feat(archsetup): harden sshd with a prohibit-password drop-in - archsetup - Builds a full dev workstation from a bare Arch Linux install.

diff options

author	Craig Jennings <c@cjennings.net>	2026-06-24 00:15:25 -0400
committer	Craig Jennings <c@cjennings.net>	2026-06-24 00:15:25 -0400
commit	3c4f7647b9a8117398414bc62c84d2891ff97f54 (patch)
tree	1ffc1e4145af9ae27d6a4d63637681c55df0add4 /scripts/testing/lib
parent	cff6d9d339fcc5a933a0e3a3fcf5fc2faa62b998 (diff)
download	archsetup-3c4f7647b9a8117398414bc62c84d2891ff97f54.tar.gz archsetup-3c4f7647b9a8117398414bc62c84d2891ff97f54.zip

feat(archsetup): harden sshd with a prohibit-password drop-in

The installer now writes /etc/ssh/sshd_config.d/10-hardening.conf with PermitRootLogin prohibit-password and reloads sshd, right after it starts the service. Root can still log in by key, never by password. PasswordAuthentication is left at the default so a normal user can bootstrap a key with ssh-copy-id. This makes the posture intentional instead of leaning on Arch's commented default. velox and ratio both carried an explicit PermitRootLogin yes from earlier provisioning, which I'd already fixed by hand.

Diffstat (limited to 'scripts/testing/lib')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: