| author | Craig Jennings <c@cjennings.net> | 2026-06-24 00:15:25 -0400 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-06-24 00:15:25 -0400 |
| commit | 3c4f7647b9a8117398414bc62c84d2891ff97f54 (patch) | |
| tree | 1ffc1e4145af9ae27d6a4d63637681c55df0add4 | |
| parent | cff6d9d339fcc5a933a0e3a3fcf5fc2faa62b998 (diff) | |
feat(archsetup): harden sshd with a prohibit-password drop-in
The installer now writes /etc/ssh/sshd_config.d/10-hardening.conf with PermitRootLogin prohibit-password and reloads sshd, right after it starts the service. Root can still log in by key, never by password. PasswordAuthentication is left at the default so a normal user can bootstrap a key with ssh-copy-id.
This makes the posture intentional instead of leaning on Arch's commented default. velox and ratio both carried an explicit PermitRootLogin yes from earlier provisioning, which I'd already fixed by hand.
| -rwxr-xr-x | archsetup | 8 |
| -rw-r--r-- | todo.org | 5 |
2 files changed, 11 insertions, 2 deletions
@@ -1268,6 +1268,14 @@ EOF action="starting the openssh service" && display "task" "$action" systemctl start sshd >> "$logfile" 2>&1 || error_warn "$action" "$?" + action="hardening sshd (root login by key only)" && display "task" "$action" + cat << 'EOF' > /etc/ssh/sshd_config.d/10-hardening.conf +# Root may log in by key only, never by password. PasswordAuthentication is +# left at the default so a normal user can still bootstrap a key via ssh-copy-id. +PermitRootLogin prohibit-password +EOF + systemctl reload sshd >> "$logfile" 2>&1 || error_warn "$action" "$?" + # SSH Brute Force Protection display "subtitle" "SSH Brute Force Protection" 
@@ -634,8 +634,9 @@ One real integrity bypass exists, and it is not =--noconfirm=: =archsetup:2403= :END: Ensure new tools integrate with DWM environment and don't break workflow -** TODO [#C] Harden sshd in the installer (explicit prohibit-password) :solo: -Fresh installs already get Arch's safe default (=PermitRootLogin prohibit-password= is the commented stock value) and archsetup doesn't set it — but velox and ratio both carried an explicit =PermitRootLogin yes= at =/etc/ssh/sshd_config:33= from some earlier provisioning, fixed by hand 2026-06-23 (root is now key-only on both; =PasswordAuthentication= left on so ssh-copy-id to the user still works). Make the posture intentional rather than dependent on the upstream default: in the openssh block (=archsetup= ~1265, after =systemctl enable sshd=), write =/etc/ssh/sshd_config.d/10-hardening.conf= with =PermitRootLogin prohibit-password=. Leave =PasswordAuthentication= alone. Surfaced by the 2026-06-23 security-status work. +** DONE [#C] Harden sshd in the installer (explicit prohibit-password) :solo: +CLOSED: [2026-06-24 Wed] +Done 2026-06-24: the openssh block (=archsetup:1271-1277=) now writes =/etc/ssh/sshd_config.d/10-hardening.conf= with =PermitRootLogin prohibit-password= and reloads sshd, right after starting the service. =PasswordAuthentication= left untouched so ssh-copy-id to the user still works. Makes the posture intentional rather than dependent on the upstream default. Velox and ratio (which carried an explicit =PermitRootLogin yes= at =sshd_config:33= from earlier provisioning) were already fixed by hand 2026-06-23. Verified =bash -n= + =shellcheck -S error= clean; full drop-in-on-fresh-install confirmation is VM-deferred (the unit harness covers helpers, not inline install steps). ** TODO [#B] Add NVIDIA preflight check for Hyprland :PROPERTIES: |
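Review bot: In the archsetup hunk (@@ -1268), only the `systemctl reload sshd` line is guarded by `|| error_warn`; the `cat << 'EOF' > /etc/ssh/sshd_config.d/10-hardening.conf` write is unchecked, and nothing confirms that the drop-in is the setting sshd ends up using. sshd takes the first value it obtains for each keyword, so on a host whose main sshd_config still has `PermitRootLogin yes` ahead of the Include for sshd_config.d (or has no Include at all), password root login would stay enabled while the installer reports the task as done. The commit message says velox and ratio carried exactly that line. Suggest chaining the write into the error handling, running `sshd -t` before the reload, and checking the effective value afterwards with `sshd -T | grep -i permitrootlogin`, sending a mismatch to error_warn.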
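Review bot: In the todo.org hunk, the DONE entry states that fresh-install confirmation of the drop-in is VM-deferred, yet closing the item leaves nothing open to track that check. Suggest adding a short follow-up TODO for the VM verification so it is not lost. The reference `archsetup:1271-1277` will also drift as soon as lines are added above it; naming the openssh block instead would keep the note accurate.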
