improving kadmind change-password performance

Booker Bense bbense at
Tue Nov 13 16:50:59 EST 2012

On Sun, Nov 11, 2012 at 8:50 PM, Greg Hudson <ghudson at> wrote:

> On 11/11/2012 04:40 PM, Danny Thomas wrote:
> > kadmind hits 100% CPU when load-testing with <100 simulated clients.
> For password changes, kadmind has to run the string-to-key algorithm on
> the new password for each enctype in supported_enctypes (which defaults
> to AES-256, AES-128, DES3, and RC4).  The string-to-key algorithm for
> the AES enctypes is deliberately slow in order to make dictionary
> attacks harder.  I believe this operation is swamping any other
> performance bottlenecks.
I would want to see the profile data before I made any recommendation.

" premature optimization is the root of all evil "

In my experience even when you know the code base extremely well, you can
be quite wrong about where the time is actually spent.

- Booker C. Bense

More information about the Kerberos mailing list