If you use custom pam.d or sshd_config settings, you will need to apply them again after the 10.15.3 Update.
Apple allows us to set multiple custom settings using pam.d configuration files. We can use pam.d configuration files to set different options for sudo, login, su, screensaver & Smart Card.
If you are looking for a good explanation of what pam.d files are, check out this link. https://www.linux.com/news/understanding-pam/
Custom /etc/pam.d Configuration Settings
The following are a few examples of what you would set in the pam.d configuration files.
- /etc/pam.d/screensaver = Set the screensaver window to allow the local admin to get past the Mobile Account password lock.
- /etc/pam.d/sudo = Enable smart card-only for the sudo command.
- /etc/pam.d/sudo = Enable Touch ID for the sudo command.
- /etc/pam.d/su = Enable smart card-only for the su command.
- /etc/pam.d/login = Enable smart card-only for the login command.
Custom /etc/ssh/sshd_config Settings
The same goes for the /etc/ssh/sshd_config file. This file can be used to set custom ssh settings.
- Set SSH Banner File (so ssh users see a banner warning message)
- SSH HostKey Settings
- SSH Logging
- SSH Authentication
- Kerberos Options
- PAM Authentication
In comes the Catalina 10.15.3 Update, only to revert everything!
I started noticing reports of pam.d and sshd_config settings getting reverted back about a day after the 10.15.3 update went live.
For those who’ve modified /etc/pam.d/sudo to enable Touch ID for sudo auth, looks like 10.15.3 reverted this to stock.
MacAdmins user markcohen – 01/30/20
Other MacAdmins started to check and confirmed the same thing. Some of the specific settings revolved around Smart Card controls. Apple explains the Smart Card settings in the document below.
https://support.apple.com/en-us/HT208372
Allen Golbig then noted that the same thing happened to the /etc/ssh/sshd_config file!
Is it normal for /etc/ssh/sshd_config to revert during point updates?
MacAdmins user golby – 01/31/20
The test and verification
When reporting issues like this, it’s important to verify the problem as much as possible. For this test, I built out a fresh copy of 10.15.2. I then edited the following files.
/etc/pam.d/su
/etc/pam.d/sudo
/etc/pam.d/login
/etc/pam.d/screensaver
/etc/ssh/sshd_config
I modified the files using pico and set some of the Apple recommended settings. I noted the modification date of all the files and tested to make sure the modifications worked.
I then used softwareupdate to install the 10.15.3 update.
Results
Sure enough, after the 10.15.3 update was finished, I checked the files and all 5 of them were reset back to the original modification date of Nov 9 2019 at 4:xx AM.
This problem may not be “New”
I noted in my previous article that some of the pam.d files were reverted back to stock on Twitter. A few users noted that this issue is not new and has happened in previous updates. I can’t verify if this is true right now but would like to hear from you if you noticed this.
I hope Apple will fix the update process so it will not revert our custom settings.
If you have noticed other custom settings that were reverted by the latest Catalina update, let me know below!
This is by design.
I use etckeeper/git to easily restore the settings.
Spoiler alert:
Still busted in 11.3 beta 2
The sshd_config reversion has been going on as long as I can remember.
Joe, thanks for the confirmation. We need to let Apple know about this so they can fix it in 10.15.4!
Spoiler alert, they won’t fix it.
Hi,
Still the same problem on 10.15.5