PAM - Unix account- PermitRootLogin and PasswordAuthentication settings in sshd_config
search cancel

PAM - Unix account- PermitRootLogin and PasswordAuthentication settings in sshd_config


Article ID: 228110


Updated On:


CA Privileged Access Manager (PAM)


I would like to inquire if the PermitRootLogin and PasswordAuthentication should be set to 'yes' in /etc/ssh/sshd_config every hosts we manage for the password change over ssh to work? Let me know also if this is documented on your knowledgebase.

We do have a management host wherein we login and update password to every hosts in our report of unverified.

sample command we issue from our management.

<servername>@Prod$ cat /tmp/cmd 
/opt/capim/prod/bin/changepass -h <servername> -u root -p 'CU*********'
/opt/capim/prod/bin/changepass -h <servername> -u cmadmin -p 'fX8**********'


sample settings on problem host

[root@<servername> production: /etc/ssh] grep -i permitrootlogin sshd_config
#PermitRootLogin prohibit-password
[root@<servername> production: /etc/ssh] grep -i passwordauthentication sshd_config
PasswordAuthentication no
[root@<servername> production: /etc/ssh]



Release :

Component :


We do not have specific recommendations on how to configure sshd_config. The settings here are normally dictated by your companies security policies. We do support several options for connecting and rotating a users password even if they cannot connect directly with their own password. This would involve using another user to connect and change that password. Depending on the users rights this may involve using Privilege Elevation which utilizes the sudo command to change the users rights. See the current manual for the following topics to learn more.

SSH Key Authentication for Accessing UNIX/LINUX Targets

Set the Privilege Elevation for UNIX Target Accounts

Use an Alternate Account to Change Passwords