CCE-95700-1| Platform: cpe:/o:debian:debian_linux:11.x, cpe:/o:ubuntu:ubuntu_linux:16.04, cpe:/o:ubuntu:ubuntu_linux:18.04, cpe:/o:ubuntu:ubuntu_linux:20.04, cpe:/o:ubuntu:ubuntu_linux:22.04, cpe:/o:ubuntu:ubuntu_linux:23.04 | Date: (C)2021-06-15 (M)2023-09-01 |
UsePAM Enables the Pluggable Authentication Module interface. If set to yes this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.
Rationale:
When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server
Fix:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
UsePAM yes
Parameter:
[yes/no]
Technical Mechanism:
Edit /etc/ssh/sshd_config file to set the parameter as follows UsePAM yes
| CCSS Severity: | CCSS Metrics: |
| CCSS Score : 8.1 | Attack Vector: NETWORK |
| Exploit Score: 2.2 | Attack Complexity: HIGH |
| Impact Score: 5.9 | Privileges Required: NONE |
| Severity: HIGH | User Interaction: NONE |
| Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| | Confidentiality: HIGH |
| | Integrity: HIGH |
| | Availability: HIGH |
| | |
References: | Resource Id | Reference |
|---|
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:69554 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:70835 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:87418 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:85277 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:70731 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:92251 |
