Enable PAM

Classification:

compliance

Framework:

Control:

Description

UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.

To enable PAM authentication, add or correct the following line in

/etc/ssh/sshd_config:

UsePAM yes

Rationale

When UsePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd\_config" ] ; then
 
 LC\_ALL=C sed -i "/^\s\*UsePAM\s\+/Id" "/etc/ssh/sshd\_config"
else
 touch "/etc/ssh/sshd\_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd\_config"

cp "/etc/ssh/sshd\_config" "/etc/ssh/sshd\_config.bak"
# Insert before the line matching the regex '^Match'.
line\_number="$(LC\_ALL=C grep -n "^Match" "/etc/ssh/sshd\_config.bak" | LC\_ALL=C sed 's/:.\*//g')"
if [ -z "$line\_number" ]; then
 # There was no match of '^Match', insert at
 # the end of the file.
 printf '%s\n' "UsePAM yes" >> "/etc/ssh/sshd\_config"
else
 head -n "$(( line\_number - 1 ))" "/etc/ssh/sshd\_config.bak" > "/etc/ssh/sshd\_config"
 printf '%s\n' "UsePAM yes" >> "/etc/ssh/sshd\_config"
 tail -n "+$(( line\_number ))" "/etc/ssh/sshd\_config.bak" >> "/etc/ssh/sshd\_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd\_config.bak"

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Enable PAM
 block:

 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd\_config
 create: false
 regexp: (?i)^\s\*UsePAM\s+
 state: absent
 check\_mode: true
 changed\_when: false
 register: dupes

 - name: Deduplicate values from /etc/ssh/sshd\_config
 lineinfile:
 path: /etc/ssh/sshd\_config
 create: false
 regexp: (?i)^\s\*UsePAM\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1

 - name: Insert correct line to /etc/ssh/sshd\_config
 lineinfile:
 path: /etc/ssh/sshd\_config
 create: true
 regexp: (?i)^\s\*UsePAM\s+
 line: UsePAM yes
 state: present
 insertbefore: ^[#\s]\*Match
 validate: /usr/sbin/sshd -t -f %s
 when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - DISA-STIG-UBTU-20-010035
 - PCI-DSSv4-2.2.4
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed
 - restrict\_strategy
 - sshd\_enable\_pam