Profile Applicability:
• Level 1
Description:
The UsePAM option in the SSH daemon (sshd) configuration enables Pluggable Authentication Modules (PAM) for authentication and account management. Enabling this option allows centralized and flexible authentication management.
Rationale:
Using PAM enhances authentication security by integrating with system-wide policies such as password complexity, account lockout, and two-factor authentication.
Impact:
Pros:
Supports advanced and consistent authentication policies.
Enables integration with various authentication modules.
Cons:
Misconfigured PAM can cause authentication issues.
Default Value:
Often enabled by default on most modern Linux distributions.
Pre-requisites:
Root or sudo privileges to modify SSH daemon configuration.
Remediation:
Test Plan:
Using Linux command line:
Check current UsePAM setting in /etc/ssh/sshd_config:
grep ^UsePAM /etc/ssh/sshd_config
Verify it is set to yes.
Implementation Plan:
Using Linux command line:
Edit /etc/ssh/sshd_config:
vi /etc/ssh/sshd_config
Set UsePAM to yes:
UsePAM yes
Save the file and restart sshd:
systemctl restart sshd
Confirm the setting:
grep ^UsePAM /etc/ssh/sshd_config
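The audit and remediation steps above, as an added shell example that is not part of this benchmark text. It reads and rewrites whatever file path it is given, so it can be exercised on a constructed sample before being pointed at /etc/ssh/sshd_config; the function names (usepam_status, set_usepam_yes, demo) and the sample file contents are the example's own. It goes slightly beyond the plain `grep ^UsePAM` check: sshd keywords are case-insensitive and the first matching directive wins, so the audit follows those rules, and the remediation inserts the directive at the top of the file rather than appending it, because UsePAM is not permitted inside a Match block and an append can land there.

```shell
#!/bin/sh
# Audit and remediate the UsePAM directive in an sshd_config-style file.
# Added example, not part of the benchmark. Assumes the "Keyword value"
# form (whitespace separated) used by sshd_config.

# usepam_status FILE
# Prints the effective value ("yes", "no", or "unset") the way sshd would
# read it: comments and blank lines are ignored, the keyword is matched
# case-insensitively, and the FIRST occurrence wins.
usepam_status() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }                 # comment or blank line
        tolower($1) == "usepam" { print tolower($2); found = 1; exit }  # first match wins
        END { if (!found) print "unset" }                    # compiled-in default applies
    ' "$1"
}

# set_usepam_yes FILE
# Makes "UsePAM yes" the effective setting. The directive is written as the
# first line so it precedes any Include or existing UsePAM line; appending at
# the end is avoided because UsePAM is not allowed inside a Match block.
# Existing UsePAM lines are commented out to avoid confusing later audits.
# Returns 0 on success.
set_usepam_yes() {
    cfg=$1
    tmp=$(mktemp) || return 1
    awk '
        BEGIN { print "UsePAM yes" }
        /^[[:space:]]*#/ { print; next }                     # keep comments as they are
        tolower($1) == "usepam" { print "#" $0 "   # superseded by hardening script"; next }
        { print }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"                 # cat keeps the file's mode/owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# demo
# Runs audit -> remediate -> audit on a constructed sample file and prints
# "before=<value> after=<value>". On a real host you would instead run
#   sshd -t                      (syntax check before restarting)
#   sshd -T | grep -i usepam     (effective value after restart)
demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# Constructed sample sshd_config for demonstration only
Port 22
#UsePAM yes
usepam no
Match User backup
    PasswordAuthentication no
EOF
    before=$(usepam_status "$sample")
    set_usepam_yes "$sample" || { rm -f "$sample"; return 1; }
    after=$(usepam_status "$sample")
    rm -f "$sample"
    echo "before=$before after=$after"
}
```

In the sample, `grep ^UsePAM` would print nothing (the only line starting with "UsePAM" is commented out) even though the effective value is "no"; usepam_status reports "no" before and "yes" after. Note that on Debian and Ubuntu the service unit is named ssh rather than sshd, so the restart step there is `systemctl restart ssh`.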
Backout Plan:
Using Linux command line:
Set UsePAM to no if necessary.
Restart sshd and verify authentication behavior.
References: