diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 1539dc81d..828b09cd1 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -261,10 +261,8 @@ If set to "ignore", the framework will ignore any the server input to
 this is very useful when the GSS-API server input the
 wrong server name into the gss_accept_sec_context call.
 .It Li k5login_directory = Va directory
-Alternative location for user .k5login files. Tokens in the form of
-%{luser} are expanded to the name of the user whose .k5login file is
-needed. This option is provided for compatibility with MIT krb5
-configuration files.
+Alternative location for user .k5login files. This option is provided
+for compatibility with MIT krb5 configuration files.
 .It Li k5login_authoritative = Va boolean
 If true then if a principal is not found in k5login files then
 .Xr krb5_userok 3
@@ -297,12 +295,6 @@ argument to
 .Xr krb5_userok 3
 in the given directory or in
 .Pa /etc/k5login.d/ .
-If a directory is given
-then tokens will be expanded; the %{luser} token will be replaced with
-the
-.Va luser
-argument to
-.Xr krb5_userok 3 .
 K5login files are text files, with each line containing just a principal
 name; principals apearing in a user's k5login file are permitted access
 to the user's account. Note: this rule performs no ownership nor
diff --git a/lib/krb5/kuserok.c b/lib/krb5/kuserok.c
index ace47da0b..70e5f6170 100644
--- a/lib/krb5/kuserok.c
+++ b/lib/krb5/kuserok.c
@@ -325,6 +325,7 @@ check_directory(krb5_context context,
     DIR *d;
     struct dirent *dent;
     char filename[MAXPATHLEN];
+    size_t len;
     krb5_error_code ret = 0;
     struct stat st;
 
@@ -348,16 +349,25 @@ check_directory(krb5_context context,
 	goto out;
 
     while ((dent = readdir(d)) != NULL) {
+	/*
+	 * XXX: Should we also skip files whose names start with "."?
+	 * Vim ".filename.swp" files are also good candidates to skip.
+	 * Once we ignore "#*" and "*~", it is not clear what other
+	 * heuristics to apply.
+	 */
 	if (strcmp(dent->d_name, ".") == 0 ||
 	   strcmp(dent->d_name, "..") == 0 ||
 	   dent->d_name[0] == '#' ||			  /* emacs autosave */
 	   dent->d_name[strlen(dent->d_name) - 1] == '~') /* emacs backup */
 	    continue;
-	snprintf(filename, sizeof(filename), "%s/%s", dirname, dent->d_name);
-	ret = check_one_file(context, filename, owner, is_system_location,
-			     principal, result);
-	if (ret == 0 && *result == TRUE)
-	    break;
+	len = snprintf(filename, sizeof(filename), "%s/%s", dirname, dent->d_name);
+	/* Skip too-long filenames that got truncated by snprintf() */
+	if (len < sizeof(filename)) {
+	    ret = check_one_file(context, filename, owner, is_system_location,
+				 principal, result);
+	    if (ret == 0 && *result == TRUE)
+		break;
+	}
 	ret = 0; /* don't propagate errors upstream */
     }
 
@@ -552,7 +562,8 @@ kuserok_sys_k5login_plug_f(void *plug_ctx, krb5_context context,
 			   const char *k5login_dir, const char *luser,
 			   krb5_const_principal principal, krb5_boolean *result)
 {
-    char *path = NULL;
+    char filename[MAXPATHLEN];
+    size_t len;
     const char *profile_dir = NULL;
     krb5_error_code ret;
 
@@ -568,17 +579,14 @@ kuserok_sys_k5login_plug_f(void *plug_ctx, krb5_context context,
     else
 	profile_dir++;
 
-    ret = _krb5_expand_path_tokensv(context, profile_dir, &path,
-				    "luser", luser, NULL);
-    if (ret)
-	return ret;
+    len = snprintf(filename, sizeof(filename), "%s/%s", profile_dir, luser);
+    if (len < sizeof(filename)) {
+	ret = check_one_file(context, filename, NULL, TRUE, principal, result);
 
-    ret = check_one_file(context, path, NULL, TRUE, principal, result);
-    free(path);
-
-    if (ret == 0 &&
-	((flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE) || *result == TRUE))
-	return 0;
+	if (ret == 0 &&
+	    ((flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE) || *result == TRUE))
+	    return 0;
+    }
 
     *result = FALSE;
     return KRB5_PLUGIN_NO_HANDLE;
diff --git a/tests/kdc/krb5-authz.conf.in b/tests/kdc/krb5-authz.conf.in
index f6c6d4ad4..ea4cc5f83 100644
--- a/tests/kdc/krb5-authz.conf.in
+++ b/tests/kdc/krb5-authz.conf.in
@@ -1,7 +1,7 @@
 [libdefaults]
 	default_realm = TEST.H5L.SE TEST2.H5L.SE TEST3.H5L.SE
 	no-addresses = TRUE
-	kuserok = SYSTEM-K5LOGIN:@srcdir@/k5login/%{luser}
+	kuserok = SYSTEM-K5LOGIN:@srcdir@/k5login
 	kuserok = USER-K5LOGIN
 	kuserok = SIMPLE
 
diff --git a/tests/kdc/krb5-authz2.conf.in b/tests/kdc/krb5-authz2.conf.in
index 06a815d5f..bc4a9b220 100644
--- a/tests/kdc/krb5-authz2.conf.in
+++ b/tests/kdc/krb5-authz2.conf.in
@@ -2,7 +2,7 @@
 	default_realm = TEST.H5L.SE TEST2.H5L.SE TEST3.H5L.SE
 	no-addresses = TRUE
 	k5login_authoritative = TRUE
-	k5login_directory = @srcdir@/k5login/%{luser}
+	k5login_directory = @srcdir@/k5login
 	kuserok = SYSTEM-K5LOGIN
 	kuserok = SIMPLE