Date: Tue, 8 Aug 2023 11:53:28 +0200 (CEST) From: Ronald Klop <ronald-lists@klop.ws> To: Michael Grimm <trashcan@ellael.org> Cc: freebsd-current@freebsd.org Subject: Re: 14-CURRENT | alternatives for defunct /usr/lib/pam_opie.so? Message-ID: <1361461519.2835.1691488408412@localhost> In-Reply-To: <613E7476-6553-4A74-BF33-EF95D95F25A9@ellael.org> References: <613E7476-6553-4A74-BF33-EF95D95F25A9@ellael.org>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] Van: Michael Grimm <trashcan@ellael.org> Datum: maandag, 7 augustus 2023 22:43 Aan: freebsd-current@freebsd.org Onderwerp: 14-CURRENT | alternatives for defunct /usr/lib/pam_opie.so? > > Hi, > > I'm currently in the process to prepare for upcoming 14-STABLE. Thus, I upgraded one of my sytems from 13-STABLE to 14-CURRENT. > > Everything went fine, except for programs that need /usr/lib/pam_opie.so which are: > > 1) jexec <jailname> /usr/bin/login -u <user> > 2) redis-server > 3) mariadb1011-server > > Error messages: > > su[6371]: in openpam_load_module(): no pam_opie.so found > su[6371]: pam_start: System error > > Well, although it has been reported some time ago that pam_opie and pam_opieaccess.so will become removed in Freebsd 14, there is a port security/opie providing both libraries. Quick workaround. > > But I want to understand why the above mentioned programs do fail although not dynamically linked against /usr/lib/pam_opie.so > > MWN> ldd /usr/bin/login > /usr/bin/login: > libutil.so.9 => /lib/libutil.so.9 (0xd408ecf7000) > libpam.so.6 => /usr/lib/libpam.so.6 (0xd408f6f2000) > libbsm.so.3 => /usr/lib/libbsm.so.3 (0xd4090dab000) > libc.so.7 => /lib/libc.so.7 (0xd408f99d000) > [vdso] (0xd408e18f630) > > MWN> ldd /usr/local/bin/redis-server > /usr/local/bin/redis-server: > libthr.so.3 => /lib/libthr.so.3 (0x89a8847f000) > libm.so.5 => /lib/libm.so.5 (0x89a87beb000) > libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x89a891c7000) > libssl.so.30 => /usr/lib/libssl.so.30 (0x89a8a271000) > libcrypto.so.30 => /lib/libcrypto.so.30 (0x89a8b02b000) > libc.so.7 => /lib/libc.so.7 (0x89a8c7fe000) > libelf.so.2 => /lib/libelf.so.2 (0x89a8949b000) > libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x89a8bb85000) > [vdso] (0x89a87323630) > > MWN> ldd /usr/local/libexec/mariadbd > /usr/local/libexec/mariadbd: > libpcre2-8.so.0 => /usr/local/lib/libpcre2-8.so.0 (0x145ae576f000) > libwrap.so.6 => /usr/lib/libwrap.so.6 (0x145ae64a5000) > libcrypt.so.5 => /lib/libcrypt.so.5 (0x145ae74be000) > libz.so.6 => /lib/libz.so.6 (0x145ae7d0b000) > libm.so.5 => /lib/libm.so.5 (0x145ae8b3e000) > libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x145ae6e03000) > libssl.so.30 => /usr/lib/libssl.so.30 (0x145ae9575000) > libcrypto.so.30 => /lib/libcrypto.so.30 (0x145aeafff000) > libc++.so.1 => /lib/libc++.so.1 (0x145ae9e3b000) > libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x145aeaa85000) > libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x145aec745000) > libthr.so.3 => /lib/libthr.so.3 (0x145aebf10000) > libc.so.7 => /lib/libc.so.7 (0x145aec7fa000) > libelf.so.2 => /lib/libelf.so.2 (0x145aee867000) > [vdso] (0x145ae5010630) > > Which alternatives to pam_opie should I investigate? > Reason: I want to get rid of security/opie > > Thanks and regards, > Michael > > > > > Hi, Might it be possible that pam_opie is still mentioned in a file in /etc/pam.d/* on your machine? An alternative might be https://www.freshports.org/security/pam_google_authenticator See also: https://lists.freebsd.org/archives/freebsd-security/2022-September/000081.html Regards, Ronald. [-- Attachment #2 --] <html><head></head><body><br> <p><strong>Van:</strong> Michael Grimm <trashcan@ellael.org><br> <strong>Datum:</strong> maandag, 7 augustus 2023 22:43<br> <strong>Aan:</strong> freebsd-current@freebsd.org<br> <strong>Onderwerp:</strong> 14-CURRENT | alternatives for defunct /usr/lib/pam_opie.so?</p> <blockquote style="padding-right: 0px; padding-left: 5px; margin-left: 5px; border-left: #000000 2px solid; margin-right: 0px"> <div class="MessageRFC822Viewer" id="P"> <div class="TextPlainViewer" id="P.P">Hi,<br> <br> I'm currently in the process to prepare for upcoming 14-STABLE. Thus, I upgraded one of my sytems from 13-STABLE to 14-CURRENT.<br> <br> Everything went fine, except for programs that need /usr/lib/pam_opie.so which are:<br> <br> 1) jexec <jailname> /usr/bin/login -u <user><br> 2) redis-server<br> 3) mariadb1011-server<br> <br> Error messages:<br> <br> su[6371]: in openpam_load_module(): no pam_opie.so found<br> su[6371]: pam_start: System error<br> <br> Well, although it has been reported some time ago that pam_opie and pam_opieaccess.so will become removed in Freebsd 14, there is a port security/opie providing both libraries. Quick workaround.<br> <br> But I want to understand why the above mentioned programs do fail although not dynamically linked against /usr/lib/pam_opie.so<br> <br> MWN> ldd /usr/bin/login<br> /usr/bin/login:<br> libutil.so.9 => /lib/libutil.so.9 (0xd408ecf7000)<br> libpam.so.6 => /usr/lib/libpam.so.6 (0xd408f6f2000)<br> libbsm.so.3 => /usr/lib/libbsm.so.3 (0xd4090dab000)<br> libc.so.7 => /lib/libc.so.7 (0xd408f99d000)<br> [vdso] (0xd408e18f630)<br> <br> MWN> ldd /usr/local/bin/redis-server<br> /usr/local/bin/redis-server:<br> libthr.so.3 => /lib/libthr.so.3 (0x89a8847f000)<br> libm.so.5 => /lib/libm.so.5 (0x89a87beb000)<br> libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x89a891c7000)<br> libssl.so.30 => /usr/lib/libssl.so.30 (0x89a8a271000)<br> libcrypto.so.30 => /lib/libcrypto.so.30 (0x89a8b02b000)<br> libc.so.7 => /lib/libc.so.7 (0x89a8c7fe000)<br> libelf.so.2 => /lib/libelf.so.2 (0x89a8949b000)<br> libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x89a8bb85000)<br> [vdso] (0x89a87323630)<br> <br> MWN> ldd /usr/local/libexec/mariadbd<br> /usr/local/libexec/mariadbd:<br> libpcre2-8.so.0 => /usr/local/lib/libpcre2-8.so.0 (0x145ae576f000)<br> libwrap.so.6 => /usr/lib/libwrap.so.6 (0x145ae64a5000)<br> libcrypt.so.5 => /lib/libcrypt.so.5 (0x145ae74be000)<br> libz.so.6 => /lib/libz.so.6 (0x145ae7d0b000)<br> libm.so.5 => /lib/libm.so.5 (0x145ae8b3e000)<br> libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x145ae6e03000)<br> libssl.so.30 => /usr/lib/libssl.so.30 (0x145ae9575000)<br> libcrypto.so.30 => /lib/libcrypto.so.30 (0x145aeafff000)<br> libc++.so.1 => /lib/libc++.so.1 (0x145ae9e3b000)<br> libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x145aeaa85000)<br> libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x145aec745000)<br> libthr.so.3 => /lib/libthr.so.3 (0x145aebf10000)<br> libc.so.7 => /lib/libc.so.7 (0x145aec7fa000)<br> libelf.so.2 => /lib/libelf.so.2 (0x145aee867000)<br> [vdso] (0x145ae5010630)<br> <br> Which alternatives to pam_opie should I investigate?<br> Reason: I want to get rid of security/opie<br> <br> Thanks and regards,<br> Michael<br> <br> </div> <hr></div> </blockquote> <br> <br> Hi,<br> <br> Might it be possible that pam_opie is still mentioned in a file in /etc/pam.d/* on your machine?<br> An alternative might be <a href="https://www.freshports.org/security/pam_google_authenticator">https://www.freshports.org/security/pam_google_authenticator</a><br>; <br> See also: <a href="https://lists.freebsd.org/archives/freebsd-security/2022-September/000081.html">https://lists.freebsd.org/archives/freebsd-security/2022-September/000081.html</a><br>; <br> Regards,<br> Ronald.<br> </body></html>help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1361461519.2835.1691488408412>