Build duo unix on Solaris 11.3 (x86) configured for FIPS 140-2


#1

Has anyone built duo unix on a Solaris 11.3 system configured for FIPS 140-2? I am not a real system admin or programmer but rather a science user who writes/uses old-school C language code for data collection/analysis on Solaris systems. We are now being pushed to use 2-factor for authentication on all systems that might contain controlled unclassified information.

I have a Duo Unix build failure on a production 11.3 (Intel version) box. I built a clean 11.3 large server installation in VirtualBox, configured the install for FIPS, installed GNU system (package from Oracle) including the C compiler and utilities, and get the same link error on the virtual system as on the production system. The error appears to be in an invocation of libtool to link code that compiled OK. I am not familiar with libtool.

I can provide details via email if someone wishes to help this novice.

Thanks

Stuart


#2

We’ve heard of issues building Duo Unix (pam_duo) on Solaris systems when the build commands use the Sun version of nm instead of the GNU version. Verify you have the GNU version of nm and that the GNU bin directory is in your $PATH ahead of /usr/bin.

If installing GNU nm doesn’t resolve your build issue, then I encourage you to contact Duo Support with the exact error output and other details about your system.
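
A way to run the check described in this reply, added here as an example (it is not part of the original post and not Duo's own tooling). It reports which directory on a PATH string supplies nm first and whether that copy identifies itself as GNU; the function names are hypothetical, and treating "GNU" in the `--version` output as the test is an assumption.

```shell
#!/bin/sh
# Added example: find which copy of a build tool wins on a given PATH string.

# first_dir_with TOOL PATHSTRING -> prints the first directory holding an executable TOOL
first_dir_with() {
    want=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        [ -z "$dir" ] && dir=.          # an empty PATH entry means the current directory
        if [ -x "$dir/$want" ] && [ ! -d "$dir/$want" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# is_gnu_tool BINARY -> 0 if its --version output mentions GNU (assumed marker)
is_gnu_tool() {
    "$1" --version 2>/dev/null | grep GNU >/dev/null
}

# check_build_tools PATHSTRING [TOOL...] -> 0 only if every tool resolves to a GNU build
check_build_tools() {
    search_path=$1
    shift
    [ $# -eq 0 ] && set -- nm           # nm is the tool named in the reply above
    rc=0
    for tool in "$@"; do
        if ! found=$(first_dir_with "$tool" "$search_path"); then
            echo "$tool: not found on PATH"
            rc=1
        elif is_gnu_tool "$found/$tool"; then
            echo "$tool: GNU build from $found"
        else
            echo "$tool: non-GNU build from $found is found first"
            rc=1
        fi
    done
    return $rc
}

# Usage, as the user who will run ./configure and make:
#   check_build_tools "$PATH" nm
```

Run it in the same shell and as the same user that runs the build, since root and a normal user can have different PATH values.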


#3

Thanks for the suggestions. I finally am trying per your suggestion.

As I’m a total novice using GNU tools, I built a new Solaris 11.3 x86 virtual machine in VirtualBox and configured it for FIPS 140-2. I then installed the “developer-gnu” package (GNU Development Tools for Oracle Solaris) using the Package Manager and did not install the Oracle Solaris Studio compilers. I then changed the path to add /usr/gnu/bin as the first entry for both a normal user and for root. I also added a user sshd with UID of 200 (Solaris reserves UID <100 for system use).

After that, ./configure and make seem to work without error (two warnings about defined but not used). However, after becoming root, the “make install” issues an error:

root@vb-solaris11:/export/home/stu/c/duo/duo_unix-1.9.19# make install > make_install.out.txt
cp: cannot access duo.crt
libtool: install: warning: relinking `pam_duo.la'

The log (make_install.out.txt) indicates that duo.crt was created in /etc/duo but the directory contains only login_duo.conf and pam_duo.conf. I do not know if a missing duo.crt will cause an issue.

I then tried the same sequence (install developer-gnu, change PATH, attempt ./configure and make as a normal user and make install as root) on the production machine and got the same error about duo.crt. I have entered the keys in the pam_duo.conf file on the production machine but I’m leery about attempting to complete the setup without understanding the error.

I will contact support early next week. Comments/suggestions welcome.

Stuart


#4

With the new path (/usr/gnu/bin first), the ./configure and make steps appear to work. However, as root, the make install issues an error (cut and paste a bit of the make install output):

libtool: install: chmod 644 /usr/lib/libduo.a
libtool: install: ranlib /usr/lib/libduo.a
/usr/gnu/bin/mkdir -p /etc/duo
cp: cannot stat ‘duo.crt’: No such file or directory
Created /etc/duo/duo.crt
/usr/gnu/bin/mkdir -p '/usr/include'

and there is no duo.crt in the /etc/duo directory after the install completes:

root@vb-solaris11:/etc/duo# ls -al
total 10
drwxr-xr-x 2 root root 4 Oct 14 06:55 .
drwxr-xr-x 98 root sys 194 Oct 25 05:02 ..
-rw------- 1 sshd root 144 Oct 14 06:55 login_duo.conf
-rw------- 1 root root 144 Oct 14 06:55 pam_duo.conf
root@vb-solaris11:/etc/duo#

This happens on the virtual test box and on the production machine. Should I ignore the error and attempt to configure the production box?

Thanks,

Stuart


#5

Are you able to authenticate with Duo two factor on your Solaris test VM?


#6

No - I’m not familiar with how to modify the configure script and subsequent make to create both 32-bit and 64-bit versions of the pam_duo libraries, etc.

For Solaris 11.3 there is a Note in a document about Authentication Services (Chapter 1 - Using Pluggable Authentication Modules) that says: “You must install a 32-bit version and a 64-bit version of the PAM service module.” So I’m trying to figure out how to build and install both - so far I’m trying the brute force method of editing all the Makefiles and adding -m64 to the CFLAGS line. That gets me 64-bit .o files so I’m hoping a “make install” will create the appropriate 64-bit libraries that I can move into the appropriate places with appropriate permissions/ownership along with the 32-bit versions. Then I’ll try configuring PAM.

Stuart


#7

Hey Stuart, notwithstanding the Oracle doc, you shouldn’t need to build a 32-bit PAM module if your system is 64-bit. I have a Solaris 11.2 VM and Duo is protecting my ssh logins after going through the documented install process.

At this point I’d suggest you contact Duo support (if you haven’t already) so they can troubleshoot the build with you in depth.