5.3.20 Ensure SSH PAM is enabled

Information

UsePAM Enables the Pluggable Authentication Module interface. If set to 'yes' this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types

Rationale:

When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server

Impact:

If UsePAM is enabled, you will not be able to run sshd(5) as a non-root user.

Solution

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

UsePAM yes

Default Value:

usePAM yes

See Also

https://workbench.cisecurity.org/files/3219

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Unix

Control ID: f119ffc27c502ea74020b420ccf31ecf1ef9298b4eb9f11b08b8f9434918e3fe