Issue
The `alt-python311` SSL module linked to `alt-openssl11` broke PAM authentication. Output of `grep pam_unix /var/log/auth.log | tail`:
Aug 18 06:29:32 cl8x64 python[1450667]: PAM unable to dlopen(/usr/lib64/security/pam_unix.so): /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
Aug 18 06:29:32 cl8x64 python[1450667]: PAM adding faulty module: /usr/lib64/security/pam_unix.so
Environment
- Imunify360 v7.3 Stand-Alone
- PAM authentication
- alt-openssl11
Solution
The compatibility issue, in which our PAM module uses a newer OpenSSL library that is not supported by older Kerberos libraries, can be resolved as follows:
1. Update packages:
yum update alt-python311\* alt-openssl\* --enablerepo=imunify360-testing
It is expected to return:
Upgraded:
alt-openssl11-1:1.1.1w-1.el8.x86_64 alt-openssl11-libs-1:1.1.1w-1.el8.x86_64 alt-python311-3.11.5-1.el8.x86_64 alt-python311-libs-3.11.5-1.el8.x86_64
2. Restart service:
systemctl restart imunify360
If no updates are available, use this workaround on affected servers (generic PAM authentication does not work and `PAM unable to dlopen(/usr/lib64/security/pam_unix.so): /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b` appears in `/var/log/secure`):
mv /opt/alt/openssl11/lib64/libcrypto.so.1.1 /opt/alt/openssl11/lib64/libcrypto.so.1.1.back
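To confirm that a server matches the affected condition described above, this added example (not part of the original article or of the Imunify360 tooling) extracts the failing module, library, symbol and version from log text. The function names and the third sample line are assumptions made for illustration; pass log paths such as `/var/log/secure` as arguments to scan real logs.

```shell
#!/usr/bin/env bash
# Added example: detect the PAM dlopen failure signature quoted in this article.

# Sample input: the two log lines from the Issue section, plus one
# constructed unrelated line that must not match.
SAMPLE_LOG='Aug 18 06:29:32 cl8x64 python[1450667]: PAM unable to dlopen(/usr/lib64/security/pam_unix.so): /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
Aug 18 06:29:32 cl8x64 python[1450667]: PAM adding faulty module: /usr/lib64/security/pam_unix.so
Aug 18 06:30:01 cl8x64 CRON[1450700]: pam_unix(cron:session): session opened for user root'

# pam_dlopen_failures: read syslog text on stdin and print one line per
# distinct failure as "module=... library=... symbol=... version=...".
pam_dlopen_failures() {
    sed -nE 's/.*PAM unable to dlopen\(([^)]+)\): ([^:]+): undefined symbol: ([^,]+), version ([^ ]+).*/module=\1 library=\2 symbol=\3 version=\4/p' | sort -u
}

# is_affected: exit 0 when stdin contains the specific failure from this
# article (libk5crypto.so.3 cannot resolve EVP_KDF_ctrl), non-zero otherwise.
is_affected() {
    pam_dlopen_failures | grep -q 'library=[^ ]*libk5crypto\.so\.3 symbol=EVP_KDF_ctrl '
}

# Scan the log files given as arguments, or the embedded sample if none.
if [ "$#" -gt 0 ]; then
    input=$(cat -- "$@" 2>/dev/null || true)
else
    input=$SAMPLE_LOG
fi

printf '%s\n' "$input" | pam_dlopen_failures
if printf '%s\n' "$input" | is_affected; then
    echo "affected: libk5crypto.so.3 cannot resolve EVP_KDF_ctrl"
else
    echo "signature not found"
fi
```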
Cause
The Kerberos library (`libk5crypto.so.3`) was built with the older version of OpenSSL (1.1.1k); using the newer version (1.1.1p) might cause an undefined symbol error. The patch is expected to be delivered with ALTPYTH-478.