14 files changed, 158 insertions, 90 deletions
diff --git a/man/man1/9p.1 b/man/man1/9p.1
index 12fc5f06..c7000fba 100644
--- a/man/man1/9p.1
+++ b/man/man1/9p.1
@@ -44,6 +44,10 @@
 ]
 .B stat
 .I path
+.PP
+.B 9p
+.B rdwr
+.I path
 .SH DESCRIPTION
 .I 9p
 is a trivial 9P client that can access a single file on a 9P server.
@@ -85,6 +89,18 @@ execute
 on 
 .I path
 and print the result
+.TP
+.B rdwr
+Open
+.I path
+for reading and writing.
+Then repeat until end-of-file on standard input:
+copy a line from the file to standard output,
+copy a line from standard input to the file.
+Print errors, but don't give up.
+.B Rdwr
+is useful for interacting with servers like
+.IR factotum (4).
 .PD
 .PP
 .I 9p
diff --git a/man/man1/INDEX b/man/man1/INDEX
index 489bb07e..366206dd 100644
--- a/man/man1/INDEX
+++ b/man/man1/INDEX
@@ -114,12 +114,16 @@ ndbmkdb ndb.1
 ndbmkhash ndb.1
 ndbmkhosts ndb.1
 ndbquery ndb.1
-netkey netkey.1
 news news.1
 p p.1
 img page.1
 page page.1
 psv page.1
+netkey passwd.1
+passwd passwd.1
+pem pem.1
+pemdecode pem.1
+pemencode pem.1
 pic pic.1
 tpic pic.1
 plot plot.1
@@ -144,8 +148,21 @@ shift rc.1
 wait rc.1
 whatis rc.1
 ~ rc.1
+readcons readcons.1
 rio rio.1
 rm rm.1
+asn12dsa rsa.1
+asn12rsa rsa.1
+dsa2pub rsa.1
+dsa2ssh rsa.1
+dsagen rsa.1
+rsa rsa.1
+rsa2csr rsa.1
+rsa2pub rsa.1
+rsa2ssh rsa.1
+rsa2x509 rsa.1
+rsafill rsa.1
+rsagen rsa.1
 B sam.1
 E sam.1
 sam sam.1
@@ -154,6 +171,7 @@ samsave sam.1
 samterm sam.1
 scat scat.1
 aescbc secstore.1
+ipso secstore.1
 secstore secstore.1
 secstored secstored.1
 secuser secstored.1
@@ -165,6 +183,7 @@ spell spell.1
 sprog spell.1
 split split.1
 src src.1
+ssh-agent ssh-agent.1
 auxstats stats.1
 stats stats.1
 strings strings.1
diff --git a/man/man1/netkey.1 b/man/man1/netkey.1
deleted file mode 100644
index 60f17bbb..00000000
--- a/man/man1/netkey.1
+++ /dev/null
@@ -1,20 +0,0 @@
-.TH NETKEY 1
-.SH NAME
-netkey \- challenge-response authentication
-.SH SYNOPSIS
-.PP
-.B netkey
-.SH DESCRIPTION
-.PP
-.I Netkey
-prompts for a password to encrypt network challenges.
-It is a substitute for a SecureNet box.
-.SH SOURCE
-.B \*9/src/cmd/netkey.c
-.SH "SEE ALSO"
-.IR encrypt (3)
-.PP
-Robert Morris and Ken Thompson,
-``UNIX Password Security,''
-.I AT&T Bell Laboratories Technical Journal
-Vol 63 (1984), pp. 1649-1672
diff --git a/man/man1/pem.1 b/man/man1/pem.1
index 2002ae11..391cd5cc 100644
--- a/man/man1/pem.1
+++ b/man/man1/pem.1
@@ -1,4 +1,4 @@
-.TH PEM 8
+.TH PEM 1
 .SH NAME
 pemdecode, pemencode \- encode files in Privacy Enhanced Mail (PEM) format
 .SH SYNOPSIS
@@ -20,7 +20,7 @@ Privacy Enhanced Mail program but now commonly used for
 other applications, notably TLS.
 PEM encodes data in base 64
 (see
-.IR encode (2))
+.IR encode (3))
 between lines of the form:
 .IP
 .EX
@@ -33,7 +33,7 @@ where
 may be any string describing the encoded data.
 The most common use of PEM format on Plan 9 is for encoding
 X.509 certificates; see
-.IR rsa (8).
+.IR rsa (1).
 .PP
 .I Pemdecode
 extracts the named
diff --git a/man/man1/readcons.1 b/man/man1/readcons.1
new file mode 100644
index 00000000..8fa1c392
--- /dev/null
+++ b/man/man1/readcons.1
@@ -0,0 +1,30 @@
+.TH READCONS 1
+.SH NAME
+readcons \- prompt console for input
+.SH SYNOPSIS
+.B readcons 
+[
+.B -d
+.I default
+]
+[
+.B -s
+]
+.I prompt
+.SH DESCRIPTION
+.I Readcons
+prompts at the console for input, copying the typed string
+to standard output.
+If the
+.B -s
+flag is given, the input is not displayed (secret).
+If the user types an empty string (just a newline) and
+the
+.B -d
+option is given, then
+.I default
+is printed instead of an empty string.
+.SH SOURCE
+.B \*9/src/cmd/readcons.c
+.SH SEE ALSO
+.IR readcons (3)
diff --git a/man/man1/rsa.1 b/man/man1/rsa.1
index 42a2ae7f..b01c979d 100644
--- a/man/man1/rsa.1
+++ b/man/man1/rsa.1
@@ -1,4 +1,4 @@
-.TH RSA 8
+.TH RSA 1
 .SH NAME
 dsagen, rsagen, rsafill, asn12dsa, asn12rsa, dsa2pub, rsa2csr, rsa2pub, dsa2ssh, rsa2ssh, rsa2x509 \- generate and format dsa and rsa keys
 .SH SYNOPSIS
@@ -305,9 +305,9 @@ load them into factotum,
 and configure a remote Unix system to allow those keys for logins:
 .IP
 .EX
-rsagen -t 'service=ssh' >rsa1
-rsagen -t 'service=ssh-rsa' >rsa2
-dsagen -t 'service=ssh-dss' >dsa2
+rsagen -t 'service=ssh role=decrypt' >rsa1
+rsagen -t 'service=ssh-rsa role=sign' >rsa2
+dsagen -t 'service=ssh-dss role=sign' >dsa2
 .EE
 .PP
 Convert existing Unix SSH version 2 keys instead of generating new ones:
diff --git a/man/man1/secstore.1 b/man/man1/secstore.1
index ee35fb60..01c7903b 100644
--- a/man/man1/secstore.1
+++ b/man/man1/secstore.1
@@ -188,7 +188,9 @@ newly created files are ignored.
 encrypts and decrypts using AES (Rijndael) in cipher
 block chaining (CBC) mode.
 .SH SOURCE
-.B \*9/src/cmd/secstore
+.B \*9/bin/ipso
+.br
+.B \*9/src/cmd/auth/secstore
 .SH SEE ALSO
 .IR factotum (4),
 .IR secstored (1)
diff --git a/man/man1/secstored.1 b/man/man1/secstored.1
index b43e1c48..3eee78be 100644
--- a/man/man1/secstored.1
+++ b/man/man1/secstored.1
@@ -59,6 +59,6 @@ users' files
 .B \*9/ndb/auth
 for mapping local userid to RADIUS userid
 .SH SOURCE
-.B \*9/src/cmd/secstore
+.B \*9/src/cmd/auth/secstore
 .SH SEE ALSO
 .IR secstore (1)
diff --git a/man/man3/INDEX b/man/man3/INDEX
index b64cc21e..86c5369f 100644
--- a/man/man3/INDEX
+++ b/man/man3/INDEX
@@ -282,6 +282,8 @@ accept dial.3
 announce dial.3
 dial dial.3
 dialparse dial.3
+freenetconninfo dial.3
+getnetconninfo dial.3
 listen dial.3
 netmkaddr dial.3
 reject dial.3
@@ -340,6 +342,7 @@ stringnbg draw.3
 stringnbgop draw.3
 stringnop draw.3
 stringop draw.3
+asn1toDSApriv dsa.3
 dsa dsa.3
 dsagen dsa.3
 dsaprivalloc dsa.3
diff --git a/man/man3/authsrv.3 b/man/man3/authsrv.3
index 6b64ed8e..a0b68578 100644
--- a/man/man3/authsrv.3
+++ b/man/man3/authsrv.3
@@ -212,7 +212,7 @@ to recieve an answer.
 .SH SOURCE
 .B \*9/src/libauthsrv
 .SH SEE ALSO
-.IR netkey (1),
+.IR passwd (1),
 .IR dial (3),
 Plan 9's
 \fIauthsrv\fR(6).
diff --git a/man/man3/dial.3 b/man/man3/dial.3
index 0c8c96ad..7177e53e 100644
--- a/man/man3/dial.3
+++ b/man/man3/dial.3
@@ -1,6 +1,6 @@
 .TH DIAL 3
 .SH NAME
-dial, announce, listen, accept, reject, netmkaddr, dialparse \- make and break network connections
+dial, announce, listen, accept, reject, netmkaddr, getnetconninfo, freenetconninfo, dialparse \- make and break network connections
 .SH SYNOPSIS
 .B #include <u.h>
 .br
@@ -26,12 +26,12 @@ char* netmkaddr(char *addr, char *defnet, char *defservice)
 .\" .PP
 .\" .B
 .\" void  setnetmtpt(char *to, int tolen, char *from)
-.\" .PP
-.\" .B
-.\" NetConnInfo*  getnetconninfo(char *conndir, int fd)
-.\" .PP
-.\" .B
-.\" void freenetconninfo(NetConnINfo*)
+.PP
+.B
+NetConnInfo*  getnetconninfo(char *dir, int fd)
+.PP
+.B
+void freenetconninfo(NetConnINfo*)
 .PP
 .B
 int   dialparse(char *addr, char **net, char **unix,
@@ -94,19 +94,19 @@ will try in succession all
 networks in common between source and destination
 until a call succeeds.
 It returns a file descriptor open for reading and writing the
-.B data
-file in the line directory.
-The
-.B addr
-file in the line directory contains the address called.
-.\" If the network allows the local address to be set,
-.\" as is the case with UDP and TCP port numbers, and
-.\" .IR local
-.\" is non-zero, the local address will be set to
-.\" .IR local .
+call.
+.\" .B data
+.\" file in the line directory.
+.\" The
+.\" .B addr
+.\" file in the line directory contains the address called.
+If the network allows the local address to be set,
+as is the case with UDP and TCP port numbers, and
+.IR local
+is non-zero, the local address will be set to
+.IR local .
 .IR Dial 's
-.IR local ,
-.IR dir ,
+.IR dir 
 and
 .I cfdp
 arguments
@@ -166,39 +166,41 @@ It returns a pointer to static data holding the actual address to use.
 parses a network address as described above
 into a network name, a Unix domain socket address,
 an IPv4 host address, and an IPv4 port number.
-.\" .PP
-.\" .I Getnetconninfo
-.\" returns a structure containing information about a
-.\" network connection.  The structure is:
-.\" .EX
-.\"   typedef struct NetConnInfo NetConnInfo;
-.\"   struct NetConnInfo
-.\"   {
-.\" 	char	*dir;		/* connection directory */
-.\" 	char	*root;		/* network root */
-.\" 	char	*spec;		/* binding spec */
-.\" 	char	*lsys;		/* local system */
-.\" 	char	*lserv;		/* local service */
-.\" 	char	*rsys;		/* remote system */
-.\" 	char	*rserv;		/* remote service */
-.\"   };
-.\" .EE
-.\" .PP
-.\" The information is obtained from the connection directory,
-.\" .IR conndir .
-.\" If
-.\" .I conndir
-.\" is nil, the directory is obtained by performing
-.\" .IR fd2path (3)
-.\" on
-.\" .IR fd .
-.\" .I Getnetconninfo
-.\" returns either a completely specified structure, or
-.\" nil if either the structure can't be allocated or the
-.\" network directory can't be determined.
-.\" The structure
-.\" is freed using
-.\" .IR freenetconninfo .
+.PP
+.I Getnetconninfo
+returns a structure containing information about a
+network connection.  The structure is:
+.PP
+.EX
+  typedef struct NetConnInfo NetConnInfo;
+  struct NetConnInfo
+  {
+	char	*dir;		/* connection directory */
+	char	*root;		/* network root */
+	char	*spec;		/* binding spec */
+	char	*lsys;		/* local system */
+	char	*lserv;		/* local service */
+	char	*rsys;		/* remote system */
+	char	*rserv;		/* remote service */
+	char *laddr;		/* local address */
+	char *raddr;		/* remote address */
+  };
+.EE
+.PP
+The information is obtained from the
+`line directory'
+.IR dir ,
+or if
+.I dir
+is nil, from the connection file descriptor
+.IR fd .
+.I Getnetconninfo
+returns either a completely specified structure, or
+nil if either the structure can't be allocated or the
+network directory can't be determined.
+The structure
+is freed using
+.IR freenetconninfo .
 .\" .PP
 .\" .I Setnetmtpt
 .\" copies the name of the network mount point into
@@ -307,6 +309,8 @@ bekremvax(void)
 .B \*9/src/lib9/announce.c
 .br
 .B \*9/src/lib9/_p9dialparse.c
+.br
+.B \*9/src/lib9/getnetconn.c
 .SH DIAGNOSTICS
 .IR Dial ,
 .IR announce ,
diff --git a/man/man3/dsa.3 b/man/man3/dsa.3
index c29d2875..41532b89 100644
--- a/man/man3/dsa.3
+++ b/man/man3/dsa.3
@@ -1,6 +1,6 @@
 .TH DSA 3
 .SH NAME
-dsagen, dsasign, dsaverify, dsapuballoc, dsapubfree, dsaprivalloc, dsaprivfree, dsasigalloc, dsasigfree, dsaprivtopub - digital signature algorithm
+asn1toDSApriv, dsagen, dsasign, dsaverify, dsapuballoc, dsapubfree, dsaprivalloc, dsaprivfree, dsasigalloc, dsasigfree, dsaprivtopub - digital signature algorithm
 .SH SYNOPSIS
 .B #include <u.h>
 .br
@@ -39,6 +39,9 @@ void		dsasigfree(DSAsig*)
 .PP
 .B
 DSApub*	dsaprivtopub(DSApriv*)
+.PP
+.B
+DSApriv*	asn1toDSApriv(uchar *priv, int npriv)
 .SH DESCRIPTION
 .PP
 DSA is the NIST approved digital signature algorithm.  The owner of a key publishes
@@ -120,6 +123,13 @@ The routines
 and
 .I dsasigfree
 are provided to manage signature storage.
+.PP
+.I Asn1toDSApriv
+converts an ASN1 formatted DSA private key into the corresponding
+.B DSApriv
+structure; see 
+.IR rsa (3)
+for other ASN1 routines.
 .SH SOURCE
 .B \*9/src/libsec
 .SH SEE ALSO
diff --git a/man/man3/readcons.3 b/man/man3/readcons.3
index 1f5d9865..dd284b97 100644
--- a/man/man3/readcons.3
+++ b/man/man3/readcons.3
@@ -29,7 +29,9 @@ If
 is non-zero, the input is not echoed to the screen.
 .SH EXAMPLE
 A stripped-down version of
-.IR netkey (1):
+.I netkey
+(see
+.IR passwd (1)):
 .IP
 .EX
 pass = readcons("password", nil, 1);
diff --git a/man/man4/factotum.4 b/man/man4/factotum.4
index 148f649b..3a2d3d7c 100644
--- a/man/man4/factotum.4
+++ b/man/man4/factotum.4
@@ -704,10 +704,10 @@ are intended to be proxied via
 .I auth_proxy
 (see
 .IR auth (3)).
-The protocols follow
-.IR p9any (7)
-and
-.IR p9sk1 (7).
+.\" The protocols follow
+.\" .IR p9any (7)
+.\" and
+.\" .IR p9sk1 (7).
 .\" XXX - write about how server keys are selected and used
 .\" XXX - write about protocol itself
 .\" XXX - write about server ai
@@ -1017,4 +1017,6 @@ parseable with
 .IR tokenize .
 The response is a hexadecimal string of length 32.
 .SH SOURCE
-.B \*9/src/cmd/factotum
+.B \*9/src/cmd/auth/factotum
+.SH SEE ALSO
+.IR ssh-agent (1)