Re: sshd: PAM pam_set_item: NULL pam handle passed

From: Tina Bird (tbird@precision-guesswork.com)
Date: 03/09/02


Date: Fri, 8 Mar 2002 18:16:23 -0600 (CST)
From: Tina Bird <tbird@precision-guesswork.com>
To: Matt Zimmerman <mdz@csh.rit.edu>

Matt --

I poked around on Google a bit, and found this:

http://archives.neohapsis.com/archives/pam-list/2001-04/0111.html says

Ian Macdonald wrote:
>
> I have a couple of boxes here that I've configured to allow ssh
> log-ins over LDAP.
>
> They seem to be identically configured to other boxes that work fine,
> yet when a user tries to log in, the following error is logged:
>
> Apr 19 15:46:21 irc1sj sshd[7466]: PAM pam_set_item: NULL pam handle
passed
> Apr 19 15:46:21 irc1sj sshd[7466]: Failed password for illegal user
shelby from 10.160.71.254 port 1016
>
>

From: Andrew Morgan (morgan@transmeta.com)
Date: Fri Apr 20 2001 - 16:26:08 CDT

This is an internal error from libpam. It means something did this:

   pam_set_item(NULL, PAM_<something>, item);

The error is that the first argument is NULL. It should have been a
non-NULL pam_handle_t object.

Buggy code - application or module I guess.
--------------------------

I looked through a few more of the Google hits. They all showed
programming errors and no evidence of malicious behavior, so barring
any other information, I suspect this is more of the same. Maybe
there's a new bug in the OpenSSH implementation?

Hope that helps -- tbird

"I was being patient, but it took too long." -
                                Anya, "Buffy the Vampire Slayer"

Log Analysis: http://www.counterpane.com/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

On Thu, 7 Mar 2002, Matt Zimmerman wrote:

> I got these just now, from OpenSSH_3.0.2p1 Debian 1:3.0.2p1-8. There is no
> user smw on my system, and there never has been. It doesn't look like there
> was a compromise. Otherwise, it looks like someone connecting to the wrong
> IP address, but I have not seen this PAM error before. Has anyone else seen
> this kind of activity?
>
> I am aware of the recent OpenSSH advisory (1:3.0.2p1-8 includes the patch),
> but this doesn't appear to be related, as the activity is before the
> (failed) authentication.
>
> Mar 7 21:50:22 mizar sshd[15396]: PAM pam_set_item: NULL pam handle passed
> Mar 7 21:50:22 mizar sshd[15396]: Failed rsa for illegal user smw from 132.205.121.51 port 64707
> Mar 7 21:50:22 mizar sshd[15396]: Connection closed by 132.205.121.51
> Mar 7 21:50:41 mizar sshd[15397]: PAM pam_set_item: NULL pam handle passed
> Mar 7 21:50:41 mizar sshd[15397]: Failed rsa for illegal user smw from 132.205.121.51 port 64709
> Mar 7 21:50:41 mizar sshd[15397]: Connection closed by 132.205.121.51
> Mar 7 21:52:57 mizar sshd[15399]: PAM pam_set_item: NULL pam handle passed
> Mar 7 21:52:57 mizar sshd[15399]: Failed rsa for illegal user smw from 132.205.121.51 port 64711
> Mar 7 21:53:10 mizar sshd[15399]: Connection closed by 132.205.121.51
>
> --
> - mdz
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



Relevant Pages

  • Re: Wave of Nimda-like hits this morning?
    ... I've had multiple clients' Solaris boxes crashing this morning from ... For more information on this free incident handling, management ... and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • EUREKA! I HAVE THE SOLUTION!
    ... have to save the file as an XML worksheet. ... I saved it as an XML worksheet and immediately had functionality ... Perhaps the Microsoft Tech Support people should use Google as a resource ... It's actually text boxes I'm having trouble with, ...
    (microsoft.public.excel.newusers)
  • Re: Google Computers - Hardware Coming to Town
    ... >>If Google hardware staff is as good as their html staff - you are right. ... Maybe these new machines are a response to that. ... Google could possibly pay customers and then borrow some resources (net- ... their boxes for virtually a pittance (enough to ensure people don't buy ...
    (alt.internet.search-engines)
  • Re: Where buy Clear Plastic Bags for Dust Collector?
    ... "trs80" wrote: ... > All I found on google were commercial quantity size boxes with 100s of ...
    (rec.woodworking)
  • Re: Two Ethernet Jacks & Two Networked Boxes
    ... > the world of modems and google hasn't settled the following issue. ... > I have a space with two ethernet jacks and two mandrake boxes. ... > I know that a linux box can serve as a dedicated router. ...
    (comp.os.linux.networking)