Matt --

I poked around on Google a bit, and found this:

http://archives.neohapsis.com/archives/pam-list/2001-04/0111.html says

Ian Macdonald wrote:
>
> I have a couple of boxes here that I've configured to allow ssh
> log-ins over LDAP.
>
> They seem to be identically configured to other boxes that work fine,
> yet when a user tries to log in, the following error is logged:
>
> Apr 19 15:46:21 irc1sj sshd[7466]: PAM pam_set_item: NULL pam handle passed
> Apr 19 15:46:21 irc1sj sshd[7466]: Failed password for illegal user shelby from 10.160.71.254 port 1016
>
>

From: Andrew Morgan (morganat_private)
Date: Fri Apr 20 2001 - 16:26:08 CDT

This is an internal error from libpam. It means something did this:

    pam_set_item(NULL, PAM_<something>, item);

The error is that the first argument is NULL. It should have been a
non-NULL pam_handle_t object. Buggy code - application or module I guess.

--------------------------

I looked through a few more of the Google hits. They all showed
programming errors and no evidence of malicious behavior, so barring any
other information, I suspect this is more of the same. Maybe there's a
new bug in the OpenSSH implementation?

Hope that helps -- tbird

"I was being patient, but it took too long." - Anya, "Buffy the Vampire Slayer"

Log Analysis: http://www.counterpane.com/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

On Thu, 7 Mar 2002, Matt Zimmerman wrote:

> I got these just now, from OpenSSH_3.0.2p1 Debian 1:3.0.2p1-8. There is no
> user smw on my system, and there never has been. It doesn't look like there
> was a compromise. Otherwise, it looks like someone connecting to the wrong
> IP address, but I have not seen this PAM error before. Has anyone else seen
> this kind of activity?
>
> I am aware of the recent OpenSSH advisory (1:3.0.2p1-8 includes the patch),
> but this doesn't appear to be related, as the activity is before the
> (failed) authentication.
>
> Mar 7 21:50:22 mizar sshd[15396]: PAM pam_set_item: NULL pam handle passed
> Mar 7 21:50:22 mizar sshd[15396]: Failed rsa for illegal user smw from 132.205.121.51 port 64707
> Mar 7 21:50:22 mizar sshd[15396]: Connection closed by 132.205.121.51
> Mar 7 21:50:41 mizar sshd[15397]: PAM pam_set_item: NULL pam handle passed
> Mar 7 21:50:41 mizar sshd[15397]: Failed rsa for illegal user smw from 132.205.121.51 port 64709
> Mar 7 21:50:41 mizar sshd[15397]: Connection closed by 132.205.121.51
> Mar 7 21:52:57 mizar sshd[15399]: PAM pam_set_item: NULL pam handle passed
> Mar 7 21:52:57 mizar sshd[15399]: Failed rsa for illegal user smw from 132.205.121.51 port 64711
> Mar 7 21:53:10 mizar sshd[15399]: Connection closed by 132.205.121.51
>
> --
> - mdz
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sun Mar 10 2002 - 16:52:37 PST
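
The following is an added example, not part of the thread and not code from any poster or from OpenSSH. It groups sshd syslog lines by host and PID and reports whether each "NULL pam handle passed" message is paired with a "Failed ... for illegal user" line in the same sshd process, which is the pattern in both log excerpts quoted above. The function name `triage`, the "paired"/"unpaired" labels, and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines are copied from the log excerpt
# in the thread; the last two are invented to show an unpaired occurrence.
SAMPLE = """\
Mar 7 21:50:22 mizar sshd[15396]: PAM pam_set_item: NULL pam handle passed
Mar 7 21:50:22 mizar sshd[15396]: Failed rsa for illegal user smw from 132.205.121.51 port 64707
Mar 7 21:50:22 mizar sshd[15396]: Connection closed by 132.205.121.51
Mar 7 22:01:05 mizar sshd[15500]: PAM pam_set_item: NULL pam handle passed
Mar 7 22:01:06 mizar sshd[15500]: Connection closed by 192.0.2.10
"""

# Classic syslog prefix: "Mon D HH:MM:SS host sshd[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
NULL_HANDLE = "PAM pam_set_item: NULL pam handle passed"
ILLEGAL = re.compile(r"^Failed (?P<method>\S+) for illegal user (?P<user>\S+) "
                     r"from (?P<ip>\S+) port \d+")

def triage(text):
    """Classify every sshd process that logged the NULL-handle PAM error.

    Assumption: one (host, pid) pair is one connection; PID reuse across a
    long log file is not handled here.
    """
    sessions = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            sessions[(m["host"], m["pid"])].append(m["msg"])

    findings = []
    for (host, pid), msgs in sessions.items():
        if NULL_HANDLE not in msgs:
            continue
        hit = next((h for h in map(ILLEGAL.match, msgs) if h), None)
        if hit:
            # Same pattern as the thread: error plus a failed login for an unknown user.
            findings.append({"host": host, "pid": pid, "status": "paired",
                             "user": hit["user"], "ip": hit["ip"], "method": hit["method"]})
        else:
            # Error with no illegal-user failure in that process: review by hand.
            findings.append({"host": host, "pid": pid, "status": "unpaired"})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
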