| author | Craig Jennings <c@cjennings.net> | 2026-06-24 00:04:18 -0400 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-06-24 00:04:18 -0400 |
| commit | cff6d9d339fcc5a933a0e3a3fcf5fc2faa62b998 (patch) | |
| tree | 9498fcc0aeca622af0092866535184cf2e055a6c /todo.org | |
| parent | 6152acd2853410baa88218f5eb945fed78ff94ff (diff) | |
| download | archsetup-cff6d9d339fcc5a933a0e3a3fcf5fc2faa62b998.tar.gz archsetup-cff6d9d339fcc5a933a0e3a3fcf5fc2faa62b998.zip | |
docs(todo): file installer sshd-hardening follow-up from security work
Diffstat (limited to 'todo.org')
| -rw-r--r-- | todo.org | 3 |
1 files changed, 3 insertions, 0 deletions
@@ -634,6 +634,9 @@ One real integrity bypass exists, and it is not =--noconfirm=: =archsetup:2403= :END: Ensure new tools integrate with DWM environment and don't break workflow +** TODO [#C] Harden sshd in the installer (explicit prohibit-password) :solo: +Fresh installs already get Arch's safe default (=PermitRootLogin prohibit-password= is the commented stock value) and archsetup doesn't set it — but velox and ratio both carried an explicit =PermitRootLogin yes= at =/etc/ssh/sshd_config:33= from some earlier provisioning, fixed by hand 2026-06-23 (root is now key-only on both; =PasswordAuthentication= left on so ssh-copy-id to the user still works). Make the posture intentional rather than dependent on the upstream default: in the openssh block (=archsetup= ~1265, after =systemctl enable sshd=), write =/etc/ssh/sshd_config.d/10-hardening.conf= with =PermitRootLogin prohibit-password=. Leave =PasswordAuthentication= alone. Surfaced by the 2026-06-23 security-status work. + ** TODO [#B] Add NVIDIA preflight check for Hyprland :PROPERTIES: :LAST_REVIEWED: 2026-05-21 |
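Review bot: the new TODO's drop-in plan needs a verification step, because sshd keeps the first value it reads for each keyword, so =/etc/ssh/sshd_config.d/10-hardening.conf= only takes effect if the =Include /etc/ssh/sshd_config.d/*.conf= line in the main file comes before any =PermitRootLogin= there; the hunk itself records that velox and ratio carried an explicit =PermitRootLogin yes= at =/etc/ssh/sshd_config:33=, which is exactly the case where a drop-in can silently lose. Suggest the TODO also say: after writing the drop-in, check the effective value with =sshd -T -C user=root | grep -i permitrootlogin= and fail the installer step if it is not =prohibit-password=, and run =sshd -t= so a syntax error in the drop-in is caught before the first boot rather than when sshd refuses to start.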
