author: Craig Jennings <c@cjennings.net> 2026-06-24 00:15:25 -0400
committer: Craig Jennings <c@cjennings.net> 2026-06-24 00:15:25 -0400
commit: 3c4f7647b9a8117398414bc62c84d2891ff97f54
tree: 1ffc1e4145af9ae27d6a4d63637681c55df0add4 /todo.org
parent: cff6d9d339fcc5a933a0e3a3fcf5fc2faa62b998
feat(archsetup): harden sshd with a prohibit-password drop-in
The installer now writes /etc/ssh/sshd_config.d/10-hardening.conf with PermitRootLogin prohibit-password and reloads sshd, right after it starts the service. Root can still log in by key, never by password. PasswordAuthentication is left at the default so a normal user can bootstrap a key with ssh-copy-id. This makes the posture intentional instead of leaning on Arch's commented default. velox and ratio both carried an explicit PermitRootLogin yes from earlier provisioning, which I'd already fixed by hand.
Diffstat (limited to 'todo.org')
-rw-r--r-- todo.org 5
1 files changed, 3 insertions, 2 deletions
diff --git a/todo.org b/todo.org
index 89ec5b9..38b41a8 100644
--- a/todo.org
+++ b/todo.org
@@ -634,8 +634,9 @@ One real integrity bypass exists, and it is not =--noconfirm=: =archsetup:2403=
:END:
Ensure new tools integrate with DWM environment and don't break workflow
-** TODO [#C] Harden sshd in the installer (explicit prohibit-password) :solo:
-Fresh installs already get Arch's safe default (=PermitRootLogin prohibit-password= is the commented stock value) and archsetup doesn't set it — but velox and ratio both carried an explicit =PermitRootLogin yes= at =/etc/ssh/sshd_config:33= from some earlier provisioning, fixed by hand 2026-06-23 (root is now key-only on both; =PasswordAuthentication= left on so ssh-copy-id to the user still works). Make the posture intentional rather than dependent on the upstream default: in the openssh block (=archsetup= ~1265, after =systemctl enable sshd=), write =/etc/ssh/sshd_config.d/10-hardening.conf= with =PermitRootLogin prohibit-password=. Leave =PasswordAuthentication= alone. Surfaced by the 2026-06-23 security-status work.
+** DONE [#C] Harden sshd in the installer (explicit prohibit-password) :solo:
+CLOSED: [2026-06-24 Wed]
+Done 2026-06-24: the openssh block (=archsetup:1271-1277=) now writes =/etc/ssh/sshd_config.d/10-hardening.conf= with =PermitRootLogin prohibit-password= and reloads sshd, right after starting the service. =PasswordAuthentication= left untouched so ssh-copy-id to the user still works. Makes the posture intentional rather than dependent on the upstream default. Velox and ratio (which carried an explicit =PermitRootLogin yes= at =sshd_config:33= from earlier provisioning) were already fixed by hand 2026-06-23. Verified =bash -n= + =shellcheck -S error= clean; full drop-in-on-fresh-install confirmation is VM-deferred (the unit harness covers helpers, not inline install steps).
** TODO [#B] Add NVIDIA preflight check for Hyprland
:PROPERTIES:
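Review bot: the added DONE entry closes the item while stating that the drop-in-on-fresh-install confirmation is "VM-deferred", and nothing in this hunk tracks that remaining verification. Suggest adding a follow-up TODO for the VM check, and having it assert the effective setting (`sshd -T | grep -i permitrootlogin`) rather than the presence of `10-hardening.conf`. sshd keeps the first value it reads for a keyword, so the drop-in only takes effect when the `Include` of `sshd_config.d` comes before any `PermitRootLogin` line in `sshd_config`, which is the situation the entry itself describes for velox and ratio (`PermitRootLogin yes` at `sshd_config:33`). The entry also lists `bash -n` and `shellcheck` but no `sshd -t` before the reload; worth noting whether the installer runs it, since a reload with an invalid drop-in can leave sshd on the old configuration or failing.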