From: Mike Bristow
To: Victor Star
Cc: freebsd-stable@freebsd.org
Date: Tue, 25 Sep 2007 13:16:45 +0100
Subject: Re: in openpam_load_module(): no pam_unix.so found
Message-ID: <20070925121645.GA53716@wafer.urgle.com>

On Mon, Sep 24, 2007 at 09:29:08AM -0400, Victor Star wrote:
> ==- 8< -========================================================================
> fireball# ldd /usr/lib/pam_unix.so
> /usr/lib/pam_unix.so:
>         libutil.so.5 => /lib/libutil.so.5 (0x28167000)
>         libcrypt.so.3 => /lib/libcrypt.so.3 (0x28173000)
>         libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818b000)
>         libpam.so.3 => /usr/lib/libpam.so.3 (0x2818f000)
> fireball# ldd /usr/lib/pam_unix.so.3
> /usr/lib/pam_unix.so.3:
>         libutil.so.5 => /lib/libutil.so.5 (0x28167000)
>         libcrypt.so.3 => /lib/libcrypt.so.3 (0x28173000)
>         libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818b000)
>         libpam.so.3 => /usr/lib/libpam.so.3 (0x2818f000)

Hmm. That all looks ok.

The relevant code inside openpam[1] does something like

    dlopen(OPENPAM_MODULES_DIR . "/pam_unix.so.3", RTLD_NOW)

and if that fails, tries

    dlopen(OPENPAM_MODULES_DIR . "/pam_unix.so", RTLD_NOW)

Both of these must have failed when su ran.

It may be worth compiling the following:

: mike@wafer:~ ; cat dlopentest.c
#include <dlfcn.h>
#include <stdio.h>

int
main (int argc, char **argv)
{
        void *dlh;

        /* RTLD_NOW resolves every symbol at load time, as openpam does. */
        dlh = dlopen(argv[1], RTLD_NOW);
        if (dlh) {
                printf("dlopen %s worked\n", argv[1]);
        } else {
                printf("dlopen %s failed: %s\n", argv[1], dlerror());
        }
        return 0;
}
: mike@wafer:~ ; make dlopentest
cc -O2 -fno-strict-aliasing -pipe -march="pentium3" dlopentest.c -o dlopentest
: mike@wafer:~ ; ./dlopentest /usr/lib/pam_unix.so
dlopen /usr/lib/pam_unix.so worked
: mike@wafer:~ ; ./dlopentest /usr/lib/pam_unix.so.3
dlopen /usr/lib/pam_unix.so.3 worked
: mike@wafer:~ ; ./dlopentest /usr/lib/pam_kasjajsk.so
dlopen /usr/lib/pam_kasjajsk.so failed: Cannot open "/usr/lib/pam_kasjajsk.so"
: mike@wafer:~ ;

This may give you a clue as to why the dlopen failed.

If that doesn't point at a problem, then recompile su with
_openpam_debug = 1, and set up syslog to log LOG_DEBUG messages somewhere
and see what happens.

[1] assuming a version of FreeBSD suitably similar to the one I have here,
    of course.

>
> ==- 8< -========================================================================
>
> As for when it stopped working - the first thing I did was try to recall if I updated any ports.
> I even went so far as looking for all files in /usr/ modified within the date range, but no,
> nothing.
>
> I did update php5 a couple of days before that.
> But it still worked for about two days after that.
> And I don't have apache/php opened to outside anyway. Just mail ports and ssh on high port (closed
> it for now just in case anyway).
>
> Victor
>
> >> ====- 8< -===================================================
> >> su: in openpam_load_module(): no pam_unix.so found
> >> su: pam_start: system error
> >> ====- 8< -===================================================
> >>
> >> pam_unix.so is in /usr/lib:
> >> ====- 8< -===================================================
> >> # ls -l /usr/lib/pam_unix*
> >> lrwxr-xr-x 1 root wheel 13 Sep 25 2006 /usr/lib/pam_unix.so -> pam_unix.so.3
> >> -r--r--r-- 1 root wheel 10240 Feb 19 2007 /usr/lib/pam_unix.so.3
> >> # file /usr/lib/pam_unix.so
> >> /usr/lib/pam_unix.so: symbolic link to `pam_unix.so.3'
> >> ====- 8< -===================================================
>
> > First, this is how a problem should be described, great work.
>
> > When openpam can't load a module, it also prints the 'not found' message.
> > With 'ldd /usr/lib/pam_unix.so.3' you can see if all the libraries that
> > it needs are in place. On my systems it gives the following output:
>
> > $ ldd /usr/lib/pam_unix.so.3
> > /usr/lib/pam_unix.so.3:
> >         libutil.so.5 => /lib/libutil.so.5 (0x28169000)
> >         libcrypt.so.3 => /lib/libcrypt.so.3 (0x28175000)
> >         libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818d000)
> >         libpam.so.3 => /usr/lib/libpam.so.3 (0x28191000)
>
> >> ====- 8< -===================================================
> >> Sep 18 11:11:37 xxxxxx su: BAD SU to root on /dev/ttyp3
> >> Sep 18 11:13:46 xxxxxx sshd[45047]: Bad protocol version identification '\377\364\377\375\006quit' from
> >> Sep 18 11:15:08 xxxxxx sshd[45056]: Received disconnect from : 2: Bad packet length 710099706.
> >> ====- 8< -===================================================
>
> > The first line is probably the result of the broken pam_unix.so, the
> > other two lines look to me as ssh bruteforce attacks.
>
> > But, when did it stop working? Did you try to update the world or something like that?
>
> --
> Best regards,
> Victor

-- 
Shenanigans! Shenanigans! Best of 3!
        -- Flash
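
The lookup order described in the message above (versioned name first, then the unversioned one), as an added example that is not part of the original post and is not openpam's own code. The helper names try_module and module_perms_ok are hypothetical; the major number 3 and the default path come from the pam_unix.so.3 shown in the thread, and the ownership check is an extra assumption about what a module loaded by su should look like.

```c
/* Added example, not openpam's code: try "<base>.<major>" first, then
 * "<base>", and keep the dlerror() text from every failed attempt. */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper. Returns 0 if the versioned name loaded, 1 if only
 * the unversioned fallback loaded, -1 if both dlopen() calls failed.
 * err (errlen >= 1) receives one "name: reason" line per failure. */
int try_module(const char *base, int major, char *err, size_t errlen)
{
    char versioned[1024];
    const char *names[2] = { versioned, base };
    size_t used = 0;

    snprintf(versioned, sizeof(versioned), "%s.%d", base, major);
    err[0] = '\0';
    for (int i = 0; i < 2; i++) {
        void *dlh = dlopen(names[i], RTLD_NOW);
        if (dlh != NULL) {
            dlclose(dlh);
            return i;
        }
        const char *why = dlerror();
        int n = snprintf(err + used, errlen - used, "%s: %s\n",
                         names[i], why ? why : "unknown error");
        if (n > 0)  /* clamp so a truncated line cannot overrun err */
            used = (used + (size_t)n < errlen) ? used + (size_t)n : errlen - 1;
    }
    return -1;
}

/* Hypothetical helper. Returns 1 if path is a regular file owned by root
 * and not writable by group or others, 0 if not, -1 if stat() fails. */
int module_perms_ok(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return -1;
    return S_ISREG(st.st_mode) && st.st_uid == 0 &&
           (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(int argc, char **argv)
{
    char err[2048];
    const char *base = argc > 1 ? argv[1] : "/usr/lib/pam_unix.so";
    int r = try_module(base, 3, err, sizeof(err));
    printf("load result %d, perms ok %d\n%s", r, module_perms_ok(base), err);
    return r < 0;
}
```

On systems where dlopen() lives in a separate libdl, link with -ldl.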