Home / ubuntu / Questions / 1259848
In Process
Sandu Ursu
Asked: 2020-07-18 04:13:20 +0800 CST

SSH - UsePAM yes or no?

  • 772

After setting up SSH key-based authentication, people are advised to disable SSH password authentication.

This is done by navigating to /etc/ssh/sshd_config and making sure that the following line is not commented out:

PasswordAuthentication no

Some tutorials, e.g.

recommend also setting

UsePAM no

After doing that, I have noticed that I no longer get session notifications from the host. For example when I want to shutdown/reboot it, the terminal hangs and I no longer get:

Connection to 192.168.0.3 closed by remote host.
Connection to 192.168.0.3 closed.

I have read here that one should "probably want to keep it on". Furthermore it may actually help you get safer.

Questions:

  1. How precisely does UsePAM no contribute to security?
  2. Can I somehow still get the session status if I disable UsePAM?
networking server ssh

1 Answers

  1. I copy past the comment in the default confiugration file

    Set this to 'yes' to enable PAM authentication, account processing, and session processing. If this is enabled, PAM authentication will be allowed through the ChallengeResponseAuthentication and PasswordAuthentication. Depending on your PAM configuration, PAM authentication via ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin without-password". If you just want the PAM account and session checks to run without PAM authentication, then enable this but set PasswordAuthentication and ChallengeResponseAuthentication to 'no'.

    for those reason disabling only PasswordAuthentication and ChallengeResponseAuthentication let pam to be setup to handle account and session staff I copy past what those modules type are meant for

    account

    this module type performs non-authentication based account management. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user -- 'root' login only on the console.

    session

    this module type is associated with doing things that need to be done for the user before/after they can be given service. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc.

    you could check the pamd configuration file in etc/pam.conf etc/pam.d/* and doucle check what modules do. Furthermore the connection termination message does not seem to be related to pam configuration... it's sent by sshd specifically in clientloop.c function client_loop

             /*
          * In interactive mode (with pseudo tty) display a message indicating
          * that the connection has been closed.
          */
         if (have_pty && options.log_level != SYSLOG_LEVEL_QUIET) {
                 if ((r = sshbuf_putf(stderr_buffer,
                     "Connection to %.64s closed.\r\n", host)) != 0)
                         fatal("%s: buffer error: %s", __func__, ssh_err(r));
         }

    in my case it prints that message no matter the value of UsePAM.

    • 2