doc updates for allow_weak_crypto

Update documentation to be more helpful about allow_weak_crypto.

ticket: 6669
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23750 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 8 insertions, 0 deletions

diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M
index b60836f..9778e81 100644
--- a/src/config-files/krb5.conf.M
+++ b/src/config-files/krb5.conf.M
@@ -128,6 +128,14 @@ types that should be requested by the client, in the same format.
 This relation identifies the permitted list of session key encryption
 types.
 
+.IP allow_weak_crypto
+If this is set to 0 (for false), then weak encryption types will be
+filtered out of the previous three lists.  The default value for this
+tag is false, which may cause authentication failures in existing
+Kerberos infrastructures that do not support strong crypto.  Users in
+affected environments should set this tag to true until their
+infrastructure adopts stronger ciphers.
+
 .IP clockskew 
 This relation sets the maximum allowable amount of clockskew in seconds
 that the library will tolerate before assuming that a Kerberos message