We are using PAM 3.1.1. We have the below scenario and we need your expertise and advice on the same.
We have integrated a Linux server into PAM. There is a privileged account (local account) named pam_sysadmin which is registered and managed by PAM. This account uses SSH keys.
My understanding is: an SSH key pair has two keys, 1 - private, 2 - public. Both keys are stored in PAM and only the public key is stored on the target Linux server.
Please correct me if my understanding is incorrect...
Question 1: When PAM rotates the keys, will it rotate both the public and private keys and update the keys in PAM?
And does PAM update/sync the public key to the target server?
Question 2: Now the keys are in sync between PAM and the target server. Suppose a root-equivalent user mistakenly deleted the public key of the privileged account on the target server. Can PAM still rotate the keys and sync them to the target?
Answer 1: Yes
Answer 2: This works only if you have another account that is used to change the key of the SSH key account, i.e. the change process under the UNIX tab is "Use the following account to change password", and the chosen account has no problem logging on to the target device.
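What the two answers mean at the target-host level, as an added illustration that is not part of the original thread and is not PAM's own code: a POSIX sh script that swaps the managed account's entry in authorized_keys the way a rotation does, and refuses to do so "as the managed account" when that account's current key is already gone (the situation in Question 2). The key strings are constructed placeholders, not real keys; the "self" and "other" mode names are this script's own labels for the two change processes the answer distinguishes, and the script does not generate the new key pair, which in PAM's case happens on the PAM side before only the public half is pushed.

```sh
#!/bin/sh
# Added example: authorized_keys side of an SSH key rotation. Not PAM's code.
set -eu

# Constructed placeholder public keys (not valid key material).
OLD_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLDK pam_sysadmin@pam'
NEW_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYNEWKEYNEWKEYNEWKEYNEWKEYNEWKEYNEWK pam_sysadmin@pam'

# key_present FILE PUBKEY -> exit 0 if FILE contains PUBKEY as an exact line.
key_present() {
    grep -qxF -- "$2" "$1" 2>/dev/null
}

# rotate_key FILE OLD_PUB NEW_PUB MODE
#   MODE=self  : the managed account replaces its own key. It can only have
#                logged in with OLD_PUB, so OLD_PUB must still be present.
#   MODE=other : a second account ("Use the following account to change
#                password") writes the new key; OLD_PUB need not survive.
rotate_key() {
    file=$1; old=$2; new=$3; mode=$4
    if [ "$mode" = self ] && ! key_present "$file" "$old"; then
        echo "rotate_key: current key missing from $file; the managed account" \
             "cannot log in, so a second account must push the key" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    # Keep every other line, drop the old key and any stale copy of the new
    # one, then append the new key exactly once.
    { grep -vxF -- "$old" "$file" 2>/dev/null | grep -vxF -- "$new" || true
      printf '%s\n' "$new"; } > "$tmp"
    chmod 600 "$tmp"
    # In a real deployment the file must also be owned by the managed account
    # (or root) for sshd StrictModes; a second account would chown it here.
    mv -f "$tmp" "$file"   # atomic replace, sshd never reads a half-written file
}

# demo: walk through both answers against a temporary authorized_keys file.
demo() {
    ak=$(mktemp)
    printf '%s\n' "$OLD_PUB" > "$ak"
    rotate_key "$ak" "$OLD_PUB" "$NEW_PUB" self && echo "answer 1: rotated, file now holds the new key"
    : > "$ak"                                        # root-equivalent user wipes the entry
    rotate_key "$ak" "$NEW_PUB" "$OLD_PUB" self || echo "answer 2: self-rotation impossible"
    rotate_key "$ak" "$NEW_PUB" "$OLD_PUB" other && echo "answer 2: second account restored a key"
    rm -f "$ak"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh rotate.sh demo` to see both cases. The "self" branch fails exactly because of the chicken-and-egg in Question 2: whatever writes authorized_keys must first authenticate, and the only credential the managed account has is the key that was deleted, which is why the answer ties recovery to a second account that can still log on.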