Problem with pam_krb5

Christian Stroehmeier stroemi at mail.uni-paderborn.de
Mon May 26 05:23:29 EDT 2014


Hi everyone,

we have a setup with 10000+ users, using Kerberos mostly for ssh 
authentication. This has worked fine for several years now, but we recently 
ran into a problem with pam_krb5.

We upgraded our terminal server to Debian wheezy (was squeeze before), 
and since then sshd sometimes consumes 100% of the CPU when invoking 
pam_krb5. This seems to happen if some bot or something tries to log in 
as a user who is not found in the LDAP user database but still has a 
principal kicking around (this is the case for disabled users).
The process polls a UDP socket pointing at the Kerberos master's port 
88, thus generating this load. Regular, active users get their TGT from 
the slaves - this still works fine.
Does anyone have any insights on this?

Thanks,
Chris

