
Re: LDAP Server causing panic *New Question* [Fixed]



I don't know what the cause was in the first place but I feel better now 
because I am error free and upgraded from 0.9.6b (nice rhyme!)

I went ahead and downloaded the tgz from openssl.org.  We had version
0.9.6b installed (via rpm) and I just downloaded 0.9.6e.

I unpacked it, ./config'ed it, maked it, make installed it.

It went into /usr/local/ssl.  I needed the libraries out of /usr/local/ssl/lib
to put in /lib.  But all I could find were some measly .a files.  I went
back and found that I had to run "./config shared" to get the .so files.

Ok, done.

Now I had some nice perty .so in /usr/local/ssl/lib.

[root@betamax /]# ls -l /usr/local/ssl/lib/
total 2764
-rw-r--r--    1 root     root      1422326 Aug  1 13:17 libcrypto.a
lrwxrwxrwx    1 root     root           14 Aug  1 13:17 libcrypto.so -> libcrypto.so.0
lrwxrwxrwx    1 root     root           18 Aug  1 13:17 libcrypto.so.0 -> libcrypto.so.0.9.6
-r-xr-xr-x    1 root     root       900773 Aug  1 13:17 libcrypto.so.0.9.6
-rw-r--r--    1 root     root       269614 Aug  1 13:17 libssl.a
lrwxrwxrwx    1 root     root           11 Aug  1 13:17 libssl.so -> libssl.so.0
lrwxrwxrwx    1 root     root           15 Aug  1 13:17 libssl.so.0 -> libssl.so.0.9.6
-r-xr-xr-x    1 root     root       213806 Aug  1 13:17 libssl.so.0.9.6

I copied over (cp *.so.* /lib) the libraries and I had to tweak them to look like this.

[root@betamax /]# ls -l /lib/ | grep libcrypto
lrwxrwxrwx    1 root     root           24 Aug  1 13:26 libcrypto.so.0.9.6 -> /lib/libcrypto.so.0.9.6e
-r-xr-xr-x    1 root     root       900773 Aug  1 13:20 libcrypto.so.0.9.6e
lrwxrwxrwx    1 root     root           24 Aug  1 13:24 libcrypto.so.2 -> /lib/libcrypto.so.0.9.6e

[root@betamax /]# ls -l /lib/ | grep libssl
lrwxrwxrwx    1 root     root           21 Aug  1 13:28 libssl.so.0.9.6 -> /lib/libssl.so.0.9.6e
-r-xr-xr-x    1 root     root       213806 Aug  1 13:20 libssl.so.0.9.6e
lrwxrwxrwx    1 root     root           21 Aug  1 13:22 libssl.so.2 -> /lib/libssl.so.0.9.6e

I did not use the ".a" files at all.

Please note that there is still an rpm of libssl installed in /usr/share. 
I do not know if it is safe to uninstall it, or unsafe to leave it 
(because of the vulns... :(   )

Any ideas?


Caylan Van Larson



On Thu, 1 Aug 2002, Alan Sparks wrote:

> Since Red Hat released a new set of OpenSSL updates in the last couple of
> days, this might have affected you.  The OpenSSL advisories suggest you
> recompile any binaries using OpenSSL.  Don't know if you have.  You might
> want to try that.
> HTH
> -Alan
> 
> Caylan Van Larson said:
> > Ian,
> >
> > [root@betamax /]# ldd /lib/security/pam_ldap.so
> >         libldap.so.2 => /usr/lib/libldap.so.2 (0x40018000)
> >         liblber.so.2 => /usr/lib/liblber.so.2 (0x4003d000)
> >         libcrypt.so.1 => /lib/libcrypt.so.1 (0x40047000)
> >         libcrypto.so.2 => /lib/libcrypto.so.2 (0x40074000)
> >         libresolv.so.2 => /lib/libresolv.so.2 (0x4013a000)
> >         libpam.so.0 => /lib/libpam.so.0 (0x4014a000)
> >         libdl.so.2 => /lib/libdl.so.2 (0x40152000)
> >         libc.so.6 => /lib/libc.so.6 (0x40156000)
> >         libssl.so.2 => /lib/libssl.so.2 (0x4027d000)
> >         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
> > [root@betamax /]# ldd /lib/libssl.so.2
> >         libcrypto.so.2 => /lib/libcrypto.so.2 (0x4003b000)
> >         libdl.so.2 => /lib/libdl.so.2 (0x40102000)
> >         libc.so.6 => /lib/libc.so.6 (0x40105000)
> >         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
> >
> > That's what I don't get, shouldn't the error...
> > [dlerror: /lib/libssl.so.2: undefined symbol: OpenSSLDie]
> > ... be present on an 'ldd'?  I should see something...
> >
> > By the way, these are non-fatal errors.  Users are still able to ssh in.
> >
> > openldap was compiled from source.  Everything was working fine until
> > last night.  The only 2 things I did were to do a "rpm -Fvh *" on the
> > 7.3-updates from updates.redhat.com and tweak my pam.d config files
> > (changing the order of pam_ldap.so/pam_unix.so).  Needless to say I
> > reverted back to my old sshd files in pam.d.
> >
> > Thanks for your help,
> >
> >
> > Caylan Van Larson
> >
> > ps: here's the list of 7.3 updates, I added a * for possible culprits:
> >
> > apache-1.3.23-14.i386.rpm
> > apache-devel-1.3.23-14.i386.rpm
> > apache-manual-1.3.23-14.i386.rpm
> > bind-9.2.1-0.7x.i386.rpm
> > bind-devel-9.2.1-0.7x.i386.rpm
> > bind-utils-9.2.1-0.7x.i386.rpm
> > cpp-2.96-112.i386.rpm
> > dateconfig-0.7.5-7.i386.rpm
> > ethereal-0.9.4-0.7.3.0.i386.rpm
> > ethereal-gnome-0.9.4-0.7.3.0.i386.rpm

.
.
. Cut from original Message
.
.

> > openssh-server-3.1p1-6.i386.rpm
> > openssl095a-0.9.5a-14.i386.rpm
> > openssl096-0.9.6-9.i386.rpm
> > openssl-0.9.6b-24.i386.rpm
> > openssl-devel-0.9.6b-24.i386.rpm
> > openssl-perl-0.9.6b-24.i386.rpm
> > perl-Digest-MD5-2.20-1.i386.rpm
> > psmisc-20.2-3.73.i386.rpm
> > sane-backends-1.0.7-6.1.i386.rpm
> > sane-backends-devel-1.0.7-6.1.i386.rpm
> > squid-2.4.STABLE6-6.7.3.i386.rpm
> > ucd-snmp-4.2.5-7.73.0.i386.rpm
> > ucd-snmp-devel-4.2.5-7.73.0.i386.rpm
> > ucd-snmp-utils-4.2.5-7.73.0.i386.rpm
> > util-linux-2.11n-12.7.3.i386.rpm
> > xchat-1.8.9-1.73.0.i386.rpm
> >
> >
> > However, some of those would not have been touched:
> >
> > [root@betamax 7.3-updates]# rpm -qa | grep nss
> > mozilla-nss-0.9.9-12.7.3
> > openssh-askpass-gnome-3.1p1-6
> > openssh-askpass-3.1p1-6
> > openssh-clients-3.1p1-6
> > openssl-0.9.6b-24
> > mozilla-nss-devel-0.9.9-12.7.3
> > openssh-3.1p1-6
> > openssh-server-3.1p1-6
> >
> > [root@betamax 7.3-updates]# rpm -qa | grep open
> > openmotif-2.2.2-5
> > openssh-askpass-gnome-3.1p1-6
> > openjade-1.3.1-4
> > openssh-askpass-3.1p1-6
> > openssh-clients-3.1p1-6
> > openssl-0.9.6b-24
> > openmotif-devel-2.2.2-5
> > openssh-3.1p1-6
> > openssh-server-3.1p1-6
> >
> >
> > Thanks (again)
> >
> >
> > Caylan
> >
> >
> >
> >
> > On Thu, 1 Aug 2002, Ian Ballantyne wrote:
> >
> >> Hi Caylan,
> >>
> >> First I am assuming your /lib/security/pam_ldap.so and
> >> /lib/libssl.so.2 are there and ok.  If they are, then it looks like
> >> something in PAM has been compiled against a different version of one
> >> of these system libraries, although you should also check your ldap
> >> server (did you compile from source or install from an rpm?)  You
> >> should check the dependencies in the pam_ldap module with "ldd
> >> pam_ldap.so".  This will give you more information and hopefully some
> >> better idea of what is happening.
> >>
> >> Ian
> >>
> >>
> >> On Thursday 01 August 2002 19:06, you wrote:
> >> > The client system is a 2-proc Dell Poweredge running RedHat 7.3.  I
> >> > am running NSCD.  When I say Crash/Lockup I mean any authentication
> >> > just hangs indefinitely.  Users logged in are still able to do work.
> >> >
> >> > But here is another one, anyone know what the heck this is???
> >> >
> >> > --SNIP
> >> > Aug  1 11:17:26 betamax sshd[8101]: PAM unable to dlopen(/lib/security/pam_ldap.so)
> >> > Aug  1 11:17:26 betamax sshd[8101]: PAM [dlerror: /lib/libssl.so.2: undefined symbol: OpenSSLDie]
> >> > Aug  1 11:17:26 betamax sshd[8101]: PAM adding faulty module: /lib/security/pam_ldap.so
> >> > Aug  1 11:25:39 betamax sshd[8538]: PAM unable to dlopen(/lib/security/pam_ldap.so)
> >> > Aug  1 11:25:39 betamax sshd[8538]: PAM [dlerror: /lib/libssl.so.2: undefined symbol: OpenSSLDie]
> >> > Aug  1 11:25:39 betamax sshd[8538]: PAM adding faulty module: /lib/security/pam_ldap.so
> >> > Aug  1 11:32:31 betamax sshd[8873]: PAM unable to dlopen(/lib/security/pam_ldap.so)
> >> > Aug  1 11:32:31 betamax sshd[8873]: PAM [dlerror: /lib/libssl.so.2: undefined symbol: OpenSSLDie]
> >> > Aug  1 11:32:31 betamax sshd[8873]: PAM adding faulty module: /lib/security/pam_ldap.so
> >> > Aug  1 11:32:48 betamax sshd[8887]: PAM unable to dlopen(/lib/security/pam_ldap.so)
> >> > Aug  1 11:32:48 betamax sshd[8887]: PAM [dlerror: /lib/libssl.so.2: undefined symbol: OpenSSLDie]
> >> > Aug  1 11:32:48 betamax sshd[8887]: PAM adding faulty module: /lib/security/pam_ldap.so
> >> > --SNAP
> >> >
> >> > Help, this week has been a bad one.
> >>
> 
> 
> ===========
> Alan Sparks, UNIX/Linux Systems Administrator
> <asparks@doublesparks.net>
> 
>
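
An added example, not part of the original thread: plain `ldd` only lists which libraries get loaded, while `ldd -r` also processes relocations and reports missing symbols such as the `OpenSSLDie` error quoted above. The script below makes the same comparison on saved `nm -D` output; its function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Report symbols a shared object imports that its providers do not export.
# Works on saved `nm -D` text, so it can be run away from the affected host.
LC_ALL=C; export LC_ALL   # keep sort and comm in the same collation order

# Constructed sample: imports of a libssl build (nm -D --undefined-only).
sample_imports() {
cat <<'EOF'
         U BIO_new
         U ERR_put_error
         U OpenSSLDie
EOF
}

# Constructed sample: exports of an older libcrypto (nm -D --defined-only).
sample_exports() {
cat <<'EOF'
0001a2b0 T BIO_new
0002c410 T ERR_put_error
0003d100 T EVP_MD_CTX_init
EOF
}

# symbol_names: reduce nm lines to bare names, dropping any @VERSION suffix.
symbol_names() {
    awk 'NF { sym = $NF; sub(/@.*/, "", sym); print sym }' | sort -u
}

# missing_symbols IMPORTS EXPORTS: print names imported but never exported.
missing_symbols() {
    symbol_names < "$1" > "$1.names"
    symbol_names < "$2" > "$2.names"
    comm -23 "$1.names" "$2.names"
    rm -f "$1.names" "$2.names"
}

# demo: run the comparison on the constructed samples above.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_imports > "$tmp/imports"
    sample_exports > "$tmp/exports"
    missing_symbols "$tmp/imports" "$tmp/exports"
    rm -rf "$tmp"
}

# On a live system: nm -D --undefined-only /lib/libssl.so.2 > imports, and
# nm -D --defined-only on every library that ldd lists, appended to exports.
demo
```

Running `ldd -r /lib/security/pam_ldap.so` asks the dynamic loader to perform the equivalent check directly on the installed files.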