UsePAM should probably default to yes on Red Hat Linux 7

[elyscape]

From the sshd_config file on a CentOS 7 box:

# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.

As such, it's probably a good idea to default UsePAM to true on RedHat 7.

This warning isn't in the CentOS 6 sshd_config file, but there is an article in the Red Hat 6 knowledgebase about not being able to SSH into a system if UsePAM is off and SELinux is on. I don't have an account and can't see the solution, though, so there might be a way to deal with that.

See also dev-sec/chef-ssh-hardening#96 and dev-sec/ansible-ssh-hardening#23.