Re: LDAP Server causing panic *New Question* [Fixed]
I don't know what the cause was in the first place but I feel better now
because I am error free and upgraded from 0.9.6b (nice rhyme!)
I went ahead and downloaded the tgz from openssl.org. We had version
0.9.6b installed (via rpm) and I just downloaded 0.9.6e.
I Unpacked it, ./config'ed it, maked it, make installed it.
It went into /usr/local/ssl. I needed the libraries out of /usr/local/ssl/lib
to put in /lib. But all I could find were some measly .a files. I went
back and found that I had to run "./config shared" to get the .so files.
Ok, done.
Now I had some nice perty .so in /usr/local/ssl/lib.
[root@betamax /]# ls -l /usr/local/ssl/lib/
total 2764
-rw-r--r-- 1 root root 1422326 Aug 1 13:17 libcrypto.a
lrwxrwxrwx 1 root root 14 Aug 1 13:17 libcrypto.so -> libcrypto.so.0
lrwxrwxrwx 1 root root 18 Aug 1 13:17 libcrypto.so.0 -> libcrypto.so.0.9.6
-r-xr-xr-x 1 root root 900773 Aug 1 13:17 libcrypto.so.0.9.6
-rw-r--r-- 1 root root 269614 Aug 1 13:17 libssl.a
lrwxrwxrwx 1 root root 11 Aug 1 13:17 libssl.so -> libssl.so.0
lrwxrwxrwx 1 root root 15 Aug 1 13:17 libssl.so.0 -> libssl.so.0.9.6
-r-xr-xr-x 1 root root 213806 Aug 1 13:17 libssl.so.0.9.6
I copied over (cp *.so.* /lib) the libraries and I had to tweak them to look like this.
[root@betamax /]# ls -l /lib/ | grep libcrypto
lrwxrwxrwx 1 root root 24 Aug 1 13:26 libcrypto.so.0.9.6 -> /lib/libcrypto.so.0.9.6e
-r-xr-xr-x 1 root root 900773 Aug 1 13:20 libcrypto.so.0.9.6e
lrwxrwxrwx 1 root root 24 Aug 1 13:24 libcrypto.so.2 -> /lib/libcrypto.so.0.9.6e
[root@betamax /]# ls -l /lib/ | grep libssl
lrwxrwxrwx 1 root root 21 Aug 1 13:28 libssl.so.0.9.6 -> /lib/libssl.so.0.9.6e
-r-xr-xr-x 1 root root 213806 Aug 1 13:20 libssl.so.0.9.6e
lrwxrwxrwx 1 root root 21 Aug 1 13:22 libssl.so.2 -> /lib/libssl.so.0.9.6e
I did not use the ".a" files at all.
Please note that there is still an rpm of libssl installed in /usr/share.
I do not know if it is safe to uninstall it, or unsafe to leave it
(because of the vulns... :( )
Any ideas?
Caylan Van Larson
On Thu, 1 Aug 2002, Alan Sparks wrote:
> Since Red Hat released a new set of OpenSSL updates in the last couple of
> days, this might have affected you. The OpenSSL advisories suggest you
> recompile any binaries using OpenSSL. Don't know if you have. You might
> want to try that.
> HTH
> -Alan
>
> Caylan Van Larson said:
> > Ian,
> >
> > [root@betamax /]# ldd /lib/security/pam_ldap.so
> > libldap.so.2 => /usr/lib/libldap.so.2 (0x40018000)
> > liblber.so.2 => /usr/lib/liblber.so.2 (0x4003d000)
> > libcrypt.so.1 => /lib/libcrypt.so.1 (0x40047000)
> > libcrypto.so.2 => /lib/libcrypto.so.2 (0x40074000)
> > libresolv.so.2 => /lib/libresolv.so.2 (0x4013a000)
> > libpam.so.0 => /lib/libpam.so.0 (0x4014a000)
> > libdl.so.2 => /lib/libdl.so.2 (0x40152000)
> > libc.so.6 => /lib/libc.so.6 (0x40156000)
> > libssl.so.2 => /lib/libssl.so.2 (0x4027d000)
> > /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
> > [root@betamax /]# ldd /lib/libssl.so.2
> > libcrypto.so.2 => /lib/libcrypto.so.2 (0x4003b000)
> > libdl.so.2 => /lib/libdl.so.2 (0x40102000)
> > libc.so.6 => /lib/libc.so.6 (0x40105000)
> > /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
> >
> > That's what I don't get, shouldn't the error...
> > [dlerror: /lib/libssl.so.2: undefined symbol: OpenSSLDie]
> > ... be present on an 'ldd'? I should see something...
> >
> > By the way, these are non-fatal errors. Users are still able to ssh in.
> >
> > openldap was compiled from source. Everything was working fine until
> > last night. The only 2 things I did was do a "rpm -Fvh *" on the
> > 7.3-updates from updates.redhat.com and tweak my pam.d config files
> > (changing the order of pam_ldap.so/pam_unix.so). Needless to say I
> > reverted back to my old sshd files in pam.d.
> >
> > Thanks for your help,
> >
> >
> > Caylan Van Larson
> >
> > ps: here's the list of 7.3 updates, I added a * for possible culprits:
> >
> > apache-1.3.23-14.i386.rpm
> > apache-devel-1.3.23-14.i386.rpm
> > apache-manual-1.3.23-14.i386.rpm
> > bind-9.2.1-0.7x.i386.rpm
> > bind-devel-9.2.1-0.7x.i386.rpm
> > bind-utils-9.2.1-0.7x.i386.rpm
> > cpp-2.96-112.i386.rpm
> > dateconfig-0.7.5-7.i386.rpm
> > ethereal-0.9.4-0.7.3.0.i386.rpm
> > ethereal-gnome-0.9.4-0.7.3.0.i386.rpm
.
.
. Cut from original Message
.
.
> > openssh-server-3.1p1-6.i386.rpm
> > openssl095a-0.9.5a-14.i386.rpm
> > openssl096-0.9.6-9.i386.rpm
> > openssl-0.9.6b-24.i386.rpm
> > openssl-devel-0.9.6b-24.i386.rpm
> > openssl-perl-0.9.6b-24.i386.rpm
> > perl-Digest-MD5-2.20-1.i386.rpm
> > psmisc-20.2-3.73.i386.rpm
> > sane-backends-1.0.7-6.1.i386.rpm
> > sane-backends-devel-1.0.7-6.1.i386.rpm
> > squid-2.4.STABLE6-6.7.3.i386.rpm
> > ucd-snmp-4.2.5-7.73.0.i386.rpm
> > ucd-snmp-devel-4.2.5-7.73.0.i386.rpm
> > ucd-snmp-utils-4.2.5-7.73.0.i386.rpm
> > util-linux-2.11n-12.7.3.i386.rpm
> > xchat-1.8.9-1.73.0.i386.rpm
> >
> >
> > However, some of those would not have been touched:
> >
> > [root@betamax 7.3-updates]# rpm -qa | grep nss
> > mozilla-nss-0.9.9-12.7.3
> > openssh-askpass-gnome-3.1p1-6
> > openssh-askpass-3.1p1-6
> > openssh-clients-3.1p1-6
> > openssl-0.9.6b-24
> > mozilla-nss-devel-0.9.9-12.7.3
> > openssh-3.1p1-6
> > openssh-server-3.1p1-6
> >
> > [root@betamax 7.3-updates]# rpm -qa | grep open
> > openmotif-2.2.2-5
> > openssh-askpass-gnome-3.1p1-6
> > openjade-1.3.1-4
> > openssh-askpass-3.1p1-6
> > openssh-clients-3.1p1-6
> > openssl-0.9.6b-24
> > openmotif-devel-2.2.2-5
> > openssh-3.1p1-6
> > openssh-server-3.1p1-6
> >
> >
> > Thanks (again)
> >
> >
> > Caylan
> >
> >
> >
> >
> > On Thu, 1 Aug 2002, Ian Ballantyne wrote:
> >
> >> Hi Caylan,
> >>
> >> First I am assuming your /lib/security/pam_ldap.so and
> >> /lib/libssl.so.2 are there and ok. If they are, then it looks like
> >> something in PAM has been compiled against a different version of one
> >> of these system libraries, although you should also check your ldap
> >> server (did you compile from source or install from an rpm?) You
> >> should check the dependencies in the pam_ldap module with "ldd
> >> pam_ldap.so". This will give you more information and hopefully some
> >> better idea of what is happening.
> >>
> >> Ian
> >>
> >>
> >> On Thursday 01 August 2002 19:06, you wrote:
> >> > The client system is a 2-proc Dell Poweredge running RedHat 7.3. I
> >> > am running NSCD. When I say Crash/Lockup I mean any authentication
> >> > just hangs indefinitely. Users logged in are still able to do work.
> >> >
> >> > But here is another one, anyone know what the heck this is???
> >> >
> >> > --SNIP
> >> > Aug 1 11:17:26 betamax sshd[8101]: PAM unable to dlopen(/lib/security/pam_ldap.so)
> >> > Aug 1 11:17:26 betamax sshd[8101]: PAM [dlerror: /lib/libssl.so.2: undefined symbol: OpenSSLDie]
> >> > Aug 1 11:17:26 betamax sshd[8101]: PAM adding faulty module: /lib/security/pam_ldap.so
> >> > Aug 1 11:25:39 betamax sshd[8538]: PAM unable to dlopen(/lib/security/pam_ldap.so)
> >> > Aug 1 11:25:39 betamax sshd[8538]: PAM [dlerror: /lib/libssl.so.2: undefined symbol: OpenSSLDie]
> >> > Aug 1 11:25:39 betamax sshd[8538]: PAM adding faulty module: /lib/security/pam_ldap.so
> >> > Aug 1 11:32:31 betamax sshd[8873]: PAM unable to dlopen(/lib/security/pam_ldap.so)
> >> > Aug 1 11:32:31 betamax sshd[8873]: PAM [dlerror: /lib/libssl.so.2: undefined symbol: OpenSSLDie]
> >> > Aug 1 11:32:31 betamax sshd[8873]: PAM adding faulty module: /lib/security/pam_ldap.so
> >> > Aug 1 11:32:48 betamax sshd[8887]: PAM unable to dlopen(/lib/security/pam_ldap.so)
> >> > Aug 1 11:32:48 betamax sshd[8887]: PAM [dlerror: /lib/libssl.so.2: undefined symbol: OpenSSLDie]
> >> > Aug 1 11:32:48 betamax sshd[8887]: PAM adding faulty module: /lib/security/pam_ldap.so
> >> > --SNAP
> >> >
> >> > Help, this week has been a bad one.
> >>
>
>
> ===========
> Alan Sparks, UNIX/Linux Systems Administrator
> <asparks@doublesparks.net>
>
>
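Added example, not part of the original thread: a shell function that summarises PAM module load failures of the kind quoted above, pairing each "unable to dlopen" line with the dlerror line from the same sshd PID. The function names and the sample lines are constructed for illustration (modelled on the log excerpt in the thread); the syslog field layout is assumed to match that excerpt.

```shell
#!/bin/sh
# Read syslog-style lines on stdin and print one line per distinct failure:
#   <pam module> <library with the unresolved symbol> <symbol> <count>
pam_dlerrors() {
  awk '
    # "PAM unable to dlopen(<module>)": remember the module per process field.
    /PAM unable to dlopen\(/ {
      pid = $5                          # e.g. "sshd[8101]:"
      m = $0
      sub(/^.*dlopen\(/, "", m); sub(/\).*$/, "", m)
      module[pid] = m
      next
    }
    # "PAM [dlerror: <lib>: undefined symbol: <sym>]"
    /PAM \[dlerror: .*undefined symbol: / {
      pid = $5
      lib = $0
      sub(/^.*dlerror: /, "", lib); sub(/: undefined symbol:.*$/, "", lib)
      sym = $0
      sub(/^.*undefined symbol: /, "", sym); sub(/\].*$/, "", sym)
      mod = (pid in module) ? module[pid] : "unknown-module"
      count[mod " " lib " " sym]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Constructed sample input: two failures in the thread's format plus one
# unrelated line (user name and address are placeholders).
sample_log() {
  cat <<'EOF'
Aug  1 11:17:26 betamax sshd[8101]: PAM unable to dlopen(/lib/security/pam_ldap.so)
Aug  1 11:17:26 betamax sshd[8101]: PAM [dlerror: /lib/libssl.so.2: undefined symbol: OpenSSLDie]
Aug  1 11:17:26 betamax sshd[8101]: PAM adding faulty module: /lib/security/pam_ldap.so
Aug  1 11:25:39 betamax sshd[8538]: PAM unable to dlopen(/lib/security/pam_ldap.so)
Aug  1 11:25:39 betamax sshd[8538]: PAM [dlerror: /lib/libssl.so.2: undefined symbol: OpenSSLDie]
Aug  1 11:26:02 betamax sshd[8540]: Accepted password for alice from 192.0.2.10 port 4022 ssh2
EOF
}

sample_log | pam_dlerrors
```

Plain `ldd` lists only the libraries that would be loaded; `ldd -r <library>` also performs function relocations and reports unresolved symbols, so it is the check to run against the library named in the summary.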