contain only client keys.
.Pp
The PC scheme supports only one trusted host in the group.
@@ -315,7 +321,8 @@ to the host key file and soft link
.Pa ntpkey_cert_ Ns Ar bob
to the private certificate file.
Note the generic links are on bob, but point to files generated
-by trusted host alice. In this scheme it is not possible to refresh
+by trusted host alice.
+In this scheme it is not possible to refresh
either the keys or certificates without copying them
to all other hosts in the group.
.Pp
@@ -335,7 +342,8 @@ and clients and install a soft link from the generic
.Pa ntpkey_iff_ Ns Ar alice
to this file.
If there are no hosts restricted to operate only as clients,
-there is nothing further to do. As the IFF scheme is independent
+there is nothing further to do.
+As the IFF scheme is independent
of keys and certificates, these files can be refreshed as needed.
.Pp
If a rogue client has the parameter file, it could masquerade
@@ -349,7 +357,8 @@ and pipe the output to a file or mail program.
Copy or mail this file to all restricted clients.
On these clients install a soft link from the generic
.Pa ntpkey_iff_ Ns Ar alice
-to this file. To further protect the integrity of the keys,
+to this file.
+To further protect the integrity of the keys,
each file can be encrypted with a secret password.
.Pp
For the GQ scheme proceed as in the TC scheme to generate keys
@@ -377,7 +386,8 @@ at the same time, keys and certificates can be regenerated as needed.
For the MV scheme, proceed as in the TC scheme to generate keys
and certificates for all group hosts.
For illustration assume trish is the TA, alice one of several trusted hosts
-and bob one of her clients. On TA trish run
+and bob one of her clients.
+On TA trish run
.Nm
.Fl V Ar n
.Fl p Ar password ,
@@ -410,8 +420,14 @@ As the MV scheme is independent of keys and certificates,
these files can be refreshed as needed.
.Ss Command Line Options
.Bl -tag -width indent
-.It Fl c Oo Cm RSA-MD2 | RSA-MD5 | RSA-SHA | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 Oc
+.It Fl c Ar scheme
Select certificate message digest/signature encryption scheme.
+The
+.Ar scheme
+can be one of the following:
+. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA ,
+or
+.Cm DSA-SHA1 .
Note that RSA schemes must be used with a RSA sign key and DSA
schemes must be used with a DSA sign key.
The default without this option is
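Review bot: the first line of the new scheme list, `. Cm RSA-MD2 , RSA-MD5 , ...`, has a stray space between the control character and the macro name; every other macro line in the file is written as `.Cm`, so use `.Cm` here for consistency. Otherwise the change to `.It Fl c Ar scheme` matches the new SYNOPSIS entry, and listing the eight schemes in the body rather than inline in the synopsis is the right call.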
@@ -473,7 +489,8 @@ by the library routines.
The OpenSSL library uses a designated random seed file for this purpose.
The file must be available when starting the NTP daemon and
.Nm
-program. If a site supports OpenSSL or its companion OpenSSH,
+program.
+If a site supports OpenSSL or its companion OpenSSH,
it is very likely that means to do this are already available.
.Pp
It is important to understand that entropy must be evolved
@@ -490,7 +507,8 @@ usually called
which must be available when starting the NTP daemon
or the
.Nm
-program. The NTP daemon will first look for the file
+program.
+The NTP daemon will first look for the file
using the path specified by the
.Ic randfile
subcommand of the
@@ -530,7 +548,8 @@ printable ASCII format preceded and followed by MIME content identifier lines.
The format of the symmetric keys file is somewhat different
than the other files in the interest of backward compatibility.
Since DES-CBC is deprecated in NTPv4, the only key format of interest
-is MD5 alphanumeric strings. Following hte heard the keys are
+is MD5 alphanumeric strings.
+Following hte heard the keys are
entered one per line in the format
.D1 Ar keyno type key
where
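Review bot: the newly split line `Following hte heard the keys are` keeps two typos from the original; it should read `Following the header the keys are`. Since this commit touches exactly this sentence, correct the wording while splitting it.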