Date:      Tue, 25 Sep 2007 13:16:45 +0100
From:      Mike Bristow <mike@urgle.com>
To:        Victor Star <freebsd@victorstar.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: in openpam_load_module(): no pam_unix.so found
Message-ID:  <20070925121645.GA53716@wafer.urgle.com>
In-Reply-To: <63456181.20070924092908@victorstar.com>
References:  <762964378.20070923221850@victorstar.com> <20070924063127.GB37371@shell.unixguru.nl> <63456181.20070924092908@victorstar.com>

On Mon, Sep 24, 2007 at 09:29:08AM -0400, Victor Star wrote:
> ==- 8< -========================================================================
> fireball# ldd /usr/lib/pam_unix.so
> /usr/lib/pam_unix.so:
>         libutil.so.5 => /lib/libutil.so.5 (0x28167000)
>         libcrypt.so.3 => /lib/libcrypt.so.3 (0x28173000)
>         libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818b000)
>         libpam.so.3 => /usr/lib/libpam.so.3 (0x2818f000)
> fireball# ldd /usr/lib/pam_unix.so.3
> /usr/lib/pam_unix.so.3:
>         libutil.so.5 => /lib/libutil.so.5 (0x28167000)
>         libcrypt.so.3 => /lib/libcrypt.so.3 (0x28173000)
>         libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818b000)
>         libpam.so.3 => /usr/lib/libpam.so.3 (0x2818f000)

Hmm. That all looks ok.	

The relevant code inside openpam[1] does something like

dlopen(OPENPAM_MODULES_DIR . "/pam_unix.so.3", RTLD_NOW)

and if that fails, tries

dlopen(OPENPAM_MODULES_DIR . "/pam_unix.so", RTLD_NOW)

Both of these must have failed when su ran.  

It may be worth compiling the following:

: mike@wafer:~ ; cat dlopentest.c 
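#include <dlfcn.h>
#include <stdio.h>

int
main (int argc, char **argv) {

        void *dlh;

        /* the path of the shared object to test is required */
        if (argc < 2) {
                fprintf(stderr, "usage: %s /path/to/module.so\n", argv[0]);
                return 1;
        }

        /* RTLD_NOW: resolve every symbol at load time, so a missing
         * dependency shows up here rather than on first use */
        dlh = dlopen(argv[1], RTLD_NOW);
        if (dlh) {
                printf("dlopen %s worked\n", argv[1]);
        } else {
                /* dlerror() carries the loader's reason for the failure */
                printf("dlopen %s failed: %s\n", argv[1], dlerror());
        }
        return 0;
}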
: mike@wafer:~ ; make dlopentest
cc -O2 -fno-strict-aliasing -pipe -march="pentium3"  dlopentest.c  -o dlopentest
: mike@wafer:~ ; ./dlopentest /usr/lib/pam_unix.so
dlopen /usr/lib/pam_unix.so worked
: mike@wafer:~ ; ./dlopentest /usr/lib/pam_unix.so.3
dlopen /usr/lib/pam_unix.so.3 worked
: mike@wafer:~ ; ./dlopentest /usr/lib/pam_kasjajsk.so
dlopen /usr/lib/pam_kasjajsk.so failed: Cannot open "/usr/lib/pam_kasjajsk.so"
: mike@wafer:~ ;

This may give you a clue as to why the dlopen failed.  If that
doesn't point at a problem, then recompile su with _openpam_debug
= 1, and set up syslog to log LOG_DEBUG messages somewhere and see
what happens.


[1] assuming a version of FreeBSD suitably similar to the one I
have here, of course.



> 
> ==- 8< -========================================================================
> 
> As for when it stopped working - the first thing I did was try to recall if I updated any ports.
> I even went so far as to look for all files in /usr/ modified within the date range, but no,
> nothing.
> 
> I did update php5 a couple of days before that. But it still worked for about two days after that.
> And I don't have apache/php open to the outside anyway. Just mail ports and ssh on a high port (closed
> it for now, just in case, anyway).
> 
> Victor
> 
> >> ====- 8< -===================================================
> >> su: in openpam_load_module(): no pam_unix.so found
> >> su: pam_start: system error
> >> ====- 8< -===================================================
> >> 
> >> pam_unix.so is in /usr/lib:
> >> ====- 8< -===================================================
> >> # ls -l /usr/lib/pam_unix*
> >> lrwxr-xr-x  1 root  wheel     13 Sep 25  2006 /usr/lib/pam_unix.so -> pam_unix.so.3
> >> -r--r--r--  1 root  wheel  10240 Feb 19  2007 /usr/lib/pam_unix.so.3
> >> # file /usr/lib/pam_unix.so
> >> /usr/lib/pam_unix.so: symbolic link to `pam_unix.so.3'
> >> ====- 8< -===================================================
> 
> > First, this is how a problem should be described, great work.
> 
> > When openpam can't load a module, it also prints the 'not found' message.
> > With 'ldd /usr/lib/pam_unix.so.3' you can see if all the libraries that
> > it needs are in place. On my systems it gives the following output:
> 
> > $ ldd /usr/lib/pam_unix.so.3 
> > /usr/lib/pam_unix.so.3:
> >         libutil.so.5 => /lib/libutil.so.5 (0x28169000)
> >         libcrypt.so.3 => /lib/libcrypt.so.3 (0x28175000)
> >         libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818d000)
> >         libpam.so.3 => /usr/lib/libpam.so.3 (0x28191000)
> 
> >> ====- 8< -===================================================
> >> Sep 18 11:11:37 xxxxxx su: BAD SU <myloginname> to root on /dev/ttyp3
> >> Sep 18 11:13:46 xxxxxx sshd[45047]: Bad protocol version identification '\377\364\377\375\006quit' from <some ip here>
> >> Sep 18 11:15:08 xxxxxx sshd[45056]: Received disconnect from <some ip here>: 2: Bad packet length 710099706.
> >> ====- 8< -===================================================
> 
> > The first line is probably the result of the broken pam_unix.so, the
> > other two lines look to me as ssh bruteforce attacks.
> 
> > But when did it stop working? Did you try to update the world or something like that?
> 
> 
> 
> -- 
> Best regards,
>  Victor                          
> 

-- 
Shenanigans!  Shenanigans!    Best of 3!
	-- Flash 
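
Added example, not part of the original message and not openpam source: it mimics the two-step lookup described in the reply (versioned name first, then the unversioned one) and keeps the dlerror() text of each attempt, which the single "no pam_unix.so found" line hides. MODULES_DIR, MODULE_VERSION and the function names are assumptions made for illustration.

```c
/* Added example (not openpam source): versioned-then-unversioned dlopen,
 * recording the loader's reason for every attempt that fails. */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

#define MODULES_DIR "/usr/lib"  /* assumed value of OPENPAM_MODULES_DIR */
#define MODULE_VERSION 3        /* assumed, from the pam_unix.so.3 file name */

struct attempt { char path[256]; char error[256]; };  /* error "" = loaded */

/* dlopen one path with RTLD_NOW; returns 1 if it loaded, else records why not. */
static int try_path(struct attempt *a, const char *path)
{
        void *dlh;
        const char *err;

        snprintf(a->path, sizeof(a->path), "%s", path);
        if ((dlh = dlopen(a->path, RTLD_NOW)) != NULL) {
                dlclose(dlh);
                return 1;
        }
        err = dlerror();
        snprintf(a->error, sizeof(a->error), "%s", err ? err : "unknown error");
        return 0;
}

/* Returns 0 if the versioned name loaded, 1 if only the unversioned one did,
 * -1 if both failed (the case that ends in "no pam_unix.so found"). */
int load_with_fallback(const char *dir, const char *module, struct attempt out[2])
{
        char path[256];

        memset(out, 0, 2 * sizeof(*out));
        snprintf(path, sizeof(path), "%s/%s.so.%d", dir, module, MODULE_VERSION);
        if (try_path(&out[0], path))
                return 0;
        snprintf(path, sizeof(path), "%s/%s.so", dir, module);
        return try_path(&out[1], path) ? 1 : -1;
}

int main(int argc, char **argv)
{
        struct attempt a[2];
        int i, r = load_with_fallback(MODULES_DIR, argc > 1 ? argv[1] : "pam_unix", a);

        for (i = 0; i < 2; i++)
                if (a[i].path[0] != '\0')
                        printf("%s: %s\n", a[i].path, a[i].error[0] ? a[i].error : "loaded");
        return r < 0;
}
```

Run it as the same user and in the same environment as the failing su, since the loader's answer can differ between a root shell and the process that actually failed.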