diff options
| -rwxr-xr-x | archsetup | 8 | ||||
| -rw-r--r-- | todo.org | 5 |
2 files changed, 11 insertions, 2 deletions
@@ -1268,6 +1268,14 @@ EOF action="starting the openssh service" && display "task" "$action" systemctl start sshd >> "$logfile" 2>&1 || error_warn "$action" "$?" + action="hardening sshd (root login by key only)" && display "task" "$action" + cat << 'EOF' > /etc/ssh/sshd_config.d/10-hardening.conf +# Root may log in by key only, never by password. PasswordAuthentication is +# left at the default so a normal user can still bootstrap a key via ssh-copy-id. +PermitRootLogin prohibit-password +EOF + systemctl reload sshd >> "$logfile" 2>&1 || error_warn "$action" "$?" + # SSH Brute Force Protection display "subtitle" "SSH Brute Force Protection" @@ -634,8 +634,9 @@ One real integrity bypass exists, and it is not =--noconfirm=: =archsetup:2403= :END: Ensure new tools integrate with DWM environment and don't break workflow -** TODO [#C] Harden sshd in the installer (explicit prohibit-password) :solo: -Fresh installs already get Arch's safe default (=PermitRootLogin prohibit-password= is the commented stock value) and archsetup doesn't set it — but velox and ratio both carried an explicit =PermitRootLogin yes= at =/etc/ssh/sshd_config:33= from some earlier provisioning, fixed by hand 2026-06-23 (root is now key-only on both; =PasswordAuthentication= left on so ssh-copy-id to the user still works). Make the posture intentional rather than dependent on the upstream default: in the openssh block (=archsetup= ~1265, after =systemctl enable sshd=), write =/etc/ssh/sshd_config.d/10-hardening.conf= with =PermitRootLogin prohibit-password=. Leave =PasswordAuthentication= alone. Surfaced by the 2026-06-23 security-status work. +** DONE [#C] Harden sshd in the installer (explicit prohibit-password) :solo: +CLOSED: [2026-06-24 Wed] +Done 2026-06-24: the openssh block (=archsetup:1271-1277=) now writes =/etc/ssh/sshd_config.d/10-hardening.conf= with =PermitRootLogin prohibit-password= and reloads sshd, right after starting the service. =PasswordAuthentication= left untouched so ssh-copy-id to the user still works. Makes the posture intentional rather than dependent on the upstream default. Velox and ratio (which carried an explicit =PermitRootLogin yes= at =sshd_config:33= from earlier provisioning) were already fixed by hand 2026-06-23. Verified =bash -n= + =shellcheck -S error= clean; full drop-in-on-fresh-install confirmation is VM-deferred (the unit harness covers helpers, not inline install steps). ** TODO [#B] Add NVIDIA preflight check for Hyprland :PROPERTIES: |