Index: crypto/heimdal/kuser/kinit.1 =================================================================== --- crypto/heimdal/kuser/kinit.1 +++ crypto/heimdal/kuser/kinit.1 @@ -31,7 +31,7 @@ .\" .\" $Id$ .\" -.Dd April 25, 2006 +.Dd February 11, 2025 .Dt KINIT 1 .Os HEIMDAL .Sh NAME @@ -96,12 +96,20 @@ .Pp Supported options: .Bl -tag -width Ds -.It Fl c Ar cachename Fl Fl cache= Ns Ar cachename +.It Fl c Ar cachename , Fl Fl cache= Ns Ar cachename The credentials cache to put the acquired ticket in, if other than default. -.It Fl f Fl Fl no-forwardable -Get ticket that can be forwarded to another host, or if the negative -flags use, don't get a forwardable flag. +.It Fl f, Fl Fl forwardable +Request a forwardable ticket-granting ticket (TGT) from the KDC. +A forwardable TGT allows credentials to be transferred to another +system and used to obtain service tickets without +requiring reauthentication. +This is commonly used for single sign-on (SSO) scenarios, +Kerberized SSH authentication, and web services. +Forwardable tickets should be used with caution, as they can be +exploited if intercepted by an attacker. +.It Fl Fl no-forwardable +Request a non-forwardable ticket-granting ticket (TGT) from the KDC. .It Fl t Ar keytabname , Fl Fl keytab= Ns Ar keytabname Don't ask for a password, but instead get the key from the specified keytab. @@ -141,13 +149,11 @@ .It Fl e , Fl Fl enctypes= Ns Ar enctypes Request tickets with this particular enctype. .It Fl Fl password-file= Ns Ar filename -read the password from the first line of +Read the password from the first line of .Ar filename . -If the +If .Ar filename -is -.Ar STDIN , -the password will be read from the standard input. +is STDIN, the password will be read from standard input. .It Fl Fl fcache-version= Ns Ar version-number Create a credentials cache of version .Ar version-number . 
@@ -181,6 +187,54 @@ Gets AFS tickets, converts them to version 4 format, and stores them in the kernel. Only useful if you have AFS. +.It Fl Fl request-pac +Request a Windows Privilege Attribute Certificate (PAC) from the KDC. +A PAC is a Microsoft-specific Kerberos authorization structure +embedded in tickets issued by a Windows KDC. +It contains user privilege information, including security +identifiers (SIDs), group memberships, and access rights. +Requesting a PAC is necessary for interoperability with Windows +services that rely on PAC data for authentication and +authorization decisions. +.It Fl Fl canonicalize +Request canonicalization of the client principal name by the KDC. +This process resolves aliases, standardizes casing, and applies +KDC referrals for cross-realm resolution, ensuring the principal +name is correctly formatted and recognized. +.It Fl Fl pk-enterprise +Use enterprise name from certificate. +.It Fl C Ar identifier, Fl Fl pk-user= Ns Ar identifier +Specify the principal's public/private/certificate +.Ar identifier . +.It Fl D , Fl Fl x509-anchors= Ns Ar directory +Specify the location where certificate authority certificates are stored as +.Ar directory . +.It Fl Fl pk-use-enckey +Use RSA key exchange instead of the default Diffie-Hellman (DH) +key exchange for PKINIT authentication. +This option forces the use of RSA encryption for key exchange, +which may be required by certain KDCs or smart card implementations. +Unlike DH, RSA key exchange does not provide forward secrecy. +.It Fl Fl ntlm-domain= Ns Ar domain +Specify the NTLM domain as +.Ar domain . +.It Fl Fl no-change-default +By default, +.Nm +will switch the default cache to the new credentials cache. +This option disables the cache switch. +.It Fl Fl ok-as-delegate +Honor ok-as-delegate on tickets. The service receiving the ticket +is allowed to use the ticket to authenticate as the original client +to other services. This is disabled by default. 
+.It Fl Fl use-referrals +Obtain a Kerberos ticket-granting ticket using referrals instead of +relying on DNS-based realm discovery. DNS-based realm discovery is +enabled by default. +.It Fl Fl windows +Enable compatibility with Windows 2000. Disabled by default. +.It Fl Fl version +Display the current version information. .El .Pp The
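Review bot: in the second hunk the new entry `.It Fl f, Fl Fl forwardable` attaches the comma to the flag argument; mdoc expects trailing punctuation as its own token, as the neighbouring entries already do (`.It Fl c Ar cachename , Fl Fl cache= Ns Ar cachename`, `.It Fl e , Fl Fl enctypes= Ns Ar enctypes`), so write `.It Fl f , Fl Fl forwardable`. The closing sentence of that entry, "they can be exploited if intercepted by an attacker", names the wrong risk: the ticket travels encrypted, and the real exposure of a forwardable TGT is that any host the credentials are forwarded to can act as the user for the ticket lifetime, so the caution should say that credentials should only be forwarded to hosts trusted to that degree. Further down, replacing `.Ar STDIN` with bare `STDIN` drops the markup for a literal value; `.Li STDIN` keeps it distinguishable from prose in the rendered page.

Review bot: in the third hunk the description of `--ok-as-delegate` describes the wrong party: a service ticket cannot be used by the receiving service to authenticate as the client elsewhere, and ok-as-delegate is a flag the KDC sets on a service ticket to mark that service as trusted for delegation. The option makes the client honor that flag, i.e. forward its credentials only to services whose tickets carry it, so reword along the lines of "Honor the ok-as-delegate flag set by the KDC on service tickets: credentials are delegated (forwarded) only to services so marked. Disabled by default." The same comma issue as in the previous hunk recurs in `.It Fl C Ar identifier, Fl Fl pk-user= Ns Ar identifier`, which should read `Fl C Ar identifier , Fl Fl pk-user=`. Finally, `--canonicalize` ("applies KDC referrals for cross-realm resolution") and `--use-referrals` ("using referrals instead of relying on DNS-based realm discovery") now read as the same feature; one sentence in each noting that the former concerns the client principal name while the latter concerns how the realm of the target is located would let a reader tell them apart.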