fix(testing): authorize a root key so make test survives sshd hardening

The VM test SSHes into the guest as root with a password for the whole run. archsetup hardens sshd to PermitRootLogin prohibit-password and reloads it partway through the install, so every SSH after that step failed with "Permission denied" and the run aborted before any validation — make test had been silently broken since the hardening landed.

inject_root_key authorizes a throwaway root key right after the first SSH (before archsetup runs) and the ssh/scp helpers now add -i <key> via SSH_KEY_OPT. prohibit-password still allows root key auth, so the harness survives the very hardening it validates. Password stays as the fallback, so the change is additive.

1 files changed, 7 insertions, 0 deletions

diff --git a/scripts/testing/run-test.sh b/scripts/testing/run-test.sh
index 314097a..90022d3 100755
--- a/scripts/testing/run-test.sh
+++ b/scripts/testing/run-test.sh
@@ -142,6 +142,13 @@ start_qemu "$DISK_PATH" "disk" "" "none" || fatal "Failed to start VM"
 wait_for_ssh "$ROOT_PASSWORD" 120 || fatal "VM SSH not available"
 stop_timer "boot"
 
+# Authorize a root key now, before archsetup runs. archsetup hardens sshd to
+# PermitRootLogin prohibit-password partway through, which breaks the harness's
+# root password SSH; key auth survives it. Without this, the run aborts mid-way
+# (before any validation) once the hardening step lands.
+inject_root_key "$TEST_RESULTS_DIR/root_key" || \
+    warn "Continuing without root key - run may break at the sshd hardening step"
+
 # Run network diagnostics
 if ! run_network_diagnostics; then
     fatal "Network diagnostics failed - aborting test"