From: Victor Star
Date: Mon, 24 Sep 2007 09:29:08 -0400
To: Richard Arends
Cc: freebsd-stable@freebsd.org
Subject: Re: in openpam_load_module(): no pam_unix.so found

Hi Richard,

First of all thank you guys for replying!
Here is the output of ldd:

==- 8< -========================================================================
fireball# ldd /usr/lib/pam_unix.so
/usr/lib/pam_unix.so:
        libutil.so.5 => /lib/libutil.so.5 (0x28167000)
        libcrypt.so.3 => /lib/libcrypt.so.3 (0x28173000)
        libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818b000)
        libpam.so.3 => /usr/lib/libpam.so.3 (0x2818f000)
fireball# ldd /usr/lib/pam_unix.so.3
/usr/lib/pam_unix.so.3:
        libutil.so.5 => /lib/libutil.so.5 (0x28167000)
        libcrypt.so.3 => /lib/libcrypt.so.3 (0x28173000)
        libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818b000)
        libpam.so.3 => /usr/lib/libpam.so.3 (0x2818f000)
==- 8< -========================================================================

As for when it stopped working - the first thing I did was try to recall if I
updated any ports. I even went so far as looking for all files in /usr/
modified within the date range, but no, nothing. I did update php5 a couple of
days before that. But it still worked for about two days after that. And I
don't have apache/php opened to outside anyway. Just mail ports and ssh on a
high port (closed it for now just in case anyway).

Victor

>> ====- 8< -===================================================
>> su: in openpam_load_module(): no pam_unix.so found
>> su: pam_start: system error
>> ====- 8< -===================================================
>>
>> pam_unix.so is in /usr/lib:
>> ====- 8< -===================================================
>> # ls -l /usr/lib/pam_unix*
>> lrwxr-xr-x 1 root wheel 13 Sep 25 2006 /usr/lib/pam_unix.so -> pam_unix.so.3
>> -r--r--r-- 1 root wheel 10240 Feb 19 2007 /usr/lib/pam_unix.so.3
>> # file /usr/lib/pam_unix.so
>> /usr/lib/pam_unix.so: symbolic link to `pam_unix.so.3'
>> ====- 8< -===================================================

> First, this is how a problem should be described, great work.

> When openpam can't load a module, it also prints the 'not found' message.
> With 'ldd /usr/lib/pam_unix.so.3' you can see if all the libraries that
> it needs are in place. On my systems it gives the following output:

> $ ldd /usr/lib/pam_unix.so.3
> /usr/lib/pam_unix.so.3:
>         libutil.so.5 => /lib/libutil.so.5 (0x28169000)
>         libcrypt.so.3 => /lib/libcrypt.so.3 (0x28175000)
>         libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818d000)
>         libpam.so.3 => /usr/lib/libpam.so.3 (0x28191000)

>> ====- 8< -===================================================
>> Sep 18 11:11:37 xxxxxx su: BAD SU to root on /dev/ttyp3
>> Sep 18 11:13:46 xxxxxx sshd[45047]: Bad protocol version identification '\377\364\377\375\006quit' from
>> Sep 18 11:15:08 xxxxxx sshd[45056]: Received disconnect from : 2: Bad packet length 710099706.
>> ====- 8< -===================================================

> The first line is probably the result of the broken pam_unix.so, the
> other two lines look to me as ssh bruteforce attacks.

> But, when did it stop working? Did you try to update the world or
> something like that?

-- 
Best regards,
 Victor
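
The dependency check suggested in the quoted reply, written out as a script. This is an added example, not part of the original thread: the function names unresolved_deps and check_module are hypothetical, and the sample ldd output with a "not found" entry is constructed.

```shell
#!/bin/sh
# Added example: report shared-library dependencies that ldd could not
# resolve for a PAM module. Function names are hypothetical.

# Read ldd output on stdin (one or more objects) and print
# "<object>: <library>" for every dependency marked "not found".
unresolved_deps() {
    awk '
        # Unindented line ending in ":" names the object being listed.
        /^[^ \t].*:$/ { obj = substr($0, 1, length($0) - 1); next }
        # Dependency line whose right-hand side is "not found".
        $2 == "=>" && $3 == "not" && $4 == "found" { print obj ": " $1 }
    '
}

# Check one module path: it must exist (a dangling symlink fails here),
# be readable, and have every dependency resolved. Returns 0 if clean.
check_module() {
    mod=$1
    [ -e "$mod" ] || { echo "$mod: missing or dangling symlink"; return 1; }
    [ -r "$mod" ] || { echo "$mod: not readable"; return 1; }
    out=$(ldd "$mod" 2>&1) || { echo "$mod: ldd failed: $out"; return 1; }
    miss=$(printf '%s\n' "$out" | unresolved_deps)
    [ -z "$miss" ] || { echo "$miss"; return 1; }
    echo "$mod: all dependencies resolve"
}

# Constructed sample (not from the thread): libcrypt fails to resolve.
SAMPLE_LDD='/usr/lib/pam_unix.so.3:
        libutil.so.5 => /lib/libutil.so.5 (0x28167000)
        libcrypt.so.3 => not found (0x0)
        libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818b000)
        libpam.so.3 => /usr/lib/libpam.so.3 (0x2818f000)'

# Usage: sh check_pam.sh /usr/lib/pam_unix.so /usr/lib/pam_unix.so.3
for m in "$@"; do
    check_module "$m"
done
```

A clean result only rules out missing libraries; the ldd output posted in this thread resolves every dependency even though su still fails to load the module.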