From 83038ab3f26a53b81b01f408ac38d49905cb12e9 Mon Sep 17 00:00:00 2001
From: Lizhou Sha <slz@mit.edu>
Date: Tue, 15 Dec 2015 22:43:29 -0500
Subject: [PATCH] Include warning of weak ciphers used by k5srvutil change

---
 doc/kerberized-server.mdwn | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/doc/kerberized-server.mdwn b/doc/kerberized-server.mdwn
index de5879b..763f8ea 100644
--- a/doc/kerberized-server.mdwn
+++ b/doc/kerberized-server.mdwn
@@ -15,6 +15,9 @@ and then **set a new (random) key**.
     # k5srvutil change
     # k5srvutil delold
 
+Note that the `k5srvutil` command will also generate keys for the DES and RC4 ciphers, which are considered weak.
+You are strongly advised to read the "Upgrading cryptographic strength" section below on how to generate only AES keys instead.
+
 If you're using Debathena, you can install the `debathena-ssh-server-config` package to configure Kerberos authentication on the server side. If not, make sure your `/etc/ssh/sshd_config` file includes the lines
 
     GSSAPIAuthentication yes
-- 
2.45.0