@jcluvlow when booting from disk (i guess you mean piadm) does that work with all pool layouts ?

@mgt576 --> not piadm(8), that's SmartOS-specific.

Is anyone here using duo_unix 2FA software on an illumos distro?

It seems recent versions fail to compile and I'm trying to figure out if it's a me problem, an Illumos problem, or a duo problem.

(FTR: I am suspecting me, followed by duo)

nomad that depends on the nature of errors>(

give me a moment, I'll post a paste

pastebin.com/rKtN5y45 (sorry 'bout the noise. I keep forgetting where the good paste services are.)

I'm having to compile with gcc-10. Even older code of theirs doesn't work with gcc-14.

hey jclulow, is there anything I can do to help push illumos.org/issues/2947 ?

→ BUG 2947: PAM should support per-service config in /etc/pam.d (New)

nomad: that all seems like just openssl deprecations?

richlowe, the warnings are, yes.

the error is *probably* related to it but is new in their 2.2.x branch.

which has existed for a while which implies others aren't having problems compiling it.

I'm able to compile 2.1.0 and have it run, even with the warnings.

nomad: Wow, I haven't thought about that one in a long time haha

jclulow, duo_unix needs pam hooks. I have to have ansible do a blockinfile edit to add the sshd-kbdint requirement to get it to work.

I'd *really* prefer pam.d structure :)

Yeah, I can see how that would be better

richlowe, so I guess the question is, is this an error with Illumos's openssl includes or something else?

or am I just once again proving brainrot... <sigh>

nomad error is about missing function declaration. the function is used at line 419 and defined at 534.

but also based on warnings, I guess that thing is ugly...

ok, yeah, so far I follow you. I was thinking they were expecting it to be defined in an include file or something.

Which doesn't tell you anything useful other than that someone else hit the same bug

ok, well... the reason is few lines up from github.com/duosecurity/duo_unix/blob/master/lib/https.c#L419

#ifndef HAVE_GETADDRINFO

I'm glad to know I'm not alone.

so, configure fails to detect getaddrinfo and the buggy code path is taken - missing declaration is not OS fault.

Yep, you need to add LIBS="-lsocket -lnsl" to the configure invocation to help it out

so the suggestion in that ticket is just lame

and it was working in 11.4 because oracle did move things into libc

re-running my config with the LIBS= setting worked.

so that's good news.

I'm not sure if that code is actually safe to use:)

well, I can at least test if it will do what I expect it to do :)

I use 2FA with the PAM module from oath-toolkit in some places.

That's all local but it seems to work well

still getting some warnings that mostly seem to be incompatible pointer type.

duo is what UW IT is requiring.

incompatible pointers may be both ways, recent gcc are getting more strict there.

this is gcc10. How recent is that?

relatively. I think, current is 15?

we have 14.3 for latest

Commented on the duo issue, even if they don't fix it then if someone finds the issue it might help them.

danke

well... it works.

Can't speak to the quality but it DTRT.

illumos.org/issues/2832 :)

→ FEATURE 2832: libsocket should go the way of libpthread (In Progress)

on the other hand, my PAM config must be broken. You can just keep saying no to the duo prompt and it'll eventually just let you in.

that's... really bad.

You want something like paste.omnios.org/?8a5dca5cd98f0f7e#…LnmGHQoYV2gUYSMSUf6RxFNwnUWJrDfzJvq at the end of /etc/pam.conf, I reckon.

The only diff from what you show is my last line: sshd-kbdint auth required pam_duo.so

but I don't put it at the very end of the pam.conf so maybe I need to move it.

nope, still letting me in after mulitple tries.

ugh. looks like that behavior shows up in my 'working' installs on other OmniOS hosts.

not on my leenux hosts, though.

nomad - it is probably switching to sshd-password after several failed sshd-kbdint attempts

I'd start up a copy of sshd in debug on a different port and check the output while you run a test

Something like: /usr/sbin/sshd -p 2222 -dddd

and look for `PAM service is <xxx>`

I'll make a note of that for next week. I'm already over hours for this week (the not-joy of being 57% FTE).

The fix will be to make sure you have "PasswordAuthentication no" in /etc/ssh/sshd_config

Remember my comment about /etc/pam.d? that also applies to /etc/ssh/sshd_config.d :)

lucky me, I can have ansible edit /etc/ssh/sshd_config to add an include line and create that directory.

(though it should already be there, IMHO.)

andyf, thanks for the pointers. I've updated my ticket.

and now, hopefully, I can stop thinking about this for my unpaid days.