From the man page for krb5_cc_retrieve_cred:
The match credentials. Fields from these credentials are
matched with fields in the cache entries based on the
search flags. The client and server principals must always
be set in the match credentials, no matter what search flags
Pam_krb5 doesn't set the client principal which leads to
crashes of openssh on AMD64 architectures if linked
against MIT Kerberos 1.4. The attached patch fixes that.