krb5 commit [krb5-1.13]: Document that newer AFS supports stronger crypto

[Tom Yu]

https://github.com/krb5/krb5/commit/fe19aa61a8193dc8add1d85b13a80ece3b8b3ced
commit fe19aa61a8193dc8add1d85b13a80ece3b8b3ced
Author: Tom Yu <tlyu at mit.edu>
Date:   Mon Oct 6 14:32:21 2014 -0400

    Document that newer AFS supports stronger crypto
    
    Modern OpenAFS releases support using encryption stronger than single
    DES with Kerberos.  Update the documentation accordingly.
    
    (cherry picked from commit 9b51ffb0c55a6c4c44501d86eb207acc79403c5c)
    
    ticket: 7761
    version_fixed: 1.13
    status: resolved

 doc/admin/advanced/retiring-des.rst |   31 ++++++++++++++++---------------
 1 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/doc/admin/advanced/retiring-des.rst b/doc/admin/advanced/retiring-des.rst
index 2b80f3c..8bcf83d 100644
--- a/doc/admin/advanced/retiring-des.rst
+++ b/doc/admin/advanced/retiring-des.rst
@@ -380,21 +380,22 @@ Support for legacy services
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 If there remain legacy services which do not support non-DES enctypes
-(such as AFS), **allow_weak_crypto** must remain enabled on the KDC.
-Client machines need not have this setting, though---applications
-which require DES can use API calls to allow weak crypto on a per-request
-basis, overriding the system krb5.conf.  However, having **allow_weak_crypto**
-set on the KDC means that any principals which have a DES key in the database
-could still use those keys.  To minimize the use of DES in the realm and
-restrict it to just legacy services which require DES, it is necessary
-to remove all other DES keys.  The realm has been configured such that
-at password and keytab change, no DES keys will be generated by default.
-The task then reduces to requiring user password changes and having
-server administrators update their service keytabs.  Administrative
-outreach will be necessary, and if the desire to eliminate DES is
-sufficiently strong, the KDC administrators may choose to randkey
-any principals which have not been rekeyed after some timeout period,
-forcing the user to contact the helpdesk for access.
+(such as older versions of AFS), **allow_weak_crypto** must remain
+enabled on the KDC.  Client machines need not have this setting,
+though---applications which require DES can use API calls to allow
+weak crypto on a per-request basis, overriding the system krb5.conf.
+However, having **allow_weak_crypto** set on the KDC means that any
+principals which have a DES key in the database could still use those
+keys.  To minimize the use of DES in the realm and restrict it to just
+legacy services which require DES, it is necessary to remove all other
+DES keys.  The realm has been configured such that at password and
+keytab change, no DES keys will be generated by default.  The task
+then reduces to requiring user password changes and having server
+administrators update their service keytabs.  Administrative outreach
+will be necessary, and if the desire to eliminate DES is sufficiently
+strong, the KDC administrators may choose to randkey any principals
+which have not been rekeyed after some timeout period, forcing the
+user to contact the helpdesk for access.
 
 The Database Master Key
 -----------------------