username can log in to that local account. (One option to avoid this is
to create a `.k5login` file in `/etc/skel` so that new accounts you
later add get this file by default.)
+
+## Upgrading cryptographic strength
+
+You may wish to change the encryption algorithms (*enctypes*) included in your keytab. With server principals (like `daemon/servername.mit.edu` or `host/servername.mit.edu`) it is particularly important to support *only* strong algorithms. If you support a weak algorithm, an attacker can request a service ticket encrypted with that key, allowing them to do an offline attack and potentially extract your secret key.
+
+To change the supported enctypes, run `kadmin`:
+
+ kadmin -p daemon/kronborg.mit.edu -k -t daemon.kronborg.keytab
+
+Then, create new keys:
+
+ ktadd -k daemon.kronborg.keytab -e aes256-cts:normal -e aes128-cts:normal daemon/kronborg.mit.edu
+
+After all tickets currently issued against your service expire (which will happen after at most one day), you should remove the old keys from your keytab:
+
+ ktremove -k daemon.kronborg.keytab daemon/kronborg.mit.edu old
+
+Before exiting, you may wish to verify in a separate terminal that the correct updated key has been written to the keytab:
+
+ kinit -k -t daemon.kronborg.keytab daemon/kronborg.mit.edu
+ kvno daemon/kronborg.mit.edu@ATHENA.MIT.EDU