A client has the following InfoSec requirements:
1. Root SSH access must be disabled on all Unix boxes
2. The root account must be managed by another Unix account (master account)
3. The Master account must use key-based auth on port 901
4. The root account's (keyboard based) password must be changed
The Master account has the appropriate privileges to su to root on the target host.
We've set up two Unix applications, one for port 22 (-unix) and another for port 901 (-unix-901).
We've created the two accounts: root (linked to the -unix application), set up with password authentication, and masteraccount (linked to the -unix-901 application), set up with key-based authentication.
Both accounts are in a synchronized and "validated" state.
Using a manual process via PuTTY, we are able to log in to the Unix host over port 901 using the master account and key-based authentication. We can issue the passwd root command and change the password successfully, which leads us to believe that it should also be possible to do in PAM.
However, when we try to generate credentials on the 'validated' root account, it fails.
The client has a similar setup (root SSH is disabled and managed by another account); however, in that case the master account is a Centrify'd domain account.
Is this a known issue?
Is there some special configuration?
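Before chasing the PAM side, it is worth confirming that the sshd instance behind port 901 actually satisfies requirements 1 and 3. The following is an added example, not part of the original question and not the PAM product's own tooling: a small shell audit that reads an sshd_config text and reports which requirement is violated. The two config texts are constructed samples, the port (901) and account name (masteraccount) come from the question, and the values assumed for unset directives (Port 22, PubkeyAuthentication yes, PasswordAuthentication yes) are OpenSSH's documented defaults.

```shell
#!/bin/sh
# Added example: audit a port-901 sshd_config against the poster's
# requirements 1 and 3. Not from the original post or any PAM vendor.

# Constructed sample: a config that meets the requirements.
GOOD_SSHD_CONFIG='# port-901 instance for the master account (constructed sample)
Port 901
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers masteraccount
'

# Constructed sample: root login still allowed and password auth still on.
BAD_SSHD_CONFIG='Port 901
PermitRootLogin yes
PasswordAuthentication yes
'

# Print the effective value of one directive from a config text.
# sshd uses the first value it sees for a keyword, so the first match wins;
# keywords are case-insensitive. Match blocks are not evaluated here:
# parsing stops at the first "Match" line (assumption for this example).
sshd_directive() {
    config="$1"; key="$2"
    printf '%s\n' "$config" | awk -v key="$key" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Check a config against the requirements. Prints each failure and returns
# 0 only if every check passes. Unset directives are compared against the
# OpenSSH defaults (Port 22, PubkeyAuthentication yes, PasswordAuthentication yes).
# Only the first AllowUsers entry is inspected (assumption for this example).
check_master_sshd_config() {
    config="$1"; expected_port="${2:-901}"; master="${3:-masteraccount}"
    rc=0

    port=$(sshd_directive "$config" Port)
    [ "${port:-22}" = "$expected_port" ] || {
        echo "FAIL: Port is '${port:-22}', expected $expected_port (req 3)"; rc=1; }

    v=$(sshd_directive "$config" PermitRootLogin)
    [ "$v" = "no" ] || {
        echo "FAIL: PermitRootLogin is '${v:-unset}', expected no (req 1)"; rc=1; }

    v=$(sshd_directive "$config" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || {
        echo "FAIL: PubkeyAuthentication is '$v', expected yes (req 3)"; rc=1; }

    v=$(sshd_directive "$config" PasswordAuthentication)
    [ "${v:-yes}" = "no" ] || {
        echo "FAIL: PasswordAuthentication is '${v:-yes}' on the key-only port (req 3)"; rc=1; }

    v=$(sshd_directive "$config" AllowUsers)
    [ "$v" = "$master" ] || {
        echo "FAIL: AllowUsers is '${v:-unset}', expected $master (req 2/3)"; rc=1; }

    return $rc
}

# Usage: run the audit on both constructed samples.
check_master_sshd_config "$GOOD_SSHD_CONFIG" && echo "good config: OK"
check_master_sshd_config "$BAD_SSHD_CONFIG" || echo "bad config: violations found"
```

To run this against a real host, replace the sample text with `cat /etc/ssh/sshd_config.901` (or whatever file the -unix-901 instance loads) and confirm that the port-22 instance independently has PermitRootLogin no; the audit deliberately stops at the first Match line, so a host that grants root or password access inside a Match block must be read by hand.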