Re: sshd: PAM pam_set_item: NULL pam handle passed

From: Tina Bird (tbird@precision-guesswork.com)
Date: 03/09/02


Date: Fri, 8 Mar 2002 18:16:23 -0600 (CST)
From: Tina Bird <tbird@precision-guesswork.com>
To: Matt Zimmerman <mdz@csh.rit.edu>

Matt --

I poked around on Google a bit, and found this:

http://archives.neohapsis.com/archives/pam-list/2001-04/0111.html says

Ian Macdonald wrote:
>
> I have a couple of boxes here that I've configured to allow ssh
> log-ins over LDAP.
>
> They seem to be identically configured to other boxes that work fine,
> yet when a user tries to log in, the following error is logged:
>
> Apr 19 15:46:21 irc1sj sshd[7466]: PAM pam_set_item: NULL pam handle passed
> Apr 19 15:46:21 irc1sj sshd[7466]: Failed password for illegal user shelby from 10.160.71.254 port 1016
>
>

From: Andrew Morgan (morgan@transmeta.com)
Date: Fri Apr 20 2001 - 16:26:08 CDT

This is an internal error from libpam. It means something did this:

   pam_set_item(NULL, PAM_<something>, item);

The error is that the first argument is NULL. It should have been a
non-NULL pam_handle_t object.

Buggy code - application or module I guess.
--------------------------

I looked through a few more of the Google hits. They all showed
programming errors and no evidence of malicious behavior, so barring
any other information, I suspect this is more of the same. Maybe
there's a new bug in the OpenSSH implementation?

Hope that helps -- tbird

"I was being patient, but it took too long." -
                                Anya, "Buffy the Vampire Slayer"

Log Analysis: http://www.counterpane.com/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

On Thu, 7 Mar 2002, Matt Zimmerman wrote:

> I got these just now, from OpenSSH_3.0.2p1 Debian 1:3.0.2p1-8. There is no
> user smw on my system, and there never has been. It doesn't look like there
> was a compromise. Otherwise, it looks like someone connecting to the wrong
> IP address, but I have not seen this PAM error before. Has anyone else seen
> this kind of activity?
>
> I am aware of the recent OpenSSH advisory (1:3.0.2p1-8 includes the patch),
> but this doesn't appear to be related, as the activity is before the
> (failed) authentication.
>
> Mar 7 21:50:22 mizar sshd[15396]: PAM pam_set_item: NULL pam handle passed
> Mar 7 21:50:22 mizar sshd[15396]: Failed rsa for illegal user smw from 132.205.121.51 port 64707
> Mar 7 21:50:22 mizar sshd[15396]: Connection closed by 132.205.121.51
> Mar 7 21:50:41 mizar sshd[15397]: PAM pam_set_item: NULL pam handle passed
> Mar 7 21:50:41 mizar sshd[15397]: Failed rsa for illegal user smw from 132.205.121.51 port 64709
> Mar 7 21:50:41 mizar sshd[15397]: Connection closed by 132.205.121.51
> Mar 7 21:52:57 mizar sshd[15399]: PAM pam_set_item: NULL pam handle passed
> Mar 7 21:52:57 mizar sshd[15399]: Failed rsa for illegal user smw from 132.205.121.51 port 64711
> Mar 7 21:53:10 mizar sshd[15399]: Connection closed by 132.205.121.51
>
> --
> - mdz
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
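
The pattern visible in both log excerpts quoted in this thread, as an added example that is not part of the original messages: it groups sshd lines by host and pid and reports whether each session that logged the PAM error also logged a failure for an "illegal user". The last three sample lines, the `triage` function name and the verdict labels are assumptions made for the example.

```python
import re
from collections import defaultdict

# First 5 lines come from the log excerpts quoted in this thread.
# The last 3 (pids 20001/20002, source 192.0.2.10) are constructed for the example.
SAMPLE = """\
Apr 19 15:46:21 irc1sj sshd[7466]: PAM pam_set_item: NULL pam handle passed
Apr 19 15:46:21 irc1sj sshd[7466]: Failed password for illegal user shelby from 10.160.71.254 port 1016
Mar 7 21:50:22 mizar sshd[15396]: PAM pam_set_item: NULL pam handle passed
Mar 7 21:50:22 mizar sshd[15396]: Failed rsa for illegal user smw from 132.205.121.51 port 64707
Mar 7 21:50:22 mizar sshd[15396]: Connection closed by 132.205.121.51
Mar 7 21:55:01 mizar sshd[20001]: Failed password for mdz from 192.0.2.10 port 40000
Mar 7 21:56:10 mizar sshd[20002]: PAM pam_set_item: NULL pam handle passed
Mar 7 21:56:10 mizar sshd[20002]: Failed password for mdz from 192.0.2.10 port 40001
"""

LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+(\S+)\s+sshd\[(\d+)\]:\s+(.*)$")
FAILED = re.compile(r"^Failed (\S+) for (illegal user )?(\S+) from (\S+) port \d+")
PAM_NULL = "PAM pam_set_item: NULL pam handle passed"

def triage(text):
    """Classify each sshd session (host, pid) that logged the NULL-handle error."""
    sessions = defaultdict(lambda: {"pam_null": 0, "failed": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sshd syslog line
        host, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        sess = sessions[(host, pid)]  # caveat: pids get reused over long logs
        if msg == PAM_NULL:
            sess["pam_null"] += 1
        f = FAILED.match(msg)
        if f:  # store (user, source address, was it an "illegal user"?)
            sess["failed"].append((f.group(3), f.group(4), bool(f.group(2))))
    report = {}
    for key, sess in sessions.items():
        if not sess["pam_null"]:
            continue  # session never logged the PAM error
        unknown = sorted({u for u, _, illegal in sess["failed"] if illegal})
        report[key] = {
            "verdict": "unknown-user" if unknown else "unexplained",
            "users": unknown,
            "sources": sorted({src for _, src, _ in sess["failed"]}),
        }
    return report

if __name__ == "__main__":
    for (host, pid), info in sorted(triage(SAMPLE).items()):
        print(host, pid, info["verdict"], info["users"], info["sources"])
```

Sessions marked "unexplained" logged the PAM error without an accompanying "illegal user" failure and are the ones to read by hand.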
