
What is PAM and why does AWS enable it by default?

Writer Sophia Terry

I only want to connect to my EC2 instance using SSH, but my sshd_config has UsePAM yes. What is this and will I get locked out of my instance if I set it to no?

Also, I set a cron job to check if my ZNC bouncer is up and my /var/log/auth.log is full of these:

CRON[5216]: pam_unix(cron:session): session closed for user znc-admin

As you can see there's a pam_unix thing which relates back to my first question.


1 Answer

PAM is the Pluggable Authentication Modules.

It is an authentication backend that handles authentication for applications on a system. As the name says, it's pluggable. You can have multiple plugs providing authentication from different sources. A common source is /etc/passwd and /etc/shadow in combination. Others can be LDAP, Kerberos, NIS, or fingerprint readers.

In short, it provides a consistent interface for applications, such as login and ssh, to authenticate against.

It consists of four parts:

  1. Accounts - keeping track of usernames.
  2. Authentication - checking passwords (or fingerprints.. or ...)
  3. Session management - actions to be performed on starting and ending a session, like accounting.
  4. Password updating - updating passwords, and also enforcing password standards.

If we have a look at man sshd_config we can read the following:

UsePAM
Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.

Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable either PasswordAuthentication or ChallengeResponseAuthentication.

If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user. The default is “no”.

You can set it to no if you do not want to use PAM. On a single standalone instance there's no big reason to use PAM - you typically only have one authentication source anyway (/etc/passwd / /etc/shadow). On the other hand, there's no big reason to change it either in this environment.

What you see in your log is part of the session modules: it logs users authenticated - in this case because a script was run as this user. This is normal, and not something to worry about, or even care about.

Edit: as the user was brutally made aware - do not set it to no unless you either have public key authentication working, or enable other password authentication schemes. With ssh, it's also possible to change the config, restart ssh, and try to log in before logging out from the current shell. This way you can revert if you're locked out.

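The lockout caveat in the answer comes down to which authentication methods remain once UsePAM is turned off, and the man page excerpt adds that with PAM enabled one of PasswordAuthentication or ChallengeResponseAuthentication should be disabled. The following is an added example (not code from the question, the answer, or OpenSSH itself) that reads an sshd_config, applies sshd's own rules for resolving directives (case-insensitive keywords, first occurrence wins, "#" comments, "Key value" or "Key=value"), and reports the combinations the man page and the answer warn about. Assumptions: only the global section is checked (parsing stops at the first Match block), the defaults table holds upstream OpenSSH defaults as stated in the quoted man page (UsePAM defaults to "no" upstream; distributions commonly ship "yes"), and the sample configs are constructed for the example.

```python
import re

# Upstream OpenSSH defaults for the directives the quoted man page text mentions.
# UsePAM is "no" upstream (as the man page says); most distributions ship "yes".
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# OpenSSH 8.7 renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication;
# treat the new name as the same setting so either spelling is recognised.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_sshd_config(text):
    """Return the effective values of the directives listed in DEFAULTS.

    Mirrors sshd_config(5) resolution: keywords are case-insensitive, the first
    occurrence of a directive wins, '#' starts a comment, and both "Key value"
    and "Key=value" are accepted. Assumption for this example: only the global
    section matters, so parsing stops at the first Match block.
    """
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if key in effective and key not in seen and len(parts) == 2:
            effective[key] = parts[1].strip().lower()
            seen.add(key)
    return effective


def lockout_risks(cfg):
    """Warnings derived from the quoted sshd_config(5) text and the answer's caveat."""
    pam, pw, cr, pk = (cfg[k] for k in ("usepam", "passwordauthentication",
                                         "challengeresponseauthentication",
                                         "pubkeyauthentication"))
    warnings = []
    if pam == "yes" and pw == "yes" and cr == "yes":
        warnings.append("REDUNDANT: with UsePAM yes, PasswordAuthentication and "
                        "ChallengeResponseAuthentication are both on; the man page "
                        "says to disable one of them")
    if pam == "no":
        if pk == "no" and pw == "no":
            warnings.append("LOCKOUT: UsePAM no, PubkeyAuthentication no and "
                            "PasswordAuthentication no leave no way to log in")
        elif pk == "no":
            warnings.append("CAUTION: UsePAM no with PubkeyAuthentication no: a password "
                            "is the only method left; make sure the account has one set")
        else:
            warnings.append("CAUTION: UsePAM no: confirm public key login works in a "
                            "second session before closing the current one")
    return warnings


def check(text):
    return lockout_risks(parse_sshd_config(text))


# Constructed sample configs (not from any real host).
RISKY_CONFIG = """\
# PAM off and every other door closed too
UsePAM no
PasswordAuthentication no
PubkeyAuthentication no
"""

EC2_STYLE_CONFIG = """\
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("ec2-style", EC2_STYLE_CONFIG)):
        print(name, check(cfg) or ["ok"])
```

Run it against a copy of /etc/ssh/sshd_config before restarting sshd, and keep the current session open while testing the new login, as the answer suggests; `sshd -t` on the host still does the syntax check this script does not attempt.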
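The log lines in the question are PAM session records, as the answer says, and the useful skill is telling that benign noise apart from the pam_unix lines that do matter, such as sshd authentication failures. The following is an added example (not code from the question or the answer) that parses auth.log lines of the form `PROC[PID]: pam_unix(service:type): message`, with or without the usual syslog prefix, and sorts them into cron session noise, authentication failures (grouped by the reported rhost), and everything else. The sample log lines are constructed for the example; the message formats follow the line quoted in the question and pam_unix's standard "authentication failure; ... rhost=... user=..." layout.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Matches e.g.
#   Mar  3 10:15:01 ip-10-0-0-12 CRON[5216]: pam_unix(cron:session): session closed for user znc-admin
# and the same line without the "Mon DD HH:MM:SS host " syslog prefix, as quoted in the question.
PAM_LINE = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) )?"
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<service>[\w.-]+):(?P<type>account|auth|session|password)\): "
    r"(?P<msg>.*)$"
)

RHOST = re.compile(r"\brhost=(\S*)")


@dataclass
class PamEvent:
    proc: str      # logging process, e.g. CRON or sshd
    pid: int
    module: str    # PAM module that wrote the line, e.g. pam_unix
    service: str   # PAM service name, e.g. cron or sshd
    type: str      # one of the four PAM management groups: account/auth/session/password
    msg: str


def parse_pam_line(line: str) -> Optional[PamEvent]:
    """Return a PamEvent for a pam_* log line, or None for any other line."""
    m = PAM_LINE.match(line.strip())
    if not m:
        return None
    return PamEvent(m["proc"], int(m["pid"]), m["module"], m["service"], m["type"], m["msg"])


def is_cron_session_noise(ev: PamEvent) -> bool:
    """The lines the question asks about: cron opening/closing a session for a user."""
    return (ev.service == "cron" and ev.type == "session"
            and ev.msg.startswith(("session opened", "session closed")))


def is_auth_failure(ev: PamEvent) -> bool:
    return ev.type == "auth" and "authentication failure" in ev.msg


def rhost_of(ev: PamEvent) -> str:
    m = RHOST.search(ev.msg)
    return m.group(1) if m and m.group(1) else "unknown"


def triage(lines):
    """Split PAM log lines into cron noise, auth failures and the rest."""
    result = {"cron_noise": [], "auth_failures": [], "other": [],
              "failures_by_rhost": Counter()}
    for line in lines:
        ev = parse_pam_line(line)
        if ev is None:
            continue  # not a PAM line (e.g. sshd's own "Accepted publickey" message)
        if is_cron_session_noise(ev):
            result["cron_noise"].append(ev)
        elif is_auth_failure(ev):
            result["auth_failures"].append(ev)
            result["failures_by_rhost"][rhost_of(ev)] += 1
        else:
            result["other"].append(ev)
    return result


# Constructed sample auth.log excerpt (hostnames, PIDs and addresses are made up).
SAMPLE_LOG = """\
Mar  3 10:15:01 ip-10-0-0-12 CRON[5216]: pam_unix(cron:session): session opened for user znc-admin by (uid=0)
Mar  3 10:15:01 ip-10-0-0-12 CRON[5216]: pam_unix(cron:session): session closed for user znc-admin
Mar  3 10:16:22 ip-10-0-0-12 sshd[5301]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Mar  3 10:17:05 ip-10-0-0-12 sshd[5340]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Mar  3 10:17:30 ip-10-0-0-12 sshd[5340]: pam_unix(sshd:auth): check pass; user unknown
Mar  3 10:20:00 ip-10-0-0-12 sshd[5360]: Accepted publickey for ubuntu from 203.0.113.9 port 50222 ssh2
"""

if __name__ == "__main__":
    r = triage(SAMPLE_LOG.splitlines())
    print(f"cron noise: {len(r['cron_noise'])}, auth failures: {len(r['auth_failures'])}, "
          f"other PAM lines: {len(r['other'])}")
    for host, n in r["failures_by_rhost"].most_common():
        print(f"  failures from {host}: {n}")
```

Feeding the real file in (`triage(open('/var/log/auth.log'))`) leaves the cron session churn out of the picture and surfaces the sshd:auth failures, which is what is worth watching on an internet-facing instance.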