search cancel

PAM - Unix account- PermitRootLogin and PasswordAuthentication settings in sshd_config

book

Article ID: 228110

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

I would like to inquire if the PermitRootLogin and PasswordAuthentication should be set to 'yes' in /etc/ssh/sshd_config every hosts we manage for the password change over ssh to work? Let me know also if this is documented on your knowledgebase.

We do have a management host wherein we login and update password to every hosts in our report of unverified.

sample command we issue from our management.

[email protected]$ cat /tmp/cmd 
/opt/capim/prod/bin/changepass -h host1 -u root -p 'CU*********'
/opt/capim/prod/bin/changepass -h host1 -u cmadmin -p 'fX8**********'

 

sample settings on problem host

[[email protected] production: /etc/ssh] grep -i permitrootlogin sshd_config
#PermitRootLogin prohibit-password
[[email protected] production: /etc/ssh] grep -i passwordauthentication sshd_config
PasswordAuthentication no
[[email protected] production: /etc/ssh]

 

Environment

Release :

Component :

Resolution

We do not have specific recommendations on how to configure sshd_config. The settings here are normally dictated by your companies security policies. We do support several options for connecting and rotating a users password even if they cannot connect directly with their own password. This would involve using another user to connect and change that password. Depending on the users rights this may involve using Privilege Elevation which utilizes the sudo command to change the users rights. See the current manual for the following topics to learn more.

SSH Key Authentication for Accessing UNIX/LINUX Targets

Set the Privilege Elevation for UNIX Target Accounts

Use an Alternate Account to Change Passwords