←back to thread

66 points todsacerdoti | 2 comments | | HN request time: 0.408s | source
1. kelnos ◴[] No.41910509[source]
I would have appreciated the rationale behind setting 'UsePAM' to 'no'. I assume it's because, with password auth disabled, it's not necessary, and better to disable something that you don't need that would otherwise add to the attack surface?
replies(1): >>41915935 #
2. LinuxBender ◴[] No.41915935[source]
They are probably just trying to avoid PAM mistakes which are common when people hand edit pam modules.

For completeness sake if someone is using SELinux Enforcing mode then UsePam will likely need to be Yes to avoid breaking sshd mandatory access rules.