Source: krb5
Version: 1.20-1
Severity: normal
X-Debbugs-Cc: s...@robots.org.uk
When using a container image that has an older version of some of the
binary packages from krb5 in it, installing krb5-user results in binary
packages being installed that are a mix of the newer and older version.
The practical problem with this is:
$ podman run -ti docker.io/library/r-base:latest bash -l
.. at this time, the following packages are installed (i.e., they're
part of the container image).
ii  libgssapi-krb5-2:amd64 1.19.2-2+b2 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libk5crypto3:amd64     1.19.2-2+b2 amd64 MIT Kerberos runtime libraries - Crypto Library
ii  libkrb5-3:amd64        1.19.2-2+b2 amd64 MIT Kerberos runtime libraries
ii  libkrb5support0:amd64  1.19.2-2+b2 amd64 MIT Kerberos runtime libraries - Support library
Now, I'll install kinit and try to use it:
root@d6ed10d8dfac:/# apt -qq update && apt install krb5-user
[...]
root@d6ed10d8dfac:/# kinit u...@example.com
kinit: Random number generator could not be seeded while getting initial
credentials
This error message comes from libk5crypto.so.3. At this point,
libk5crypto3 is still at the old version, other binary packages have
been upgraded:
ii  krb5-user                1.20-1      amd64 basic programs to authenticate using MIT Kerberos
ii  libgssapi-krb5-2:amd64   1.20-1      amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libgssrpc4:amd64         1.20-1      amd64 MIT Kerberos runtime libraries - GSS enabled ONCRPC
ii  libk5crypto3:amd64       1.19.2-2+b2 amd64 MIT Kerberos runtime libraries - Crypto Library
ii  libkadm5clnt-mit12:amd64 1.20-1      amd64 MIT Kerberos runtime libraries - Administration Clients
ii  libkadm5srv-mit12:amd64  1.20-1      amd64 MIT Kerberos runtime libraries - KDC and Admin Server
ii  libkdb5-10:amd64         1.20-1      amd64 MIT Kerberos runtime libraries - Kerberos database
ii  libkrb5-3:amd64          1.20-1      amd64 MIT Kerberos runtime libraries
ii  libkrb5support0:amd64    1.20-1      amd64 MIT Kerberos runtime libraries - Support library
After 'apt-get install libk5crypto3', version 1.20-1 is installed & the
kinit command works.
I think this is related to the removal of the embedded PRNG in 1.19 and
earlier versions. The code from 1.20 is calling
krb5_c_random_make_octets (which is provided by libk5crypto3) in a way
that the older implementation isn't happy with, and it throws this
error.
Maybe there's a missing Breaks or Conflicts somewhere; or maybe
versioned dependencies need to be added somewhere to ensure that all the
binary packages from krb5 are upgraded in lockstep.
-- System Information:
Debian Release: 11.5
APT prefers stable-updates
APT policy: (570, 'stable-updates'), (570, 'stable-security'), (570,
'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'),
(530, 'unstable-debug'), (530, 'unstable'), (1, 'experimental-debug'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.18.0-3-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_DIE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default
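
A check for the mixed-version state described in this report, as an added example (not part of the original report or of the krb5 packaging): it groups installed binary packages of one source package by source version and fails when more than one version is present. The function names and the sample input are hypothetical and constructed from the package versions listed above.

```shell
#!/bin/sh
# Added example: flag binary packages built from one source package that are
# installed at different source versions (the mixed krb5 state in the report).
#
# Input on stdin, one package per line:
#   source-package binary-package source-version status
# On a live Debian system this can be produced with:
#   dpkg-query -W -f='${source:Package} ${binary:Package} ${source:Version} ${db:Status-Abbrev}\n'

find_version_skew() {
    # $1 = source package name to check (e.g. krb5)
    awk -v src="$1" '
        $1 == src && $4 == "ii" {           # only fully installed packages
            pkgs[$3] = pkgs[$3] " " $2      # group binary packages by version
            if (!($3 in seen)) { seen[$3] = 1; nver++ }
        }
        END {
            if (nver > 1) {
                for (v in pkgs) printf "%s:%s\n", v, pkgs[v]
                exit 1                      # skew found
            }
            exit 0                          # zero or one version: consistent
        }'
}

# Constructed sample: the state after "apt install krb5-user" in the report.
# The binNMU version 1.19.2-2+b2 corresponds to source version 1.19.2-2.
sample_after_install() {
    cat <<'EOF'
krb5 krb5-user 1.20-1 ii
krb5 libgssapi-krb5-2:amd64 1.20-1 ii
krb5 libk5crypto3:amd64 1.19.2-2 ii
krb5 libkrb5-3:amd64 1.20-1 ii
krb5 libkrb5support0:amd64 1.20-1 ii
EOF
}

if sample_after_install | find_version_skew krb5; then
    echo "krb5: all binary packages at one version"
else
    echo "krb5: version skew detected"
fi
```

Run as a step in a container image build after package installation, a non-zero exit from `find_version_skew` catches the partial upgrade before a tool such as kinit fails at run time.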