Problem with pam_krb5
stroemi at mail.uni-paderborn.de
Mon May 26 05:23:29 EDT 2014
we have a setup with 10000+ users, using kerberos mostly for ssh
authentication. This works fine for several years now, but we recently
ran into a problem with pam_krb5.
We upgraded our terminal server to debian wheezy (was squeeze before),
and since then sshd sometimes consumes 100% of the CPU when invoking
pam_krb5. This seems to happen if some bot or something tries to log in
as a user who is not found in the LDAP user database but still has a
principle kicking around (this is the case for disabled users).
The process polls a udp socket pointing at the kerberos master's port
88, thus generating this load. Regular, active users get their TGT from
the slaves - this still works fine.
Does anyone have any insights on this?
More information about the Kerberos