Error Message from Crypto Library when Logging in

On some systems we have recently encountered syslog error messages of the following type when logging in with ssh (or with /bin/su):

Mar 15 10:43:47 aix01 auth|security:err|error sshd[14024884]: Crypto library (CLiC) error: Wrong object type

Mar 15 11:08:42 aix01 auth|security:err|error su: Crypto library (CLiC) error: Wrong signature

Login and the su command worked without problems. However, the many error messages, one with each login, were annoying.

The reference to the Crypto Library (CLiC), which is actually needed only when using EFS, was the first lead in the investigation. EFS is not in use on these systems. A check with the command “efskeymgr -V” resulted in the following:

$ efskeymgr -V
There is no key loaded in the current process.
$

An error message should have appeared here, with the hint that EFS is not activated. A look into the directory /var revealed that the directory /var/efs (in which the EFS keys are stored) exists:

$ ls -l /var/efs
total 24
drwx------    2 root     system          256 Apr 25 2017  efs_admin/
-rw-r--r--    1 root     system            0 Apr 25 2017  efsenabled
drwx------   51 root     system         4096 Mar 17 10:40 groups/
drwx------  123 root     system         8192 Mar 17 05:15 users/
$

So EFS was activated, even though it is not used. To disable EFS, a reboot is actually necessary. However, as it is not really used in our case, and was probably turned on only because of an oversight or error, we use the following workaround and rename the /var/efs directory:

$ mv /var/efs /var/efs.orig
$

A short test with the command “efskeymgr -V” shows that, from the point of view of AIX, EFS is currently not active:

$ efskeymgr -V
Problem initializing EFS framework.
Please check EFS is installed and enabled (see efsenable) on you system.
Error was: (EFS was not configured)
$

A test login via ssh confirms that no error message is logged any more when logging in.

Note: Please make sure that EFS is not used!
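
The two checks used above (CLiC errors in syslog, state of the /var/efs directory) can be scripted for a quick survey of several systems. This is an added example, not part of the original post: the function names are hypothetical, the last two sample log lines are constructed, and it assumes that the efsenabled file seen in the listing is what marks EFS as enabled.

```shell
#!/bin/sh
# Added example; sample data is constructed, function names are hypothetical.

# Sample input: the two message types from the post plus two constructed lines.
sample_log() {
    cat <<'EOF'
Mar 15 10:43:47 aix01 auth|security:err|error sshd[14024884]: Crypto library (CLiC) error: Wrong object type
Mar 15 11:08:42 aix01 auth|security:err|error su: Crypto library (CLiC) error: Wrong signature
Mar 15 11:09:10 aix01 auth|security:err|error sshd[9999]: Crypto library (CLiC) error: Wrong object type
Mar 15 11:10:00 aix01 auth|security:info sshd[9999]: Accepted publickey for root
EOF
}

# Count CLiC errors per program; reads the named files, or stdin if none given.
# Prints one "program count" line per program, sorted by program name.
clic_errors_by_program() {
    awk '/Crypto library \(CLiC\) error:/ {
        for (i = 2; i <= NF; i++)
            if ($i == "Crypto") {             # the program field precedes "Crypto"
                prog = $(i - 1)
                sub(/:$/, "", prog)           # "su:" -> "su"
                sub(/\[[0-9]+\]$/, "", prog)  # "sshd[123]" -> "sshd"
                count[prog]++
                break
            }
    }
    END { for (p in count) print p, count[p] }' "$@" | sort
}

# Classify the EFS directory (/var/efs in the post). Assumption: the
# efsenabled file seen in the listing is what marks EFS as enabled.
# Reading users/ and groups/ needs root; unreadable directories count as 0.
efs_state() {
    dir=${1:-/var/efs}
    [ -d "$dir" ] || { echo "absent"; return 0; }
    [ -e "$dir/efsenabled" ] || { echo "unmarked"; return 0; }
    users=$(ls -A "$dir/users" 2>/dev/null | wc -l | tr -d ' ')
    groups=$(ls -A "$dir/groups" 2>/dev/null | wc -l | tr -d ' ')
    echo "enabled users=$users groups=$groups"
}

# Demo: sample log, then the directory given as $1 (default /var/efs).
sample_log | clic_errors_by_program
efs_state "${1:-/var/efs}"
```

As the listing above shows, keystore entries can exist on a system where EFS is not used, so the counts say only that keystores were created, not that any data is encrypted.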

 
