Security Incidents mailing list archives
Re: sshd: PAM pam_set_item: NULL pam handle passed
From: Tina Bird <tbird () precision-guesswork com>
Date: Fri, 8 Mar 2002 18:16:23 -0600 (CST)
Matt -- I poked around on Google a bit, and found this: http://archives.neohapsis.com/archives/pam-list/2001-04/0111.html says Ian Macdonald wrote:
I have a couple of boxes here that I've configured to allow ssh log-ins over LDAP. They seem to be identically configured to other boxes that work fine, yet when a user tries to log in, the following error is logged: Apr 19 15:46:21 irc1sj sshd[7466]: PAM pam_set_item: NULL pam handle
passed
Apr 19 15:46:21 irc1sj sshd[7466]: Failed password for illegal user
shelby from 10.160.71.254 port 1016
From: Andrew Morgan (morgan () transmeta com) Date: Fri Apr 20 2001 - 16:26:08 CDT This is an internal error from libpam. It means something did this: pam_set_item(NULL, PAM_<something>, item); The error is that the first argument is NULL. It should have been a non-NULL pam_handle_t object. Buggy code - application or module I guess. -------------------------- I looked through a few more of the Google hits. They all showed programming errors and no evidence of malicious behavior, so barring any other information, I suspect this is more of the same. Maybe there's a new bug in the OpenSSH implementation? Hope that helps -- tbird "I was being patient, but it took too long." - Anya, "Buffy the Vampire Slayer" Log Analysis: http://www.counterpane.com/log-analysis.html VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html On Thu, 7 Mar 2002, Matt Zimmerman wrote:
I got these just now, from OpenSSH_3.0.2p1 Debian 1:3.0.2p1-8. There is no user smw on my system, and there never has been. It doesn't look like there was a compromise. Otherwise, it looks like someone connecting to the wrong IP address, but I have not seen this PAM error before. Has anyone else seen this kind of activity? I am aware of the recent OpenSSH advisory (1:3.0.2p1-8 includes the patch), but this doesn't appear to be related, as the activity is before the (failed) authentication. Mar 7 21:50:22 mizar sshd[15396]: PAM pam_set_item: NULL pam handle passed Mar 7 21:50:22 mizar sshd[15396]: Failed rsa for illegal user smw from 132.205.121.51 port 64707 Mar 7 21:50:22 mizar sshd[15396]: Connection closed by 132.205.121.51 Mar 7 21:50:41 mizar sshd[15397]: PAM pam_set_item: NULL pam handle passed Mar 7 21:50:41 mizar sshd[15397]: Failed rsa for illegal user smw from 132.205.121.51 port 64709 Mar 7 21:50:41 mizar sshd[15397]: Connection closed by 132.205.121.51 Mar 7 21:52:57 mizar sshd[15399]: PAM pam_set_item: NULL pam handle passed Mar 7 21:52:57 mizar sshd[15399]: Failed rsa for illegal user smw from 132.205.121.51 port 64711 Mar 7 21:53:10 mizar sshd[15399]: Connection closed by 132.205.121.51 -- - mdz ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- sshd: PAM pam_set_item: NULL pam handle passed Matt Zimmerman (Mar 08)
- Re: sshd: PAM pam_set_item: NULL pam handle passed Tina Bird (Mar 10)
- Re: sshd: PAM pam_set_item: NULL pam handle passed Matt Zimmerman (Mar 10)
- Bug#137492: PAM pam_set_item: NULL pam handle passed Matt Zimmerman (Mar 10)
- Re: sshd: PAM pam_set_item: NULL pam handle passed Matt Zimmerman (Mar 10)
- Re: sshd: PAM pam_set_item: NULL pam handle passed Chris Faulhaber (Mar 10)
- Re: sshd: PAM pam_set_item: NULL pam handle passed Matt Zimmerman (Mar 10)
- Re: sshd: PAM pam_set_item: NULL pam handle passed Tina Bird (Mar 10)