10:02:10 @jcluvlow when booting from disk (i guess you mean piadm) does that work with all pool layouts ?
13:48:57 @mgt576 --> not piadm(8), that's SmartOS-specific.
19:08:37 Is anyone here using duo_unix 2FA software on an illumos distro?
19:09:08 It seems recent versions fail to compile and I'm trying to figure out if it's a me problem, an Illumos problem, or a duo problem.
19:09:34 (FTR: I am suspecting me, followed by duo)
20:52:49 nomad that depends on the nature of errors>(
21:05:28 give me a moment, I'll post a paste
21:08:59 https://pastebin.com/rKtN5y45 (sorry 'bout the noise. I keep forgetting where the good paste services are.)
21:10:51 I'm having to compile with gcc-10. Even older code of theirs doesn't work with gcc-14.
21:14:02 hey jclulow, is there anything I can do to help push https://www.illumos.org/issues/2947 ?
21:14:03 → BUG 2947: PAM should support per-service config in /etc/pam.d (New)
21:15:23 nomad: that all seems like just openssl deprecations?
21:15:35 richlowe, the warnings are, yes.
21:15:49 the error is *probably* related to it but is new in their 2.2.x branch.
21:16:08 which has existed for a while which implies others aren't having problems compiling it.
21:16:51 I'm able to compile 2.1.0 and have it run, even with the warnings.
21:17:38 nomad: Wow, I haven't thought about that one in a long time haha
21:18:36 jclulow, duo_unix needs pam hooks. I have to have ansible do a blockinfile edit to add the sshd-kbdint requirement to get it to work.
21:18:43 I'd *really* prefer pam.d structure :)
21:18:58 Yeah, I can see how that would be better
21:21:42 richlowe, so I guess the question is, is this an error with Illumos's openssl includes or something else?
21:22:03 or am I just once again proving brainrot...
21:23:29 nomad error is about missing function declaration. the function is used at line 419 and defined at 534.
21:24:09 but also based on warnings, I guess that thing is ugly...
21:24:16 ok, yeah, so far I follow you. I was thinking they were expecting it to be defined in an include file or something.
21:24:41 * nomad touches C about once a year or so... probably even a lot less.
21:28:01 https://github.com/duosecurity/duo_unix/issues/351
21:28:20 Which doesn't tell you anything useful other than that someone else hit the same bug
21:29:54 ok, well... the reason is few lines up from https://github.com/duosecurity/duo_unix/blob/master/lib/https.c#L419
21:30:07 #ifndef HAVE_GETADDRINFO
21:31:19 I'm glad to know I'm not alone.
21:31:24 so, configure fails to detect getaddrinfo and the buggy code path is taken - missing declaration is not OS fault.
21:31:42 Yep, you need to add LIBS="-lsocket -lnsl" to the configure invocation to help it out
21:31:43 so the suggestion in that ticket is just lame
21:32:18 and it was working in 11.4 because oracle did move things into libc
21:32:46 re-running my config with the LIBS= setting worked.
21:32:52 so that's good news.
21:33:18 I'm not sure if that code is actually safe to use:)
21:33:44 well, I can at least test if it will do what I expect it to do :)
21:33:46 I use 2FA with the PAM module from oath-toolkit in some places.
21:34:17 That's all local but it seems to work well
21:34:27 still getting some warnings that mostly seem to be incompatible pointer type.
21:34:38 duo is what UW IT is requiring.
21:35:53 incompatible pointers may be both ways, recent gcc are getting more strict there.
21:36:11 this is gcc10. How recent is that?
21:36:29 relatively. I think, current is 15?
21:37:25 we have 14.3 for latest
21:38:22 Commented on the duo issue, even if they don't fix it then if someone finds the issue it might help them.
21:38:37 danke
21:44:33 well... it works.
21:44:41 Can't speak to the quality but it DTRT.
21:45:25 https://www.illumos.org/issues/2832 :)
21:45:26 → FEATURE 2832: libsocket should go the way of libpthread (In Progress)
21:45:54 on the other hand, my PAM config must be broken. You can just keep saying no to the duo prompt and it'll eventually just let you in.
21:45:58 that's... really bad.
21:46:43 You want something like https://paste.omnios.org/?8a5dca5cd98f0f7e#CF4FFVohyLnmGHQoYV2gUYSMSUf6RxFNwnUWJrDfzJvq at the end of /etc/pam.conf, I reckon.
21:48:51 The only diff from what you show is my last line: sshd-kbdint auth required pam_duo.so
21:49:04 but I don't put it at the very end of the pam.conf so maybe I need to move it.
21:50:01 nope, still letting me in after multiple tries.
21:53:59 ugh. looks like that behavior shows up in my 'working' installs on other OmniOS hosts.
21:54:06 not on my leenux hosts, though.
21:54:15 * nomad goes back to the (failing) googles.
22:31:22 nomad - it is probably switching to sshd-password after several failed sshd-kbdint attempts
22:31:38 I'd start up a copy of sshd in debug on a different port and check the output while you run a test
22:31:56 Something like: /usr/sbin/sshd -p 2222 -dddd
22:32:06 and look for `PAM service is `
22:32:19 I'll make a note of that for next week. I'm already over hours for this week (the not-joy of being 57% FTE).
22:33:02 The fix will be to make sure you have "PasswordAuthentication no" in /etc/ssh/sshd_config
22:37:41 Remember my comment about /etc/pam.d? that also applies to /etc/ssh/sshd_config.d :)
22:37:57 lucky me, I can have ansible edit /etc/ssh/sshd_config to add an include line and create that directory.
22:38:28 (though it should already be there, IMHO.)
22:50:25 andyf, thanks for the pointers. I've updated my ticket.
22:50:43 and now, hopefully, I can stop thinking about this for my unpaid days.