Include warning of weak ciphers used by k5srvutil change

author Lizhou Sha <slz@mit.edu>

Wed, 16 Dec 2015 03:43:29 +0000 (22:43 -0500)

committer sipb-www <sipb-www@shining-armor.mit.edu>

Wed, 16 Dec 2015 03:43:29 +0000 (22:43 -0500)
author Lizhou Sha <slz@mit.edu>
Wed, 16 Dec 2015 03:43:29 +0000 (22:43 -0500)
committer sipb-www <sipb-www@shining-armor.mit.edu>
Wed, 16 Dec 2015 03:43:29 +0000 (22:43 -0500)
diff --git a/doc/kerberized-server.mdwn b/doc/kerberized-server.mdwn

index de5879b2ea223bfd6a0598a5fd88e34fcbfb0181..763f8ead7f15b628368e6a1419177a4abbc2c8ec 100644 (file)
--- a/doc/kerberized-server.mdwn
+++ b/doc/kerberized-server.mdwn
@@ -15,6 +15,9 @@ and then **set a new (random) key**.
      # k5srvutil change
      # k5srvutil delold
  
+Note that the `k5srvutil` command will also generate keys for the DES and RC4 ciphers, which are considered weak.
+You are strongly advised to read the "Upgrading cryptographic strength" section below on how to generate only AES keys instead.
+
  If you're using Debathena, you can install the `debathena-ssh-server-config` package to configure Kerberos authentication on the server side. If not, make sure your `/etc/ssh/sshd_config` file includes the lines
  
      GSSAPIAuthentication yes
author	Lizhou Sha <slz@mit.edu>
	Wed, 16 Dec 2015 03:43:29 +0000 (22:43 -0500)
committer	sipb-www <sipb-www@shining-armor.mit.edu>
	Wed, 16 Dec 2015 03:43:29 +0000 (22:43 -0500)