diff --git a/ocaml/auth/dune b/ocaml/auth/dune
index b2bdfd78b1d..0cbeb9156db 100644
--- a/ocaml/auth/dune
+++ b/ocaml/auth/dune
@@ -4,7 +4,7 @@
     (names xa_auth xa_auth_stubs)
   )
   (name pam)
-  (c_library_flags -lpam)
+  (c_library_flags -lpam -lcrypt)
   (libraries threads.posix)
   (wrapped false)
 )
\ No newline at end of file
diff --git a/ocaml/auth/pam.ml b/ocaml/auth/pam.ml
index 963f155e580..6650d9453c6 100644
--- a/ocaml/auth/pam.ml
+++ b/ocaml/auth/pam.ml
@@ -50,3 +50,5 @@ let authorize_stop t =
 let authorize_run t username password =
   let handle = check_handle t in
   authorize_run handle username password
+
+external workaround : unit -> unit = "stub_XA_workaround"
diff --git a/ocaml/auth/xa_auth_stubs.c b/ocaml/auth/xa_auth_stubs.c
index 86850e181b8..ba8673646c9 100644
--- a/ocaml/auth/xa_auth_stubs.c
+++ b/ocaml/auth/xa_auth_stubs.c
@@ -11,8 +11,9 @@
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU Lesser General Public License for more details.
  */
-/*
- */
+
+/* must be at the beginning, it affects defines in other headers that cannot be reenabled later */
+#define _GNU_SOURCE
 
 #include <unistd.h>
 #include <stdlib.h>
@@ -142,6 +143,23 @@ CAMLprim value stub_XA_mh_authorize_run(value ml_handle, value username, value p
         caml_failwith(error ? error : "Unknown error");
     CAMLreturn(ret);
 }
+
+#include <crypt.h>
+CAMLprim value stub_XA_workaround(value u)
+{
+  CAMLparam1(u);
+  struct crypt_data data;
+  memset(&data, 0, sizeof(data));
+
+  /* When called with '$6$' it will call sha512_crypt_r which will call NSSLOW_Init, which initializes the library,
+     and avoids the sleep() call that would otherwise happen when the library is initialized in parallel.
+     We don't want to link with libfreebl3 directly, because in the future we might switch to using libxcrypt.
+   */
+  crypt_r("", "$6$", &data);
+  
+  CAMLreturn(Val_unit);
+}
+
 /*
  * Local variables:
  * mode: C
diff --git a/ocaml/tests/bench/pam/bench_pam.ml b/ocaml/tests/bench/pam/bench_pam.ml
index 0a440b50b4f..db5775b7b21 100644
--- a/ocaml/tests/bench/pam/bench_pam.ml
+++ b/ocaml/tests/bench/pam/bench_pam.ml
@@ -38,15 +38,12 @@ let pam_run h =
   Pam.authorize_run h username password
 
 let sleepfix_start () =
+  (* FIXME: this adds a 5s pause on startup, any way to initialize the code but not incurr the fail delay? *)
   (* To avoid the sleep(1) in the libgcrypt/NSS initialization code that gets called from Pam.authorize_run create and run a fake auth command,
      and keep the handle open
  *)
+  Pam.workaround ();
   let h = Pam.authorize_start ()  in
-  let () =
-    try Pam.authorize_run h "" ""
-    with Failure _ -> ()
-  in
-  (* h is not valid to use anymore! *)
   h
 
 let sleepfix_stop = Pam.authorize_stop