Better document the verification behavior of klogind and kshd when
.k5login is missing and remove the remaining traces of information about
.rhosts authentication from their man pages.

Kerberos RT #2577
Debian bug #250966

=== krb5/src/appl/bsd/klogind.M
==================================================================
--- krb5/src/appl/bsd/klogind.M	(revision 2042)
+++ krb5/src/appl/bsd/klogind.M	(local)
@@ -34,22 +34,26 @@
 .IP 1)
 Check authentication.
 .IP 2)
-Check authorization via the access-control files \fI.k5login\fP, \fI.klogin\fP 
-and \fI.rhosts\fP in the user's home directory.
+Check authorization via the access-control files \fI.k5login\fP and
+\fI.klogin\fP in the user's home directory.
 .IP 3)
 Prompt for password if any checks fail and the \fI-p\fP option was supplied.
 .PP
 If the authentication succeeds, login the user by calling the accompanying 
 login.krb5 or /bin/login, according to the definition of 
-DO_NOT_USE_K_LOGIN.  
+DO_NOT_USE_K_LOGIN.
 .PP 
 The configuration of \fIklogind\fP is done
 by command line arguments passed by inetd.  The options are:
 .IP \fB\-5\fP 10
 Allow Kerberos V5 authentication with the \fI.k5login\fP access control
 file to be trusted.  If this authentication system is used by the client
-and the authorization check is passed, then the user is allowed to log
-in.
+and the authorization check is passed, then the user is allowed to log in.
+If the user has no \fI.k5login\fP file, the login will be authorized if
+the results of krb5_aname_to_localname conversion matches the account
+name.  Unless special rules are configured, this will be true if and only
+if the Kerberos principal of the connecting user is in the default local
+realm and the principal portion matches the account name.
 
 .IP \fB\-4\fP 
 Allow Kerberos V4 authentication with the \fI.klogin\fP access control
@@ -107,13 +111,7 @@
 Beta5 (May 1995)--present bogus checksums that prevent Kerberos
 authentication from succeeding in the default mode.
 
-
 .PP
-If the
-~/.rhosts check is to be used, then the program verifies that the
-client is connecting from a privileged port, before allowing login.
-
-.PP
 The parent of the login process manipulates the master side of the
 pseduo terminal, operating as an intermediary between the login
 process and the client instance of the
=== krb5/src/appl/bsd/kshd.M
==================================================================
--- krb5/src/appl/bsd/kshd.M	(revision 2042)
+++ krb5/src/appl/bsd/kshd.M	(local)
@@ -37,8 +37,8 @@
 .IP 1) 
 Authentication is checked
 .IP 2)
-Check authorization via the access-control files \fI.k5login\fP, \fI.klogin\fP 
-and \fI.rhosts\fP in the user's home directory.
+Check authorization via the access-control files \fI.k5login\fP and
+\fI.klogin\fP in the user's home directory.
 .IP 3)
 A null byte is returned on the initial socket
 and the command line is passed to the normal login
@@ -53,8 +53,13 @@
 
 .IP \fB\-5\fP 10
 Allow Kerberos5 authentication with the \fI.k5login\fP access control file
-to be trusted.  If this authentication system is used by the client and the
-authorization check is passed, then the user is allowed to log in.
+to be trusted.  If this authentication system is used by the client and
+the authorization check is passed, then the user is allowed to log in.  If
+the user has no \fI.k5login\fP file, the login will be authorized if the
+results of krb5_aname_to_localname conversion matches the account name.
+Unless special rules are configured, this will be true if and only if the
+Kerberos principal of the connecting user is in the default local realm
+and the principal portion matches the account name.
 
 .IP \fB\-4\fP 
 Allow Kerberos4 authentication with the \fI.klogin\fP access control file
@@ -108,9 +113,6 @@
 
 
 .PP
-If the \fB\-r\fP or \fB\-R\fP options are used, the client must
-connect from a privileged port.
-.PP
 \fIKrshd\fP supports six options which may be used for testing:
 
 .IP \fB\-S\ keytab\fP 10
