Bugzilla – Bug 604
AUTHENTICATION ERROR MESSAGES COULD BE FOUND IN /VAR/ADM/MESSAGES
Last modified: 2013-06-16 05:01:19 MDT
Automatic installation of sudo was enabled during update installation, and sudo was updated to version 1.7.4p6. Since this update sudo complains about the missing symbol in the module pam_login_limit.so.1:

    Oct 8 03:13:55 fxsnsrm1n1 sudo: [ID 702911 auth.notice] rtp99 : TTY=unknown ; PWD=/export/home/rtp99 ; USER=root ; COMMAND=/opt/SUNWstkcam/bin/sscs list alarm
    Oct 8 03:13:55 fxsnsrm1n1 sudo[23909]: [ID 401707 auth.error] open_module: /usr/lib/security/pam_login_limit.so.1 failed: ld.so.1: sudo: fatal: relocation error: file /usr/lib/security/pam_login_limit.so.1: symbol main: referenced symbol not found
    Oct 8 03:13:55 fxsnsrm1n1 sudo[23909]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_login_limit.so.1

The file /usr/lib/security/pam_login_limit.so.1, which was noted as incompatible at the start of sudo, was checked: it exists and has the correct permissions set.

This problem was neutralised by disabling this module in pam.conf (these lines were commented out in /etc/pam_conf):

    other auth requisite pam_login_limit.so.1 execute_first timeout_account=30 count_limit=5
    other auth required pam_login_limit.so.1 timeout_account=30 count_limit=5

The problem is reproducible. Used command:

    LD_DEBUG=all,output=sudo-linker.out /usr/local/bin/sudo /opt/SUNWstkcam/bin/sscs list alarm

Using the account rtp99 did not produce a sudo-linker.out. As user "root" the alarm output was generated.

Taken from /var/log/authlog:

    May 14 11:25:36 fxsnsrm1n1 sudo: [ID 702911 auth.notice] root : TTY=pts/5 ; PWD=/dump/Indizien/N25186 ; USER=root ; COMMAND=/opt/SUNWstkcam/bin/sscs list alarm
    May 14 11:25:36 fxsnsrm1n1 sudo[22674]: [ID 401707 auth.error] open_module: /usr/lib/security/pam_login_limit.so.1 failed: ld.so.1: sudo: fatal: relocation error: file /usr/lib/security/pam_login_limit.so.1: symbol main: referenced symbol not found
    May 14 11:25:36 fxsnsrm1n1 sudo[22674]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_login_limit.so.1

They switched off the workaround and activated pam_login_limit, after which a couple of messages became obvious:

    May 14 11:25:15 fxsnsrm1n1 sshd[21720]: [ID 342432 auth.error] pam_login_limit(auth): unknown option '#N25186'

The unknown option seems to be configured in pam.conf, where they have entered a comment on why they deactivated pam_login_limit.so.1:

    other auth requisite pam_login_limit.so.1 execute_first timeout_account=30 count_limit=5 #N25186
    other auth required pam_login_limit.so.1 timeout_account=30 count_limit=5 #N25186

But it is really a special problem of sudo, because sshd does not have a problem with pam_login_limit.

Note: The problem can be reproduced with the latest sudo versions as well: 1.8.1p2-sol10 and sudo-1.8.6p8
Created attachment 369: 'sudo -V' output
Created attachment 370: truss output
Created attachment 371: LD_DEBUG

Hello, please find some symptoms about the issue. Thank you.

Best regards, Gyorgy
This sounds like a problem with pam_login_limit.so, not sudo. If you run:

    nm -o /usr/lib/security/pam_login_limit.so.1|grep main

do you see a reference to main? If so, then pam_login_limit.so.1 is the problem.

The pam_login_limit.so module is not shipped as a standard part of Solaris as far as I can tell. I've seen this exact problem when a shared module is built with gcc but the final linking is done without using the -shared flag.
Hello Todd, first of all thank you for your feedback. This could be the reason, because both sudo and pam_login_limit.so.1 were installed during the same installation procedure, not only sudo. According to the output, pam_login_limit.so.1 contains a reference to main.

    $ /usr/ccs/bin/nm -o ./pam_login_limit.so.1 | grep main
    [88] |000000000000|000000000000|NOTY |GLOB |0 |UNDEF |main

Just one question remains unanswered for me.

    $ ls -l /usr/local/bin/sudo.1.*
    ---s--x--x 1 root root 205396 Jun 7 08:36 /usr/local/bin/sudo.1.7.4p4
    ---s--x--x 1 root root 207090 Feb 4 2011 /usr/local/bin/sudo.1.7.4p6

If I run the following two commands on a test machine for the same pam_login_limit.so.1, I have the following output:

1. Using the older sudo version.

    $ /usr/local/bin/sudo.1.7.4p4 vi /etc/passwd
    Password:
    Sorry, try again.
    Password:
    sudo.1.7.4p4: 1 incorrect password attempt

Note: The correct password is not accepted

2. Using sudo installed during the latest update

    $ /usr/local/bin/sudo.1.7.4p6 vi /etc/passwd
    sudo.1.7.4p6: pam_authenticate: Dlopen failure
    $ tail /var/adm/messages
    Jun 10 15:39:10 blnfce066 sudo: [ID 702911 auth.alert] rtp99 : 1 incorrect password attempt ; TTY=pts/42 ; PWD=/usr/local/bin ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
    Jun 10 15:39:36 blnfce066 sudo.1.7.4p6[1597]: [ID 401707 auth.error] open_module: /usr/lib/security/pam_login_limit.so.1 failed: ld.so.1: sudo.1.7.4p6: fatal: relocation error: file /usr/lib/security/pam_login_limit.so.1: symbol main: referenced symbol not found
    Jun 10 15:39:36 blnfce066 sudo.1.7.4p6[1597]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_login_limit.so.1
    Jun 10 15:39:36 blnfce066 sudo: [ID 702911 auth.alert] rtp99 : pam_authenticate: Dlopen failure ; TTY=pts/42 ; PWD=/usr/local/bin ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
    [rtp99@blnfce066:/usr/local/bin] $ date
    Monday, June 10, 2013 3:40:03 PM MEST

I am confused as to why the behaviour of the two sudo versions is different with the same pam_login_limit.so.1.

Regards, Gyorgy
Hello, my colleague found that the build script is using the gcc -G option:

    gcc -G ../CR0096243/PAM/pam_login_limit.c -lpam -lc -o ../CR0096243/PAM/pam_login_limit.so.1

The pam_login_limit.so.1 recompiled with 'gcc -shared -DPIC -fPIC -G pam_login_limit.c -lpam -lc -o pam_login_limit.so.1' seems to have solved the problem. Thank you once again for your help.

Regards, Gyorgy
Submitter confirmed that pam_login_limit.so was the problem.
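
The two symptoms in this thread (an undefined `main` in the module's symbol table, and a `#` comment at the end of a pam.conf entry arriving at the module as an option) can be checked before a custom PAM module is rolled out. The script below is an added example, not part of the original report or of sudo; the function names `has_undef_main` and `hash_options` are hypothetical, and the demo input is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not from the bug report: two checks based on this thread.

# has_undef_main: read nm output on stdin; succeed if `main` is an undefined
# symbol. Handles the Solaris table row quoted in the thread
# ([idx] |value|size|type|bind|other|shndx|name) and GNU-style "U main".
has_undef_main() {
    awk '
        index($0, "|") {                        # Solaris nm table row
            n = split($0, f, "|")
            name = f[n]; shndx = f[n - 1]
            gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", shndx)
            if (name == "main" && shndx == "UNDEF") bad = 1
            next
        }
        NF >= 2 && $NF == "main" && $(NF - 1) == "U" { bad = 1 }   # GNU nm
        END { exit (bad ? 0 : 1) }
    '
}

# hash_options: read pam.conf text on stdin and print "line:token" for every
# active entry whose option list (field 5 onward) contains a token starting
# with "#", which the module would receive as an option, not as a comment.
hash_options() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }           # comment-only, blank or short lines
        { for (i = 5; i <= NF; i++) if ($i ~ /^#/) print NR ":" $i }
    '
}

# Constructed demo input: the nm row and pam.conf entries quoted in the thread.
nm_row='[88] |000000000000|000000000000|NOTY |GLOB |0 |UNDEF |main'
conf='# login limit (comment-only line, ignored)
other auth requisite pam_login_limit.so.1 execute_first timeout_account=30 count_limit=5 #N25186
other auth required pam_login_limit.so.1 timeout_account=30 count_limit=5'

if printf '%s\n' "$nm_row" | has_undef_main; then
    echo "module references main: rebuild it with -shared"
fi
printf '%s\n' "$conf" | hash_options      # prints 2:#N25186
```

Against an installed module, pipe the real symbol table into the first check, for example `/usr/ccs/bin/nm -o /usr/lib/security/pam_login_limit.so.1 | has_undef_main`.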