improving kadmind change-password performance
Booker Bense
bbense at gmail.com
Tue Nov 13 16:50:59 EST 2012
On Sun, Nov 11, 2012 at 8:50 PM, Greg Hudson <ghudson at mit.edu> wrote:
> On 11/11/2012 04:40 PM, Danny Thomas wrote:
> > kadmind hits 100% CPU when load-testing with <100 simulated clients.
>
> For password changes, kadmind has to run the string-to-key algorithm on
> the new password for each enctype in supported_enctypes (which defaults
> to AES-256, AES-128, DES3, and RC4). The string-to-key algorithm for
> the AES enctypes is deliberately slow in order to make dictionary
> attacks harder. I believe this operation is swamping any other
> performance bottlenecks.
>
>
I would want to see the profile data before I made any recommendation.
"premature optimization is the root of all evil"
In my experience even when you know the code base extremely well, you can often
be quite wrong about where the time is actually spent.
- Booker C. Bense
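
Added example (not part of either message and not MIT krb5 code): a Python timing harness for the PBKDF2-HMAC-SHA1 stage of the AES string-to-key described in the quoted message, so the per-change CPU cost can be measured. It assumes the RFC 3962 default of 4096 iterations and a constructed password and salt, and it omits the final key-derivation step and the DES3/RC4 enctypes.

```python
import hashlib
import math
import time

# RFC 3962 default iteration count for the AES enctypes (assumed unchanged).
ITERATIONS = 4096
SHA1_LEN = 20  # bytes of output per PBKDF2 block with HMAC-SHA1
AES_ENCTYPES = {"aes256-cts-hmac-sha1-96": 32, "aes128-cts-hmac-sha1-96": 16}


def pbkdf2_stage(password, salt, key_len, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA1 stage of the AES string-to-key (final DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, key_len)


def hmac_rounds(key_len, iterations=ITERATIONS):
    """Chained HMAC-SHA1 evaluations PBKDF2 needs for a key of key_len bytes."""
    return math.ceil(key_len / SHA1_LEN) * iterations


def profile_change(password, salt, repeat=20):
    """Return {enctype: mean seconds per derivation} for one password change."""
    timings = {}
    for name, key_len in AES_ENCTYPES.items():
        start = time.perf_counter()
        for _ in range(repeat):
            pbkdf2_stage(password, salt, key_len)
        timings[name] = (time.perf_counter() - start) / repeat
    return timings


if __name__ == "__main__":
    # Constructed sample input; the default Kerberos salt is realm + principal.
    pw, salt = b"correct horse battery", b"EXAMPLE.COMalice"
    timings = profile_change(pw, salt)
    for name, secs in timings.items():
        rounds = hmac_rounds(AES_ENCTYPES[name])
        print(f"{name}: {rounds} HMAC rounds, {secs * 1e3:.2f} ms")
    total = sum(timings.values())
    print(f"AES string-to-key per change: {total * 1e3:.2f} ms, "
          f"about {1 / total:.0f} changes/s per core")
```

A 32-byte AES-256 key needs two 20-byte PBKDF2 blocks, so it costs twice the HMAC rounds of the AES-128 key; the printed rate is an upper bound on password changes per core from this stage alone.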