From 49ff8baae410d1f5606f008dea992c2946751693 Mon Sep 17 00:00:00 2001
From: Nicolas Williams <nico@twosigma.com>
Date: Tue, 11 Nov 2025 22:40:15 -0600
Subject: [PATCH] hdb: Change default_keytypes[] to drop weak enctypes

---
 lib/hdb/keys.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/hdb/keys.c b/lib/hdb/keys.c
index 457e5daf7..d6814e636 100644
--- a/lib/hdb/keys.c
+++ b/lib/hdb/keys.c
@@ -673,8 +673,7 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal,
     char **config_ktypes = NULL;
     static const char *default_keytypes[] = {
 	"aes256-cts-hmac-sha1-96:pw-salt",
-	"des3-cbc-sha1:pw-salt",
-	"arcfour-hmac-md5:pw-salt",
+	"aes256-cts-hmac-sha384-192:pw-salt",
 	NULL
     };