Heads Up: elfsign verification errors
Date: Mon, 9 Apr 2007 15:06:11 -0700 (PDT)
From: Valerie Anne Bubb <Valerie.Bubb at Sun dot COM>
To: onnv-gate at onnv dot eng dot sun dot com
Subject: Heads Up: elfsign verification errors
If you are seeing errors like:
Apr 9 14:57:23 elpaso kcfd[100148]: [ID 821307 user.error] kcfd: unable to find a certificate for DN: O=Sun Microsystems Inc, OU=Solaris Cryptographic Framework, CN=SunOS 5.10
Apr 9 14:57:23 elpaso ssh[648350]: [ID 290454 user.error] libpkcs11: /usr/lib/security/pkcs11_softtoken_extra.so unexpected failure in ELF signature verification. System may have been tampered with. See cryptoadm(1M). Skipping this plug-in.
Apr 9 14:57:23 elpaso ssh[648350]: [ID 530472 user.error] Kerberos mechanism library initialization error: krb5 conf file not configured.
in /var/adm/messages file, or find that you cannot run commands like
digest or encrypt, you likely have an old certificate hanging around
on your machine. The recent changes to elfsign to use libkmf
("6246343 elfsign should not depend on libike") trigered an unexpected
side effect on some machines.
Simply logging in as root and removing /etc/crypto/certs/SUNW_SunOS_5.10.1
will resolve this issue for you.
sorry for the hassle,
Valerie
~--
Valerie Bubb, http://blogs.sun.com/bubbva
Solaris Security Technologies, Developer, Sun Microsystems, Inc.
17 Network Circle, Menlo Park, CA, 94025. 650-786-0461
on 2009/11/20 23:47