I would like to inquire whether PermitRootLogin and PasswordAuthentication should be set to 'yes' in /etc/ssh/sshd_config on every host we manage for the password change over SSH to work. Also, let me know if this is documented in your knowledge base.
We do have a management host where we log in and update the password on every host in our report of unverified.
Sample command we issue from our management:
[email protected]$ cat /tmp/cmd
/opt/capim/prod/bin/changepass -h host1 -u root -p 'CU*********'
/opt/capim/prod/bin/changepass -h host1 -u cmadmin -p 'fX8**********'
Sample settings on problem host:
[[email protected] production: /etc/ssh] grep -i permitrootlogin sshd_config
[[email protected] production: /etc/ssh] grep -i passwordauthentication sshd_config
[[email protected] production: /etc/ssh]
We do not have specific recommendations on how to configure sshd_config. The settings here are normally dictated by your company's security policies. We do support several options for connecting and rotating a user's password even if they cannot connect directly with their own password. This would involve using another user to connect and change that password. Depending on the user's rights, this may involve using Privilege Elevation, which utilizes the sudo command to change the user's rights. See the current manual for the following topics to learn more.
SSH Key Authentication for Accessing UNIX/LINUX Targets
Set the Privilege Elevation for UNIX Target Accounts
Use an Alternate Account to Change Passwords
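
An added example, not part of the original thread or the vendor's manual: when the greps return nothing, as in the output shown for the problem host, sshd uses its built-in defaults for both keywords. This sketch resolves the global value of each keyword and reports which password logins remain; the function names, the result tokens and the upstream OpenSSH 7.0+ defaults (`prohibit-password`, `yes`) are assumptions.

```shell
#!/bin/sh
# Added example. Prints the global value sshd would use for KEYWORD in FILE,
# or DEFAULT when the keyword is absent. Limits of this sketch: it stops at
# the first Match block and does not follow Include directives.
# usage: effective_sshd_setting KEYWORD DEFAULT FILE
effective_sshd_setting() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }        # accept the "Keyword=value" form
        tolower($1) == "match" { exit }      # conditional section starts here
        tolower($1) == key { print $2; found = 1; exit }  # first value wins
        END { if (!found) print def }
    ' "$3"
}

# Reports which password logins the global config allows:
#   root          - root and other accounts can log in with a password
#   non-root-only - root cannot; an alternate account plus sudo is needed
#   none          - no password logins; key-based access is needed
# Defaults are upstream OpenSSH (7.0+); a distribution build may differ.
password_login_paths() {
    root=$(effective_sshd_setting PermitRootLogin prohibit-password "$1")
    pass=$(effective_sshd_setting PasswordAuthentication yes "$1")
    if [ "$pass" != yes ]; then
        echo none
    elif [ "$root" = yes ]; then
        echo root
    else
        echo non-root-only
    fi
}

# Constructed sample: neither keyword is set, so the defaults apply.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'UsePAM yes' > "$sample"
password_login_paths "$sample"    # non-root-only
rm -f "$sample"
```

On a live host, `sshd -T` run as root prints the effective configuration and is the authoritative check; add `-C` to evaluate Match blocks for a specific connection.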