RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1953807 - Incorrect product name in log: 'UsePAM no' is not supported in Fedora and may cause several problems.
Summary: Incorrect product name in log: 'UsePAM no' is not supported in Fedora and may...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssh
Version: 8.3
Hardware: x86_64
OS: Linux
low
low
Target Milestone: beta
: ---
Assignee: Zoltan Fridrich
QA Contact: Marek Havrila
URL:
Whiteboard:
: 2127992 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-04-27 02:01 UTC by Sunny Wu
Modified: 2024-06-14 01:22 UTC (History)
7 users (show)

Fixed In Version: openssh-8.0p1-14.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-08 10:53:35 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CRYPTO-7276 0 None None None 2022-05-19 10:01:50 UTC
Red Hat Product Errata RHBA-2022:7763 0 None None None 2022-11-08 10:53:46 UTC

Description Sunny Wu 2021-04-27 02:01:17 UTC 
Description of problem:
On RHEL8.3, 'UsePAM no' is set in sshd_config
Below message is logged in /var/log/messages

WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.

The product name "RHEL" should be used. Printing "Fedora" in log is confusing.

Version-Release number of selected component (if applicable):
openssh-8.0p1-5.el8.src.rpm

How reproducible:
Always


Steps to Reproduce:
1. 'UsePAM no' is set in sshd_config
2. Restart sshd
3. observe /var/log/messages

Actual results:
"WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."

Expected results:
"WARNING: 'UsePAM no' is not supported in RHEL and may cause several problems."

Additional info:

openssh-8.0p1-5.el8.src.rpm

$ cat openssh-7.8p1-UsePAM-warning.patch 
diff --git a/sshd.c b/sshd.c
--- a/sshd.c
+++ b/sshd.c
@@ -1701,6 +1701,10 @@ main(int ac, char **av)
 	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
 	    cfg, NULL);
 
+	/* 'UsePAM no' is not supported in Fedora */
+	if (! options.use_pam)
+		logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
+
 	/* Fill in default values for those options not explicitly set. */
 	fill_default_server_options(&options);
 
diff --git a/sshd_config b/sshd_config
--- a/sshd_config
+++ b/sshd_config
@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
 UsePAM yes
 
 #AllowAgentForwarding yes
Comment 1 Sunny Wu 2021-04-27 23:19:51 UTC 
On RHEL7.9:

openssh-7.4p1-21.el7.src.rpm

$ cat openssh-6.6p1-log-usepam-no.patch

diff --git a/sshd.c b/sshd.c
index a7b8b6a..24ab272 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1620,6 +1620,10 @@ main(int ac, char **av)
 	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
 	    &cfg, NULL);
 
+	/* 'UsePAM no' is not supported in Red Hat Enterprise Linux */
+	if (! options.use_pam)
+		logit("WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several problems.");
+
 	seed_rng();
 
 	/* Fill in default values for those options not explicitly set. */
diff --git a/sshd_config b/sshd_config
index 36cb27a..c1b7c03 100644
--- a/sshd_config
+++ b/sshd_config
@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# problems.
 UsePAM yes
 
 #AllowAgentForwarding yes
Comment 8 Dmitry Belyavskiy 2022-03-15 16:05:42 UTC 
*** Bug 2064338 has been marked as a duplicate of this bug. ***
Comment 18 errata-xmlrpc 2022-11-08 10:53:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openssh bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7763
Comment 19 Dmitry Belyavskiy 2023-08-03 09:40:14 UTC 
*** Bug 2127992 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.