Merge pull request #18 from bkw/reenablePam

Patrick Meier · Patrick Meier · commit 5ec76f47594d · 2014-06-16T14:25:35.000+02:00
passwordless users not able to log in
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -47,3 +47,4 @@
 default['ssh']['allow_root_with_key']     = false   # sshd
 default['ssh']['allow_tcp_forwarding']    = false   # sshd
 default['ssh']['allow_agent_forwarding']  = false   # sshd
+default['ssh']['use_pam']                 = false   # sshd
diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
@@ -102,8 +102,9 @@ IgnoreUserKnownHosts yes
 RhostsRSAAuthentication no
 HostbasedAuthentication no
 
+# Enable PAM to enforce system wide rules
+UsePAM <%= ((@node['ssh']['use_pam']) ? "yes" : "no" ) %>
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
-UsePAM no
 PasswordAuthentication no
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
