I don't understand why disabling root logins would not allow regular logins. Could you explain how the "master server" works in regard to making ssh connections?
On a Linux or BSD system, read the /etc/ssh/sshd_config file. Pay attention to the comments above the UsePAM Yes line.
You can use PAM for session control but use public key authentication.
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
I've never allowed root logins on my system. I think that without-password mean the same thing as "PasswordAuthentication no" but only for root. I think that a general "PasswordAuthentication no" would suffice but "PermitRootLogins without-password" allows you to configure root for public key authentication but allow password authentication for regular users.
If you must have root logins, pubkey authentication that you have now would be best.
How are regular user ssh logins handled?