UsePAM should probably default to yes on Red Hat Linux 7

[elyscape]

From the sshd_config file on a CentOS 7 box:

# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.

As such, it's probably a good idea to default default['ssh']['use_pam'] to true on RedHat 7.

This warning isn't in the CentOS 6 sshd_config file, but there is an article in the Red Hat 6 knowledgebase about not being able to SSH into a system if UsePAM is off and SELinux is on. I don't have an account and can't see the solution, though, so there might be a way to deal with that.

See also dev-sec/puppet-ssh-hardening#53 and dev-sec/ansible-ssh-hardening#23.

[michaelklishin]

I've seen this (the inability to ssh in with use_pam = false) with Debian-based distributions, too.

[chris-rock]

Thanks @elyscape and @michaelklishin We've scheduled RHEL7 support for the next weeks.

@michaelklishin Especially with Ubuntu cloud machines, you normally run into locked accounts: https://github.com/hardening-io/chef-ssh-hardening#faq--pitfalls In such cases, use_pam works around this.

[chris-rock]

@artem-sidorenko FYI

[michaelklishin]

@chris-rock I'm pretty sure my account was not locked. So was a decision made on making this default to true at laest on RHEL7 and Ubuntu/Debian?

[chris-rock]

let me double-check, do you have any documentation that indicates usepam is required on rhel7

[elyscape]

@chris-rock: As mentioned in the issue, the sshd_config file on EL7-based systems contains the following comment above the UsePAM option:

# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.

[chris-rock]

thanks @elyscape Then we should make it default on RHEL7

[artem-sidorenko]

I guess its not only RHEL7 related, I remember some discussion with RH about 3-4 years ago about this flag (and about SUID bits).
I do not know all details any more, but we decided to go with UsePAM no (and with SUID bit removal) as there were no particular technical reasons (at least for our deployments), but only a question about supported configuration by RH.
(As far as I remember the trade off for support cases for ssh or related things was something like we would have to reproduce the issue on the supported config first, and only in this case raise the support case)

[artem-sidorenko]

Probably its a good idea to change the default options to a supported config to avoid any issues in general. In deployments like we have, the users will have to take care about this option and change the defaults. But in my eyes it makes sense to keep the support for UsePAM no and to keep/extend the test cases for both scenarios if possible

[chris-rock]

We could switch to UsePam yes on all RHEL systems to meet the default supported way.

[rndmh3ro]

As per this post.

The workaround mentioned by RedHat is:
The workaround would be to create an additional policy that allow sshd to read password file directly

We could create that policy and add it to selinux, when use_pam is off and selinux is on.
Does this happen on all OS's?

[chris-rock]

Maybe it is a good a approach to implement the idea @rndmh3ro mentioned to keep usePam=no as default for this cookbook version.
@artem-sidorenko @arlimus @atomic111 what do you think about changing the default for usePam to yes on our next major release? I'd like to keep a consistent approach for all OSes.

[artem-sidorenko]

@chris-rock I think its a good approach

• to keep usepam=no and the described selinux idea in this cookbook version
• to go to usepam=yes in the next major version to have consistency, here I would suggest to take the selinux idea and to provide support for usepam=no (to allow transitions and upgrades and not to break it completely)

FYI:
On Monday I'll take a look to our Hardening&RHEL7 eval notes if I find something like this.

CC @larsjuetten as far as I remember you did the quick evaluation of chef-(os/ssh)-hardening on RHEL/Centos 7, can you remember if you got this issue or have any details which might be useful here?

[artem-sidorenko]

...
        :ssh => { :use_pam => true }
....
ssh-use_pam->true ensures, that the users are still able to login.

So, we had exactly this issue as well:)

[chris-rock]

Thanks for the great discussion. Lets make usePam=yes the default version for all implementations. We should bump a major though and add a proper no implementation for RedHat as suggested by @rndmh3ro

[boldandbusted]

👍 :)