Issue
The `alt-python311` SSL module linked to `alt-openssl11` broke pam authentication, led to grep pam_unix /var/log/auth.log | tail:
Aug 18 06:29:32 cl8x64 python[1450667]: PAM unable to dlopen(/usr/lib64/security/pam_unix.so): /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
Aug 18 06:29:32 cl8x64 python[1450667]: PAM adding faulty module: /usr/lib64/security/pam_unix.so
Environment
- Imunify360 v7.3 Stand-Alone
- PAM authentication
- alt-openssl11
Solution
Compatibility issue of our PAM module that uses newer openssl library which is not supported by older kerberos libraries can be resolved as per:
- Update packages:
yum update alt-python311\* alt-openssl\* --enablerepo=imunify360-testing
It is expected to return:
Upgraded:
alt-openssl11-1:1.1.1w-1.el8.x86_64 alt-openssl11-libs-1:1.1.1w-1.el8.x86_64 alt-python311-3.11.5-1.el8.x86_64 alt-python311-libs-3.11.5-1.el8.x86_64
2. Restart service:
systemctl restart imunify360
If no updates available, a workaround for affected servers (generic pam auth doesn't work and `PAM unable to dlopen(/usr/lib64/security/pam_unix.so): /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b` in `/var/log/secure`):
mv /opt/alt/openssl11/lib64/libcrypto.so.1.1 /opt/alt/openssl11/lib64/libcrypto.so.1.1.back
Cause
The Kerberos library (libk5crypto.so.3
) was built with the older version of OpenSSL (1.1.1k
), using the newer version (1.1.1p
) might cause an undefined symbol error. The patch is expected to be delivered with ALTPYTH-478.
Comments
0 comments
Please sign in to leave a comment.