Description of problem: On RHEL8.3, 'UsePAM no' is set in sshd_config Below message is logged in /var/log/messages WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems. The product name "RHEL" should be used. Printing "Fedora" in log is confusing. Version-Release number of selected component (if applicable): openssh-8.0p1-5.el8.src.rpm How reproducible: Always Steps to Reproduce: 1. 'UsePAM no' is set in sshd_config 2. Restart sshd 3. observe /var/log/messages Actual results: "WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems." Expected results: "WARNING: 'UsePAM no' is not supported in RHEL and may cause several problems." Additional info: openssh-8.0p1-5.el8.src.rpm $ cat openssh-7.8p1-UsePAM-warning.patch diff --git a/sshd.c b/sshd.c --- a/sshd.c +++ b/sshd.c @@ -1701,6 +1701,10 @@ main(int ac, char **av) parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, cfg, NULL); + /* 'UsePAM no' is not supported in Fedora */ + if (! options.use_pam) + logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."); + /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); diff --git a/sshd_config b/sshd_config --- a/sshd_config +++ b/sshd_config @@ -101,6 +101,8 @@ GSSAPICleanupCredentials no # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several +# problems. UsePAM yes #AllowAgentForwarding yes
On RHEL7.9: openssh-7.4p1-21.el7.src.rpm $ cat openssh-6.6p1-log-usepam-no.patch diff --git a/sshd.c b/sshd.c index a7b8b6a..24ab272 100644 --- a/sshd.c +++ b/sshd.c @@ -1620,6 +1620,10 @@ main(int ac, char **av) parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, &cfg, NULL); + /* 'UsePAM no' is not supported in Red Hat Enterprise Linux */ + if (! options.use_pam) + logit("WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several problems."); + seed_rng(); /* Fill in default values for those options not explicitly set. */ diff --git a/sshd_config b/sshd_config index 36cb27a..c1b7c03 100644 --- a/sshd_config +++ b/sshd_config @@ -101,6 +101,8 @@ GSSAPICleanupCredentials no # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. +# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several +# problems. UsePAM yes #AllowAgentForwarding yes
*** Bug 2064338 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (openssh bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:7763
*** Bug 2127992 has been marked as a duplicate of this bug. ***