Skip to content
This repository has been archived by the owner on Dec 26, 2020. It is now read-only.

UsePAM should probably default to yes on Red Hat Linux 7 #23

Closed
elyscape opened this issue Jul 26, 2015 · 2 comments
Closed

UsePAM should probably default to yes on Red Hat Linux 7 #23

elyscape opened this issue Jul 26, 2015 · 2 comments

Comments

@elyscape
Copy link

From the sshd_config file on a CentOS 7 box:

# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.

As such, it's probably a good idea to default ssh_use_pam to true on RedHat 7.

This warning isn't in the CentOS 6 sshd_config file, but there is an article in the Red Hat 6 knowledgebase about not being able to SSH into a system if UsePAM is off and SELinux is on. I don't have an account and can't see the solution, though, so there might be a way to deal with that.

See also dev-sec/puppet-ssh-hardening#53 and dev-sec/chef-ssh-hardening#96.
This was referenced Jul 26, 2015
Open
Closed
@rndmh3ro
Copy link
Member

rndmh3ro commented Aug 8, 2015

The workaround mentioned by RedHat is:
The workaround would be to create an additional policy that allow sshd to read password file directly

We could create that policy and add it to selinux, when use_pam is off and selinux is on.
Does this happen on all OS's?

@chris-rock What do you think?
Sounds like a good alternative.

@rndmh3ro
Copy link
Member

rndmh3ro commented Aug 9, 2015

As per dev-sec/chef-ssh-hardening#96:

  • to keep usepam=no and the described selinux idea in this cookbook version
  • to go to usepam=yes in the next major version to have consistency, here I would suggest to take the selinux idea and to provide support for usepam=no (to allow transitions and upgrades and not to break it completely)

chris-rock added a commit that referenced this issue Sep 22, 2015
@chris-rock
Merge pull request #35 from hardening-io/pam_selinux
9a3af69 
Support for selinux and pam. fix #23
artem-sidorenko added a commit to artem-forks/ssh-baseline that referenced this issue Dec 23, 2016
@artem-sidorenko
Verify the challenge response but not PAM
3e62691 
as PAM should be enabled per default on the most distros:
 - dev-sec/chef-ssh-hardening#96
 - dev-sec/ansible-ssh-hardening#23
 - dev-sec/puppet-ssh-hardening#53
@artem-sidorenko artem-sidorenko mentioned this issue Dec 23, 2016
Merged
artem-sidorenko added a commit to artem-forks/ssh-baseline that referenced this issue Dec 23, 2016
@artem-sidorenko
Do not enforce the PAM deactivation
2aca91c 
as PAM should be enabled per default on the most distros:
 - dev-sec/chef-ssh-hardening#96
 - dev-sec/ansible-ssh-hardening#23
 - dev-sec/puppet-ssh-hardening#53
artem-sidorenko added a commit to artem-forks/ssh-baseline that referenced this issue Dec 23, 2016
@artem-sidorenko
Do not enforce the PAM deactivation
ade231a 
as PAM should be enabled per default on the most distros:

- dev-sec/chef-ssh-hardening#96
- dev-sec/ansible-ssh-hardening#23
- dev-sec/puppet-ssh-hardening#53
@rndmh3ro rndmh3ro mentioned this issue Aug 31, 2019
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@elyscape @rndmh3ro