From: Xin Li
Date: Thu, 5 Jan 2023 22:57:45 -0800
To: grarpamp, freebsd-current@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Re: cant login after make installworld: pam_opie.so.6 not found

On 2023-01-04 6:59 PM, grarpamp wrote:
>>> looks like the "make delete-old-libs" has deleted that lib pam_opie.so.6
>>> and now I cannot pass the login prompt
>>> says the error "pam_opie.so: not found
>
>>> how can I get it back? I tried everything and nothing brought it back
>
>> commit 0aa2700123e22c2b0a977375e087dc2759b8e980
>> Differential Revision: https://reviews.freebsd.org/D36592
>
> This appeared as perhaps an arbitrary deletion change for some
> unknown non-discussed reason. Someone else posted the problems,
> user features, and alternatives that would preserve and update use of
> OPIE options for FreeBSD users, but again, no one discussed.

The security team discussed this a decade ago. See
https://www.miknet.net/security/skey-dungeon-attack/ for technical details.

And this could have been avoided if the user had followed the source upgrade
instructions by performing mergemaster or etcupdate *before* make
delete-old{-libs}, which is well documented in /usr/src/UPDATING and I
quote it here:

	To upgrade in-place from stable to current
	----------------------------------------------
	make buildworld					[9]
	make buildkernel KERNCONF=YOUR_KERNEL_HERE	[8]
	make installkernel KERNCONF=YOUR_KERNEL_HERE	[1] [3]
	etcupdate -p					[5]
	make installworld
	etcupdate -B					[4]
	make delete-old					[6]

The order here is very important.

Cheers,
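A check for the failure described in this thread, as an added example that is not part of the original message or of FreeBSD's own tooling: it lists PAM modules that service files in /etc/pam.d still reference but that are missing on disk. The function name, the default search directories and the versioned-name matching rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original message): report PAM modules that
# service files still reference but that no longer exist on disk.
# Assumption: a relative module name counts as present when either
# <dir>/<name> or a versioned <dir>/<name>.<N> exists in a search directory.
# usage: missing_pam_modules [conf_dir [module_dir ...]]
missing_pam_modules() {
    conf_dir=${1:-/etc/pam.d}
    [ $# -gt 0 ] && shift
    [ $# -gt 0 ] || set -- /usr/lib /usr/local/lib
    rc=0
    for f in "$conf_dir"/*; do
        [ -f "$f" ] || continue
        # Service file line: facility control-flag module [options]
        while read -r facility control module _opts || [ -n "$facility" ]; do
            case $facility in ''|'#'*) continue ;; esac
            # "include" names another service file, not a module
            [ "$control" = include ] && continue
            [ -n "$module" ] || continue
            found=no
            case $module in
                /*) [ -e "$module" ] && found=yes ;;
                *)  for d in "$@"; do
                        for cand in "$d/$module" "$d/$module".*; do
                            [ -e "$cand" ] && found=yes
                        done
                    done ;;
            esac
            if [ "$found" = no ]; then
                # Print "<service file>: <module>" for each dangling reference
                echo "${f##*/}: $module"
                rc=1
            fi
        done < "$f"
    done
    return $rc
}
```

Run as root after `make delete-old-libs` and before closing the current session, each output line names a service file and a module it can no longer load; the function returns non-zero when any reference is dangling.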