Bug 167537

Summary: Undefined symbol "krb5_init_ets" with MIT Kerberos v1.4
Product: Red Hat Enterprise Linux 4 Reporter: Dax Kelson <dkelson>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0Keywords: FutureFeature
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-09-06 09:11:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dax Kelson 2005-09-04 20:32:20 UTC 
Description of problem:

OpenSSH in RHEL4 calls krb5_init_ets(). That function is no longer part of the
public API and hasn't been for many many years. In Kerberos v1.3 shipped with
RHEL4 the function just returns true without doing anything. The OpenSSH in
RHEL4 is still calling the function anyway.

In Kerberos v1.4 the function was removed entirely. The soname wasn't changed as
krb5_init_ets() isn't part of the public API.

Security policy in our environment dictates that must use Kerberos v1.4 on
RHEL4. Since OpenSSH sshd is calling that function it crashes.

It would be very helpful if the next errata release of OpenSSH for RHEL4 didn't
call krb5_init_ets().
Comment 1 Tomas Mraz 2005-09-05 08:11:55 UTC 
Please use the Support Issue tracker to report such feature requests for Red Hat
Enterprise Linux.

When you report it, mention this bugzilla bug number.
Comment 2 Dax Kelson 2005-09-06 02:22:53 UTC 
We have purchased RHEL4 ES. I don't believe the support issue tracker is
available to us.
Comment 3 Tomas Mraz 2005-09-06 09:11:51 UTC 
With Standard Edition subscription type you should have access to it (probably
not with the Basic Edition).

I'm sorry but we don't support installing newer MIT Kerberos on existing RHEL
releases. Removing the function call would be probably trivial however all
updates done in RHEL must be properly requested, justified and tested by QE. If
you are installing a different/unsupported krb5 packages anyway it shouldn't be
a too big difference for you if you patched the openssh packages as well.