highaccess-controlverified ✓rollback-safe
Enable PAM authentication for SSH
ssh-use-pam · RHEL ≥ 8, UBUNTU ≥ 22 · 2 impls
Description
The SSH daemon must use PAM (Pluggable Authentication Modules) for session and authentication processing. PAM provides centralized enforcement of password policies, account lockout, and session controls that are not available through SSH-native authentication alone.
Rationale
Without PAM integration, SSH bypasses system-wide authentication policies including password complexity requirements, account expiration, and login attempt limits. An attacker could exploit weaker SSH-native authentication to circumvent hardened PAM configurations that protect against brute-force and credential-based attacks.
Check → Remediate
Checksshd_effective_config
- key:
- usepam
- expected:
- yes
Remediateconfig_set
- path:
- /etc/ssh/sshd_config
- key:
- UsePAM
- value:
- yes
- separator:
- reload:
- sshd
Framework references
CIS
rhel10 5.1.22rhel8 5.1.24rhel9 5.1.22ubuntu24 5.1.22ubuntu22 5.1.22
STIG
V-257986 / RHEL-09-255050V-270741 / UBTU-24-500050V-260534 / UBTU-22-255065V-281216 / RHEL-10-600640
NIST 800-53
IA-2IA-5(1)
Live verification
rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:checkubuntu26:check
#ssh#authentication#pam