Re: in openpam_load_module(): no pam_unix.so found
- From: Victor Star <freebsd@xxxxxxxxxxxxxx>
- Date: Tue, 25 Sep 2007 14:06:29 -0400
Hi Mike,
Now, before I got a chance to try it out it suddenly works again.
As good as this news is, I don't really like things fixing themselves without my knowledge of
what's going on... Looks like a good time to start learning about rootkits. Of course there is a
possibility of some resource-related issue, but I would expect at least to see something in
messages, or other log files....
I'll keep this email for the future in case it happens again.
Thank you for your help!
Victor
On Mon, Sep 24, 2007 at 09:29:08AM -0400, Victor Star wrote:
==- 8< -========================================================================
fireball# ldd /usr/lib/pam_unix.so
/usr/lib/pam_unix.so:
libutil.so.5 => /lib/libutil.so.5 (0x28167000)
libcrypt.so.3 => /lib/libcrypt.so.3 (0x28173000)
libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818b000)
libpam.so.3 => /usr/lib/libpam.so.3 (0x2818f000)
fireball# ldd /usr/lib/pam_unix.so.3
/usr/lib/pam_unix.so.3:
libutil.so.5 => /lib/libutil.so.5 (0x28167000)
libcrypt.so.3 => /lib/libcrypt.so.3 (0x28173000)
libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818b000)
libpam.so.3 => /usr/lib/libpam.so.3 (0x2818f000)
Hmm. That all looks ok.
The relevant code inside openpam[1] does something like
dlopen(OPENPAM_MODULES_DIR . "/pam_unix.so.3", RTLD_NOW)
and if that fails, tries
dlopen(OPENPAM_MODULES_DIR . "/pam_unix.so", RTLD_NOW)
Both of these must have failed when su ran.
It may be worth compiling the following:
: mike@wafer:~ ; cat dlopentest.c
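#include <dlfcn.h>
#include <stdio.h>

int
main (int argc, char **argv) {
    void *dlh;

    /* Require the path of the shared object to test. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/module.so\n", argv[0]);
        return 2;
    }
    /* Same call shape as the openpam dlopen() described above. */
    dlh = dlopen(argv[1], RTLD_NOW);
    if (dlh) {
        printf("dlopen %s worked\n", argv[1]);
        dlclose(dlh);
    } else {
        /* dlerror() gives the loader's reason for the failure. */
        printf("dlopen %s failed: %s\n", argv[1], dlerror());
    }
    return 0;
}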
: mike@wafer:~ ; make dlopentest
cc -O2 -fno-strict-aliasing -pipe -march="pentium3" dlopentest.c -o dlopentest
: mike@wafer:~ ; ./dlopentest /usr/lib/pam_unix.so
dlopen /usr/lib/pam_unix.so worked
: mike@wafer:~ ; ./dlopentest /usr/lib/pam_unix.so.3
dlopen /usr/lib/pam_unix.so.3 worked
: mike@wafer:~ ; ./dlopentest /usr/lib/pam_kasjajsk.so
dlopen /usr/lib/pam_kasjajsk.so failed: Cannot open "/usr/lib/pam_kasjajsk.so"
: mike@wafer:~ ;
This may give you a clue as to why the dlopen failed. If that
doesn't point at a problem, then recompile su with _openpam_debug
= 1, and set up syslog to log LOG_DEBUG messages somewhere and see
what happens.
[1] assuming a version of FreeBSD suitably similar to the one I
have here, of course.
==- 8< -========================================================================
As for when it stopped working - the first thing I did was try to recall if I updated any ports.
I even went so far as looking for all files in /usr/ modified within the date range, but no,
nothing.
I did update php5 a couple of days before that. But it still worked for about two days after that.
And I don't have apache/php opened to outside anyway. Just mail ports and ssh on a high port (closed
it for now just in case anyway).
Victor
====- 8< -===================================================
su: in openpam_load_module(): no pam_unix.so found
su: pam_start: system error
====- 8< -===================================================
pam_unix.so is in /usr/lib:
====- 8< -===================================================
# ls -l /usr/lib/pam_unix*
lrwxr-xr-x 1 root wheel 13 Sep 25 2006 /usr/lib/pam_unix.so -> pam_unix.so.3
-r--r--r-- 1 root wheel 10240 Feb 19 2007 /usr/lib/pam_unix.so.3
# file /usr/lib/pam_unix.so
/usr/lib/pam_unix.so: symbolic link to `pam_unix.so.3'
====- 8< -===================================================
First, this is how a problem should be described, great work.
When openpam can't load a module, it also prints the 'not found' message.
With 'ldd /usr/lib/pam_unix.so.3' you can see if all the libraries that
it needs are in place. On my systems it gives the following output:
$ ldd /usr/lib/pam_unix.so.3
/usr/lib/pam_unix.so.3:
libutil.so.5 => /lib/libutil.so.5 (0x28169000)
libcrypt.so.3 => /lib/libcrypt.so.3 (0x28175000)
libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818d000)
libpam.so.3 => /usr/lib/libpam.so.3 (0x28191000)
====- 8< -===================================================
Sep 18 11:11:37 xxxxxx su: BAD SU <myloginname> to root on /dev/ttyp3
Sep 18 11:13:46 xxxxxx sshd[45047]: Bad protocol version identification '\377\364\377\375\006quit' from <some ip here>
Sep 18 11:15:08 xxxxxx sshd[45056]: Received disconnect from <some ip here>: 2: Bad packet length 710099706.
====- 8< -===================================================
The first line is probably the result of the broken pam_unix.so, the
other two lines look to me as ssh bruteforce attacks.
But when did it stop working? Did you try to update the world or something like that?
--
Best regards,
Victor
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"
- References:
- in openpam_load_module(): no pam_unix.so found
- From: Victor Star
- Re: in openpam_load_module(): no pam_unix.so found
- From: Richard Arends
- Re: in openpam_load_module(): no pam_unix.so found
- From: Victor Star
- Re: in openpam_load_module(): no pam_unix.so found
- From: Mike Bristow
- in openpam_load_module(): no pam_unix.so found