← Rules Catalog
highaccess-controlverified rollback-safe

Enable PAM authentication for SSH

ssh-use-pam · RHEL ≥ 8, UBUNTU ≥ 22 · 2 impls

Description

The SSH daemon must use PAM (Pluggable Authentication Modules) for session and authentication processing. PAM provides centralized enforcement of password policies, account lockout, and session controls that are not available through SSH-native authentication alone.

Rationale

Without PAM integration, SSH bypasses system-wide authentication policies including password complexity requirements, account expiration, and login attempt limits. An attacker could exploit weaker SSH-native authentication to circumvent hardened PAM configurations that protect against brute-force and credential-based attacks.

Check → Remediate

Checksshd_effective_config
key:
usepam
expected:
yes
Remediateconfig_set
path:
/etc/ssh/sshd_config
key:
UsePAM
value:
yes
separator:
reload:
sshd

Framework references

CIS

rhel10 5.1.22rhel8 5.1.24rhel9 5.1.22ubuntu24 5.1.22ubuntu22 5.1.22

STIG

V-257986 / RHEL-09-255050V-270741 / UBTU-24-500050V-260534 / UBTU-22-255065V-281216 / RHEL-10-600640

NIST 800-53

IA-2IA-5(1)

Live verification

rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:checkubuntu26:check
#ssh#authentication#pam