Thanks for the suggestions. I finally am trying per your suggestion.

As I’m a total novice using GNU tools, I built a new Solaris 11.3 x86 virtual machine in VirtualBox and configured it for FIPS 140-2. I then installed the “developer-gnu” package (GNU Development Tools for Oracle Solaris) using the Package Manager and did not install the Oracle Solaris Studio compilers. I then changed the path to add /usr/gnu/bin as the first entry for both a normal user and for root. I also added a user sshd with UID of 200 (Solaris reserves UID <100 for system use).

After that, ./configure and make seem to work without error (two warnings about defined but not used). However, after becoming root, the “make install” issues an error:

root@vb-solaris11:/export/home/stu/c/duo/duo_unix-1.9.19# make install > make_install.out.txt
cp: cannot access duo.crt
libtool: install: warning: relinking `pam_duo.la’

The log (make_install.out.txt) indicates that duo.crt was created in /etc/duo but the directory contains only login_duo.conf and pam_duo.conf. I do not know if a missing duo.crt will cause an issue.

I then tried the same sequence (install developer-gnu, change PATH, attempt ./configure and make as a normal user and make install as root) on the production machine and got the same error about duo.crt. I have entered the keys in the pam_duo.conf file on the production machine but I’m leery about attempting to complete the setup without understanding the error.

I will contact support early next week. Comments/suggestions welcome.

Stuart

With the new path (/usr/gnu/bin first), the ./configure and make steps appear to work. However, as root, the make install issues an error (cut and paste a bit of the make install output):

libtool: install: chmod 644 /usr/lib/libduo.a
libtool: install: ranlib /usr/lib/libduo.a
/usr/gnu/bin/mkdir -p /etc/duo
cp: cannot stat ‘duo.crt’: No such file or directory
Created /etc/duo/duo.crt
/usr/gnu/bin/mkdir -p ‘/usr/include’

and there is no duo.crt in the /etc/duo directory after the install completes:

root@vb-solaris11:/etc/duo# ls -al
total 10
drwxr-xr-x 2 root root 4 Oct 14 06:55 .
drwxr-xr-x 98 root sys 194 Oct 25 05:02 …
-rw------- 1 sshd root 144 Oct 14 06:55 login_duo.conf
-rw------- 1 root root 144 Oct 14 06:55 pam_duo.conf
root@vb-solaris11:/etc/duo#

This happens on the virtual test box and on the production machine. Should I ignore the error and attempt to configure the production box?

Thanks,

Stuart

Are you able to authenticate with Duo two factor on your Solaris test VM?

No - I’m not familiar with how to modify the configure script and subsequent make to create both 32-bit and 64-bit versions of the pam_duo libraries, etc.

For Solaris 11.3 there is a Note in a document about Authentication Services (Chapter 1 - Using Pluggable Authentication Modules) that says: “You must install a 32-bit version and a 64-bit version of the PAM service module.” So I’m trying to figure out how to build and install both - so far I’m trying the brute force method of editing all the Makefiles and adding -m64 to the CFLAGS line. That gets me 64-bit .o files so I’m hoping a “make install” will create the appropriate 64-bit libraries that I can move into the appropriate places with appropriate permissions/ownership along with the 32-bit versions. Then I’ll try configuring PAM.

Stuart

Hey Stuart, notwithstanding the Oracle doc, you shouldn’t need to build a 32-bit PAM module if your system is 64-bit. I have a Solaris 11.2 VM and Duo is protecting my ssh logins after going through the documented install process.

At this point I’d suggest you contact Duo support (if you haven’t already) so they can troubleshoot the build with you in depth.