Re: sshd: PAM pam_set_item: NULL pam handle passed

[Tina Bird <tbird () precision-guesswork com>]

Matt --

I poked around on Google a bit, and found this:

http://archives.neohapsis.com/archives/pam-list/2001-04/0111.html says

Ian Macdonald wrote: 
> I have a couple of boxes here that I've configured to allow ssh 
> log-ins over LDAP. 
>
> They seem to be identically configured to other boxes that work fine, 
> yet when a user tries to log in, the following error is logged: 
>
> Apr 19 15:46:21 irc1sj sshd[7466]: PAM pam_set_item: NULL pam handle 
passed 
> Apr 19 15:46:21 irc1sj sshd[7466]: Failed password for illegal user 
shelby from 10.160.71.254 port 1016 
>

From: Andrew Morgan (morgan () transmeta com)
Date: Fri Apr 20 2001 - 16:26:08 CDT 

This is an internal error from libpam. It means something did this: 


   pam_set_item(NULL, PAM_<something>, item); 


The error is that the first argument is NULL. It should have been a 
non-NULL pam_handle_t object. 


Buggy code - application or module I guess. 
--------------------------

I looked through a few more of the Google hits.  They all showed
programming errors and no evidence of malicious behavior, so barring
any other information, I suspect this is more of the same.  Maybe
there's a new bug in the OpenSSH implementation?

Hope that helps -- tbird

"I was being patient, but it took too long." - 
                                Anya, "Buffy the Vampire Slayer"

Log Analysis: http://www.counterpane.com/log-analysis.html
VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html

On Thu, 7 Mar 2002, Matt Zimmerman wrote:

> I got these just now, from OpenSSH_3.0.2p1 Debian 1:3.0.2p1-8.  There is no
> user smw on my system, and there never has been.  It doesn't look like there
> was a compromise.  Otherwise, it looks like someone connecting to the wrong
> IP address, but I have not seen this PAM error before.  Has anyone else seen
> this kind of activity?
>
> I am aware of the recent OpenSSH advisory (1:3.0.2p1-8 includes the patch),
> but this doesn't appear to be related, as the activity is before the
> (failed) authentication.
>
> Mar  7 21:50:22 mizar sshd[15396]: PAM pam_set_item: NULL pam handle passed
> Mar  7 21:50:22 mizar sshd[15396]: Failed rsa for illegal user smw from 132.205.121.51 port 64707
> Mar  7 21:50:22 mizar sshd[15396]: Connection closed by 132.205.121.51
> Mar  7 21:50:41 mizar sshd[15397]: PAM pam_set_item: NULL pam handle passed
> Mar  7 21:50:41 mizar sshd[15397]: Failed rsa for illegal user smw from 132.205.121.51 port 64709
> Mar  7 21:50:41 mizar sshd[15397]: Connection closed by 132.205.121.51
> Mar  7 21:52:57 mizar sshd[15399]: PAM pam_set_item: NULL pam handle passed
> Mar  7 21:52:57 mizar sshd[15399]: Failed rsa for illegal user smw from 132.205.121.51 port 64711
> Mar  7 21:53:10 mizar sshd[15399]: Connection closed by 132.205.121.51
>
> -- 
>  - mdz
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com