Re: PAM load_modules: can not open module /usr/lib/security/pa20_64/libpam_krb5.so.1

Charles Slivkoff · ‎03-10-2010

I am attempting to configure SSH to use Kerberos on 11.23 (rp3440, so PA, not IPF).

There seems to be a problem with sshd loading libpam_krb5.so.1.

In syslog, I found:
Mar 10 16:21:29 ren sshd[8097]: load_modules: /usr/lib/security/pa20_64/libpam_hpsec.so.1
Mar 10 16:21:29 ren sshd[8097]: load_function: successful load of pam_sm_authenticate
Mar 10 16:21:29 ren sshd[8097]: load_modules: /usr/lib/security/pa20_64/libpam_krb5.so.1
Mar 10 16:21:29 ren sshd[8097]: open_module: /usr/lib/security/pa20_64/libpam_krb5.so.1 failed: Error 0
Mar 10 16:21:29 ren sshd[8097]: load_modules: can not open module /usr/lib/security/pa20_64/libpam_krb5.so.1
Mar 10 16:21:29 ren sshd[8097]: pam_authenticate: load_modules failed

Running sshd in debug mode, I noticed:
debug1: PAM: password authentication failed for casl: Shared object load failure

Behavior is the same with sshd from A.05.10.007 and A.05.30.008 (latest).

If I use "login username", I see that libpam_krb5.so.1 *does* load correctly.

This was working briefly, prior to updating the Kerberos Client bits to D.1.6.2.05.

I've also looked at the "tusc" output from sshd, and I can see the open() call succeeding, so I'm guessing there may be some other dependency.

Any suggestions?

Dennis Handly · ‎03-10-2010

>I've also looked at the "tusc" output from sshd, and I can see the open() call succeeding,

Can you attach the tusc output from a window around the open of libpam_krb5.so.1 for a bunch of lines?

Is sshd a 64 bit app?

Charles Slivkoff · ‎03-11-2010

Hi Dennis,

Yes, sshd is 64-bit. I also tried the 32-bit version which I found in

/opt/ssh/pa20_32/sbin/sshd

I have not yet tried the other 2 versions, though, which I just discovered. There are 4 versions, each with different magic.

/opt/ssh/PA-RISC1.1/sbin/sshd: PA-RISC1.1 shared executable dynamically linked -not stripped dynamically linked
/opt/ssh/PA-RISC2.0/sbin/sshd: PA-RISC2.0 shared executable dynamically linked -not stripped
/opt/ssh/pa20_32/sbin/sshd: PA-RISC2.0 shared executable dynamically linked
/opt/ssh/pa20_64/sbin/sshd: ELF-64 executable object file - PA-RISC 2.0 (LP64)

Hmm...

A section of the tusc output is attached. I cut from the reading of pam.conf down to the error being written to syslog.

Dennis Handly · ‎03-11-2010

>sshd is 64-bit.

Then that should go with pa20_64/libpam_krb5.so.1.

>A section of the tusc output is attached.

That's missing.

Charles Slivkoff · ‎03-11-2010

It *was* there.

Let's try again.

BTW, I tested 32-bit and it seems to be working now. No luck with 64-bit, still.

Dennis Handly · ‎03-11-2010

>Let's try again.

It seems to open/mmap it correctly. About the only problems dld could get is missing symbols.

Do you have the correct version of libpam_krb5.so.1?
Do you have the recommended linker patches?

Charles Slivkoff · ‎03-12-2010

>It seems to open/mmap it correctly.

Yep.

>About the only problems dld could get is missing symbols.

That's what I was thinking, but I'm not sure why I'm not getting a decent error message.

>Do you have the correct version of libpam_krb5.so.1?

I don't see any patches for this. swverify on PAM-Kerberos comes back clean.

>Do you have the recommended linker patches?

PHSS_38134 is installed. I see PHSS_40537 as the latest recommend, but there's little to indicate any related changes in the patch text.

PHCO_38273 for libc, btw.

I switched the link in /opt/ssh/sbin/sshd to point to the 32-bit version instead of the 64-bit version. I think this will be an acceptable workaround.

This server will be out of production in a few months, so I might be able to poke at this some more later.

Dennis Handly · ‎03-12-2010

>I'm not sure why I'm not getting a decent error message.

If PAM doesn't work hard, it doesn't get any detailed error messages from dld. I.e. it would have to call shl_load(,...|BIND_VERBOSE)
If using dlopen, it would have to call dlerror(3) and print the string.

There might be some environment variables you can export to give more details? From dld.sl(5):
export _HP_DLDOPTS="-warnings"
export DLD_VERBOSE_ERR=true

Charles Slivkoff · ‎03-15-2010

> export _HP_DLDOPTS="-warnings"

With this defined, I received an immediate error:

dld.sl: Invalid dld option '-warnings'
Killed

> export DLD_VERBOSE_ERR=true

This pointed to an undefined reference to "errno" in the sshd output:

debug2: input_userauth_request: try method none
Unsatisfied data symbol 'errno' in load module '/usr/lib/security/pa20_64/libpam_krb5.so.1'.
debug1: PAM: password authentication failed for [user]: Shared object load failure

I haven't researched for a possible patch for this. Running the 32-bit sshd seems to be working out just fine.

Thanks again, Dennis.

Don Isler · ‎03-15-2010

Are you on the latest PAM Kerberos. It should be 1.26. If not, you can download latest version from https://h20293.www2.hp.com/portal/swdepot/try.do?productNumber=J5849AA.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: PAM load_modules: can not open module /usr/lib/security/pa20_64/libpam_krb5.so.1

PAM load_modules: can not open module /usr/lib/security/pa20_64/libpam_krb5.so.1