5.1.19 Ensure SSH PAM is enabled

Information

UsePAM Enables the Pluggable Authentication Module interface. If set to "yes" this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types

When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server

Solution

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

UsePAM yes

Impact:

If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user.

See Also

https://workbench.cisecurity.org/benchmarks/12218