26

I'm setting up key based authentication for SSH on a new box, and was reading a few articles that mention setting UsePAM to no along with PasswordAuthentication.

My question is, what is the purpose of setting UsePAM to no if you already have PasswordAuthentication and ChallengeResponseAuthentication set to no?

tacotuesday
  • 1,389
  • 1
  • 16
  • 27
  • 1
    Hope this helps answer your question -- http://mail-index.netbsd.org/tech-security/2009/01/04/msg000153.html – Chida Aug 17 '12 at 18:19

1 Answers1

18

I think that people who recommend disabling UsePAM may not understand completely the services provided by the PAM stack. In addition to authentication, PAM also provides session setup services that you may not want to bypass.

Examples include setting resource limits (via pam_limit), environment variables, and mounting directories.

If it makes you more comfortable you can modify the PAM configuration for sshd such that it does not support password authentication of any sort. Assuming that you have an existing /etc/pam.d/sshd, just remove the existing auth lines and replace them with:

auth required pam_deny.so
larsks
  • 43,623
  • 14
  • 121
  • 180
  • 3
    That is a very subjective answer. It is likely there more for backwards compatibility for specific use cases such as a different authentication module which sshd uses. Yes PAM is the way to go and is designed to be very flexible, but the OP asked why would you not use it, not a description of how to use PAM. – Red Tux Aug 17 '12 at 19:10
  • 6
    That many environments rely on the session setup provided by `PAM` for proper operation is an objective fact, not an opinion. That the OP may want to use `PAM` is, indeed, my opinion. My name is Lars and I approve of this message. – larsks Aug 17 '12 at 19:14
  • 4
    I set "UsePAM no" at sshd cfg and all I needed is still working, any tip on what is it that could be so important or useful that would require PAM? – Aquarius Power Sep 06 '16 at 20:47
  • Could you please elaborate in your answer on how PAM is different from regular PasswordAuthentication? So with PasswordAuthentication the user needs to provide a plaintext password to ssh into the server, but with PAM it's the same story? I couldn't find an answer to "what would be the purpose behind disabling PAM" from this answer – walnut_salami Jan 31 '21 at 11:16