What's the downside of disabling PAM in OpenSSH if only public-key login is allowed?

/etc/ssh/sshd_config by default has the following line

UsePAM yes

I read through available documentation and came to the conclusion that PAM is not used if I only use public-key login. What possible negative consequences could there be if I disable PAM? e.g.

UsePAM no

Solution 1:

PAM does not just do authentication, but authorisation and session services. You probably want to keep it on as it adds quite a bit of flexibility.

PAM will be called for a successful pubkey authentication, because session and account services are still checked.

PAM can do things SSH cannot. This list is not exhaustive:

  • Deny a user access if SELinux is not in enforcing mode (if that's your thing).
  • Set resource limits like max processes and max logins allowed.
  • Flexibly deny a user based on their user and remote source IP (possible in SSH too, but is pretty terse in PAM).
  • Set up a series of environment variables you may want to pass.
  • Create a home directory for a user if it did not exist.
  • Deny users based on the time/date of their access attempt.
  • Deny inactive users.
  • Deny users using an invalid shell.
  • Set up key logging facilities of input.
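An added example (not part of the answer above) of what the account and session stacks can do for a public-key login. It is written in Linux-PAM syntax and assumes the service file is /etc/pam.d/sshd; the group name "ops", the subnet 203.0.113.0/24 and the variable values are hypothetical. The point is that with "UsePAM yes" sshd still runs the account and session stacks after a key is accepted, so every rule here applies even though no password is ever checked; with "UsePAM no" none of it runs.

```text
# /etc/pam.d/sshd  (added example, Linux-PAM syntax; not from the answer above)
#
# After a successful public-key authentication sshd runs the "account"
# stack, and when the login session is created it runs the "session"
# stack. The "auth" stack is not consulted for key logins, so all the
# policy below deliberately lives in account or session.

# ---- account: may this user log in at all? ----
account  required  pam_unix.so      # expired / inactive accounts from /etc/shadow
account  required  pam_shells.so    # deny users whose login shell is not listed in /etc/shells
account  required  pam_access.so    # user + source-address rules, /etc/security/access.conf
account  required  pam_time.so      # day/time rules, /etc/security/time.conf

# ---- session: what does the login environment look like? ----
session  required  pam_limits.so    # per-user limits, /etc/security/limits.conf
session  required  pam_mkhomedir.so skel=/etc/skel umask=0077   # create $HOME on first login
session  required  pam_env.so       # environment variables, /etc/security/pam_env.conf
session  required  pam_tty_audit.so disable=* enable=root       # kernel TTY keystroke audit for root

# /etc/security/access.conf   (permission : users : origins), first match wins
# Hypothetical policy: group "ops" may log in from one management subnet,
# everybody else is denied. pam_access uses PAM_RHOST, which sshd sets to
# the client address.
+ : ops : 203.0.113.0/24
- : ALL : ALL

# /etc/security/time.conf   (services;ttys;users;times)
# Hypothetical policy: everyone except root only on weekdays, 08:00-18:00.
sshd;*;!root;Wk0800-1800

# /etc/security/limits.conf   (<domain> <type> <item> <value>)
# Hypothetical limits for the "ops" group; "-" sets both soft and hard.
@ops  hard  nproc      500
@ops  -     maxlogins  3

# /etc/security/pam_env.conf   (VARIABLE [DEFAULT=value] [OVERRIDE=value])
EDITOR  DEFAULT=vim
LANG    DEFAULT=C.UTF-8
```

On a real system you would add the module lines to the distribution's existing /etc/pam.d/sshd (Debian-style files pull in common-account and common-session via @include) rather than replace the file wholesale. A mistake in the account stack locks out every user, including key holders, so keep an existing session open while testing, and confirm what sshd actually has in effect with `sshd -T | grep -i usepam` rather than reading the config file by eye.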