{"description": "UsePAM Enables the Pluggable Authentication Module interface. If set to \u201cyes\u201d this will\nenable PAM authentication using ChallengeResponseAuthentication and\nPasswordAuthentication in addition to PAM account and session module processing for all\nauthentication types.\n\nTo enable PAM authentication, add or correct the following line in\n\n\n<tt>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</tt>:\n\n<pre>UsePAM yes</pre>", "rationale": "When UsePAM is set to yes, PAM runs through account and session types properly. This is\nimportant if you want to restrict access to services based off of IP, time or other factors of\nthe account. Additionally, you can make sure users inherit certain environment variables\non login or disallow access to the server.", "severity": "medium", "references": {"srg": ["SRG-OS-000125-GPOS-00065"], "cis": ["5.1.22"], "pcidss4": ["2.2.6", "2.2"], "stigid": ["UBTU-22-255065"], "stigref": ["SV-260534r958510_rule"]}, "control_references": {"cis": ["5.1.22"], "pcidss4": ["2.2.6", "2.2"], "stigid": ["UBTU-22-255065"]}, "components": [], "identifiers": {}, "ocil_clause": "the required value is not set", "ocil": "To determine how the SSH daemon's <tt>UsePAM</tt> option is set, run the following command:\n\n<pre>$ sudo grep -i UsePAM /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</pre>\n\n\nIf a line indicating <tt>yes</tt> is returned, then the required value is set.\n", "oval_external_content": null, "fixtext": "To configure the system add or modify the following line in \"/etc/ssh/sshd_config\".\n\nUsePAM yes\n\nRestart the SSH daemon for the settings to take effect:\n\n$ sudo systemctl restart sshd.service", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must enable the Pluggable Authentication Module (PAM) interface for SSHD.", "vuldiscussion": "When UsePAM is set to \"yes\", PAM runs through account and session types properly. This is important when restricted access to services based off of IP, time, or other factors of the account is needed. Additionally, this ensures users can inherit certain environment variables on login or disallow access to the server.", "checktext": "Verify the Ubuntu 22.04 SSHD is configured to allow for the UsePAM interface with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*usepam'\n\nUsePAM yes\n\nIf the \"UsePAM\" keyword is set to \"no\", is missing, or is commented out, this is a finding.", "fixtext": "Configure the Ubuntu 22.04 SSHD to use the UsePAM interface by adding or modifying the following line in \"/etc/ssh/sshd_config\" or in a file in \"/etc/ssh/sshd_config.d\".\n\nUsePAM yes\n\nRestart the SSH daemon for the settings to take effect:\n\n$ sudo systemctl restart sshd.service"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable PAM", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "UsePAM", "value": "yes", "datatype": "string"}, "backends": {}}}