[36144] in Kerberos
Problem with pam_krb5
daemon@ATHENA.MIT.EDU (Christian Stroehmeier)
Mon May 26 05:27:50 2014
Message-ID: <53830811.6090608@mail.uni-paderborn.de>
Date: Mon, 26 May 2014 11:23:29 +0200
From: Christian Stroehmeier <stroemi@mail.uni-paderborn.de>
To: kerberos@mit.edu

Hi everyone,

we have a setup with 10000+ users, using Kerberos mostly for ssh
authentication. This has worked fine for several years now, but we recently
ran into a problem with pam_krb5.

We upgraded our terminal server to Debian wheezy (was squeeze before),
and since then sshd sometimes consumes 100% of the CPU when invoking
pam_krb5. This seems to happen if some bot or something tries to log in
as a user who is not found in the LDAP user database but still has a
principal kicking around (this is the case for disabled users).

The process polls a UDP socket pointing at the Kerberos master's port
88, thus generating this load. Regular, active users get their TGT from
the slaves - this still works fine.

Does anyone have any insights on this?

Thanks,
Chris