5.2.22 Ensure sshd UsePAM is enabled

Information

The UsePAM directive enables the Pluggable Authentication Module (PAM) interface. If set to yes, this enables PAM authentication using the ChallengeResponseAuthentication and PasswordAuthentication directives, in addition to PAM account and session module processing for all authentication types.

More information about the OpenSSH server configuration is available in the "Configure SSH Server" section overview.

When UsePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based on IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server.

Solution

Edit the /etc/ssh/sshd_config file to set the UsePAM parameter to yes as follows:

UsePAM yes
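
One way to verify the setting after editing the file, as an added example that is not part of the benchmark or the audit plugin: the script below reports the UsePAM value a configuration file sets globally, honouring sshd's first-value-wins rule and the fact that UsePAM has no effect once a Match block has started. The function names and both sample configurations are constructed for illustration, and Include directives are not followed.

```sh
# Added example: report the global UsePAM value an sshd_config-style file sets.
# Reads the named file(s) or stdin; prints the value, or "unset" if none.
effective_usepam() {
    awk '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }   # tolerate CRLF and indentation
        /^#/ || /^$/ { next }                    # skip comments and blank lines
        {
            if (!match($0, /^[^ \t=]+/)) next
            key = tolower(substr($0, 1, RLENGTH))   # keywords are case-insensitive
            arg = substr($0, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", arg)         # "Key value" or "Key=value"
            sub(/[ \t]+$/, "", arg)
            if (arg ~ /^".*"$/) arg = substr(arg, 2, length(arg) - 2)
            # UsePAM is a global-only keyword, so stop at the first Match block.
            if (key == "match") exit
            # sshd keeps the first value it obtains for a keyword.
            if (key == "usepam") { print arg; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$@"
}

# Succeeds only for an explicit "yes"; unset fails because upstream OpenSSH
# defaults UsePAM to no (assumption: no distribution patch changes that).
usepam_compliant() { [ "$(effective_usepam "$@")" = "yes" ]; }

# Constructed sample: two active UsePAM lines; the first one wins.
sample_first_wins() {
    cat <<'EOF'
Port 22
#UsePAM no
usepam=yes
UsePAM no
EOF
}

# Constructed sample: the only UsePAM line sits after a Match block.
sample_after_match() {
    cat <<'EOF'
PasswordAuthentication no
Match User backup
    X11Forwarding no
UsePAM yes
EOF
}

for s in sample_first_wins sample_after_match; do
    printf '%s: UsePAM=%s\n' "$s" "$("$s" | effective_usepam)"
done
```

On a live host, pass /etc/ssh/sshd_config as the argument to effective_usepam or usepam_compliant. Running sshd -T as root prints the configuration sshd actually resolves, including any included files.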

See Also

https://workbench.cisecurity.org/benchmarks/25279

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|IA-5, 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: ed994ee832bfb17dc55e97140308b18a5221cf4a0fd1d28f0097d6c7dea53e16